Category: Ethics & Law of Information

A category dealing with the ethics and legalities of the management of Information and Information Quality.

  • Brexit’s got Talent?

    I think Charlton Heston put it best:

    “Damn them all to hell! They finally went and did it! They blew it up!”

    That was my immediate reaction to the Brexit news this morning.

    • A campaign that was polluted by lies and misinformation from the pro-Brexit side, including a bold claim that voting to leave the EU would save £350 Million a year, a claim that was debunked during the campaign but which the Pro-Leave side persisted with on the side of their “battle bus”. A claim that the Pied Piper of Brexit himself, Nigel Farage, has started back pedalling away from within single digit hours (barely minutes) of his side’s victory.
    • A campaign that cost a wife and mother her life simply because she had an opinion that differed from that of an armed man who had embraced the propaganda of the pro-Brexiters and, rather than risk his vote not being heard, stabbed and shot Jo Cox to death.  Yes, we all now know the depth of Shooty McShootface’s political opinion. And two children are without their mother.
    • A campaign where politicians blatantly lied and spread misinformation, capitalising on decades of anti-EU sentiment from a media controlled by an immigrant who likes being able to push governments around but gets told to fuck off by EU officials.
    • A campaign where a Minister of the Crown actually said, in response to experts calling bullshit on his arguments, that “People have had enough of experts”.
    • A campaign where, having won and having chased their people pleasing PR obsessed Prime Minister out of office (bye bye Dave), the heirs apparent to the Government of the United Kingdom stopped and, in the manner of kids who have seen a kid who has eaten all the sweets in the sweet shop and now realise what the words “diabetic” and “coma” mean when an ambulance paramedic is shouting them into a radio, have faltered in their cocksuredness that this Brexit thing is something that’s needed. “No need to rush things” says Boris Johnson. “I’ll have to consult with learned minds” says Gove.  Hopefully none of those learned minds are actually experts, because we all know Gove has had enough of them. But if they’re not experts, then is Gove just consulting with the winners of his local Trivial Pursuits club raffle?

    Perhaps the arse falling out of the UK (and global) economy as if they had personally shovelled the economic equivalent of senokot and pure dysentery into the bowels of the world financial systems has softened their cough.

    Perhaps they didn’t think they’d win so they didn’t have a plan? And now the plan they need will have to be a tad more cunning than one of Mister E. Blackadder’s. Because the plan they had been following thus far seems to have been conceived by Mr S. Baldrick. But no sensible politician or political leader places the economic futures of millions, the fate of the United Kingdom, and the stability of the global economy in jeopardy without having some semblance of a plan to deal with the fall out when things go their way.

    Oh fuck.

    But that’s not the bit that gets me angry. Campaigns like this are always fuelled by lies and misinformation from at least one of the sides involved. And a certain class of politician is always going to think of themselves as Machiavelli (instead of Ronald McDonald) and try to use a hiccup to foment a crisis that gets them to the leadership position they want. That’s just the bullshit cut and thrust of politics.

    What gets me angry, and makes me very worried, is the Facebook-isation of democracy in two contexts:

    • The UK Electorate seems to think that voting in a referendum is of no more significance than liking a cat video on Facebook.

    Social media is full of videos and tweets of people saying that they have changed their mind and want a do over. That’s not how it works. Democracy is important. People die to get the right to vote. So… why not think about things before you put your scrawl in a box. Waking up with “Voters’ regret” doesn’t change the fact that you voted against your own best interests and those of your peers. You can’t fix your dumb vote with a smiley face emoticon and an “Unlike Brexit” vote.

    This tells me that the education system (one of the things the Brexiters blamed the EU and immigration for messing up, when it is more likely to be chronic underfunding by successive governments) has failed to teach citizens of the soon-to-be-Disunited Kingdom what voting in elections and referenda is actually all about. It’s not about finding out who gets to stay in the Big Brother House. It’s about finding out if your kids get to have a future and at least the opportunities that you had. (One bright note in this is that the younger generation who grew up with social media bullshit and reality TV actually seem to be able to tell the difference between waffle and reality. It’s just a pity their older siblings, parents, and grandparents seem to have forgotten they were voting in a referendum, not on the outcome of Strictly.)

    Brexit was a world altering decision. To say you voted to leave “because you didn’t think your vote would count” means you don’t understand voting, or vote counting, or addition, or just generally the concept of accountability for your actions. Crying that you want a do-over so you can vote the right way the next time is not the answer. There may be no next time (except if you are Irish and voting on an EU Referendum in Ireland, in which case we tend to keep asking variations on the question until we get the answer that is needed, like Mrs Doyle in Father Ted only with Treaties instead of Tea).

    • The Filter Effect of algorithms in Social Media may have had an impact that may be impossible to quantify

    Facebook has proven, through its own experiments, that showing people sad news on their timeline makes them sad. But the algorithms that filter and shape our experiences of social media filter our view of the world. It is not beyond the bounds of possibility that people who rely on social media for their news and for their impression of public opinion and trends simply fell into an echo chamber where the messages that bombarded them made them perceive and feel that their vote wouldn’t count.

    With the bullshit misinformation and outright lies that circulated during the campaign, the bots and filters would have had a lot to play with in shaping a negative world view. That world view might have led marginal voters (the old reliable undecided voter) to vote Leave because they felt any other choice wouldn’t count.

    I am speculating of course. But the algorithms that shape our world have biases inherited from the world views that created them, and they consume the data exhaust we leave for them to form a model of the world as we would like to see it and how the data says we perceive it. This has to have an impact.

    Taking these two things together we find ourselves with an electorate who are algorithmically brainwashed but don’t consider their democratic function to be of such importance that they will take time to trust but verify the information they are given. And in that context we have shallow thinking, reflexive voting, and undesirable outcomes. And that is just the politicians.

     

  • Happy International Women’s Day

    Today is International Women’s Day.

    It is also another day that the Irish Department of Health and Children will spend counting down the hours until they can destroy material evidence of bad things that have happened to women in the State. Material evidence that they obtained through the operation of a Redress Scheme the terms of reference of which require the return of these records to the women who submitted them.

    The Dept of Health has made statements to the effect that there is no need to retain the records as the women will be able to get copies again from their hospitals if they need them. But this ignores the defined retention schedule for clinical records relating to maternity care which is 25 years after the date of last pregnancy. It also ignores that there have been mergers and closures of hospitals and there is every chance that the hospital copies of records will not be available.

