The DOBlog

Category: Ethics & Law of Information

A category dealing with the ethics and legalities of the management of Information and Information Quality.

  • Newspaper Licensing Ireland– some thoughts

    This post is about the website of Newspaper Licensing Ireland, who have recently written to a non-profit organisation whose aims I wholeheartedly support, seeking license fees for linking to newspaper content published on the internet by the newspaper publishers. McGarr Solicitors, who are acting for Women’s Aid, have published a detailed analysis of the situation and the questions raised on their website, which I link to in the confidence that the McGarrs won’t come looking for a pound of flesh in return.Sticky buns perhaps, but nothing worse.

    I will ignore the fact that this action seems to be in ignorance of the way the Internet works, particularly with regard to search engine optimisation and page ranking where relevance and significance of content, and hence it’s positioning in Google searches and the value of the real-estate for on-line advertising purposes. I’ll ignore how the use of links simply tells people to “look over here – I found this interesting, so you might to”. I’ll ignore the fact that links are effectively the footnotes on the Interweb that tell people where your source was for a thing. 

    (But if you do want to actually understand this aspect, the Wikipedia entry on Search Engine Optimisation has a reference to the Google PageRank algorithm and how it works (at a high level). And Dr. Cathal Gurrin in Dublin City University did his Doctoral thesis on the topic.And I’m sure someone somewhere has done an economic analysis of link density [the number of inbound links to a site] but I can’t be bothered to look for it tonight.)

    What I will talk about here is the fact that, when I went to the NewsPaper Licensing Ireland site (which I won’t link to… just in case) to see what the potential cost to an SME with 0-10 employees would be. I still don’t know the answer.

    I’d expected a form that would take certain inputs and churn them around to spit out a ball park figure. I’d expected to see something that would relate the license cost to, for example, the average hits or distinct site visits on the SME company site per month (to make the cost meaningful as those stats are the foot fall of the Web).

    What I didn’t expect was to be asked for a contact name and the name of the company on that form. Company name I’m not to concerned about. But the contact name…

    …that’s personal data. Therefore under s2 of the Data Protection Acts it must be obtained for specified and lawful purpose and must be fairly obtained. So I went looking for a Privacy Statement (there was none). So I turned on my cookie checkers to see what was being written by the site to my device wot is connected to a public communications network (and therefore would be a cookie within the meaning of SI336 and as such would require consent unless necessary for the service I’m trying to avail of).

    My tools revealed that NLI are using Google Analytics on their site. In a manner which is in breach of the Terms and Conditions of use for Google Analytics which state very clearly in Section 8:

    8. PRIVACY

    8.1 You will not associate (or permit any third party to associate) any data gathered from Your Website(s) (or such third parties’ website(s)) with any personally identifying information from any source as part of Your use (or such third parties’ use) of the Service. You will comply with all applicable data protection and privacy laws relating to Your use of the Service and the collection of information from visitors to Your websites. You will have in place in a prominent position on your Website (and will comply with) an appropriate privacy policy. You will also use reasonable endeavours to bring to the attention of website users a statement which in all material respects is as follows:

    “This website uses Google Analytics, a web analytics service provided by Google, Inc. (“Google”).  Google Analytics uses “cookies”, which are text files placed on your computer, to help the website analyze how users use the site. The information generated by the cookie about your use of the website (including your IP address) will be transmitted to and stored by Google on servers in the United States . Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity for website operators and providing other services relating to website activity and internet usage.  Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google’s behalf. Google will not associate your IP address with any other data held by Google.  You may refuse the use of cookies by selecting the appropriate settings on your browser, however please note that if you do this you may not be able to use the full functionality of this website.  By using this website, you consent to the processing of data about you by Google in the manner and for the purposes set out above.”

    The emphasis in bold is mine. What Google requires is for people using GA to put in place a Privacy Statement but that that Privacy statement needs to clearly detail the use of Google Analytics, the fact of data transfer to the US, the purposes to which the data will be used etc.

    NLI have no such Privacy statement, and no such text, so no mechanism to confirm my consent to the cookies that are being written by Google Analytics.

    So, the site is operating in breach of SI336 and Google’s terms and conditions, and is effectively breaching contractual conditions governing the use of Google’s services and the fundamental right to Personal Data Privacy as enshrined in Article 16 of the Lisbon Treaty.

    All of which I’d never have considered looking at at all if they weren’t sending threatening letters to a charity that exists to help and protect women experiencing domestic violence.

  • New rules, Old roots, Old attitudes

    So, today the European Commission is announcing new rules for Data Protection and Privacy in the EU (and the EEA countries and those countries seeking accession to the EU). There is hype and hoopla about the rules and what they mean, particularly for organisations conducting business on-line, companies based outside the EU selling into the EU, standardisation of penalties, and realignment and consolidation of the Regulatory and Enforcement regime.

    Oh yeah, and it is being done by Regulation which means the rules will be the same across the EU.

    But at its heart the fundamental principles remain the same. Organisations who seek to process personal data of individuals need to make sure that the ‘deal’ is fair. After all, to paraphrase Commissioner Reding’s comments at the DLD conference in Munich earlier this week

    Personal information is the currency of the Information Age

    And as with all markets where items of value are traded, checks and balances need to be in place to ensure the asset is valued appropriately and treated with care. Hence the focus in the new Regulation on concepts such as Privacy by Design, ensuring appropriate training of staff, specific requirements re: organisational governance and internal controls and clarity of documentation about the meaning, purpose, and methods of use of personal data. There is an economic trade off required to obtain the thing that is of value. That trade off is good management of Personal Data through the life cycle of the Information Asset.

    As a Data Governance and Information Quality guy I’m glad to see that the legislators in my third area of passion have finally caught up with the need to ensure organisations have defined Quality Systems with defined decision rights and accountabilities over Information as an Asset.

