It’s time for my annual “roll a data protection hand grenade under something†blog post. Every year I try to be topical. And I try to apply a similar approach to spotting risks and getting them on the table for discussion as I do when conducting Privacy Impact Assessments or Compliance reviews. Only I’m less formal here.
This year my interest has been piqued by the new Household Charge which the government has introduced. Citizens are required to register for this tax at a specific website which is ostensibly (from the logo header) under the control of the Department of Environment Community and Local Government.
But a number of things about this whole process wrankle with me from a Data Protection point of view. Let me be clear – I am not opposed per se to a property tax. I think however it should be fair and should reflect not just the value of property but the ability of the individual to pay. After all, in Ireland we have a generation of people living in properties that are worth a lot less than they were when purchased with people struggling to pay mortgages – increased charges are yet another burden that should be levied carefully.
The website
Cookies
Looking at the website the first step is to check for compliance with SI336 (ePrivacy Directive) which requires that cookies can only be used with consent unless the cookies are necessary for the delivery of the information age service that the individual is seeking to avail of. Using the “View Cookies†add on in Firefox it is possible to see a listing of the cookies that a website is writing to your device.
On the home page a set of cookies starting with “_utm†are being written. These are tracking cookies written by Google Analytics, the popular analytics tool used by millions of websites the world over.
No mention is made in the Privacy Statement that accompanies the website about their use of Google Analytics [Update: The privacy statement was updated this afternoon to include the text referenced below… well done to who ever acted on that to fix it]. This is a breach of the Terms of Use of Google Analytics, which clearly states:
8. PRIVACY
8.1 You will not associate (or permit any third party to associate) any data gathered from Your Website(s) (or such third parties’ website(s)) with any personally identifying information from any source as part of Your use (or such third parties’ use) of the Service. You will comply with all applicable data protection and privacy laws relating to Your use of the Service and the collection of information from visitors to Your websites. You will have in place in a prominent position on your Website (and will comply with) an appropriate privacy policy. You will also use reasonable endeavours to bring to the attention of website users a statement which in all material respects is as follows:
“This website uses Google Analytics, a web analytics service provided by Google, Inc. (“Googleâ€). Google Analytics uses “cookiesâ€, which are text files placed on your computer, to help the website analyze how users use the site. The information generated by the cookie about your use of the website (including your IP address) will be transmitted to and stored by Google on servers in the United States . Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity for website operators and providing other services relating to website activity and internet usage. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google’s behalf. Google will not associate your IP address with any other data held by Google. You may refuse the use of cookies by selecting the appropriate settings on your browser, however please note that if you do this you may not be able to use the full functionality of this website. By using this website, you consent to the processing of data about you by Google in the manner and for the purposes set out above.â€
The emphasis in bold is mine. What Google requires is for people using GA to put in place a Privacy Statement but that that Privacy statement needs to clearly detail the use of Google Analytics, the fact of data transfer to the US, the purposes to which the data will be used etc.
The Privacy Statement on HouseholdCharges.ie does not do this.
Because the Privacy Statement on HouseholdCharges.ie doesn’t do this I would argue that, even on the first visit to the site, before you type anything, the site is operating in breach of SI336 as there is no means by which a user would be able to find information about the cookies that are being written and provide consent other than by blocking cookies entirely using their browser.
This is despite the admittedly very clever use of URL redirection as an alternative path for people to navigate the site if they have turned cookies off in their browsers. But the wording around this in the Privacy statement ignores that the site actually writes third party persistent cookies from Google, and Google requires them to tell you that (as well as SI336).
Privacy Statement – Fit for Use?
Another concern I would have is with the loose wording and phrasing in the Privacy statement. The Data Protection Commissioner’s Audit report on Facebook cautioned strongly against the use of open-ended consents and non-specific specific purposes. Yet here we see clear examples of this within this Privacy Statement.
Well, actually we don’t. There is no statement about the purposes for which the data is actually being processed. And that’s just the beginning of it.
IP or Not to IP, that is the question.
The Privacy statement proclaims that for “general web browsing†they may capture the “logical address†of the server you connect to the site from. Unless I am horridly mistaken that is the IP address. And that would be the IP address assigned to your broadband connection. Which is Personal Data, as eircom have recently found out. And there is no ‘may’ about it. The data is captured by Google Analytics (see above) and any other stats tools the Department might have.
So. Personal data is being processed even if you are just browsing. Privacy statement is misleading in this regard and should be clarified.
Who’s the Daddy.. I mean Data Controller?
Frankly this thing is a mess. There is a horrendous lack of clarity about who is http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2010/wp169_en.pdfactually governing the processing of the data. Is it the Department (as it appears from the top right hand corner of the website)? Is it the LGMA (the collective IT department for most Local Authorities)? Is it the Local Authorities (as was set out in the legislation)?
Or to put it another way… who would the Data Protection Commissioner expect to get a call from if there was a security breach relating to this data?
If the Department is defining the format and structure and purpose of the data, they are the Data Controller as per the Article 29 Working Group Opinion1/2010.
Local Authorities collecting revenues on behalf of the Department would be Data Processors. The LGMA, as an entity acting to provide support services to Local Authorities would be a Data Processor (albeit further down the chain of processors).
What contractual or similar arrangements are in place governing this processing? Is there a clear governance structure established to ensure that breaches or problems are identified and dealt with in a timely manner?
What I’d have expected to see would be something along these lines:
This Household Charge is being administered by the Department of the Environment (the Data Controller). It is being collected on behalf of the Department by Local Authorities (Data Processors). As part of the support functions they provide to Local Authorities the Local Government Management Agency is providing hosting and technical support services for this collection facility, also as a Data Processor. REALEX payments are providing a secure payment processing facility that is certified to ISO27001 and meets the PCI-DSS security standards for credit card security.
Funds will be dispersed from the Department to each Local Authority as part of their budgetary allocations during the year.
It’s a bit clearer who is doing what. But the question is whether that actually matches what the enabling legislation for this charge actually said.
Don’t tell me the what, show me the why?
The Privacy Statement tells me that
Data collected on this site is gathered for the purpose of processing household charge payment transactions. This data may be reused in future years for notifications regarding liability for household charge properties.
So the purposes for which the data is being processed are:
- Processing a payment for the charge this year.
- Sending a bill to me for the charge next year.
No other purpose (statistical, strategic, or operational) is put forward for the processing of the information which is requested by the site.
What information is required to send me a bill?
- My name
- My postal address
- My email address (should be optional if I don’t want to rely on electronic billing)
Which begs the question: Why is my PPSN number being requested given the particularly protected status of the PPSN in Irish law, a position I know from a client engagement last year that the DPC takes VERY seriously indeed.
Quite apart from the limited scope that exists under Irish law to actually ask for and process a PPSN (which affects the “lawful purpose†of processing, the simple question under the Data Protection rules is whether, given that it is not necessary to have my PPSN to process a payment and send me a bill next year, why is this information being asked for.
If there is a secondary purpose (such as the development of a Property register which can be used as the basis of a valuation system in subsequent years) this should be stated as a specific secondary purpose in the Privacy statement.
If Facebook is not permitted to be sneaky with Scope Creep in their Privacy Statements, the Government should be be either.
I’ll post more on this as I get time to poke around a bit more.