    The Data Protection Commissioner is standing on the sideline, apparently unconcerned that the destruction of records proposed is in contravention of the Terms of Reference of the Redress Scheme. She (or more accurately her Office) appears to have adopted the position that compliance with the Data Protection requirement to “retain for no longer than is necessary” automatically requires the destruction of records when the period of their usefulness for their purpose has expired. “Allumer les déchiqueteuses” as they say in French.

    A cynic would suggest that that is what the Department are counting on, given the renewed attention the United Nations is giving this issue as a question of Human Rights. A cynic might suggest that Digital Rights Ireland might have a point in their case about the independence of the DPC given the Office’s apparent unwillingness to engage with the balancing of rights issues that exist here.

    My daughter is at an age where she wants to know what Daddy does for a living. She has decided I’m a “superhero spy guy” because I travel, wear suits, and try to help people but can’t always talk about it. Her child’s mind has not yet discovered Death by PowerPoint or the “clay layer” of change management, but she has started to learn about History. And History is important.

    This issue is one where I have put my shoulder to the wheel to try and find a solution. It’s important. The medical records that face destruction in 12 days’ time represent important history. They are a record of the personal history of women who have already suffered and endured pain and indignity. They are a record of the social history of how the Irish State has treated women and women’s rights.

    They are a record of a history we should not forget, even if it is painful for us to remember.

    There is a valid historical value in these records being retained where they cannot be returned to the individuals so that their stories can be told in the aggregate. There is a practical value in the records being placed in trust with an independent body who can provide them back to individuals on request, while still supporting historical research. There is a Public Interest in remembering.

    Ireland is not the only EU country to have struggled with the challenge of how to handle files from the past that evidence the gap between how we want to remember and what we need to remember. Countries of the former Soviet satellite states in Eastern Europe, including Germany, have retained the files that the Secret Police held on citizens. Individuals can request their own files back. Copies are held for historical research. Access for other purposes is strictly controlled. All of this operates in some of the most conservative Data Protection regimes in Europe. Perhaps Ireland needs to adopt a similar approach to the darker periods of our collective past.

    For today’s International Women’s Day I hope my superpower (pedantic analysis of data privacy legislation and fundamental principles) can contribute in some way to ensuring that my daughter grows up in an Ireland that has learned from its painful past and treats its wives, daughters, and mothers with more fundamental respect than her grandmothers’ generation enjoyed.

    Treating the records of Survivors of Symphysiotomy with greater respect than the survivors themselves have received would be a start.

  • Symphysiotomy, Redress, and the DPC

    Over on the company site I’ve written a piece on Data Retention policies that references the Symphysiotomy redress scheme as a case study in data retention planning (not in a good way). For those who didn’t spot it yesterday and who are glued to the national media that isn’t referencing this huge story, let me summarise:

    The State, in the form of the Redress Scheme, has told women who endured symphysiotomies that they have until Monday to request their own medical records back or the State will take it on itself to destroy them. This is the same State that some of these women might want to sue, relying on these records as part of their case. The State has told the women and their legal representatives not by way of a letter, but by way of a notice on their website.

    Here, on my personal blog, I get to have a small rant from time to time. This is one of those times. Because this sucks donkey balls. It is a further hideous abuse of women who have suffered, largely in silence, for years.

    Donkey. Balls.

    The terms of reference of the redress scheme (paragraph 46) clearly distinguish between two types of records: medical records provided by the applicants (the women who have endured the fall out of symphysiotomy) and records obtained from other sources by the Redress Scheme itself.

    Paragraph 46 sets out that, for the first category of data “reasonable efforts” must be made to return the records. It does not set out a requirement for the destruction of the records. The second category of records it sets out will be destroyed when the Redress Scheme has run its course.

    Regardless of source, this is personal and sensitive personal data relating to identifiable individuals. It is subject to the rights and duties outlined in the Data Protection Acts and in the EU Charter of Fundamental Rights. Those rights include the right to data privacy, which encompasses a right to get your data, and a right to dignity.

    The Data Protection Acts and the Data Protection Directive require that data not be retained by a data controller any longer than necessary for the purpose for which it was obtained. They do not require that the data be destroyed. The women whose original medical records are in question here may have any number of purposes for them outside the scope of the Redress Scheme. On-going care and treatment of any complications arising from a symphysiotomy, seeking further legal advice, simply reminding their children and grandchildren of how poorly the State has treated them, historical record… it doesn’t matter.

    However, the State has skin in the game with regard to the destruction of these records. If they are gone, then it becomes impossible for any of these women to exercise their rights in further legal actions because the evidentiary documentation they need will have been destroyed. This may not be the conscious intent but it is the practical reality: the State is effectively destroying evidence when these records are destroyed. While the records may not ultimately carry the day as evidence in a court action, they are still evidence of what I had hoped were historic attitudes to women in this State.

    But the haste with which the State is moving to dispose of these records and the clamorous droning of the shredders firing up heralds otherwise.

    The Redress Scheme was required to make reasonable efforts to arrange for the return of documents. A message on a website when your target audience are lawyers and elderly women is not reasonable. It smacks of a box being ticked: “Did we put something out there about it? – TICK”. It is not an appropriate mechanism of communication to those audiences. A letter to a lawyer, a snippet on Marian Finucane or other radio or TV for the affected women, a feck off big advert in the newspaper… all of these are infinitely more appropriate.

    I would compare this to the full court press that was done in the media to raise awareness of the closing date for women to apply and provide their records to the Redress Scheme. A cynic might think that this was a cunning strategy to get the evidence in from the affected women and then arrange for its destruction before it could be used in litigation. But that would be awfully cynical.

    But this is the pattern that the permanent Government (the Civil Service) seems to fall into in matters like this: Protect the State at all costs.

    Compare the approach to the retention of data about primary school children to this Redress Scheme: The Dept of Education has argued trenchantly that a) data relating to medical or psychological assessments is not sensitive personal data (it is)  and b) that they need to hold the data indefinitely (expressed as “until the child reaches their 30th birthday and then review”).