    So, while many of the rules are new, their roots are old. Based on my reading of the version of the Regulation that was leaked just before Christmas revealed a Regulation with one foot in the camp of Fundamental Human Rights (and the trade offs that need to be made there for economic activity to take place) and the other firmly in the camp of Quality Management practices and principles, with a clear focus on creating a Constancy of Purpose in management towards the goal of striking a sensible balance and ensuring a fair deal in the processing of personal data.

    And that is where the problem begins.

    There is a window now for national governments and the European Parliament to make contributions to the Regulation. Many in national government and the EP will make sensible contributions that will evolve the framework and make it easier to implement in practice.

    However, in a month where one Government Minister acted in blissful ignorance of the Data Protection Acts one week, another flew a policy kite that would require an illegal extension in scope of the database being built by the first Minister, and where the unelected officials of the largest City Council in the country appear to be unable to point to the legitimate grounds on which they transferred the personal data of over 100,000 residents to a private company, I hold out little hope of sensible debate and dialogue from the Irish body politic.

    In a month where we greeted the year (for the second year in a row) with a story about poor planning of projects involving personal data (both under the stewardship of the same person) I hold out little hope of sensible engagement from the Irish body politic.

    And in a month where the reversal of a bad law to control copyright on the Internet (SOPA) after leading websites across the world “went dark” we find a Junior Minister of the Government, in the Department that is in charge of attracting and retaining exactly those companies who opposed the US law, seeking to implement a similar law by Statutory Instrument with no debate or discussion, even after the legal position and EU policy position has changed in relation to Internet blocking, and only the opinions of the dying industry this law would protect seem have been sought in advance, I hold out little hope for the Irish Body Politic not to make an arse of this.

    And as for the Irish media… with a few notable exceptions the absence of attention to Data Protection issues (except where it involves embarrassing a Government Minister and the copy can be lifted from this blog) is staggering. So yet again I hold out little hope of sensible engagement.

    Adapting to the new Data Protection landscape will require individuals to change their mind set. But I fear that the entrenched attitudes in the body Politic and the traditional media may be such that Ireland (the little nation that faced trade sanctions in 2003 for not implementing Directive 95/46/EC by 1998 as we were required to) will fail to step up to the plate and drive the change in thinking and attitude necessary to achieve sustainable and sustained change in Data Protection practices in Ireland.

    W. Edwards Deming wrote in his famous 14 Points for Transformation that it was essential for the transition that organisations “Institute Leadership”. I see precious little leadership in this area from our politicians and only dazzling pin-pricks of illumination from the main stream media. So I must keep my hope guarded in the face of the likely knee jerk reactions against the changes and the almost inevitable white noise of ignorance until the Regulation passes into law with a direct effect sometime in 2014.

    Prove me wrong. Please.

  • Lies, damned lies, and statistics

    On Monday the 16th January 2012 the Irish Examiner ran a story that purported to have found that 93% of the Irish public “decried” the decision of the Minister for Foreign Affairs to close Ireland’s embassy in the Vatican City State. The article detailed how they had undertaken a review of correspondence released under the Freedom Of Information Act which showed that 93% of people in Ireland were against the closure. To cap it off, the article was picked up in the Editorial as well.

    Except that that isn’t what they had uncovered. The setting out of the statistics they had found in the sensationalised way they presented them was a gross distortion of the facts. A distortion that would, to paraphrase Winston Churchill, “be half way around the world before the truth had its boots on”).

    Demotivational poster about data

    What they had uncovered is that of the 102 people who wrote in to the Minister for Foreign Affairs about the issue, 93% of them expressed a negative opinion about the closure. The population of Ireland is approximately 4.5 million people. 95 people is closer to 0.000021%. While I may not have the academic qualifications in Mathematical physics that my famous comedian namesake has but I know that 95 people (that’s 93% of 102) is slightly less than 93% of the Irish public

    Or, to put it another way, significantly and substantially below the statistical margin for error usually applied in political opinion research by professional research companies.

    Or to put it another way, over 99% of the population cared so little about the closure of the Vatican Embassy that they couldn’t be bothered expressing an opinion to the Minister.

    Of course, the fact is that there were letters written about this issue. And the people who wrote them were expressing their opinion. And 93% of them were against the closure.  In fact, in defending themselves on Twitter against an onslaught of people who spotted the primary school maths level of error in the misuse of statistics in the article, the Irish Examiner twitter account repeatedly states that (and I’m paraphrasing the actual tweets here slightly) “for clarification we did point out that the analysis was based on the letters and emails”. But it is inaccurate and incorrect to conflate the 93% of negative comment in those letters to the entire population as the sample size is not statistically valid or representative being

    1. Too small (for a statistically valid sample of the Irish public you would need between 384 and 666 people selected RANDOMLY, not from a biased population. That’s why RED C and others use sample sizes of around 1000 people at least for phone surveys etc
    2. Inherently biased. 93% of cranky people were very cranky is not a headline. The population set is skewed towards one end of the distribution curve of opinion you would likely find in the wider population.

    Then today we see a story in the Examiner about how Lucinda Creighton, a Junior Minister in the Dept of Foreign Affairs is backing a campaign to reopen the embassy because

    there’s a very strong, and important and sizeable amount of people who are disappointed with the decision and want to see it overturned and who clearly aren’t happy

    What? Like 93% of the Public Lucinda? Where is your data to show the size, strength, and importance of this group? Have you done a study? What was the sample size?

    As a benchmark reference for what is needed for an Opinion Poll to validly represent the opinions of the Irish Public, here’s what a reputable polling company says on their website:

    For all national population opinion polls RED C interview a random sample of 1,000+ adults aged 18+ by telephone. This sample size is the recognised sample required by polling organisations for ensuring accuracy on political voting intention surveys. The accuracy level is estimated to be approximately plus or minus 3 per cent on any given result at 95% confidence levels.

    Anything less than that is not statistically valid data and can’t be held out as representing the opinion of the entire public.

