Category: Ethics & Law of Information

A category dealing with the ethics and legalities of the management of Information and Information Quality.

  • There is oft a slip twixt tweet and twolicy

    This blog post is basically the text of an audioboo I recorded at 9:30 this morning which has disappeared into the ether ne’er to be found.

    Fine Gael have launched their “Twolicy Page”. I won’t comment on the hideous neologistic portmanteau that is “Twolicy”, other than to say that it seems to have been dreamed up by a pat.

    What strikes me about the “Twolicy” page is that it is yet another import of an American election campaign tool into Irish Politics, particularly with the concept of the “E-Canvasser”. Fine Gael dynamically tell us that the E-Canvasser (perhaps some distant cousin of the “Cyber Reporter” who has emerged as the colour piece of the day on certain Irish current affairs shows?) will

    “knock on all cyber doors by delving into the depths of Facebook, Twitter, Youtube, Flickr and more! Through the simple medium of sending e-mails, facebooking and tweeting messages of support for Fine Gael you can pledge your commitment to fixing the Irish economy.”

    This is a strategy which exists to some extent in Irish politics even today. Many of the letters to Madame Editor are crafted examples of “Astroturfing” – something that appears to be a grass roots movement but is not. I first became aware of the concept back in 2002 when I spotted the Republican Party in the US running “GOPTeamLeader.com” (which, thanks to the interweb waybackmachine, I can bring to you in hideous technicolour). Basically the party recruits a team of volunteers who are tasked with sending “on-message” communications to the media (which in 2001 was the newspapers, TV, and radio). In return, the GOP provided a set of reward points (like Green Shield Stamps) which could be saved up and exchanged for rewards such as barbecues, autographed photographs of the Reichsführer candidate, and (if memory serves me correctly) an RV.

    Fine Gael liken this to door to door canvassing. However that analogy does not hold true because the Internet is not a housing estate or public street. Drop a bus load of eager canvassers on my doorstep and they will be able to

    1. See my house
    2. See my neighbours’ houses

    They will not need to ask my neighbour to throw leaflets over my back wall. They will see the big sign in my hall window warning them of the fate that will befall them should they ring the bell and seek discourse (“Warning – political nut lives here”). And most of them are clued in enough to know that the “no canvassers” sticker in the window means that stuffing my letter box with bumph will just be providing stimulus to the paper recycling industry.

    The Internet is different. Social media is different. Whoring out your personal contact list to a political party is different. And because it is different, we find ourselves to an extent in uncharted territory with regard to the Data Protection implications of Social Media driven Astroturfing.

    Right now I have a contact list of 413 followers on Twitter for my personal account. I have a second Twitter account that is for my business. People who follow me know (from my profile and what I tweet about) that I’m a Data nut and I do data protection and information quality training, so content about those things will pop up in my timeline. People who follow me also know I’m a bit of a politics geek and enjoy holding our leaders to account. But I try and keep my business tweeting separate from my personal tweeting. And when I whore myself out too much on Twitter, I get friendly DMs from people or I get unfollowed.

    This is because the contact details of my friends are information I have gathered for domestic purposes. As such the Data Protection Acts don’t apply. If I was to sign up to be an e-Canvasser (and I can’t get the image of a canvasser handing out bags of yokes out of my head) we would then face the question of whether I was still processing that data for Domestic use or whether I had become a Data Processor working on behalf of Fine Gael, a Data Controller.

    The key question would seem to be how much control Fine Gael are exerting over the content and communication from their e-Canvasser Astroturfers, and whether they are offering any form of reward or incentive for people to encourage them to pimp out their domestic contact lists.

    If Fine Gael are simply being “passive” and are relying on individuals to act on content that is made available, then there is probably no substantial issue here. It is a case of a person finding content on the web that they think would be of interest to their personal network. We do this every day. It is the way the social web works. Of course, that then raises the question of why they would need you to sign up to their team for this purpose… surely the type of political nut blogger who would retweet or repost their bumph would do so anyway without having to be officially flagged as an “E-Canvasser”?

    If Fine Gael are being “neutral” and are simply flagging content to people who have signed up and asking them to do what they see fit with it, then this too is probably OK. The analogy would be the charity that Tweets out a fundraising message and asks their followers to retweet it to send the fundraising virally. The charity has not asked you to commit to being an active fundraiser on their behalf.

    However, if Fine Gael are pushing specific content into specific constituencies at specific times and are exercising control over the content of the messages that are being sent, then we are into a potentially problematic area.

    The e-Canvasser would not be on the Fine Gael payroll. But they would be, in effect, processing personal data on behalf of Fine Gael as part of the “Fine Gael Team”. It would be interesting to find out how much direct “editorial” control FG are placing on the Facebook Statuses that people are “donating” (and where does this fit in SIPO? What is the monetary value of a person’s Facebook status?) or the emails to “family and friends”. This is personal data that was given to them for a domestic purpose, not for the purposes of canvassing for Fine Gael. Once they commence “active” canvassing, the use of the data has likely changed from “domestic” to political and the Data Protection Acts would apply. If Fine Gael are directing the timing of messages, the content of messages, and/or the audiences for messages, then the e-Canvasser is being directed in their processing by the Data Controller, Fine Gael. And, as Data Controller, Fine Gael would need to ensure that there was clarity about the new political use of the personal data, and a clear mechanism for the Data Subject (the canvasser’s family and friends) to opt out would need to be in place – and FG would, of necessity, need to push this responsibility down to the Canvasser.

    Otherwise, FG would not have obtained the data fairly for the purposes of electoral canvassing. It would be no different than if they had asked the local GAA club to email all their members to let them know about Fine Gael’s new policy on tax relief on sliotars and faceguards for hurlers. And that is the kind of thing that the Data Protection Commissioner has already warned against.

    Things become an order of magnitude more complicated if Fine Gael are running any kind of incentive scheme for e-Canvassers to drive up the publication of their AstroTurf message.

    Of course, Fine Gael have probably thought this through and will have the necessary protocols in place to ensure that there is a mechanism for a Canvasser’s friends to opt out of receiving Fine Gael campaign materials by email, Facebook or Twitter. They have probably realised that people have the same reaction to junk mail on-line as they do at their door step and need to have the ability to put up an on-line “No Canvassers” sign.

    Currently the only opt-out mechanism I can see is to unfriend people, unfollow them or block them. Which is exactly what I would do in the physical world if a friend of mine kept ramming leaflets and policy statements from a political party into my face.

    Of course, in the absence of such an opt-out facility, Fine Gael (as Data Controller) and the e-Canvasser (as Data Processor) would need to be cautious of falling foul of SI 526 of 2008 (the e-Privacy regulations), which carry a fine of €5,000 per breach, capped at €50,000 for an individual. While Twitter and Facebook might not be mentioned in the legislation, email is covered in Regulation 13(1):

    b) A person shall not use or cause to be used any publicly available electronic communications service to send an unsolicited communication for the purpose of direct marketing by means of electronic mail, to a subscriber, who is a natural person, unless the person has been notified by that subscriber that for the time being he or she consents to the receipt of such a communication. 

    [edit to clarify some points raised by @tjmcintyre]

    Now, the DPC has ruled in the past that there is an exemption covering the Direct Mail (including email and texting)

    carried out in the course of political activities by a political party or its members, or by a candidate for election to, or a holder of, elective political office

    Question: is the eCanvasser the political party (I would argue yes if FG are exerting sufficient control that they would become a Data Controller)? In which case, the processing is possibly covered.

    But I would suggest that this exemption assumes that the email or tweet would be clearly coming from Xyz@partyname.ie or an individual clearly identifying themselves as a member of the party or publicly known to be a candidate for election or an elected official. Getting an email from “yourbestmate@gmail.com’ telling you to go and look at Fine Gael policies, where that email has been sent on the instruction of and under the Control of the party or candidate would seem to me to fall outside the scope of issues already decided.

    [/edit]

    So, the upshot is that while physical world canvassers have to be careful of yappy dogs, cats that bite and political nuts who have hard questions, eCanvassers need to consider both the social acceptability and potential legality of pimping out their personal contact lists on behalf of a political party. Such tactics are de rigueur in the US. But the US does not operate with the same privacy legislation as Ireland, so ideas imported from overseas must be vetted properly to ensure that no Compliance risks arise.

    I would be interested to see what the Data Protection Commissioner’s response to or advice on formal ecanvassing that places the data at arms length but creates a de facto Data Processor/Data Controller relationship would be, particularly if that relationship is not obvious to the recipient of the email or tweet. [update] Perhaps it would be sufficient for the emailer or tweeter to clearly flag that they are part of a formal eCanvassing team acting on behalf of and under the instruction of Fine Gael?[/update]

    [update] But the change of use of the data from domestic to overtly political will, in my personal view, give rise to questions of whether the data has been obtained fairly for that new purpose, which is a point already clearly settled in the mind of the DPC.[/update]


  • If you’re going to wave a sword, know where the pointy bit is

    Over the weekend two Irish newspapers (Irish Examiner and Sunday Tribune) reported that one of our leading Trade Unions had filed a complaint with the Data Protection Commissioner on behalf of staff who had received letters by courier from their employer with whom they are engaged in an industrial relations dispute.

    While I’m all in favour of seeing discussion and comment on the Data Protection Acts in Irish media, I am dismayed to see poorly explained use of the legislation and am concerned that this might be a precedent setting strategy that results in nonsensical and vexatious complaints diverting the already limited resources of the Data Protection Commissioner’s Office (only 20 people) away from dealing with the many real and valid complaints and queries they get each day.

    Yes, Aer Lingus have duties to their employees under the Data Protection Acts to keep their data safe and secure, to only process it for specific stated purposes, and to only process data in a way or quantity that is relevant and not excessive to the stated purposes. However the Data Protection Acts do NOT prevent employers engaging in legitimate communication with staff members using legitimate 3rd party Data Processors to do so, so long as there are appropriate controls in place and the original intent to engage in that communication is consistent with the purposes for which the personal data was originally provided to the employer.

    From the media coverage, it appears that IMPACT’s position is that employers can’t write to their staff because personal data is shared with 3rd parties (in this case a courier company but it could just as easily be An Post).

    IMPACT may have grounds for a complaint if Aer Lingus specifically targeted the communication to members of the Trade Union using information contained in the HR or payroll systems of Aer Lingus (e.g. deduction of trade union dues at source). This issue was specifically addressed by the Commissioner in relation to attempts by the Dept of Education to deduct pay from teachers who took industrial action, based on the fact that the Dept was processing a payroll deduction at source facility. However, as Aer Lingus appear to have used the fact that the staff member is not on the payroll (i.e. is not being paid) as the trigger for the letter, this issue may not arise.

    The Union may have grounds for proposing that by sending a batch of letters out to individuals at a time of industrial strife, the courier company could deduce that the addressees were Trade Union members. But, in that context, it must be suggested that Aer Lingus should have appropriate contract terms with the courier company regarding security and unauthorised secondary processing (e.g. making a list) (I’ve written about this on my company’s website today). In addition, if Aer Lingus are sending letters to staff in relation to their work schedules and their contracts of employment, they could probably rely on lawful processing conditions under Section 2A and Section 2B of the Data Protection Acts.

    IMPACT may have grounds to argue that there was excessive processing as it seems mobile phone numbers were provided to the Courier company as well. However, Aer Lingus might take the position that that was felt to be a necessary step to ensure delivery of the letters could be made in a timely manner. Again, this might fall under a lawful processing condition under S2a or S2b of the Acts.

    For example, Dell made my mobile number available to the UPS driver who delivered my computer. Likewise they made my mobile number available to the support technician who replaced my keyboard. It all depends on the validity of the purpose and whether a valid Lawful Processing condition can be met. There were lawful processing reasons there in relation to the execution of a contract. Consent was not required (but was asked for).

    What is clear from the media coverage is that:

    1. If you are engaging a Data Processor (in this case the Courier) you need to be clear what the minimum necessary information is to achieve your objective and share no more than this. Aer Lingus might argue that the provision of mobile phone numbers was necessary to ensure delivery was made as quickly as possible. The key question to ask is whether the same objective can be met in other ways (for example, would it have been better for Aer Lingus to get the Courier company to report to them on undelivered letters and for Aer Lingus to ring around where delivery was not successful?)
    2. If you are a Data Controller and you are sending letters or otherwise processing personal data during a time of industrial unrest, you should be very clear the purposes for the processing and the specific lawful processing conditions you will be relying on.
    3. If you are a representative body presenting a story to the media or making a complaint you need to be clear what the grounds are for the complaint you are making. Querying the legitimate use of a courier company to send letters and implying threats to the security of staff as a result does a disservice to everyone. Specifically pointing out that the provision of certain data may have been excessive or that the airline had not ensured appropriate security of the data by way of a contract with their Data Processor clearly highlights lack of care or

    Dragging the Data Protection Acts in to the middle of an Industrial Relations dispute should be done with care. To do so without clarity as to the specific nature of the complaint and the specific characteristics of the breach that you suspect will result in a waste of the resources of the Commissioner’s Office and will serve to only compound the half-truths and untruths that abound about the Data Protection law in Ireland.

    Using the Office of the Commissioner as a negotiating tool is disingenuous and does a disservice to the important role that the Commissioner continues to play in the development of compliant and trustworthy practices in Irish commercial life.

  • The curious case of Enda and the Technology

    Enda Kenny found himself slightly ambushed on the news last night (6-One News on RTE) by Bryan Dobson. At the end of a segment about the trials and tribulations of Brian Cowen, Enda was asked about the problems that have befallen the FG website.

    Enda’s response was telling on a number of fronts.

    1. He indicated that the FG site had been implemented because he’d been impressed by a to the European People’s Party (Maman Poulet wrote about that a while ago).
    2. He indicated that they were looking into moving the site to an Irish host.
    3. He stated that he was not competent in the technology
    4. He stressed that “40 young people” were being trained in these new technologies in FG HQ, which would add to their CVs.

    The Obsession

    In short… FG are focusing on the technology. This is exactly the point I was trying to make in my first post about the need to set “the tone at the top” and ensure that the values expressed in that tone cascade down the organisation and are expressed and executed through effective governance.

    By focusing on the technology rather than the effective governance of the information (in a way that would support their objectives and their brand), it seems FG have got tunnel vision on a particular technology and missed the point completely.

    Indeed, back in 1999, Peter Drucker wrote that:

    So far, for 50 years, the information revolution has centered on data—their collection, storage, transmission, analysis, and presentation. It has centered on the “T” in IT.

    The next information revolution asks, what is the MEANING of information, and what is its PURPOSE?

    FG may have had a purpose (to listen, and to build a mailing list) but they don’t appear to have considered what it means to gather personal data, particularly SENSITIVE personal data.

    In this context, Enda and the leadership of FG are not being asked to suddenly become PhD level experts in all aspects of Information Security and Web design. What they are expected to do is apply reasonable levels of due diligence to ensure compliance with the law of the land and the standard of care that is expected of organisations who process Sensitive Personal Data.

    Organisations like, for example, the Civil Service, who have produced very clear guidelines on the processing of personal data and the standards of care that must be exercised. Those guidelines are very explicit in a number of sections about the importance of encrypting sensitive data when it is being transferred. For example, in relation to transfer of personal data by email the guidelines say:

    1. Standard unencrypted email should never be used to transmit any data of a personal or sensitive nature. Departments that wish to use email to transfer such data must ensure that personal or sensitive information is encrypted either through file encryption or through the use of a secure email facility which will encrypt the data (including any attachments) being sent. The strongest encryption methods available should be used. Departments should also ensure that such email is sent only to the intended recipient.

    So, if FG become the leaders of the next Government, will it be a case of the Executive arm telling the Civil Service “Do as we say, don’t do as we do?”

    That is what I mean by SETTING THE TONE FROM THE TOP.

    Given the comments in the Evening Herald yesterday, apparently from the hackers who attacked the FG website, that the web-designers who built the FG website had left various passwords set to their defaults, my attention is drawn to the comments in the Civil Service Guidance Notice in relation to passwords.

    In the context of mobile devices (like phones), the Guidance explicitly states that

    Manufacturer or operator-provided PIN codes must be changed from the default setting by the user on receipt of the device.

    So, default settings aren’t allowed for security reasons in the Civil Service on devices as common place as mobile phones. In relation to databases and other devices, the guidance says:

    Passwords used to access PCs, applications, databases, etc. should be of sufficient strength to deter password cracking or guessing attacks.

    A reasonable implication here is “don’t leave it at the default settings”.

    If it is good enough for the Civil Service, why not good enough for Fine Gael?

    The Training

    Enda tried to make a big noise about the “40 young people” who were getting training in the technology. It is very far-reaching to teach young people (how old are they?) how to use Social Networks and Twitter.

    What would be more far-reaching would be to ensure that all levels of the FG organisation received appropriate training in Data Protection principles and practice, and that, rather than instilling a technocratic focus in the culture of the organisation, FG began the process of inculcating an info-centric culture that put the meaning, purpose, and value of Information at the heart of their strategy.

    That info-centric culture would need to extend beyond flashy websites to the mundane matters of organisational governance, control, and accountability for information that the Party organisation processes, whether it is on the web, by email, or on paper.

    A beneficial by-product

    A by-product of such a culture change (and it would need to be an actual change, not just more banal lip-service) might be that we would get, perhaps for the first time, the articulation of what a “Knowledge Economy”  might actually be, expressed in terms that might echo the sentiments of Peter Drucker over a decade ago, that wouldn’t descend into babbling and burbling about technologies which, by his own admission, Enda isn’t competent to talk about.

  • Fine Gael’s website: some thoughts

    It looks like there’s been some rework done on the FG website to address Data Protection concerns.

    This is good and is to be commended. It is also in line with how the Data Protection Commissioner works with organisations who have compliance issues. However, issues did exist prior to yesterday which will continue to present challenges to FG regarding their compliance with the Data Protection Acts.

    Here’s a screenshot I took yesterday:

    [Screenshot of FG website on 7th January 2011]

    It is a bit small to read in the image, but the tick boxes on the site (after you submit your personal data) have the following text beside them:

    • I agree to receive campaign messages on my mobile telephone
    • I agree to share my comments on the website.

    So, if you posted a comment prior to yesterday, the only communication you could provide any consent to was an SMS. If you found you had been added to a mailing list the data had not been fairly obtained (you didn’t know you were going to be getting emails) and any processing of your personal data to send you an email is technically a breach of  S.2 of the Data Protection Acts.

    Given that a number of people apparently complained to the Data Protection Commissioner about getting unsolicited emails when they had posted comments, the website was changed as of this morning with a very subtle edit to the wording of the text next to the first tick box…

    I agree to receive campaign messages from Fine Gael.

    … is what your choice is now when you post your comment. That is a broader statement that does now permit FG to email you (and potentially SMS you as well) with their campaign messages if you don’t ensure that you uncheck the box. Please note that this is an OPT OUT of their mailing list, not an OPT IN.

    So, one compliance issue addressed. Of course, that leaves the question as to what they will do with the emails they captured prior to yesterday which cannot be used as it is unclear if the person has opted in or out of the use of their email address for campaign mailings. This is one of those areas where Data Protection and Information Quality overlap – where the meaning of a flag in the database changes at a point in time and the interpretation of that flag can have significant regulatory and compliance impacts.

    I encountered this when running data migrations in a telco many years ago. The billing system had a flag “Junk Mail”, which allowed a “Yes” or a “No”. The problem was that there was no agreement on whether “Junk Mail =Y” meant people wanted junk mail or “Junk Mail = N” meant people wanted junk mail – the meaning of the value had been lost in the mist of time and the absence of formal documentation about the processes.

    Suggestion: FG should use the date stamp (that they hopefully have) in their database to exclude any email address created on their database prior to January 8th from any email messages… just to be on the safe side. And as they don’t have a use for that data (they can’t email people) they would be required under the Data Protection Acts to get rid of it, as they can’t hold data for longer than they have a legitimate purpose for it.
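    The two points above (a consent flag whose meaning changed on a known date, and a retention rule that follows from it) are easy to get wrong in a mailing export. The following is an added illustration, not code from the original post or from Fine Gael’s system: the cutoff date, field names and sample contacts are all assumptions constructed for the example. Records captured before the wording change carry a flag that only ever meant SMS consent, so they are never mailable and go on the purge list; records captured on or after the cutoff are mailable only if the flag is set.

```python
from dataclasses import dataclass
from datetime import date

# Assumption for the example: the day the tick-box wording changed to cover
# campaign messages generally (not the real database's value).
WORDING_CHANGE = date(2011, 1, 8)


@dataclass(frozen=True)
class Contact:
    email: str
    created: date           # date the record was captured on the website
    campaign_opt_in: bool   # value of the first tick box at capture time


def mailable(contact: Contact, cutoff: date = WORDING_CHANGE) -> bool:
    """True only if the record can be used for campaign e-mail.

    Before the cutoff the tick box read "campaign messages on my mobile
    telephone", so a True flag was consent to SMS, not e-mail: the record is
    excluded whatever the flag says. From the cutoff onward the wording covers
    campaign messages from the party, so the flag is decisive.
    """
    if contact.created < cutoff:
        return False
    return contact.campaign_opt_in


def partition(contacts, cutoff: date = WORDING_CHANGE):
    """Split contacts into three lists for the mailing run.

    send     - on/after cutoff and opted in
    suppress - on/after cutoff but opted out (retained for the comment
               they agreed to share, never e-mailed)
    purge    - captured before cutoff: no lawful e-mail purpose, so the
               address should not be retained
    """
    send, suppress, purge = [], [], []
    for c in contacts:
        if c.created < cutoff:
            purge.append(c.email)
        elif c.campaign_opt_in:
            send.append(c.email)
        else:
            suppress.append(c.email)
    return send, suppress, purge


# Constructed sample records for the example (not real addresses or dates).
SAMPLE = [
    Contact("early@example.org", date(2011, 1, 5), True),    # flag meant SMS only
    Contact("early2@example.org", date(2011, 1, 7), False),
    Contact("later@example.org", date(2011, 1, 8), True),    # new wording, opted in
    Contact("later2@example.org", date(2011, 1, 9), False),  # new wording, opted out
]


if __name__ == "__main__":
    send, suppress, purge = partition(SAMPLE)
    print("send:", send)
    print("suppress:", suppress)
    print("purge:", purge)
```

    The point of keeping the cutoff as an explicit parameter is the one the next paragraph makes about the telco “Junk Mail” flag: the rule that decides what a stored value means has to live somewhere documented and testable, not in the memory of whoever last ran the migration.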

    The Privacy Statement

    I’ve written a few times over on the company site about the need for Privacy Statements to actually reflect the reality of what is happening with personal data that you are obtaining and the balance that needs to be struck by Data Controllers.

    [Screenshot of FG2011.com Privacy Statement]

    FG finally got around to putting up a Privacy Statement on their website late in the day yesterday (check the image above… it wasn’t there in the morning when I took the screen grab). They copied the privacy statement from their old website, which was accessible yesterday (along with all their policies etc.) at http://finegael.org but appears to have gone away, as the screenshot from today below shows. Perhaps their web sites have moved (for security reasons, as FG say in today’s Irish Times).

    [Screenshot of finegael.org backup site as of 8th Jan 2011 14:14 – gone away?]

    While they have a link and can tick the box about having a Privacy Statement, in my personal view they get 10 out of 10 for effort, but fail the test of whether that Privacy Statement actually reflects what they are doing in reality.

    The first test is failed in the very first paragraph which says that

    Visitors can use most of the site without being personally identified by Fine Gael.

    OK. If by “Use” you mean “Sit and Read” then that is a correct statement. But if you want to engage with any of the primary functions of the site (like having your voice heard, telling them your opinions and complaints, all the good and wholesome stuff that Enda is inviting us to do) then you HAVE to provide them with personally identifying information. And in some cases that information can end up being quite granular. For example, if I was to put in my name and village I live in I would be uniquely identifiable as I’m the only person of that name in that village.

    The fact that the Privacy Statement doesn’t address many of the specific  points that the Data Protection Commissioner and the legislation actually require to be addressed in a Privacy Statement is another key issue.

    Compare the Fine Gael Privacy Statement (or Fianna Fail’s) to the equivalent statements on websites from UK political parties:

    The UK Greens (like their Irish counterparts) don’t have a Privacy Statement on their website.

    Given that FG have moved to new servers, with a website with new functionality and new purposes for personal data at the very least they should have reviewed their Privacy Statement to make sure it is still valid.

    Indeed, that type of regular review is a recommendation of the Data Protection Commissioner and is a requirement of the BS 10012:2009 standard for Personal Information Management Systems.

    Suggestion: FG should review their Privacy Statement to make sure it actually matches what is actually going on. This should form part of their regular and on-going governance of data to ensure compliance.

    Some Thoughts

    Fine Gael seem to have made significant efforts in the past day or so to address a problem that earlier in the week they didn’t want to engage with. Indeed, up to yesterday morning they were telling TheJournal.ie that they “weren’t interested“. In that context, the steps that they have taken are a laudable effort.

    But if they had actually taken the time to plan and build their Data Protection obligations into their new processes and website and ensure that they were demonstrably in compliance with the legislation before launching their site then this story would never have existed for anyone to be interested in at all!

    The lesson that needs to be learned from the Fine Gael experience is that it is always far better to design privacy and data protection concerns into systems and processes rather than having to inspect out defects and errors. Just like with any quality process, if you don’t design quality in you will inevitably find yourself having to fire-fight issues in crisis mode, which means that you will almost always miss something else.

    Privacy by Design is a key concept in Data Protection circles. Given that the Data Protection Acts create a Duty of Care, care should be taken when embarking on the processing of personal data to ensure that you understand that Duty of Care and how to meet the associated Standard of Care.

    Not doing so means you risk regulatory penalties, litigation (where there is damage suffered as a result of the breach of the Data Protection rules), and damage to your brand and commercial reputation. Regulatory penalties can be paid and court cases can be settled, but the media coverage and comment on your brand, particularly in the age of Twitter, blogging and Google, will have a half-life all of its own.

    A lawyer friend of mine often tells people:

    There’s only one thing worse than being sued and losing, and that’s being sued and winning. Because no one will remember that you won! It’s always better to avoid being sued in the first place.

  • Red Herrings, Hosting, and Data Protection

    I’ve written a new post over on my business website that looks at some of the issues that have been raised by TheJournal.ie in an article today. I won’t rehash the whole thing here – please follow the link to read the full post on the other site.

    Suffice it to say, there is a big difference between compliance with EU legislation and taking business decisions based on patriotic motives or a desire to “buy Irish”.

    The fact that various parties have their sites hosted in the UK is not a compliance issue per se – the UK is still in the EU and has equivalent legislation to us based on the same root Directive. Norway is a member of the EEA and as such has legislation that is derived from the same Directive as underpins our Data Protection laws (I may be the only person in the country who has actually READ the Norwegian Data Protection Act… it’s very similar in intent and execution to our own law).

    A big issue is hosting personal data, including sensitive personal data, outside the EU or EEA or another “Safe Country” without any apparent controls in place, such as using a Data Processor who is registered with Safe Harbor and ensuring you have a written contract in place.

    It is extremely wrong for anyone to claim that hosts don’t have to comply with the Data Protection legislation. They do. As Data Processors, their obligations are not as extensive as those owed by Data Controllers, but the relationship between the Data Controller and the Data Processor is critical to the end-to-end governance of Data Protection obligations.

  • New Data Protection post over on the company site

    I’ve just written a new article over on the company website about Directors’ liability for data security breaches. An expert in the Sunday Business Post over the weekend was waving a big stick at Company Directors, saying that they could become liable for prosecution for security breaches if Ireland transposes the Convention on Cybercrime into law.

    But this expert missed the important points of Section 29 of the Data Protection Acts 1988 and 2003, which effectively create a cascading liability for the directors, officers, managers, and employees of an organisation that is processing personal data.

    Check out my post here:

  • Bruce Schneier on Privacy

    Via the Twitters I came across this absolutely brilliant video of Bruce Schneier talking about data privacy (that’s the American for Data Protection). Bruce makes some great points.

    One of the key points that overlaps between Data Protection and Information Quality is where he tells us that

    Data is the pollution problem of the Information Age. It stays around, it has to be dealt with and its secondary uses are what concern us. Just as… … we look back at the beginning of the previous century and sort of marvel at how the titans of industry in the rush to build the industrial age would ignore pollution, I think… … we will be judged by our grandchildren and great-grandchildren by how well we dealt with data, with individuals and their relationships to their data, in the information society.

    This echoes the Peter Drucker comment that I reference constantly in talks and with clients of my company where Drucker said that

    So far, for 50 years, the information revolution has centered on data—their collection, storage, transmission, analysis, and presentation. It has centered on the “T” in IT.  The next information revolution asks, what is the MEANING of information, and what is its PURPOSE?

    Bruce raises a number of other great points, such as how as a species we haven’t adapted to what is technically possible and the complexity of control is the challenge for the individual, with younger people having to make increasingly complex and informed decisions about their privacy and what data they put where and why (back to meaning and purpose).

    I really like his points on the legal economics of Information and Data. In college I really enjoyed my “Economics of Law” courses and I tend to look at legalistic problems through an economic prism (after all, the law is just another balancing mechanism for human conduct). I like them so much I’m going to park my thoughts on them for another post.

    But, to return to Bruce’s point that Data is the pollution problem of the Information age, I believe that that statement is horribly true whether we consider data privacy/protection or Information Quality. How much of the crud data that clutters up organisations and sucks resources away from the bottom line is essentially the toxic slag of inefficient and “environmentally unfriendly” processes and business models? How much of that toxic waste is being buried and ignored rather than cleaned up or disposed of with care?

    Is Information Quality Management a “Green” industry flying under a different flag?

  • Putting Teeth In the Tiger

    This post was originally published in August 2010 on the Irish Computer Society’s Data Protection Blog. I’ve copied it to here as it is my work and I want to put all my Data Protection musings in one place. Please feel free to go and look at it on the ICS site as well.

    The Information Commissioner’s office in the UK has recently flagged their lack of powers to the European Commission. This is slightly amusing for those of us working under the Irish data protection regime, who look at the powers that the UK ICO have to levy penalties for breaches of the UK Data Protection Act, compared to the relatively limited powers of the Irish Data Protection Commissioner to issue Enforcement or Prohibition Notices and only to take prosecutions for breaches of the e-privacy regulations.

    Of course, the Irish Commissioner does have the power since the 2003 Act to conduct audits and investigations on their own account (i.e. not on foot of an actual complaint). The UK ICO has limited powers by comparison. Likewise, they lack Data Breach provisions equivalent to those that the Irish Data Protection Commissioner introduced last month (but there are plans to introduce them in the UK soon).

    There is a new draft Data Protection Directive in the pipeline (albeit stalled at the request of the French to allow sufficient time for effective consultation). Just as Directive 95/46/EC (the root of Ireland’s 2003 Data Protection Amendment Act) was introduced to address divergences in the implementation of the previous Convention on Data Privacy (Convention 108), it is likely that this revised directive will seek to address some of the remaining areas of divergence in national laws which implement Directive 95/46/EC. One area which is likely to be addressed will be the nature and type of penalties which will be applicable to various categories of breach.

    The drafting of the revised Directive has been delayed. Even when the Directive comes into being, the Irish Government’s track record in implementing Data Protection regulations in a timely manner has been less than impressive. So it may well be that, from the point of view of EU mandated changes, we could be in for a long wait.

    However, there is a significant elephant in the room. The State needs to balance the books. The two traditional levers which can be pulled by the State are either Taxation or reductions in spending. Both of these levers are politically difficult to pull. Increasing taxes creates resistance and revolution (increases in taxation historically trigger revolutions, particularly taxes on property or on the middle classes). Cutting spending likewise creates resistance and exacerbates social disadvantage (in many cases undoing valuable work previously done using tax euros).

    Both of these are on the current agenda.

    Of course, there is a third lever which can be used to generate revenue for the State and which can (at least in the short to medium term) bring about a change in behaviour. That third lever is the levying of fines and penalties. While this lever may not contribute as quickly or substantially to balancing the books, it would be remiss of the government to overlook any potential source of revenue at this time. And this revenue would be generated on foot of behaviour which is illegal under legislation which has been in existence for a number of years, and (unlike a tax) it can be avoided by simply taking the necessary steps to comply with the legislation.

    The introduction of such penalties would require a minor amendment to the existing legislation.

    So, given that there are indications emerging which suggest upcoming changes to standardise the types of penalty which will apply to breaches of the Data Protection regulations across the EU27 States, and that the State has an increasingly urgent need to generate revenue, I would not be surprised if we were to see some changes in the Data Protection legislation in Ireland sooner rather than later which would introduce some penalties which will put some additional teeth in the Data Protection Commissioner’s enforcement powers.

    But this is only a worry for anyone who isn’t complying with the Data Protection Acts. The prudent course of action for anyone processing personal data would be to make sure that they get their house in order ahead of any potential changes, either emerging from Europe or from the Government’s need to claw in as much income as possible.

  • Personal Data – an Asset we hold on Trust

    There has been a bit of a scandal in Ireland with the discovery that Temple St Children’s Hospital has been retaining blood samples from children indefinitely without the consent of parents.

    The story broke in the Sunday Times just after Christmas and has been picked up as a discussion point on sites such as Boards.ie. TJ McIntyre has also written about some of the legal issues raised by this.

    Ultimately, at the heart of this is a fundamental issue of Data Protection Compliance and a failure to treat Personal Data (and Sensitive Personal Data at that) as an asset (something of value) that the Hospital held and holds on trust for the data subject. It is not the Hospital’s data. It is not the HSE’s data. It is my child’s data, and (as I’m of a certain age) probably my data and my wife’s data and my brothers’ data and my sisters-in-law’s data…

    It’s of particular interest to me as I’m in the process of finishing off a tutorial course on Data Protection and Information Quality for a series of conferences at the end of February (if you are interested in coming, use the discount code “EARLYBIRD” up to the end of January to get a whopper of a discount). So many of the issues that this raises are to the front of my mind.

    Rather than simply write another post about Data Protection issues, I’m going to approach this from the perspective of Information as an Asset which has a readily definable Life Cycle at various points in which key decisions should be taken by responsible and accountable people to ensure that the asset continues to have value.

    Another aspect of how I’m going to discuss this is that, after over a decade working in Information Quality and Governance, I am a firm believer in the mantra: “Just because you can doesn’t mean you should”. I’m going to show how an Asset Life Cycle perspective can help you develop some robust structures to ensure your data is of high quality and you are less likely to fall foul of Data Protection issues.

    And for anyone who thinks that Data Protection and Data Quality are unrelated issues, I direct you to the specific wording in the heading of Chapter 2, Section 1 of Directive 95/46/EC.

  • Bank of Ireland – again

    The Irish Times today reports that Bank of Ireland are again investigating incidents of double charging of customers who use LASER cards.

    I wrote about this last month (see the archives here), picking up on a post from Tuppenceworth.ie earlier in the summer. I won’t be writing anything more about the issue (at least not for now).

    Looking back through my archives I found the picture below in a post that I’d written back in May when Simon on Tuppenceworth first raised his issue with BOI’s Laser Cards.