    Why would the Dept of Education want to know all the sensitive data about kids for many years after they would have left the school system? They have not provided a coherent answer to this, despite the Grecian work of Simon McGarr (note: Trojans partied and were massacred, the Greeks stayed up late and built a horse). The DPC has been left spinning as they apparently had approved of all of this and have been fought to the wire by Simon to ensure they enforce the actual law.

    The answer to why is the O’Keeffe case, which put the Department on the hook for child abuse in schools. So – get all the data on all the kiddies and hold it for ever in case any of them sue because of a thing so it can be used in defence of an action.

    Keep it all for ever in case someone sues. In breach of Data Protection rules which require retention to be “necessary and proportionate”.

    With this Redress Scheme the opposite seems to be happening: Shred focking everything in case we might be sued. Let’s ignore that shredding this data is not within the terms of reference of the Scheme. Let’s ignore that no reasonable effort has been made to arrange the return of records. Let’s create a situation where a room full of records can be whipped into the shredder so that if any of them were thinking of suing the State they won’t be able to.

    And in the middle of this we have the Data Protection Commissioner, whose office has told survivors that they are “looking into the matter”. Not that they will use their powers under the Data Protection Acts to order the proposed act of processing (i.e. the destruction) to be suspended pending a review given the tight timescale, but that they are looking at it.

    This is the same Data Protection Commissioner that the Department of Education believed had pre-approved the POD database. The same Data Protection Commissioner that has approved the publication of the name and home address of every naturalised citizen in the State without a clear purpose other than ‘the Aliens Act 1956 requires it’.  The same Data Protection Commissioner that the Department of Enterprise explicitly references as an agent of State policy in strategy documents.

    And the same Data Protection Commissioner that Digital Rights Ireland have initiated an action against the State over, regarding their apparent lack of the independence from the State that is required under the Charter of Fundamental Rights and EU Treaties.

    If it walks like a duck and quacks like a duck it is probably a duck. If it pulls the plug on the destruction of medical records provided to the State by women seeking redress for suffering, it might actually be a Regulator.

    They have until Monday to act to vindicate and uphold the rights of women whose rights have already been trampled enough.

    Anything else just sucks donkey balls.

  • Census and Data Protection

    My significant other has acted as an enumerator for the Irish Census of Population in the past, and has applied to do it again.

    Every census season, I see lots of ill-informed comment about the nature of the census, what the data can or will be used for, and who it will be shared with. This ill-informed comment actually highlights the importance of trust in government in the obtaining of personal data, something which the former Chairman of one of my company’s clients (a very large Government agency) was obsessed with – loss of trust was directly linked in their mind to a loss of their ability to conduct their agency’s primary function, which is a very important one.

    So, what is the legal position regarding data provided in the Census?

    1. Data that is obtained for a statistical purpose (i.e. obtained for a purpose under the Statistics Act 1993) is subject to a specific exemption under the Data Protection Acts 1988 and 2003.
    2. However, that exemption is justified largely by reason of the fact that it is prohibited under the Statistics Act 1993 to use the data obtained under that Act for any purpose other than “statistical compilation and analysis purposes” (section 32), and that to disclose data obtained under the Statistics Act which may be related to an identifiable individual without their consent (or the consent of their representative if they are deceased) is an offence under Section 33, except under specific circumstances, pretty much all of which relate to the operation of the function of the Central Statistics Office.
      • For the purposes of prosecuting an offence under the Act (you need to be able to identify the records that were the subject of the offence to prosecute the offence, so s33(1)(a) allows for them to be disclosed for that purpose)
      • For the purposes of actually doing the statistical analysis functions of “officers of statistics” so that data can be aggregated and reported on (you need to have access to raw data to do the analysis and aggregation, so this is an obvious use of the data that has a very clear statistical basis)
      • For processing data for the purposes of the CSO in a form and manner governed by a contract in writing. This covers the use of 3rd party analysis tools or services or data enrichment, but ONLY for the purposes of the CSO, which is ONLY concerned with the publication of AGGREGATED statistical analysis.
    3. These restrictions do not apply to census data over 100 years old. However, the Data Protection Acts would still apply to data relating to any living individual in that data. Statistically, that is currently a small population and reasonably easy to check, and with a low probability of impact on fundamental rights for any disclosure. But as the life span of the population increases, this would need to be kept under review.
    4. It is arguable that, should the CSO provide raw data to other government Departments for matching against their databases to append data for the CSO’s purposes, the recent CJEU ruling in Bara would require them to disclose the fact of providing data to such Departments, but the Statistics Act 1993 would prevent those departments from making use of the CSO data for their own purposes (but this would likely need to be flagged by the “other side” of such a data enrichment process along the lines of “We get data from CSO and append information to it for statistical purposes but do not retain any CSO data at any time”).
    5. Regarding the actual census forms themselves, there is a very clear requirement under Section 42 of the Statistics Act 1993 that any records held by “officers of statistics” (which includes enumerators) be kept safe and secure “in such manner as to ensure that unauthorised persons will not have access thereto”, and that non-return of records constitutes an offence. Of course, the penalties on summary conviction (a prosecution taken by the Director General of the CSO, not the DPC) are pretty paltry (up to €1000 per offence), so might not be a sufficiently dissuasive penalty under the forthcoming General Data Protection Regulation.

    It’s important to note that breaches of data security or misuse of statistical data are prosecuted not by the DPC but by the Director General of the CSO. To my mind this is not ideal, but reflects the fact that the Data Protection Acts didn’t cover paper records in 1993 as this only became a function of the DPA under the 2003 Act (enacting the 1995 Directive). It does, however, make clear that there are offences, sanctions, and a prosecuting body for breaches of the 1993 Act.

    But of course, none of this will placate the tinfoil hat brigade who act on the default setting that any data you give to the Government is shared willy-nilly.  This highlights the importance of proactive data protection controls and data privacy considerations on the part of Government agencies and the legislature.

    While it is tempting to build ‘databases o’ the people’, every instance of non-transparent and inadequately controlled sharing of data creates a threat to trust. When trust expires, key data simply becomes unavailable or unreliable as people cease to provide it or provide misleading information (which is an offence under the Statistics Act). Trust is fragile and ‘mushroom management’ approaches and “bit of an oul’ law” fig leaves are no longer sustainable when the tinfoil hat can be a fashion trend before the facts and truth of a process have their boots on (to mangle Churchill).