    As an Information Quality Certified Professional and an active member of the Information Quality Profession on an International level for nearly a decade I am ethically bound to cry “BULLSHIT!!” on inaccuracies and errors in  information and in how it is presented. The comments from Ms Creighton are a good example of what that is important in the Information Quality and wider Information Management profession. If bullshit analysis or analysis based on flawed or inherently poor quality data is relied upon to make strategic decisions then we invariably wind up with bullshit decisions and flawed actions.

    And that effects everything from conversation with family, chats in the pub, business investment decisions, political decision making, through to social policy. Data, Information, and Statistics are COOL and are powerful. They should be treated with respect. People publishing them should take time to understand them so that their readers won’t be mislead. And care should be taken in compiling them so that bias does not skew the results.

    So, having had no joy or actual engagement from the Irish Examiner on the issue I forwarded my complaint to the Press Ombudsman yesterday pointing out that the article would seem, based on the disconnect between the headline, the leading paragraph, and the general thrust of it, to be in breach of the Code of Practice of Press Council of Ireland.

    I just hope they can tell the difference between lies, damned lies, and fudged statistics. (This Yes Minister clip about Opinion Polls shows how even validly sampled ones can be biased by question format and structure in the survey design).

  • Household Charge Data Protection: Part 4 – The Circle of Trust

    Phil Hogan has stated on RTE news that the problems with the Privacy Statement have been fixed.

    They haven’t (and for record purposes I’ve taken a PDF copy of the current Privacy Statement to track future evolutions). The problem with not complying with Google’s Terms and Conditions has been fixed. The problems with:

    • Lack of clarity re: the Data Controller has not been addressed. While it is tempting to say that the Controller is Government, in practice there needs to be a single entity who is driving and directing the gathering and collation of the data. Who is the ‘controlling mind’? While this may be set out in legislation somewhere it is a requirement of the Data Protection Acts that it be brought into the light and made clear to people who they are providing their data to. Suggested wording might be:

    The Data Controller for the Household Charge is the Department of the Environment. The Department makes use of a number of Data Processors to help administer the charge, provide IT facilities and services to support this website, and to securely process payments made. These Data Processors include: The Local Government Management Agency (LGMA), the various Local Authorities, and Realex Payments.

    Under the legislation, the Department has delegated to Local Authorities the responsibility for the day-to-day administration and operation of the Household Charge such as issuing Certificates of Discharge etc and in that context Local Authorities will have access to your personal data for those administrative and customer service purposes.

    The LGMA is a shared services organisation providing administrative and back-office support to Local Authorities. In that context they will have access to and will process your personal data in order to provide support for website issues, to assist the Department and Local Authorities in the administration of the Household Charge through the analysis of data, production of reports, and provision of on-line customer support for this website.

    That took me all of 30 seconds to draft. It should be at the beginning of the Privacy Statement.

    • Lack of clarity around the purposes to which the data will be put. While the Privacy Statement as it stands is fairly specific (stating payment processing, issuing reminders of future liability, issuing receipts etc.) the media statements about potential future uses of the data and the data which is actually being obtained (see Elaine Edward’s article in the Irish Times today [scroll to bottom] which points out that the process asks for the type of water supply you have and type of property etc ) suggest either that there are other future purposes that have not been disclosed, or data is being captured which is not relevant or is excessive to the stated purposes.

    The primary purpose for which we are processing your information is to enable you to pay the Household Charge and to enable us to administer the Household Charge, as required under the relevant legislation, through the issuing of receipts, waiver notices, certificates of discharge, and the issuing of reminders for payment and notifications of liability in the future.

    We are also capturing data about you and your property in order to establish a higher quality database of Residential Properties in the State for the purposes of supporting the efficient, fair, and cost-effective roll out of future property or service related charges and to provide a key information resource to the Department and Local Authorities about the nature and make-up of the residential properties in the State to support the planning and delivery of services and facilities in the future in a more cost-effective manner.

    • Lack of clarity regarding the periods for which data will be retained still persists. While the purposes of the retention are required in the legislation, the retention of data indefinitely is not allowed under the Data Protection Acts. How long does data need to be retained to issue a Certificate of Discharge? Is the personal data being retained as a standing database of property owners? (again.. that would be a purpose that would have to be stated).

    In order to support the administration of the Household Charge and to permit the discharge of obligations under the legislation by Local Authorities and/or the Department, your personal data will be retained for the period of time you are the owner of a Residential property in the State. This will enable us to locate your records and issue receipts, Certificates of Discharge, reminder notifications, settlement of arrears on sale of property etc without having to require you to re-register for the Household Charge every year.

    Data relating to persons who cease to be the owners of Residential properties in the State who have no outstanding liability will be retained for two years from the date of sale to allow for the re-issuing of Certificates of Discharge etc. in that period.

    Data relating to persons who cease to be owners of Residential properties with arrears will be retained for six years to allow us to pursue outstanding amounts and for two years from the date of final discharge or settlement of any outstanding arrears.

    Again, this is just a brain dump of what might be in a more ‘fit-for-purpose’ Privacy Statement, but it highlights the need to have thought through the key purposes for which data will be used so you can figure out how long you need to hold it for. So long as there is a lawful purpose for the retention and that is flagged to the Data Subject the ‘deal’ between Controller and Subject is fair and balanced.

    • Disclosure to third parties. The Privacy Statement is silent on this. The media, and the Data Protection Commissioner, have rightly focussed on the proposals to suck data from Utility companies, but the disclosure of data is as important. The Privacy Statement needs to be clear about who data might be disclosed to by the Controller and the basis for that disclosure.

    Data provided as part of the Household Charge registration process may be disclosed to the Department of Social Protection or the Revenue Commissioners in order to support the administration of the Social Welfare system and the fair collection of other tax revenues. Such disclosures will be on the basis of specific requests arising from an investigation or as a result of legislative requirements currently in existence of which emerge in the future. All such disclosures of data will be undertaken in compliance with the Data Protection Acts and the minimum data necessary to achieve the purpose of the request will be disclosed. Where we believe there to be evidence of criminal activity or fraud data may be disclosed to the investigating authorities to support the detection and prosecution of any offences.