    So: Census data is very strongly protected (albeit with sanctions that could and should be higher), and it is census data that underpins the priorities in government strategy, investment, and expenditure. It’s important for people to fill out the census accurately so that accurate data drives appropriate strategic decisions in Government.

    However, Government needs to realise the impact that damaged trust in public sector data management and respect for data protection has on the willingness of people to trust the government with large amounts of data in the form of a census. From POD to Health Identifiers to Irish Water there is a litany of error and misstep. Trust is fragile. Government needs to learn how not to step on it, or get used to tinfoil hat fashion shows and policy decisions grounded on statistical quicksand.

    One route to restoring trust would be for our independent Data Protection regulator to regulate independently and take decisive action against public sector organisations that breach the Data Protection Acts. Enforcing the law is a key step towards ensuring that people trust the law will be enforced.

     

     

  • Farewell Caspar

    Over the course of my career I’ve been lucky to meet and become friends with many of the pioneers in the fields of Information Quality, Data Governance, and Data Protection.  I have been doubly fortunate that some of these people have also become mentors – helping me to figure out what I wanted to do, and more importantly what I stood for, in the world of Information Management.

    I had hoped one day to make the same connection with Caspar Bowden. Sadly that will not be possible now. This saddens me.

    However, over the past few years, Twitter has allowed me some level of contact with Caspar. It was often affirming to see him retweet one of my rants or rambles, or engage with me to clarify some point I was making or question I was raising. At times it felt like I was getting a gold star from teacher… “10/10 for effort… keep paying attention to the details”.

    I have no doubt that, had we met, we’d probably have wound up arguing about something. I’m sure it would have been an argument I’d have lost. But it would have been fun (and educational) to have argued.

    The world has lost a true pioneer, a prophet of the dark consequences of unfettered digital privacy invasion, and a staunch advocate for finding better ways to do things.

    It is never easy to be an advocate swimming against the tide, as Caspar often seemed to be.  However, sometimes the fight is worth fighting so that the pendulum finds a balance between rights, duties, and obligations in society, and so that people become more aware of the erosion of their privacy rights through legislative or technological changes.

    So, if anyone in Ireland wants to remember Caspar Bowden, I can think of no better way than donating to Digital Rights Ireland or any of the other digital rights advocacy groups who fight the same fight that Caspar fought.

    He may be gone but his spirit, and the fight, remain.

     

  • Data Protection Rake: WHACK!!

    [Image: Sideshow Bob walking on rakes]

    So, the Minister for Education is fighting a rear-guard action to justify the method of execution of the Primary Online Database. Get ready for the rakes.

    Correctly, she is stressing the need for a means to track education outcomes as children move from primary to secondary education, where there is a drop-out rate which is rightly concerning. It’s been concerning since 2006 when Barnardos highlighted the mystery of what was happening to the 1000 children a year who didn’t progress from primary to secondary education.

    She has stated that the Data Protection Commissioner has been consulted “and that office is satisfied with what we are doing”. The Data Protection Commissioner has commented that the Department has presented “a legitimate and proportionate purpose for requesting to be provided with the data it is seeking”. Now… that’s not the same thing as being “satisfied with what we are doing” as the Minister has said. It also depends very much on what purpose was communicated to the Office of the Data Protection Commissioner in 2013.

    Even in an ideal world scope creep occurs, particularly when the objective for processing the data seems to be a bit confused. Is it for purely statistical purposes (which is implicit in the statements that the data would only be accessed by a small number of people in the statistics unit of the Department of Education), or is it for more day-to-day operational decision making purposes (which is implicit in comments made by the Minister that school funding could be at risk if data was not returned)? Those are two different categories of purpose.

    [Whack]

    But what about the DPC’s position?

    The Data Protection Commissioner’s statement to the Irish Times actually limits its comment to the legitimacy and proportionality of the purpose that the Department may have for seeking to process this data. That purpose: ensuring children move from Primary to Secondary education, ensuring that the State has data available to help identify any trends in drop-out rates, ensuring that limited resources are deployed as efficiently as possible to ensure equality of access to education (here’s a link to some more stuff from Barnardo’s on that), and supporting children in getting the best education outcomes possible.

    Legitimacy and proportionality are linked to the purpose for which the data is being obtained. And the need to ensure that data is “Obtained fairly and processed for a specified and lawful purpose” is just the first two of eight Data Protection principles. So what is the purpose the DPC was told about? Are there new purposes?

    So, when the Minister comments on the retention of data about primary school children until they are 30 years old, and says that

    “I did say I would examine it but it looks to me that up to the 30th birthday is probably appropriate and it satisfies the Data Commissioner as well which is obviously very important,”

    it is really important to ask: What is the purpose for which this long a retention period is required?

    [Whack]

    It’s actually more than that: it’s essential that the Minister is able to say categorically what the purpose is for this retention and why a 25 to 26 year retention period for personal and sensitive personal data is required (“probably appropriate” is not the test… “retention for no longer than is necessary for the purpose for which the data is being processed” is the test under the Data Protection Acts. It is also important to assess whether the purpose and requirement can be met by less personally identifying data: would anonymised or pseudonymised data support the objective? If yes, then it ceases to be necessary to hold the raw data, so it is no longer “probably appropriate”).

    [Whack]

    So… what is the specific purpose for which a retention period of “until 30th birthday” is required? State it. Assess it. Compare against other alternative methods. And then make a clear decision based on the Privacy impact and the necessity and proportionality of the processing. “Probably appropriate” is not a form of words that fills me with confidence. “Assessed to be necessary and proportionate against other options, which were rejected because of X, Y, Z reasons” would be more illustrative and evidential of a proper Privacy Impact Assessment and Privacy by Design thinking at work.

    [Whack]

    For other purposes it might not be appropriate to allow access to the identifiable data even 90 seconds after it is recorded. Those purposes need to be identified and appropriate governance and controls defined and put in place to ensure only appropriate data is disclosed that is adequate, relevant, and not excessive to the purpose for which it is being processed. And that purpose needs to be consistent with and not incompatible with the purpose. The Data Protection Commissioner doesn’t appear to have actually commented on that. So the standard protocol of clear statutory basis and an appropriate system of Governance still needs to be considered and put in place for any sharing of data or subsequent use of data to be compliant with the Data Protection Acts (and, just in case we forget, Article 8 of the EU Charter of Fundamental Rights).