    Again, this is just a brain dump. But it again illustrates that by stopping and thinking BEFORE you rush to obtain data you can improve transparency and identify the controls and governance you would likely need to have in place before you start.

    • The Data Protection Acts suggest that a Fair Processing Notice/Privacy Statement include any other information that the Data Controller considers will make the processing more fair. The obtaining data from 3rd parties should, in my view, be bumped into the Privacy Statement as well in this context  to make it CLEAR to people that this is a potential power and the basis on which it would be used. At the risk of pre-empting the protocols that the Department and the Data Protection Commissioner are agreeing, one possible wording for such a section might be

    In order to investigate cases of non-payment of the Household Charge the Department or a Local Authority may, on a case by case basis, make a request to a Utility Company or other provider of services as specified by the Minister in the legislation for information about services provided to an address. This information will be sought for the purposes of identifying if the property is inhabited. Information which may be sought in this context would include the name of the account holder with the Utility company/service provider.

    I was disheartened yesterday to hear the Minister constantly fall back on the mantra that the information provided on the site would be secure. That is not the point I’ve been making, and that is not where the Data Protection Commissioner’s concerns lie.

    Security of Information (no offence to my friends in the InfoSec world) is just one of 8 Principles that needs to be complied with under the Acts, the Directive, and under our Lisbon Treaty obligations (Personal Data Privacy is a fundamental right of EU citizens).

    The other 7 require Data Controllers to stop and think about what they are doing, what information they need to do that, how long they will need to keep that information for, who might need to look at that information, and a whole host of other factors over and above whether the site uses SSL and whether the data is encrypted on the server and other technical and practical security concerns.

    It is even more disheartening when I see evidence of good work to try and ensure good security was designed in being undermined by a lack of focus on ensuring the other aspects required to balance the right to Privacy against the legitimate interests of the State were equally planned for and designed in.

    This approach of “Privacy by Design” is what builds and sustains a Circle of Trust between the Data Controller and the individual.

    In the case of the Household Charge that circle has been broken and will be difficult to restore.

    If I was Taoiseach Kenny I’d be commenting on Minister Hogan’s Report Card: “Must try harder”.

     

  • The Household Charge Data Protection Kerfuffle (Part 2)

    I don’t normally blog twice in day but I also don’t like to write 40000 word blog posts.

    So here is part 2 of the post I wrote earlier (with thanks to @brianhonan for pointing out some stuff on the twitterbox).

    Data Retention

    The Privacy Statement for HouseholdCharge.ie states that

    The Local Government (Household Charge) Act 2011 provides for the issuing of receipts and certificates of discharge, waiver and exemption on request. To enable a local authority meet these statutory requirements your data will be securely retained in the system.

    Great. That tells me the statutory basis for some of this processing. But it doesn’t tell me how long the data is actually going to be retained for. As VAT isn’t payable/chargeable on a tax the retention period that applies under the VAT acts wouldn’t apply, and in the context of Income tax Revenue require me to hold data, not the other way around (but they do hold data, and hold it quite securely).

    I would assume a receipt would issue as a matter of course (at which point, no need to retain data) , as would certificates of discharge (I assume). I’m not sure about the waivers and exemptions… I would have assumed that that was a seperate process where by you would register your grounds for waiver or exemption and be excluded. (Unless of course data has been disclosed to the LGMA by another department, e.g. DSP, either in bulk or on record by record basis that would allow them to perform look ups to verify eligibility for waivers or exemptions).

    So, I’m hard pushed to find a reason for retention longer than 12 months (and I’m basing that on the need to have the data to send a reminder in 11 months time). But the waivers and exemptions bit might give a reason for asking for the PPSN.. but not from everyone, just from those applying for a waiver or an exemption -anything else is still excessive processing for the purposes stated.

    Rolling up the Tinfoil Hat

    One element of comfort I find in the opacity of the Privacy Statement is that for all the elements it is missing that would add transparency, those that it has place some constraints on current and future uses.

    In my last post I pointed out at the only two purposes that they state that data is being processed for are processing payments and sending reminders. When we look at the Retention Period bit we find a few more (issuing receipts, Waivers and Exemptions).

    Which means there are a discrete set of stated specific purposes for which this data can be used. And no more.

    Therefore, to roll up the tin foil hat a little, fears that the Government might be building a property register on the sly can be allayed by the fact that any such use would not be lawful as it has not been spelled out as a purpose for the data you are providing.

  • Household Charge–A Data Protection kerfuffle in the making?

    It’s time for my annual “roll a data protection hand grenade under something” blog post. Every year I try to be topical. And I try to apply a similar approach to spotting risks and getting them on the table for discussion as I do when conducting Privacy Impact Assessments or Compliance reviews. Only I’m less formal here.

    This year my interest has been piqued by the new Household Charge which the government has introduced. Citizens are required to register for this tax at a specific website which is ostensibly (from the logo header) under the control of the Department of Environment Community and Local Government.

    But a number of things about this whole process wrankle with me from a Data Protection point of view. Let me be clear – I am not opposed per se to a property tax. I think however it should be fair and should reflect not just the value of property but the ability of the individual to pay. After all, in Ireland we have a generation of people living in properties that are worth a lot less than they were when purchased with people struggling to pay mortgages – increased charges are yet another burden that should be levied carefully.

    The website

    Cookies

    Looking at the website the first step is to check for compliance with SI336 (ePrivacy Directive) which requires that cookies can only be used with consent unless the cookies are necessary for the delivery of the information age service that the individual is seeking to avail of. Using the “View Cookies” add on in Firefox it is possible to see a listing of the cookies that a website is writing to your device.

    On the home page a set of cookies starting with “_utm” are being written. These are tracking cookies written by Google Analytics, the popular analytics tool used by millions of websites the world over.