    [Whack]

    Disturbingly, the Minister seems to imply that it is irrelevant if parents provide their PPSN to the Department or not as they will be able to obtain that data from the Department of Social Protection. It is true that name, address, date of birth and mother’s maiden name can be used to validate a PPSN. However, I would question the basis under which the passing of that data to obtain the PPSN would be valid, given that the Dept of Education’s registration with Client Identity Services in the DSP seems to presume the Department has the PPSN it needs. The rent has been paid up on the battlefield it appears, and there is no going back.

    [Whack. Whack]

    (Name, address, date of birth, and mother’s maiden name could form a composite key to identify a child uniquely on the database where no PPSN is available. In which case, what is the purpose for the PPSN?)

    [Whack]

    What does the Minister’s statement mean?

    In my opinion, the Minister’s statement means that the Department are misunderstanding the role of the Data Protection Commissioner and what it means for the DPC to give an opinion on the appropriateness of processing. The DPC will determine if there is risk of non-compliance with a proposed purpose for processing and will give guidance and feedback based on the information that is provided to them.

    If that information is incomplete, or doesn’t match the final implementation of a system, then the DPC can (and does) change their position. It’s also not the role of the DPC to correct the homework of a Government Department, and the new Commissioner Helen Dixon has made that exceptionally clear to Public sector representatives in at least two forums since November. Her role is to enforce the legislation and support the protection of fundamental data privacy rights of individuals and to be independent of Government (that’s a Treaty obligation by the way since 2009… and towards the end of his term Billy Hawkes the former Commissioner exercised that independence by, for example, prosecuting the Minister for Justice).

    It also means that the Minister is at risk of having to dig herself out of an entrenched position. The road to heck is paved with good intentions. This scheme (and all the other education outcome tracking databases that the Department has) are all valid and valuable as part of a coherent information strategy for the design and implementation of education services and delivery of education outcomes in Ireland. But the design and execution of the systems of processing (not just the technology systems but the wider scheme of stakeholder engagement, controls, governance, and impact assessments) is leaving a lot to be desired.

    It means, unfortunately, that rather than display their homework around Privacy Impact Assessment, Governance controls, and Privacy by Design, the Minister and her Department are reacting exactly as I described in yesterday’s blog post:

    Data Protection Expert: I think this raises significant issues and may be illegal

    Government Representative: It’s too late. I’ve already paid a month’s rent on the PR agency project.

    So far the report card reads:

    • Intention: 10/10
    • Effort: 4/10
    • Execution: 2/10 (and negative marking applies here).

    “Trust us, we’re the Government” doesn’t work any more because the Government has failed spectacularly to build and engender trust on previous data gathering and data sharing initiatives. So, laudable as the goals are, there was already a mountain to climb to put this data gathering inside the “circle of trust”.

    My €0.02

    Having reviewed a range of documentation around the Primary Online Database (including the specifications for the drop down fields in the database), I have the following observations:

    1. The project has mis-identified as “non-sensitive” data a range of questions which are capturing sensitive personal data about medical or psychological assessments.
    2. The system has a notes field which currently can be accessed by users of the system in the Department. It is proposed that access will be restricted to just schools, but in reality that means that the data is still being stored on a system designed and controlled by the Department, and it would be accessible by anyone with administrator access to the underlying database.
    3. The communication of purpose for processing, and the explanation of the retention period, is bordering on the unintelligible to me. And I read and write those kinds of things for a living. I teach this stuff to lawyers. The defence that “it’s based on the Department circular” is not a defence. The requirement under the Data Protection Acts is that data be fairly obtained for a specified purpose. That requires that the statement of purpose be comprehensible (I advise clients to apply adult literacy standards to their text and aim for a reading age of 12 to 15). If the circular is incomprehensible, write a ‘friendly version’ or get the Circular redone.
    4. The project has gone to the wrong source for the data. The schools do not have a lot of this data, and even then they have obtained it for a different specified purpose. Schools guessing at ethnicity or religion or other aspects of the data being gathered makes little sense and creates an admin burden for the schools. The 50% response rate in the pilot project should have been a warning that the execution method was not appropriate.
    5. The use of “local” versions of the questionnaire by schools (where schools have modified the Department’s form and sent it out to parents) means that the Department (as Data Controller) has lost control of the statement of and explanation of purposes and processing. That means that no assumptions can be made now about what parents understood they were agreeing to because the ‘official’ form of communication may not have been used.
    6. There is no clear justification for a retention period of raw, identifiable, data until a child’s 30th year.
    7. The stance adopted by the Minister is not good. In the face of valid criticism she has adopted an entrenched position, clutching to the DPC as a shield rather than a fig leaf. Given the narrative arc in the Irish Water debacle that is, as Sir Humphrey Appleby would say, “Courageous Minister, very courageous”. (Data relating to children, “all cleared by the DPC”, challenge in public by knowledgeable experts, public disquiet, “DPC said it was OK”, immediate reverse ferret after a reshuffle… [we are at stage 3 now].)

    Pausing, then assessing and defining an appropriate strategy for strategic use of data in education for statistical planning and centralisation of operational data, combined with an appropriate Privacy Impact Assessment that takes into account recent rulings on necessity and proportionality by the CJEU, would be advisable at this time.

    Anything else is simply courageous, Minister.

  • Irish Water and PPSN data

    This morning the Irish Times has a story about Irish Water, landlords, tenants, and PPSNs.

    The article tells us that:

    Bills are to be issued quarterly, but as Irish Water will have the tenant’s PPS number, the utility firm will be able to pursue the tenant for any arrears and even apply any arrears to new accounts, when the tenant moves to a new address.

    What this tells me as a data geek is:

    1. Irish Water has a purpose for PPSN data that goes beyond the purpose agreed with the DPC (the validation of allowances)
    2. They are using PPSN as a primary key to identify people linked to properties (which goes beyond the “validation of allowances” purpose agreed with the DPC)
    3. Irish Water have some mechanism to identify tenants versus landlords, otherwise they are retaining ALL PPSN details for a period of at least six years. (It may be the PRTB data they have access to under S26 of the Water Services Act 2013).
    4. The retention period for PPSN is likely to be 6 years from the date of the final bill issued, but only where there are arrears on the account. Therefore, retention will be a rolling period for PPSN as bills are issued. It will only crystallise at 6 years once a final bill issues.
    5. The tenant who fills out the Irish Water application will be responsible for any arrears, even if they only wash every second week while their flatmates operate a water park in the kitchen.
    6. Irish Water haven’t modeled scenarios correctly as not every tenant in a rented property will be registered on the Application form… only one. I refer back to point number 5.

    Let’s just remind ourselves of what Irish Water told the Data Protection Commissioner they were going to use PPSN data for. The quote below is from a letter sent by the Acting Data Protection Commissioner to Roisin Shortall TD that I blogged about last week.

    The collection of the PPSN for use by Irish Water in verifying occupants of a household is provided for in legislation. We are satisfied from this Office’s interactions with Irish Water that it is intended to use the PPSN for the sole purpose of confirming the qualification for a free water allowance of occupants of the household (including children) and in line with conditions set down for its use by the Department of Social Protection. However, we are in agreement that the Data Protection Notice published does not currently give sufficient clarity and detail in this regard and we are corresponding with Irish Water and providing our views on this.

    I’ve highlighted the relevant sentence. And the crucial word. So any use of or retention of PPSN for purposes other than validating allowances is potentially a breach of the Data Protection Acts. Full Stop. End of story. Move along.

    [It also means that they can’t validate the rest of the data – only the entitlement. So they can verify that the PPSN of Joe Blow is valid, and that the PPSN data provided for Joe’s 623 children is valid and that those 623 children exist and are resident in the jurisdiction. No more. So they cannot legally “enrich” their data from the DSP’s data sets (despite what some people are stating might be the case). Of course, this is a perfect reason why the Water Allowance for Children, which is payable only to children in receipt of Child Benefit, would have been better paid as an allowance from the DSP, as I’ve blogged about already.]

    Are Irish Water making this up as they go along? If so, this crisis of communication around a critical issue of Regulatory compliance could be a lot worse under the surface. For example, has Irish Water modeled their data and processes to allow for customer life events (births, deaths, marriages, divorces, people moving in, people moving out)? Not doing that will lead to data quality and data protection headaches down the line. If those scenarios are not catered for in their processes, bills will be wrong. Designing for Privacy means considering data and its processing, which means you begin to look at how the organisation knows or can know important facts about things it needs to know. Lurching around like a drunken uncle at a country wedding does not suggest good design for processes, data, or privacy.

    At an upcoming conference on the 7th of November I’ll be talking about Data Protection, Data Governance, and Privacy by Design. The other delegates include some of the world’s leading experts on Data Governance, Information Strategy, and Data Quality. It’s a pretty darn good conference.

    Irish Water might want to send some people so they can learn from the other delegates and me about Data Protection, Data Modelling, and Data Governance.

    [Update: This status update has appeared via the @IrishWater twitter account which seems to suggest the Irish Times had it wrong:

    Because Irish Water can’t be wrong can they? Left hand needs to communicate with right hand and then talk to their customers!]

  • Irish Water and the DPC’s letter and what it means

    [This is a repost of a post I wrote on the 24th of September. Some people said they had difficulty accessing it so I am reposting it. I’ve updated it with links to other relevant posts that I’ve made since then. They are included in-line]

    This evening [24th Sept] the Data Protection Commissioner has contacted Irish Water in relation to their processing of personal data. Deputy Roisin Shortall TD has published a response from the Commissioner’s office on her website to questions she has raised. The response reads as outlined below. I’ve annotated it with an explanation of the key issues raised. Key sentences are highlighted:

    Dear Deputy Shortall,

    I have been asked by the Commissioner Helen Dixon to respond to you on her behalf.

    Thank you for your query in relation to concerns you are hearing about Irish Water’s proposed collection and use of personal data. This Office is concerned to ensure there is clarity on these matters for the 2.2 million prospective customers of Irish Water. Clearly, the obligations under the Data Protection Acts in this regard fall directly on Irish Water as the Data Controller in terms of ensuring they are collecting data in a lawful way and using it for a legitimate stated purpose which they make clear to users of their service. Notwithstanding the obligation on Irish Water, this Office is in on-going contact with them in an effort to ensure they take on board our best-practice advice in this regard.

    [This paragraph confirms that Irish Water is the Data Controller and is subject to the Data Protection Acts.

    One of the fundamental principles of Data Protection under the Acts and the EU Directive is that data should be processed for a specified and lawful purpose. There is a requirement on Data Controllers to be clear with people about what uses their data will be put to. It is Irish Water’s job to make sure that that clarity is there.

    “The DPC is in on-going contact in an effort to ensure they take on board our best-practice advice” basically means that Irish Water has not done things the DPC might have expected and they are engaging with them to try and fix the situation. Under the Data Protection Acts the DPC must always seek an amicable resolution in the first instance. That usually involves a lot of “on-going contact” with organisations that have not quite got what is required of them.

    If the DPC is in “on-going contact” with you to give “best practice advice” you are NOT compliant, you are engaged in an amicable resolution process with the DPC. The only distinction is that the DPC has not yet made a decision that you are not compliant. If an Enforcement Notice issues at all in this instance it will be interesting to see what happens.

    Update: As Irish Water is subject to the Data Protection Acts, the apparent absence of an operational “movers/leavers” policy for people changing address is a problem. I explain why here. The summary being that one of the obligations under the DPA is to keep data accurate and up-to-date, in the context of the purposes for which it is being processed.]

    The collection of the PPSN for use by Irish Water in verifying occupants of a household is provided for in legislation. We are satisfied from this Office’s interactions with Irish Water that it is intended to use the PPSN for the sole purpose of confirming the qualification for a free water allowance of occupants of the household (including children) and in line with conditions set down for its use by the Department of Social Protection. However, we are in agreement that the Data Protection Notice published does not currently give sufficient clarity and detail in this regard and we are corresponding with Irish Water and providing our views on this.

    [This paragraph confirms that there is a statutory basis for Irish Water to ask for PPSNs. It sets out that Irish Water has told the DPC that the SOLE purpose for processing PPSN is to confirm the qualification for free water allowances.

    The bit in bold is interesting. The DPC are “giving their views” on the clarity of the Data Protection notice (which is also referred to as a “fair processing notice” in Data Protection-speak) because they are of the view that the notice as published doesn’t give sufficient clarity. Not having sufficient clarity means that the Data Protection notice fails a basic test: that of being specific as to the purpose or purposes of processing. That is a breach of the Data Protection Acts, but is not, in and of itself an offence under the Acts for a host of technical reasons that hurt my head to explain.