    No mention is made in the Privacy Statement that accompanies the website about their use of Google Analytics [Update: The privacy statement was updated this afternoon to include the text referenced below… well done to who ever acted on that to fix it]. This is a breach of the Terms of Use of Google Analytics, which clearly states:

    8. PRIVACY

    8.1 You will not associate (or permit any third party to associate) any data gathered from Your Website(s) (or such third parties’ website(s)) with any personally identifying information from any source as part of Your use (or such third parties’ use) of the Service. You will comply with all applicable data protection and privacy laws relating to Your use of the Service and the collection of information from visitors to Your websites. You will have in place in a prominent position on your Website (and will comply with) an appropriate privacy policy. You will also use reasonable endeavours to bring to the attention of website users a statement which in all material respects is as follows:

    “This website uses Google Analytics, a web analytics service provided by Google, Inc. (“Google”).  Google Analytics uses “cookies”, which are text files placed on your computer, to help the website analyze how users use the site. The information generated by the cookie about your use of the website (including your IP address) will be transmitted to and stored by Google on servers in the United States . Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity for website operators and providing other services relating to website activity and internet usage.  Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google’s behalf. Google will not associate your IP address with any other data held by Google.  You may refuse the use of cookies by selecting the appropriate settings on your browser, however please note that if you do this you may not be able to use the full functionality of this website.  By using this website, you consent to the processing of data about you by Google in the manner and for the purposes set out above.”

    The emphasis in bold is mine. What Google requires is for people using GA to put in place a Privacy Statement but that that Privacy statement needs to clearly detail the use of Google Analytics, the fact of data transfer to the US, the purposes to which the data will be used etc.

    The Privacy Statement on HouseholdCharges.ie does not do this.

    Because the Privacy Statement on HouseholdCharges.ie doesn’t do this I would argue that, even on the first visit to the site, before you type anything, the site is operating in breach of SI336 as there is no means by which a user would be able to find information about the cookies that are being written and provide consent other than by blocking cookies entirely using their browser.

    This is despite the admittedly very clever use of URL redirection as an alternative path for people to navigate the site if they have turned cookies off in their browsers. But the wording around this in the Privacy statement ignores that the site actually writes third party persistent cookies from Google, and Google requires them to tell you that (as well as SI336).

    Privacy Statement – Fit for Use?

    Another concern I would have is with the loose wording and phrasing in the Privacy statement. The Data Protection Commissioner’s Audit report on Facebook cautioned strongly against the use of open-ended consents and non-specific specific purposes. Yet here we see clear examples of this within this Privacy Statement.

    Well, actually we don’t. There is no statement about the purposes for which the data is actually being processed. And that’s just the beginning of it.

    IP or Not to IP, that is the question.

    The Privacy statement proclaims that for “general web browsing” they may capture the “logical address” of the server you connect to the site from. Unless I am horridly mistaken that is the IP address. And that would be the IP address assigned to your broadband connection. Which is Personal Data, as eircom have recently found out. And there is no ‘may’ about it. The data is captured by Google Analytics (see above) and any other stats tools the Department might have.

    So. Personal data is being processed even if you are just browsing. Privacy statement is misleading in this regard and should be clarified.

    Who’s the Daddy.. I mean Data Controller?

    Frankly this thing is a mess. There is a horrendous lack of clarity about who is http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2010/wp169_en.pdfactually governing the processing of the data. Is it the Department (as it appears from the top right hand corner of the website)? Is it the LGMA (the collective IT department for most Local Authorities)? Is it the Local Authorities (as was set out in the legislation)?

    Or to put it another way… who would the Data Protection Commissioner expect to get a call from if there was a security breach relating to this data?

    If the Department is defining the format and structure and purpose of the data, they are the Data Controller as per the Article 29 Working Group Opinion1/2010.

    Local Authorities collecting revenues on behalf of the Department would be Data Processors. The LGMA, as an entity acting to provide support services to Local Authorities would be a Data Processor (albeit further down the chain of processors).

    What contractual or similar arrangements are in place governing this processing? Is there a clear governance structure established to ensure that breaches or problems are identified and dealt with in a timely manner?

    What I’d have expected to see would be something along these lines:

    This Household Charge is being administered by the Department of the Environment (the Data Controller). It is being collected on behalf of the Department by Local Authorities (Data Processors). As part of the support functions they provide to Local Authorities the Local Government Management Agency is providing hosting and technical support services for this collection facility, also as a Data Processor. REALEX payments are providing a secure payment processing facility that is certified to ISO27001 and meets the PCI-DSS security standards for credit card security.

    Funds will be dispersed from the Department to each Local Authority as part of their budgetary allocations during the year.

    It’s a bit clearer who is doing what. But the question is whether that actually matches what the enabling legislation for this charge actually said.

    Don’t tell me the what, show me the why?

    The Privacy Statement tells me that

    Data collected on this site is gathered for the purpose of processing household charge payment transactions. This data may be reused in future years for notifications regarding liability for household charge properties.

    So the purposes for which the data is being processed are:

    1. Processing a payment for the charge this year.
    2. Sending a bill to me for the charge next year.

    No other purpose (statistical, strategic, or operational) is put forward for the processing of the information which is requested by the site.

    What information is required to send me a bill?

    • My name
    • My postal address
    • My email address (should be optional if I don’t want to rely on electronic billing)

    Which begs the question: Why is my PPSN number being requested given the particularly protected status of the PPSN in Irish law, a position I know from a  client engagement last year that the DPC takes VERY seriously indeed.

    Quite apart from the limited scope that exists under Irish law to actually ask for and process a PPSN (which affects the “lawful purpose” of processing, the simple question under the Data Protection rules is whether, given that it is not necessary to have my PPSN to process a payment and send me a bill next year, why is this information being asked for.

    If there is a secondary purpose (such as the development of a Property register which can be used as the basis of a valuation system in subsequent years) this should be stated as a specific secondary purpose in the Privacy statement.

    If Facebook is not permitted to be sneaky with Scope Creep in their Privacy Statements, the Government should be be either.

    I’ll post more on this as I get time to poke around a bit more.

  • The missing link in Compliance and Governance

    Over the years I’ve done a lot of work in the area of Regulatory Compliance and Information Quality. Whether it is Data Protection, Information Quality, Governance or Compliance, it is important to bear in mind that what we are dealing with a Quality Management System:

    • Data Protection Compliance is the Quality System where by the obligations and expectations which arise under Data Protection/Privacy laws are met consistently
    • Information Quality programmes involve, by definition, the implementation of a Quality Management System
    • Information/Data Governance… well, that’s another form of Quality Management System
    • Complying with other forms of industry or Governmental regulation… well, the best way to achieve those objectives is through some form of systemic approach to meeting or exceeding expectations.

    In my experience Compliance and Governance initiatives and strategies tend to fall into three camps:

    1. Documentation Driven by “Rules Wizards”, with extensive policy and procedure documentation, usually from the comfort of an Ivory Tower in the Business that is comfortably removed from GEMBA
    2. Technology Triggered by “Techno-Lords”, usually from within the bowels of the organisation’s IT department, which is also often at a distance from the place where the work is actually getting done.
    3. Awareness and Attitude Oriented: Driven by a “Coalition of the Willing”, with a focus on policy that is actually executed through the appropriate use of supporting technologies and a strong focus on the “Human Factors” that lead to awareness and understanding of the required changes.

    Often it is difficult to see which kind of initiative you are dealing with. In organisations that have a “Document Driven” approach, management take comfort in the fact that they have documented procedures and policies for everything therefore everything is in control. In “Technology Triggered” initiatives, the management of the organisation places a blind faith in the power of technology to protect, prevent, detect, and mitigate issues.

    Both approaches are doomed to failure. Neither, no matter how sophisticated, can ever deliver anything other than “small ‘c’” compliance. Because Quality Systems are about more than just documentation or technology. Real quality requires a sustainable change in attitudes and awareness. After all, Deming’s 1st two points of Management Transformation are not “Write documents” or “Get good technology”: They is “Create a Constancy of Purpose” and “Adopt the New Philosophy”.

    Purpose and Philosophy require that the organisation look at the attitudes that are there. It is as important to understand and articulate a Vision for the Quality System… and to make sure that that Vision is embedded in the mind-sets and attitudes of the staff in the organisation.

    At a conference in London in 2005 Joyce Orsini of Fordham University shared a story with me of a trip W.Edwards Deming (she was working with Deming at the time) took to an automobile manufacturer in the US in the mid 1980s. On this trip the plant manager took great pride in showing off the robots (technology) that they were using to manufacture the cars. Deming noticed that every time the robot arm swung over the car it dented the boot (trunk) lid of the car. He asked if this was part of the Quality Standard (Policies). The Plant Manager said no, it wasn’t, but they had a man at the end of the production line with a hammer to knock the dent back out.

    A lack of awareness about the operation and objectives of the Quality System and what it meant as a value system meant that no-one in the plant seems to have questioned the operation of the Quality System.

    Without Awareness and Attitude the investment in Documentation and Technology that form part of the Quality System will ultimately have sub-optimal return.

  • Mobile phone hacking and the e-Privacy Regulations

    The recent furore about the News of the World and other tabloids engaging in unauthorised access voicemails I thought it might be worth pondering the potential Irish legal situation. Now, I’m not a lawyer. This post is intended to work through some of the relevant legislation and the potential issues that might arise in Irish law. It is not legal advice. I fully expect members of the Irish legal blogging community to leap in and make comments and corrections as needed.

    The law

    There are a few pieces of legislation in Ireland that would come into play here:

    1. The Data Protection Acts 1988 and 2003
    2. The Criminal Damage Act 1991
    3. The Criminal Justice (Theft and Fraud Offences) Act 2001
    4. The Postal and Telecommunications Services Act 1983
    5. Interception of Postal Packets and Telecommunications Messages (Regulation) Act 1993
    6. The ePrivacy Regulations 2011 (http://www.dataprotection.ie/documents/legal/SI336of2011.pdf)

    The Data Protection Acts

    The Data Protection Acts require that personal data be obtained and processed fairly.

    Journalistic exemptions to this and other provisions of the Acts exist under s22A, but only insofar as there is an actual intent to publish a story or other work based on the information which has been obtained. So… if a journalist and/or a private eye in the pay of a newspaper were to obtain personal information about Celebrity A on foot of a fishing trip through the voicemails of celebrities A through F when there was no intent to publish a story about Celebrity A until such time as the information was obtained, then the journalist might not be able to rely on their exemptions under the Acts. The protection of the right to Freedom of Expression is only protected where there is an intent to actually express something, and if the publication of that story is in the Public Interest (which is a thorny topic I won’t delve into here).

    Criminal Damages Act 1991 and Criminal Justice (Theft & Fraud Offences) Act 2001

    Journalists who engage in unauthorised access to voicemails may also be committing an offence under the Criminal Damages Act 1991. This Act makes it an offence to access information without authorisation and to modify that information whether or not that modification has an adverse effect. Listening to a voicemail modifies the content and nature of the information (at the very minimum changing a flag from “new” to “listened to”. The Act does make use of the word “computer”, which would suggest to a lay person that it would only be an issue if a device meeting the traditional view of a computer was used. However the term is undefined and as such it is open-ended as to what type of device might meet the legal test of a “computer”. In that regard, the definition applied in the Data Protection Acts (“a device operating automatically in response to instructions”) might be relevant.

    So… accessing a voice mail box (which is itself stored on a device operating automatically in response to instructions computer of some sort) without permission and listening to the recording is likely to be a criminal offence in Ireland, given the breadth of the definitions in play.

    This is doubly so when the Criminal Justice (Theft and Fraud Offences) Act is taken into consideration. It provides for an offence of “dishonestly” using a computer or causing a computer to be used within the jurisdiction of the State. The big question to answer here is

    • What’s a computer?
    • What’s dishonest?

    It might be argued that going on a fishing trip for personal data without any prior formed intent to publish a specific story about a specific individual could constitute dishonesty.