    Again, if the DPC is contacting you to “provide views” on something, you are not compliant. The DPC does not tend to write letters telling you you’re brilliant and should have a gold star. Correspondence providing views is part of the investigation/amicable resolution process that the DPC is required under the Acts to follow. If an organisation is compliant the DPC wastes neither stamp, nor electron, nor oxygen molecule engaging in “correspondence” – the exception being where an organisation is audited or investigated and good practices are found to be in place. In that case you might get a mention in the Annual Report.

    I suspect Irish Water may get a mention but not for the right reasons.

    Also, the DPC does not specifically mention the question of the retention period or purposes for retention of PPSNs. I would assume that that topic would form part of the discussion as, if there is no purpose beyond the initial validation of allowances there is no lawful purpose for Irish Water to retain PPSNs.

    Again, the issue of clarity was the very topic I picked up on when I wrote my first blog post about the Data Protection Notice 18 days ago. It’s reassuring to see that the Data Protection Commissioner shares the concerns I raised.

    Update: Today, on foot of an Irish Times article, I wrote this post which points out that Irish Water are citing a purpose for retaining PPSNs that gives a retention period of at least 6 years. And it is not a purpose that is related to the validation of entitlements to allowances.]

    The issue of disclosure of personal data to third parties inevitably arises in the case of Irish Water where they are already using contractors to fit water meters and for other outsourced functions. This Office has asked Irish Water to be transparent in terms of making clear the categories of the data processors to whom they are providing the data and for what purpose and to provide contact details in the event that a customer wishes to raise a data protection concern. We are currently following up with Irish Water on this matter.

    [Again, the question of clarity and transparency raises its head here. The Office of the Data Protection Commissioner correctly recognises that there are times when third parties are used to do things for a company. Contractors are the third party in question. Third parties, doing work for Irish Water, under contract. These are known as Data Processors.

    The DPC here is requiring Irish Water to be transparent about the CATEGORIES of data processor they will disclose data to, for what purpose, and to give contact details if there is a Data Protection concern. Normally, the Data Controller is the entity concerns are raised to and they use their contract (for the love of spuds let Irish Water have proper data processor agreements in place) to address the issue with the Data Processor via a right of audit or inspection (as is actually required under the Data Protection Acts). If the DPC is now requiring contact details to be provided for Data Processors as well, I can’t see how that fits with only identifying categories, but would be happy to help figure it out. 

    Interestingly, the DPC seems to be going beyond what I’d included in my mockup “alternative universe” version of the Data Protection Notice. I’ll be taking note of that and advising clients accordingly.

    Also, the requirement to specify “categories” of recipients of data differs slightly but significantly from their Direct Marketing guidance in relation to providing marketing lists to or conducting marketing on behalf of third parties, which currently requires the SPECIFIC organisations data will be shared with to be disclosed at the time of data capture. If that requirement was intended to be specific categories as well, it makes a lot more sense and the current wording needs to be revisited to correct what appears might be a transcription error.

    Again, the DPC is “following up with Irish Water on this matter”. An organisation that is compliant with the requirements of the Acts does not require the DPC to “follow up”, and yet again the DPC is following up on issues of transparency, clarity, communication, and (in essence) customer focus. All of which were issues that I raised nearly 3 weeks ago.]

    Equally, Irish Water as part of their business model may use outsourced service providers outside of the EEA. We are not aware that this is currently part of their actual business plan but it would appear to be the case that they wish to ensure this eventuality is covered in their Data Protection Notice. Again, we have asked them to be more explicitly clear in the notice in relation to how they would protect the data and to identify where possible what type of data and for what purpose a transfer would occur.

    [This paragraph means that the DPC agrees that the use of outsourced data processors outside the EEA is something Irish Water MAY do in the future. This is very common. High street supermarkets use software development teams in India, telephone companies use database administrators in other countries, many SMEs use tools and technologies that have their data sitting outside the EEA. It’s a common thing. Irish Water include it in their Data Protection notice as a future proofing element.

    I note with interest that the DPC is asking for Irish Water to more explicitly state what type of data and for what purpose the data would be transferred outside the EEA. This is essentially the same question I asked in my original blog post when I wrote:

    “Question: Is Irish Water planning to outsource call centre operations to India? Also: What countries are they intending to transfer data to, and under what controls?”

    The DPC’s request for Irish Water to provide more information about how they would protect the data is essentially the same as my query about “under what controls”.

    Again, if the DPC is asking you to be more explicit in how you are communicating things, then that means you are not compliant and are in the “amicable resolution zone” where the DPC talks gently to you to encourage more compliant behaviours. That’s a good thing if it is happening during planning and design of a system or process, but is a horrendously bad thing to have happen when you are up and running with your processing. At any point the gentle communication could develop teeth and you might be instructed to do something by way of an enforcement notice. The DPC is empowered to block any data transfer outside the EEA using a Prohibition Order under Section 11 of the Data Protection Acts.]

    I hope this information is of use to you. We do understand the urgency of the matter in light of the obligation on customers to return application forms to Irish Water and we are communicating our views in relation to this urgency to Irish Water.

    Yours sincerely, John O’Dwyer Deputy Data Protection Commissioner

    The DPC does not address in this communication the question of whether Irish Water’s approach to marketing consents is valid (I believe it is not). I’d expect that correspondence is on-going in relation to that aspect at the moment as well. And while Irish Water may wish to insist they are compliant in that regard, I beg to differ.

    I suspect this particular well has not yet run dry.

  • Roll Up, Roll Up – see the amazing psychic dog! (minor update)

    Roll up Roll Up, meet the new DPC! (says Irish Times)

    Every so often I read things in the newspaper that make me go “Yay!”. More frequently I read things that make me go “Boo!”. Today, as with other days, I read something that made me go “WHAT THE F….?!?!”.

    Over the past few weeks the Irish Times has done a bang up job breaking some excellent stories about Data Protection issues in Ireland. Karlin Lillington, Elaine Edwards, and others have sought to “Tell the Story of Why” and push past the usual soundbites and bullshit gloss that usually passes for data-related journalism in Ireland.