    The 1983 and 1993 Acts

    Section 98 of the 1983 Act deals, in the first instance, with a general prohibition on the interception of “telecommunications messages”. In short… it’s illegal except in certain defined circumstances. Interception is defined as being

    “listening to, or recording by any means, or acquiring the substance or purport of, any telecommunications message without the agreement of the person on whose behalf that message is transmitted by the company and of the person intended by him to receive that message”

    The term “telecommunications message” is not actually defined in the legislation, which creates an interesting situation when you consider that this Act was drafted in the early 1980s when there was no digital voice mail, no email, limited use of fax services, and (importantly) when there was only one company laying cable and connecting people to a telecommunications network in Ireland. Significantly, the 1983 Act only applies to telecommunications services which require a license… which would exclude a lot of on-line communications tools such as VOIP, web-based email or IM chat.

    The 1993 Act deals essentially with phone tapping and interception of postal packets. The legislation is couched in terms suggesting that data at rest (e.g. a voice mail recording sitting on a server or an email sitting in in a mail host somewhere) may not be covered.

    Digital Rights Ireland argued in 2009 that the framework in place under the 1983 and 1993 legislation most likely did not cover most on-line activities and as such there was, strictly speaking, no clear legislative prohibition on the interception of SMS, email, VOIP etc., technologies which simply did not exist at the time the legislation was being drafted and as such probably left the State falling short of their obligations under the ePrivacy Directive.

    The European Commission rejected DRI’s submission at the time

    Electronic Privacy Regulations

    The new electronic Privacy Regulations place mobile phone operators in an interesting position with regards to phone hacking. The means by which voicemails were accessed, in the main, appears to have been default voicemail passwords being left unchanged. This is a security weakness in mobile phones and, for that matter, fixed line services which provide a voice mailbox service.

    For example, for most mobile phone operators, the default password for a voicemail account is 0000. In many fixed line systems, the password might be 1234. Failing to change this password leaves the data which is being recorded in the mailbox unsecure.

    The complication in Irish law for the telcos is that section 4 of the EPrivacy Regulations (SI 336 of 2011) requires providers of electronic communications services to

    1. Ensure appropriate security safeguards so that data is only accessed by authorised persons, with respect to the state of the art and cost of implementing (section 4(1))
    2. Ensure that the security measures can protect against accidental or unlawful destruction, accidental loss or alteration, and unauthorised or unlawful storage, processing, access or disclosure (section 4(2)(b))

    Section 4(4) is the doozy I feel.

    In the case of a particular risk of a breach of the security of the public communications network, the undertaking providing the publicly available electroniccommunications service shall inform its subscribers concerning such risk without delay and, where the risk lies outside the scope of the measures to betaken by the relevant service provider, any possible remedies including an indicationof the likely costs involved.

    My reading of that section is that mobile phone and landline operators who apply default passwords to voicemail accounts need to be more proactive about alerting customers to the risk and, ideally,  implement a process which mitigates or eliminates the risk (such as having a randomly assigned password associated to a voicemail that is SMS’d or posted to the customer – just like bank security codes for on-line banking). I’ve asked the Data Protection Commissioner about it and it appears that my reading is, by and large, correct.

    And as the SI implements an EU wide directive this could get interesting in light of the NoTW noises.

    Conclusion

    The world of telecommunications and person to person linking using tools like VOIP, SMS, Instant messaging, voice mail, email, and “Unified Communications” which we find ourselves in today was almost unimaginable even fifteen years ago. I can recall when I started working with a large telco in the summer of 1997 that digital voice mail was a massively new fangled thing, had you told me that I would be getting voicemails emailed to me from a virtual VOIP phone system which I could open and read or listen to on my mobile phone I’d probably have laughed.

    But that is what we do every day now.

    The legislation may not have kept pace. However, where the legislation has caught up, providers of telecommunications services need to do their bit to raise awareness and understanding of how the world may have outstripped the law (at least for now).

    I invite any comments or corrections from more learned colleagues.

     

  • Doing the right thing

    So, imagine for a moment that you have just found out about a technology that, according to the sales person, will have an immediate impact on preventing children being abused, tortured and worse. Imagine you’ve been told that it won’t require you to do a thing, that it will operate “out there” (possibly in “The Cloud”) and perform its function on your behalf without you having any need to actually do anything yourself to put the processes in play.

    How much would you, personally, pay for such a technology? €1 a month? €5 a month? €10 a month?

    What if it turned out that:

    1. The technology actually didn’t stop the hurt or damage to children, just made it a little harder for people who paid for access to images of that to get at it and, at best, curtails demand slightly
    2. Was relatively easily circumvented using free or low cost tools
    3. Had been found not to work in other countries where it had been made available, with innocent individuals and businesses suffering due to poor quality data existing in the processes which meant they were tagged as “offending” and were being closed off from their market (in the case of businesses) or from their legitimate personal activities (in the case of individuals).

    That’s what the Irish police have asked ISPs to do with their recent requests to implement IP filtering, outlined by Digital Rights Ireland today. IP Filtering has been found be ineffective in the Netherlands, has had declining effectiveness in the UK, and doesn’t actually address the problem of the images being accessible on the Internet. In Australia a leaking of the black list revealed valid businesses that had no child porn content, with almost 50% of the list being unrelated to the target intent of controlling access to images of child pornography (thanks to DigitalRights.ie for the linked to stories).

    A far more effective approach is to get the images removed from the sites that are hosting them. Perhaps this is problematic and onerous. Let’s look at some statistics:

    • Of the 72 requests to remove images of child pornography made by the UK’s Internet Watch Foundation in 2010, a paltry 100% were complied with in a geological “few hours” (source: BBC report on IWF’s Annual Report)
    • Researchers in Germany working with AK-Zensur.de found that the 3 active sites on the sample of watch list data they worked with were taken down within 90 minutes of requests being made to hosting companies and/or domain registrars. In each case the images had been blocked but were still on-line for up to 2 years.

    So… making requests to the hosting providers tends to be effective at removing the problem at source. Indeed, a draft EU Directive is calling for exactly that approach to be taken.