    One great example of this was the work done on a story about how the Dept of Arts Heritage and the Gaeltacht had erred in exposing data on living people (whose data privacy rights are protected under the Data Protection Acts and the Treaty for the Formation of the European Union, as well as the Irish Constitution – and if you want a potted guide to all of that Gerard Hogan gives a great summary here) on the IrishGenealogy.ie website. This was despite having had consultation with the Office of the Data Protection Commissioner and having had guidance on what was and was not acceptable from a Data Protection perspective.

    The various pieces written by Elaine Edwards were detailed, explained the core of the issues well, and generally added to the quality of discourse.

    On the 23rd of July, in their Online edition, the Irish Times ran this piece of utter nonsense dressed up as journalism. It’s such a poorly researched and written piece that I can understand why the author felt it best to leave their name off the byline [update- unfair to author, it was a leader piece, but if so my comments below are even more relevant – /update].

    It is true that the DPC raised an issue regarding a property price register. The issue was that the sharing of data between different entities that would be required to create such a register, while of interest to the public, lacked a legislative basis and therefore risked breaching the Data Protection Acts. Legislation was passed two years ago that provided the “air cover” for the sharing of data to build a property register and lo and behold there is a property price register in place now, linked to the LPT process.

    Comparisons between Irish law and UK law are often as valid as comparing an apple and orange, and complaining about the bitterness of the orange skin as you try to bite into it, on the basis that they are both fruit.

    But the doozy in this article for me is the challenge to the DPC as to why they didn’t spot that the Dept of Arts Heritage and the Gaeltacht were in breach of the Data Protection Acts for a year. The anonymous author of this article asserts that the DPC’s job is to ensure compliance with the Data Protection Acts.

    Actually no. That is not their job. To make the Regulator responsible for ensuring compliance breaches a number of concepts in Governance, such as segregation of duties.

    Their job is to enforce the Act, to provide advice on how to not be non-compliant (which they did in this case), and investigate and prosecute offences under the legislation (albeit with a role in relation to education and awareness building as well).

    The responsibility for ensuring compliance rests with the Data Controller doing the processing, in this case the Dept of Arts, Heritage and the Gaeltacht, who were non-compliant because they did the very thing they were told not to do by the DPC. Responsibility for ensuring compliance rests with the IT project team who developed interfaces that shared too much data, the testers who didn’t spot it, and the Data Controller in the Dept who didn’t double check that the business rules were followed.

    The DPC’s job is to hold the Data Controller ACCOUNTABLE.

    The bizarre logic of the writer of the article simply makes no sense. Are the Gardai responsible for ensuring compliance with the Road Traffic Acts? No. Their job is the detection of, investigation of, and prosecution of offences. Just like the DPC in this context – when the Office was made aware of a possible breach of the Acts, they investigated and took action immediately. (Ensuring compliance with the Road Traffic Acts is the responsibility of the road user).

    For all the sense that is in the article, the anonymous scribe [update-anonymous as it is a leader piece-/update] might as well have advocated that the soon to depart Mr Hawkes be replaced with a Psychic Dog who would detect all the potential future crimes, just like Tom Cruise in Minority Report.

    Lazy, sloppy, and brain numbingly dumb hackery dressed up as journalism, an article of this low quality has no place in a paper of merit such as the Irish Times.

    Good, informed, and informative journalism on Data protection issues must be encouraged however.

  • Stand up for Digital Rights, Ireland.

    In the Western world our rights are under attack. In the UK for example the policy of the Tory party is to abolish the Human Rights Act (http://www.bbc.co.uk/news/uk-politics-21726612). In the fast changing world of data and information private companies and governments alike go to great lengths to peer inside our digital lives in a manner often disproportionate to or ineffective for the stated purposes of ‘national security’ or copyright enforcement. The revelations over the summer from Edward Snowden, and a variety of other stories relating to the use, misuse, and abuse of our private personal data by companies and governments alike have resulted in Dictionary.com making “Privacy” its Word of the Year for 2013 (http://blog.dictionary.com/privacy/).

    Last year saw the Irish Government, in its presidency of the European Union, preside over a significant watering down of rights and protections for individual data privacy in the proposed EU Data Protection Regulation. This regulation was subject to 4000 proposed amendments and one of the most intrusive lobbying campaigns by organisations seeking to reduce the protections over personal data privacy afforded to EU citizens. But last year also saw Digital Rights Ireland punch significantly above its weight on the European stage, with their appeal to the ECJ on the retention of telephone, sms, and internet usage data by telecoms companies on behalf of governments – precisely the same information that was at the centre of Snowden’s PRISM disclosures.

    Digital Rights Ireland plays a valuable role in the evolution of our personal digital rights, particularly as we struggle to define where we must draw the line between an Information Economy, where the users of services are the means of production, and an Information Society, where powerful tools for communication and interaction allow us to engage, but also to wear a mask or withdraw to our personal fortresses of solitude where we can define and redevelop our sense of self as people. Not as products.

    However, DRI had one setback in 2013 which puts at risk their ability to stand up for our rights, your rights, in an Information Society. They were on the losing side in litigation about copyright issues. Their role in the case was to be a counterpoint voice for the people and to bring additional information and perspective to the Court. The impact: the music industry looked for costs of the guts of €30,000 against DRI for one day in Court. This was reduced to €13,000 on appeal to the Taxing Master. No other party to the case is seeking costs against DRI.

    The risk now is that DRI might be liquidated by the music industry representatives. For standing up and suggesting alternative solutions might be needed, for pointing out how web filtering is easily circumvented, and basically being a devil’s advocate on the side of the individuals who make up our society.

    Money must be found. DRI runs on a shoestring, favours, and jellybabies. There is no salary for its directors, no top-ups, no big dinners or extravagant radio adverts. Just people who care and give up time from their day jobs to provide a voice for Digital Rights. That voice will fall silent if they cannot raise the €13,000 needed as soon as possible.

    It is time to stand up for Digital Rights, Ireland. Rather than buying a data-slurping tablet in the sales, or downloading another privacy-invading smartphone app/tracking device, go to www.digitalrights.ie and check out what they do for you. Then go here (http://www.digitalrights.ie/support-us-in-2014/) to learn more about their problem. Then go here (http://www.digitalrights.ie/support/) to donate, either a once-off payment or a recurring donation.

    And if you don’t, you risk waking up one day as just another unit of production in an Orwellian dystopia.