    Which leaves us back at the start, asking the question about how much you’d be willing to pay to have such a technology in place to block access to sites. Because a price will have to be paid in some way and in some form. On one hand, Irish telcos are not exactly awash with cash at the moment and the implementation of any blacklisting process will require some governance and resourcing (both technology and people) which will come at a price. Currently there is no proposal that the State would contribute to this cost, and the model of the Data Retention regulations would suggest that no such stipend would be forthcoming.

    So the cost of web filtering would likely have to be borne by the ISP. Which would mean either higher bills or reduced investment in other areas as the money would have to be found somewhere (it is worth remembering in this context that eircom is currently trying to restructure its debts and cut costs by €92million). So, realistically, the costs will emerge somewhere on your bill. How much are you willing to pay for technology that doesn’t achieve its goals?

    The other price to pay is the privacy cost.

    The Garda proposal is, to my reading, an outrageous trampling of personal privacy rights while they take a lump hammer to swat a fly. In essence, they amount to a “guilty until proven innocent” position where inadvertent access will need to be explained by way of the ISP giving EVEN MORE data to the Gardaí about an individuals browsing history. As Digital Rights Ireland point out in their letter to the Data Protection Commissioner about these measures, such disclosures might actually be illegal in and of themselves under other legislation. And if your domain name can identify you as an individual there is always the potential for your personal reputation to be damaged if you are put on the blacklist in error given the text of the “stop page” message.

    • What ever happened to “Adequate, Relevant, and Not Excessive”?
    • And how bullet proof are you against malicious uploading of content to your website anyway?

    It would seem that the only entity not incurring a cost in the entire equation is the Gardaí, as their letter does not outline any form of “right of reply”, any avenue for validating or correcting entries on any black list which might be created, or any form of judicial oversight or regulation of the powers which the Gardaí are taking upon themselves in this context.  Who do I contact if my business site is compromised, becomes a host for offensive content (if only for a few hours until it is spotted and removed) and is blacklisted? What steps have the Gardaí taken to ensure that they don’t mirror the Thai experience, where a blacklist introduced to control access to child pornography has experienced “scope creep” to include any criticism of the Royal family, or the Australian experience where, according to one expert:

    “It seems to me as if just about anything can potentially get on the list”

    Doing the right thing is very important. But equally important is doing the thing right. Internet filtering is ineffective as a tool. It is the equivalent of telling one part of a town they can’t shop in B&Q while the rest of the town sates their bricolage requirements at the “banned” store.

    An analogy to the Garda proposal is this: Anyone entering certain areas of the country (“black-zones”) would be overtly tagged as probable criminals by reason of their being in that location. They might even be given a badge to wear at all times as a result. Where they are ‘just passing through’,  the probable criminal will need to provide evidence of their normal habitual movements to the authorities so they can satisfy themselves that the visit was accidental or as a result of an unexpected detour. Residents will not be told about their status as a “black-zone” and will have no ready right of appeal or opportunity to challenge the designation. Visitors will be told they are about to enter a “black-zone” that hosts criminal elements and activity by way of a large sign on the side of the road.

    Would that be acceptable in Irish society?

    Internet blocking is ineffective. The current proposal lacks sufficient checks and balances, and may even require ISPs and telcos to break other laws to comply. It will inevitably result in innocents being tarred as offenders. Data Protection principles (such as “Adequate, Relevant, and Not Excessive” are being blatantly ignored to implement an ineffective solution.

    Far better is to shut down the shop by removing the images at source and invest time, energy, and resources into a more transparent effort to manage this issue.

  • Data Breach Code of Practice

    A while back I had the privilege of being part of a group who formulated submissions to the Data Protection Commissioner regarding the Data Security Breach Code of Practice.

    That Code of Practice was presented to the Minister for Justice in July 2010, long before the dissolution of the Dáil in January 2011. There was one administrative step required to give it full legal effect. That step has not yet been taken.

    Apparently, carelessness with Personal Data (and, in the case of the Security Breach Code of practice, financial data as well) would appear not to be a ‘real crime’ in the eyes of the Dept of Justice. Despite the fact that it costs the UK economy £27bn per annum.

    Given that Fine Gael spearheaded moves to improve the protection of personal data privacy through a Private Members bill proposed by Simon Coveney TD, and during their election campaign they trumpeted the policy of “getting tough on white-collar crime” perhaps they should start with a holistic view of the culture of business and begin with one common element across all business, whether it is Financial Services, Healthcare, Telecommunications, or plumbing – the fact that every business, at some level, processes personal data about individuals in order to conduct business.

    What would I like to see from the new Govt which will take the reins of power in the coming week or so?

    1. Tie up the loose ends. Put the Code of Practice on a fully formed legal footing (and perhaps bump up the penalties that can be levied)
    2. Begin the process of renewing the Data Protection Acts. Even in advance of the new EU Directives in May and further down the road there are a number of things which can and should be done:
      1. Consolidate and simplify the legislation.
      2. Implement clear penalties for infringement of the Acts and penalise non-compliance
      3. Provide clear statutory frameworks to encourage compliance (e.g. Voluntary disclosure, whistleblower protections)
      4. Make clear the alignment between Data Protection regulation and other areas of good corporate governance.
    3. Require Enterprise Ireland and the various business development incubators that are promoting entrepreneurship to include some information/training/guidance on Data Protection principles and practice in their supports for start-ups (I’ve been through a Business Development programme and, despite the importance of personal data to the business models of 90% of the participants it was not even mentioned as a topic).
    4. Make the Office of the Commissioner revenue generating to a greater extent by having higher potential penalties and ensuring that prosecutions are taken to the fullest extent of the available penalties. In the UK the maximum penalty for a breach is £500k. Here it is, on a good day, only a fraction of that.

    Finally, the Government should ensure that the Data Protection Commissioner has adequate funding, resources, and supports to properly conduct and execute their responsibilities under the legislation. Whether that is achieved through the absorption of other agencies into the Commissioner’s remit is a matter for the Government (and the Commissioner) to decide on.