The missing link in Compliance and Governance

Over the years I’ve done a lot of work in the area of Regulatory Compliance and Information Quality. Whether it is Data Protection, Information Quality, Governance or Compliance, it is important to bear in mind that what we are dealing with is a Quality Management System:

  • Data Protection Compliance is the Quality System whereby the obligations and expectations which arise under Data Protection/Privacy laws are met consistently
  • Information Quality programmes involve, by definition, the implementation of a Quality Management System
  • Information/Data Governance… well, that’s another form of Quality Management System
  • Complying with other forms of industry or Governmental regulation… well, the best way to achieve those objectives is through some form of systemic approach to meeting or exceeding expectations.

In my experience Compliance and Governance initiatives and strategies tend to fall into three camps:

  1. Documentation Driven by “Rules Wizards”, with extensive policy and procedure documentation, usually from the comfort of an Ivory Tower in the Business that is comfortably removed from GEMBA
  2. Technology Triggered by “Techno-Lords”, usually from within the bowels of the organisation’s IT department, which is also often at a distance from the place where the work is actually getting done.
  3. Awareness and Attitude Oriented: Driven by a “Coalition of the Willing”, with a focus on policy that is actually executed through the appropriate use of supporting technologies and a strong focus on the “Human Factors” that lead to awareness and understanding of the required changes.

Often it is difficult to see which kind of initiative you are dealing with. In organisations that have a “Document Driven” approach, management take comfort in the fact that they have documented procedures and policies for everything, and therefore assume everything is under control. In “Technology Triggered” initiatives, the management of the organisation places a blind faith in the power of technology to protect, prevent, detect, and mitigate issues.

Both approaches are doomed to failure. Neither, no matter how sophisticated, can ever deliver anything other than “small ‘c’” compliance, because Quality Systems are about more than just documentation or technology. Real quality requires a sustainable change in attitudes and awareness. After all, Deming’s first two points of Management Transformation are not “Write documents” or “Get good technology”: they are “Create a Constancy of Purpose” and “Adopt the New Philosophy”.

Purpose and Philosophy require that the organisation look at the attitudes that are already there. It is important both to understand and articulate a Vision for the Quality System… and to make sure that that Vision is embedded in the mind-sets and attitudes of the staff in the organisation.

At a conference in London in 2005 Joyce Orsini of Fordham University shared a story with me of a trip W. Edwards Deming (she was working with Deming at the time) took to an automobile manufacturer in the US in the mid 1980s. On this trip the plant manager took great pride in showing off the robots (technology) that they were using to manufacture the cars. Deming noticed that every time the robot arm swung over the car it dented the boot (trunk) lid of the car. He asked if this was part of the Quality Standard (Policies). The Plant Manager said no, it wasn’t, but they had a man at the end of the production line with a hammer to knock the dent back out.

A lack of awareness about the operation and objectives of the Quality System, and about what it meant as a value system, meant that no-one in the plant seems to have questioned how the Quality System was actually operating.

Without Awareness and Attitude the investment in Documentation and Technology that form part of the Quality System will ultimately have sub-optimal return.

Mobile phone hacking and the e-Privacy Regulations

Given the recent furore about the News of the World and other tabloids engaging in unauthorised access to voicemails, I thought it might be worth pondering the potential Irish legal situation. Now, I’m not a lawyer. This post is intended to work through some of the relevant legislation and the potential issues that might arise in Irish law. It is not legal advice. I fully expect members of the Irish legal blogging community to leap in and make comments and corrections as needed.

The law

There are a few pieces of legislation in Ireland that would come into play here:

  1. The Data Protection Acts 1988 and 2003
  2. The Criminal Damage Act 1991
  3. The Criminal Justice (Theft and Fraud Offences) Act 2001
  4. The Postal and Telecommunications Services Act 1983
  5. Interception of Postal Packets and Telecommunications Messages (Regulation) Act 1993
  6. The ePrivacy Regulations 2011 (http://www.dataprotection.ie/documents/legal/SI336of2011.pdf)

The Data Protection Acts

The Data Protection Acts require that personal data be obtained and processed fairly.

Journalistic exemptions to this and other provisions of the Acts exist under s22A, but only insofar as there is an actual intent to publish a story or other work based on the information which has been obtained. So… if a journalist and/or a private eye in the pay of a newspaper were to obtain personal information about Celebrity A on foot of a fishing trip through the voicemails of celebrities A through F when there was no intent to publish a story about Celebrity A until such time as the information was obtained, then the journalist might not be able to rely on their exemptions under the Acts. The protection of the right to Freedom of Expression is only protected where there is an intent to actually express something, and if the publication of that story is in the Public Interest (which is a thorny topic I won’t delve into here).

Criminal Damages Act 1991 and Criminal Justice (Theft & Fraud Offences) Act 2001

Journalists who engage in unauthorised access to voicemails may also be committing an offence under the Criminal Damages Act 1991. This Act makes it an offence to access information without authorisation and to modify that information, whether or not that modification has an adverse effect. Listening to a voicemail modifies the content and nature of the information (at the very minimum changing a flag from “new” to “listened to”). The Act does make use of the word “computer”, which would suggest to a lay person that it would only be an issue if a device meeting the traditional view of a computer was used. However, the term is undefined and as such it is open-ended as to what type of device might meet the legal test of a “computer”. In that regard, the definition applied in the Data Protection Acts (“a device operating automatically in response to instructions”) might be relevant.

So… accessing a voice mail box (which is itself stored on a device operating automatically in response to instructions, i.e. a computer of some sort) without permission and listening to the recording is likely to be a criminal offence in Ireland, given the breadth of the definitions in play.

This is doubly so when the Criminal Justice (Theft and Fraud Offences) Act is taken into consideration. It provides for an offence of “dishonestly” using a computer or causing a computer to be used within the jurisdiction of the State. The big questions to answer here are:

  • What’s a computer?
  • What’s dishonest?

It might be argued that going on a fishing trip for personal data without any prior formed intent to publish a specific story about a specific individual could constitute dishonesty.

The 1983 and 1993 Acts

Section 98 of the 1983 Act deals, in the first instance, with a general prohibition on the interception of “telecommunications messages”. In short… it’s illegal except in certain defined circumstances. Interception is defined as being

“listening to, or recording by any means, or acquiring the substance or purport of, any telecommunications message without the agreement of the person on whose behalf that message is transmitted by the company and of the person intended by him to receive that message”

The term “telecommunications message” is not actually defined in the legislation, which creates an interesting situation when you consider that this Act was drafted in the early 1980s when there was no digital voice mail, no email, limited use of fax services, and (importantly) when there was only one company laying cable and connecting people to a telecommunications network in Ireland. Significantly, the 1983 Act only applies to telecommunications services which require a license… which would exclude a lot of on-line communications tools such as VOIP, web-based email or IM chat.

The 1993 Act deals essentially with phone tapping and interception of postal packets. The legislation is couched in terms suggesting that data at rest (e.g. a voice mail recording sitting on a server or an email sitting in a mail host somewhere) may not be covered.

Digital Rights Ireland argued in 2009 that the framework in place under the 1983 and 1993 legislation most likely did not cover most on-line activities and as such there was, strictly speaking, no clear legislative prohibition on the interception of SMS, email, VOIP etc., technologies which simply did not exist at the time the legislation was being drafted and as such probably left the State falling short of their obligations under the ePrivacy Directive.

The European Commission rejected DRI’s submission at the time.

Electronic Privacy Regulations

The new electronic Privacy Regulations place mobile phone operators in an interesting position with regards to phone hacking. The means by which voicemails were accessed, in the main, appears to have been default voicemail passwords being left unchanged. This is a security weakness in mobile phones and, for that matter, fixed line services which provide a voice mailbox service.

For example, for most mobile phone operators, the default password for a voicemail account is 0000. In many fixed line systems, the password might be 1234. Failing to change this password leaves the data which is being recorded in the mailbox unsecure.

The complication in Irish law for the telcos is that section 4 of the EPrivacy Regulations (SI 336 of 2011) requires providers of electronic communications services to

  1. Ensure appropriate security safeguards so that data is only accessed by authorised persons, with respect to the state of the art and cost of implementing (section 4(1))
  2. Ensure that the security measures can protect against accidental or unlawful destruction, accidental loss or alteration, and unauthorised or unlawful storage, processing, access or disclosure (section 4(2)(b))

Section 4(4) is the doozy I feel.

In the case of a particular risk of a breach of the security of the public communications network, the undertaking providing the publicly available electronic communications service shall inform its subscribers concerning such risk without delay and, where the risk lies outside the scope of the measures to be taken by the relevant service provider, any possible remedies including an indication of the likely costs involved.

My reading of that section is that mobile phone and landline operators who apply default passwords to voicemail accounts need to be more proactive about alerting customers to the risk and, ideally, implement a process which mitigates or eliminates the risk (such as having a randomly assigned password associated with a voicemail box that is SMS’d or posted to the customer – just like bank security codes for on-line banking). I’ve asked the Data Protection Commissioner about it and it appears that my reading is, by and large, correct.
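The two controls described above (find the mailboxes still on a vendor default, and provision a random per-mailbox PIN delivered out of band) can be shown in working code. This is an added example, not code from the original post or from any operator; the mailbox record layout, the six-digit PIN policy and the sample mailbox store are constructed assumptions. The known defaults (0000 and 1234) are the ones named in the post. The audit works against salted PIN hashes, so the check never needs plaintext PINs in the store:

```python
"""Added example (not from the original post): audit voicemail mailboxes for
vendor-default PINs and provision random per-mailbox PINs instead.
Record layout, PIN length policy and sample data are constructed assumptions."""
from __future__ import annotations

import hashlib
import hmac
import secrets

DEFAULT_PINS = ("0000", "1234")   # the mobile / fixed-line defaults named in the post
PIN_LENGTH = 6                    # assumption: operator policy for newly issued PINs


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the mailbox store never holds a plaintext PIN."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 50_000)


def make_record(msisdn: str, pin: str, pin_source: str) -> dict:
    """Build one mailbox record (constructed format) with a fresh random salt."""
    salt = secrets.token_bytes(16)
    return {"msisdn": msisdn, "salt": salt,
            "pin_hash": hash_pin(pin, salt), "pin_source": pin_source}


def is_weak_pin(pin: str) -> bool:
    """Reject the known defaults plus trivially guessable patterns
    (all one digit, or a strictly ascending run like 123456)."""
    if pin in DEFAULT_PINS or len(set(pin)) == 1:
        return True
    digits = [int(c) for c in pin]
    return all(b - a == 1 for a, b in zip(digits, digits[1:]))


def generate_pin(length: int = PIN_LENGTH) -> str:
    """Cryptographically random numeric PIN, re-drawn if it hits a weak pattern."""
    while True:
        pin = "".join(secrets.choice("0123456789") for _ in range(length))
        if not is_weak_pin(pin):
            return pin


def provision_mailbox(msisdn: str) -> tuple[dict, str]:
    """Create a mailbox with a random PIN. The caller sends `pin` to the
    subscriber out of band (SMS or post, as the post suggests) and then discards it."""
    pin = generate_pin()
    return make_record(msisdn, pin, "random-provisioned"), pin


def uses_default_pin(record: dict) -> bool:
    """Audit check: does this mailbox still open with one of the vendor defaults?
    Compares hashes in constant time; no plaintext PIN is read from the store."""
    return any(
        hmac.compare_digest(hash_pin(candidate, record["salt"]), record["pin_hash"])
        for candidate in DEFAULT_PINS
    )


def audit(records: list[dict]) -> list[str]:
    """MSISDNs whose subscribers should get a risk notice and a forced PIN change."""
    return [r["msisdn"] for r in records if uses_default_pin(r)]


# Constructed sample mailbox store: two subscribers never changed the default.
SAMPLE_MAILBOXES = [
    make_record("+353870000001", "0000", "vendor-default"),
    make_record("+353870000002", "739115", "subscriber-set"),
    make_record("+353870000003", "1234", "vendor-default"),
    make_record("+353870000004", "482907", "subscriber-set"),
]

if __name__ == "__main__":
    print("mailboxes still on a default PIN:", audit(SAMPLE_MAILBOXES))
    record, pin = provision_mailbox("+353870000005")
    print("provisioned", record["msisdn"], "- PIN to send by SMS, then discard:", pin)
```

The point of the hashed audit is that the operator can run it across the whole subscriber base without ever keeping PINs in the clear; the customers it lists are exactly the ones the section 4(4) notice obligation is aimed at.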

And as the SI implements an EU wide directive this could get interesting in light of the NoTW noises.

Conclusion

The world of telecommunications and person to person linking using tools like VOIP, SMS, Instant messaging, voice mail, email, and “Unified Communications” which we find ourselves in today was almost unimaginable even fifteen years ago. I can recall that when I started working with a large telco in the summer of 1997 digital voice mail was a massively new-fangled thing. Had you told me then that I would be getting voicemails emailed to me from a virtual VOIP phone system, which I could open and read or listen to on my mobile phone, I’d probably have laughed.

But that is what we do every day now.

The legislation may not have kept pace. However, where the legislation has caught up, providers of telecommunications services need to do their bit to raise awareness and understanding of how the world may have outstripped the law (at least for now).

I invite any comments or corrections from more learned colleagues.


Bank of Ireland Customers – check your balances

As the May Bank Holiday draws to a close, I’d like to remind customers of Bank of Ireland that they should take a careful look at their account balances this week if they have been using laser (debit card) or ATM services over the weekend. If you do find you’ve been ‘double-dipped’, please let me know via this blog.

Image caption: Double Dip - Nice Confectionery but leaves a bitter taste if it happens to your bank account

Laser-like accuracy

Word reaches me this morning of yet another incident of Bank Of Ireland double-dipping laser card transactions on or around a Bank Holiday.

BOI will, doubtless, claim that this is a once off and hasn’t happened before. That’s what they said the last time (when it had actually happened before). Furthermore, I hope that BOI are more certain this time as to the root cause (last time out it was variously “retailer error” or “a software upgrade glitch”).

And hopefully their process for catching the “shadow transactions” which lead to the double-dipping will kick into play and actually refund the customers affected (which, if this glitch is on the scale of their 2009 one, could be up to 200,000 card holders).

For reference the relevant blog posts are:

http://obriend.info/2009/09/09/bank-of-ireland-double-charging/

http://obriend.info/2009/09/09/bank-of-ireland-double-charging-a-clarifying-post/

http://obriend.info/2009/09/10/bank-of-ireland-overcharging-another-follow-up/

http://obriend.info/2009/10/28/bank-of-ireland-again/

The issue also featured over on IQTrainwrecks.com.

My €0.02: This issue appears to manifest itself around Bank Holidays. This suggests a batch load process or some human triggered action doesn’t work correctly when there is a Bank Holiday. Having a process to detect the double-dipped transactions is not a fix, because if it doesn’t work (as seems might be the case here) then the incorrect data gets through.

BOI might want to pay attention to Ferguson v British Gas, which while a UK case, could be arguable precedent for the view that Irish Courts won’t care how complex your IT systems are if a customer is impacted through a failure of your systems to process information correctly.

BOI need to identify the precipitating root cause of this problem, based on the data they have available… I’d start with looking at the dates of incidents (BOI should have more data than newspaper headlines to go on) and seeking to confirm or disprove the ‘Bank Holiday hypothesis’.

Relying on a ‘scrap and rework’ kludge that might itself fail is not a sustainable approach to ensuring information quality or quality of customer service.
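To make the contrast between a detect-after “scrap and rework” check and a fix at source concrete, here is an added example (not code from the original post or from Bank of Ireland; the batch format, the `auth_ref` field and the sample batches are constructed assumptions). A loader that keys postings on the authorisation reference simply cannot post the same debit twice when a batch is replayed after a holiday, whereas the after-the-fact scan has to guess from card, merchant, amount and date:

```python
"""Added example (not from the original post): idempotent batch posting of card
transactions versus a detect-after scan for double-dipped entries.
Batch layout, the auth_ref field and all sample data are constructed assumptions."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class CardTxn:
    auth_ref: str      # assumption: unique authorisation reference from the card scheme
    card: str          # masked card number
    merchant: str
    amount_cents: int
    value_date: str


class Ledger:
    """Posts by auth_ref, so replaying a batch (e.g. a retried bank-holiday load)
    posts nothing new and the customer is never debited twice."""

    def __init__(self) -> None:
        self.posted: dict[str, CardTxn] = {}
        self.rejected: list[CardTxn] = []   # duplicates kept for investigation, not debited

    def post_batch(self, batch: list[CardTxn]) -> int:
        for txn in batch:
            if txn.auth_ref in self.posted:
                self.rejected.append(txn)
            else:
                self.posted[txn.auth_ref] = txn
        return len(self.posted)

    def balance_impact(self, card: str) -> int:
        """Total debited against one card, in cents."""
        return sum(t.amount_cents for t in self.posted.values() if t.card == card)


def naive_posting(*batches: list[CardTxn]) -> list[CardTxn]:
    """A loader with no idempotency key: every line of every batch is posted."""
    return [t for batch in batches for t in batch]


def find_double_dips(postings) -> list[tuple]:
    """The detect-after approach: look for posted entries that share card,
    merchant, amount and date. A genuine repeat purchase on the same day
    matches too, which is why this can only be a detective control."""
    key = lambda t: (t.card, t.merchant, t.amount_cents, t.value_date)
    counts = Counter(key(t) for t in postings)
    return sorted(k for k, n in counts.items() if n > 1)


# Constructed sample: Friday's batch, then the same file replayed after the holiday.
FRIDAY_BATCH = [
    CardTxn("AUTH-0001", "4***1234", "Grocer A", 4599, "2011-04-29"),
    CardTxn("AUTH-0002", "4***1234", "Rail ticket", 1200, "2011-04-29"),
    CardTxn("AUTH-0003", "4***9876", "Grocer B", 8250, "2011-04-29"),
]
REPLAYED_BATCH = list(FRIDAY_BATCH)   # stand-in for the glitch: identical file loaded twice

if __name__ == "__main__":
    naive = naive_posting(FRIDAY_BATCH, REPLAYED_BATCH)
    print("double-dips found by after-the-fact scan:", find_double_dips(naive))
    ledger = Ledger()
    ledger.post_batch(FRIDAY_BATCH)
    ledger.post_batch(REPLAYED_BATCH)
    print("idempotent ledger posted", len(ledger.posted), "rejected", len(ledger.rejected))
```

With the idempotent ledger the replayed batch produces three rejections and no extra debits; the detect-after scan only finds the problem once the wrong balances already exist, which is the author's point about rework not being a fix.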

Doing the right thing

So, imagine for a moment that you have just found out about a technology that, according to the sales person, will have an immediate impact on preventing children being abused, tortured and worse. Imagine you’ve been told that it won’t require you to do a thing, that it will operate “out there” (possibly in “The Cloud”) and perform its function on your behalf without you having any need to actually do anything yourself to put the processes in play.

How much would you, personally, pay for such a technology? €1 a month? €5 a month? €10 a month?

What if it turned out that:

  1. The technology actually didn’t stop the hurt or damage to children, just made it a little harder for people who paid for access to images of that to get at it and, at best, curtails demand slightly
  2. Was relatively easily circumvented using free or low cost tools
  3. Had been found not to work in other countries where it had been made available, with innocent individuals and businesses suffering due to poor quality data existing in the processes which meant they were tagged as “offending” and were being closed off from their market (in the case of businesses) or from their legitimate personal activities (in the case of individuals).

That’s what the Irish police have asked ISPs to do with their recent requests to implement IP filtering, outlined by Digital Rights Ireland today. IP Filtering has been found to be ineffective in the Netherlands, has had declining effectiveness in the UK, and doesn’t actually address the problem of the images being accessible on the Internet. In Australia a leaking of the black list revealed valid businesses that had no child porn content, with almost 50% of the list being unrelated to the target intent of controlling access to images of child pornography (thanks to DigitalRights.ie for the linked stories).

A far more effective approach is to get the images removed from the sites that are hosting them. Perhaps this is problematic and onerous. Let’s look at some statistics:

  • Of the 72 requests to remove images of child pornography made by the UK’s Internet Watch Foundation in 2010, a paltry 100% were complied with in a geological “few hours” (source: BBC report on IWF’s Annual Report)
  • Researchers in Germany working with AK-Zensur.de found that the 3 active sites on the sample of watch list data they worked with were taken down within 90 minutes of requests being made to hosting companies and/or domain registrars. In each case the images had been blocked but were still on-line for up to 2 years.

So… making requests to the hosting providers tends to be effective at removing the problem at source. Indeed, a draft EU Directive is calling for exactly that approach to be taken.

Which leaves us back at the start, asking the question about how much you’d be willing to pay to have such a technology in place to block access to sites. Because a price will have to be paid in some way and in some form. On one hand, Irish telcos are not exactly awash with cash at the moment and the implementation of any blacklisting process will require some governance and resourcing (both technology and people) which will come at a price. Currently there is no proposal that the State would contribute to this cost, and the model of the Data Retention regulations would suggest that no such stipend would be forthcoming.

So the cost of web filtering would likely have to be borne by the ISP. Which would mean either higher bills or reduced investment in other areas, as the money would have to be found somewhere (it is worth remembering in this context that eircom is currently trying to restructure its debts and cut costs by €92 million). So, realistically, the costs will emerge somewhere on your bill. How much are you willing to pay for technology that doesn’t achieve its goals?

The other price to pay is the privacy cost.

The Garda proposal is, to my reading, an outrageous trampling of personal privacy rights while they take a lump hammer to swat a fly. In essence, it amounts to a “guilty until proven innocent” position where inadvertent access will need to be explained by way of the ISP giving EVEN MORE data to the Gardaí about an individual’s browsing history. As Digital Rights Ireland point out in their letter to the Data Protection Commissioner about these measures, such disclosures might actually be illegal in and of themselves under other legislation. And if your domain name can identify you as an individual there is always the potential for your personal reputation to be damaged if you are put on the blacklist in error, given the text of the “stop page” message.

  • Whatever happened to “Adequate, Relevant, and Not Excessive”?
  • And how bullet proof are you against malicious uploading of content to your website anyway?

It would seem that the only entity not incurring a cost in the entire equation is the Gardaí, as their letter does not outline any form of “right of reply”, any avenue for validating or correcting entries on any black list which might be created, or any form of judicial oversight or regulation of the powers which the Gardaí are taking upon themselves in this context. Who do I contact if my business site is compromised, becomes a host for offensive content (if only for a few hours until it is spotted and removed) and is blacklisted? What steps have the Gardaí taken to ensure that they don’t mirror the Thai experience, where a blacklist introduced to control access to child pornography has experienced “scope creep” to include any criticism of the Royal family, or the Australian experience where, according to one expert:

“It seems to me as if just about anything can potentially get on the list”

Doing the right thing is very important. But equally important is doing the thing right. Internet filtering is ineffective as a tool. It is the equivalent of telling one part of a town they can’t shop in B&Q while the rest of the town sates their bricolage requirements at the “banned” store.

An analogy to the Garda proposal is this: Anyone entering certain areas of the country (“black-zones”) would be overtly tagged as probable criminals by reason of their being in that location. They might even be given a badge to wear at all times as a result. Where they are ‘just passing through’, the probable criminal will need to provide evidence of their normal habitual movements to the authorities so they can satisfy themselves that the visit was accidental or as a result of an unexpected detour. Residents will not be told about their status as a “black-zone” and will have no ready right of appeal or opportunity to challenge the designation. Visitors will be told they are about to enter a “black-zone” that hosts criminal elements and activity by way of a large sign on the side of the road.

Would that be acceptable in Irish society?

Internet blocking is ineffective. The current proposal lacks sufficient checks and balances, and may even require ISPs and telcos to break other laws to comply. It will inevitably result in innocents being tarred as offenders. Data Protection principles (such as “Adequate, Relevant, and Not Excessive”) are being blatantly ignored to implement an ineffective solution.

Far better is to shut down the shop by removing the images at source and invest time, energy, and resources into a more transparent effort to manage this issue.

Data Breach Code of Practice

A while back I had the privilege of being part of a group who formulated submissions to the Data Protection Commissioner regarding the Data Security Breach Code of Practice.

That Code of Practice was presented to the Minister for Justice in July 2010, long before the dissolution of the Dáil in January 2011. There was one administrative step required to give it full legal effect. That step has not yet been taken.

Apparently, carelessness with Personal Data (and, in the case of the Security Breach Code of practice, financial data as well) would appear not to be a ‘real crime’ in the eyes of the Dept of Justice. Despite the fact that it costs the UK economy £27bn per annum.

Given that Fine Gael spearheaded moves to improve the protection of personal data privacy through a Private Members’ Bill proposed by Simon Coveney TD, and that during their election campaign they trumpeted the policy of “getting tough on white-collar crime”, perhaps they should start with a holistic view of the culture of business and begin with one common element across all business, whether it is Financial Services, Healthcare, Telecommunications, or plumbing – the fact that every business, at some level, processes personal data about individuals in order to conduct business.

What would I like to see from the new Govt which will take the reins of power in the coming week or so?

  1. Tie up the loose ends. Put the Code of Practice on a fully formed legal footing (and perhaps bump up the penalties that can be levied)
  2. Begin the process of renewing the Data Protection Acts. Even in advance of the new EU Directives in May and further down the road there are a number of things which can and should be done:
    1. Consolidate and simplify the legislation.
    2. Implement clear penalties for infringement of the Acts and penalise non-compliance
    3. Provide clear statutory frameworks to encourage compliance (e.g. Voluntary disclosure, whistleblower protections)
    4. Make clear the alignment between Data Protection regulation and other areas of good corporate governance.
  3. Require Enterprise Ireland and the various business development incubators that are promoting entrepreneurship to include some information/training/guidance on Data Protection principles and practice in their supports for start-ups (I’ve been through a Business Development programme and, despite the importance of personal data to the business models of 90% of the participants it was not even mentioned as a topic).
  4. Make the Office of the Commissioner revenue generating to a greater extent by having higher potential penalties and ensuring that prosecutions are taken to the fullest extent of the available penalties. In the UK the maximum penalty for a breach is £500k. Here it is, on a good day, only a fraction of that.

Finally, the Government should ensure that the Data Protection Commissioner has adequate funding, resources, and supports to properly conduct and execute their responsibilities under the legislation. Whether that is achieved through the absorption of other agencies into the Commissioner’s remit is a matter for the Government (and the Commissioner) to decide on.

In the interest of Electoral Balance

I’ve written previously about Fine Gael and their issues with avoiding Data Protection pitfalls during this current General Election.

Some people might have gotten the impression that I’m obsessed with Fine Gael. I’m not. I’m obsessed with Data, specifically the management of data and information in a manner that ensures quality outcomes through quality data governed with due regard to relevant legislation.

On courses I teach on Data Protection and Information Quality I often make reference to “The Joe Duffy Effect” to describe the brand impacts that can arise if organisations don’t take care to manage information as a complex and valuable asset. The term refers to Joe Duffy, a talk radio host on Irish radio. Joe enjoys taking the side of the common man, usually. Occasionally he makes a jape of not getting the point, whether by accident or design we may never know. But organisations who fall foul of the “Joe Duffy Effect” can find themselves fighting rear guard actions against an often intractable foe.

Last week Joe spoke with Jacob, a South African living in Ireland who had received a pre-recorded voicemail to his phone from Michael Martin. Jacob’s tale can be heard in Technicolour on the RTE website.

From the call we glean that:

  1. A voicemail was received by Jacob on the 9th of February with a pre-recorded message (which Jacob played)
  2. He has apparently received SMS messages from Fianna Fail with calls for volunteering and campaigning.
  3. He is not a member of Fianna Fail
  4. He has not asked for Fianna Fail to contact him and does not know where they got his number.
  5. The mobile in question is used as an internal work mobile and is not listed. His number is only listed with the Road Safety Authority.

In the broadcast Joe tells Jacob that we live in a democracy.

Correct. We live in a democracy. Specifically we live in democracy where we have decided that the Right to Privacy, while not absolute, is a right that must be defended. Just because we are a democracy it does not give politicians an automatic carte blanche to process data regardless of where or how it has been obtained. These rights to privacy are enshrined in law, in the Constitution and in EU Treaty obligations. Yes, there are balances, mitigations and exemptions with respect to how that right is exercised and protected – but it is still a democratic right of the individual.

During the course of the call, a comment from Fianna Fail was read out saying that they didn’t have Jacob’s number. That is at odds with the evidence – to wit: one recording. And if I’ve learned one thing from watching CSI, it is that evidence trumps counter claim every day.

So, what is the Data Protection issue here:

  • Fair Obtaining – Jacob is not a member of the party and was not aware of how his number came to be called and texted. Granted, his phone seems to be for work purposes, but the electronic Privacy regulations apply to business as well as personal data. Also, while he may use the phone for work purposes, a big question to ask here is who is paying the bill – him, or a company. If he pays the bill the phone may actually be a personal phone used for business purposes (Sole Trader data is a tricky area in Data Protection land).
  • Governance and control of data and/or data processors – Fianna Fail claimed not to have Jacob’s number. The fact that a Fianna Fail party message was left by voicemail and various SMS messages were sent to him suggests that they do. Or if not them, then someone working on their behalf. Under the Data Protection Acts, the Data Controller is responsible for the actions of the Data Processor unless the Data Processor acts outside the parameters of the formal contract in writing that governs the Data Controller/Data Processor relationship. So… while it may be true that FF HQ don’t have Jacob’s number, someone processing data on behalf of Fianna Fail does. Fianna Fail not knowing whether or not they had the data suggests a weakness in internal control and governance.
  • Accuracy – Joe D. suggested to Jacob that maybe the messages were being sent because of a wrong number. Personal data needs to be kept accurate and up to date. FF should have taken steps to correct the error rather than denying that they have the data. Ultimately FF carry the can for the actions of the Data Processor.

Of course, there is the distinction to be made between normal “direct marketing” and the processing of personal data by a candidate for elected office. Basically during an election personal data is “fair game” for politicians, provided they have obtained it correctly first and have clear consents for contact. Which puts the discussion of “auto dialling” or “power dialling” on the table. According to the Data Protection Commissioner’s website:

The use of automatic dialling machines, to call individual subscribers at random for direct marketing purposes, is prohibited, unless subscribers’ consent has been obtained in advance. Unsolicited fax messages to individual subscribers are likewise prohibited.

That is why it is important to know who the “subscriber” is to Jacob’s phone. If it is a limited company or similar legal entity, then it is not a call to an “individual” subscriber. If it is his phone or he is a sole trader or part of a partnership, then it is possible that he is an “individual subscriber” and as such the use of an autodialler to RANDOMLY call numbers for direct marketing would be illegal. Dialling from a preloaded list is OK. So long as the list has been fairly obtained and takes into account NDD Opt-out requests etc. And then there is the grey area of the Political exemptions from the Data Protection Acts.

The DPC has issued guidelines to all political parties before the election. My sense is that these guidelines may have been breached in this case.

During previous election campaigns, the Commissioner received numerous complaints from individuals in receipt of unsolicited SMS (text) messages, emails and phone calls from political parties and candidates for election. In many cases, the individual had no previous contact with the political party or candidate and was concerned at the manner in which their details were sourced. Subsequent investigations revealed that contact details were obtained from sources such as sports clubs, friends, colleagues and schools. Obtaining personal data in such circumstances would constitute a breach of the Data Protection Acts, as there would be no consent from the individual for their details to be obtained and used in this way.

So… Fianna Fail need to know where their Data Processors are getting their data from. The evidence says they have Jacob’s phone number (and who knows who else’s) but don’t know they have it. That suggests that the Data Controller is not in Control of the Data. Which is a problem in and of itself.

Fine Gael are not the only Data Protection flouters in this election. Fianna Fail have had their moments too. The Green Party STILL don’t have a Privacy statement. And I’m sure the others have slipped up along the way as well. But that is a discussion for another day.

There is oft a slip twixt tweet and twolicy

This blog post is basically the text of an audioboo I recorded at 9:30 this morning which has disappeared into the ether ne’er to be found.

Fine Gael have launched their “Twolicy Page”. I won’t comment on the hideous neologistic portmanteau that is “Twolicy”, other than to say that it seems to have been dreamed up by a pat.

What strikes me about the “Twolicy” page is that it is yet another import of an American election campaign tool into Irish Politics, particularly with the concept of the “E-Canvasser”. Fine Gael dynamically tell us that the E-Canvasser (perhaps some distant cousin of the “Cyber Reporter” who has emerged as the colour piece of the day on certain Irish current affairs shows?) will

knock on all cyber doors by delving into the depths of Facebook, Twitter, Youtube, Flickr and more! Through the simple medium of sending e-mails, facebooking and tweeting messages of support for Fine Gael you can pledge your commitment to fixing the Irish economy.

This is a strategy which exists to some extent in Irish politics even today. Many of the letters to Madame Editor are crafted examples of “Astroturfing” – something that appears to be a grass roots movement but is not. I first became aware of the concept back in 2002 when I spotted the Republican Party in the US running “GOPTeamLeader.com” (which, thanks to the interweb waybackmachine, I can bring to you in hideous technicolour). Basically the party recruits a team of volunteers who are tasked with sending “on-message” communications to the media (which in 2001 was the newspapers, TV, and radio). In return, the GOP provided a set of reward points (like Green Shield Stamps) which could be saved up and exchanged for rewards such as barbecues, autographed photographs of the Reichsfuehrer candidate, and (if memory serves me correctly) an RV.

Fine Gael liken this to door to door canvassing. However that analogy does not hold true because the Internet is not a housing estate or public street. Drop a bus load of eager canvassers on my door step and they will be able to

  1. See my house
  2. See my neighbours’ houses

They will not need to ask my neighbour to throw leaflets over my back wall. They will see the big sign in my hall window warning them of the fate that will befall them should they ring the bell and seek discourse (“Warning – political nut lives here”). And most of them are clued in enough to know that the “no canvassers” sticker in the window means that stuffing my letter box with bumph will just be providing stimulus to the paper recycling industry.

The Internet is different. Social media is different. Whoring out your personal contact list to a political party is different. And because it is different, we find ourselves to an extent in uncharted territory with regard to the Data Protection implications of Social Media driven Astroturfing.

Right now I have a contact list of 413 followers on Twitter for my personal account. I have a second Twitter account that is for my business. People who follow me know (from my profile and what I tweet about) that I’m a Data nut and I do data protection and information quality training, so content about those things will pop up in my timeline. People who follow me also know I’m a bit of a politics geek and enjoy holding our leaders to account. But I try to keep my business tweeting separate from my personal tweeting. And when I whore myself out too much on Twitter, I get friendly DMs from people or I get unfollowed.

This is because the contact details of my friends are information I have gathered for domestic purposes. As such the Data Protection Acts don’t apply. If I were to sign up to be an e-Canvasser (and I can’t get the image of a canvasser handing out bags of yokes out of my head) we would then face the question of whether I was still processing that data for Domestic use or whether I had become a Data Processor working on behalf of Fine Gael, a Data Controller.

The key question would seem to be how much control Fine Gael are exerting over the content and communication from their e-Canvasser Astroturfers, and whether they are offering any form of reward or incentive for people to encourage them to pimp out their domestic contact lists.

If Fine Gael are simply being “passive” and are relying on individuals to act on content that is made available, then there is probably no substantial issue here. It is a case of a person finding content on the web that they think would be of interest to their personal network. We do this every day. It is the way the social web works. Of course, that then raises the question of why they would need you to sign up to their team for this purpose… surely the type of political nut blogger who would retweet or repost their bumph would do so anyway without having to be officially flagged as an “E-Canvasser”?

If Fine Gael are being “neutral” and are simply flagging content to people who have signed up and asking them to do what they see fit with it, then this too is probably OK. The analogy would be the charity that Tweets out a fundraising message and asks their followers to retweet it to send the fundraising virally. The charity has not asked you to commit to being an active fundraiser on their behalf.

However, if Fine Gael are directing specific content to specific constituencies at specific times and are exercising control over the content of the messages that are being sent, then we are into a potentially problematic area.

The e-Canvasser would not be on the Fine Gael payroll. But they would be, in effect, processing personal data on behalf of Fine Gael as part of the “Fine Gael Team”. It would be interesting to find out how much direct “editorial” control FG are placing on the Facebook Statuses that people are “donating” (and where does this fit in SIPO? What is the monetary value of a person’s Facebook status?) or the emails to “family and friends”. This is personal data that was given to them for a domestic purpose, not for the purposes of canvassing for Fine Gael. Once they commence “active” canvassing, the use of the data has likely changed from “domestic” to political and the Data Protection Acts would apply. If Fine Gael are directing the timing of messages, the content of messages, and/or the audiences for messages, then the e-Canvasser is being directed in their processing by the Data Controller, Fine Gael. And, as Data Controller, Fine Gael would need to ensure that there was clarity about the new political use of the personal data and that a clear mechanism for the Data Subject (the canvasser’s family and friends) to opt out was in place – and FG would, of necessity, need to push this responsibility down to the Canvasser.

Otherwise, FG would not have obtained the data fairly for the purposes of electoral canvassing. It would be no different than if they had asked the local GAA club to email all their members to let them know about Fine Gael’s new policy on tax relief on sliotars and faceguards for hurlers. And that is the kind of thing that the Data Protection Commissioner has already warned against.

Things become an order of magnitude more complicated if Fine Gael are running any kind of incentive scheme for e-Canvassers to drive up the publication of their AstroTurf message.

Of course, Fine Gael have probably thought this through and will have the necessary protocols in place to ensure that there is a mechanism for a Canvasser’s friends to opt out of receiving Fine Gael campaign materials by email, Facebook or Twitter. They have probably realised that people have the same reaction to junk mail on-line as they do at their door step and need to have the ability to put up an on-line “No Canvassers” sign.

Currently the only opt-out mechanism I can see is to unfriend people, unfollow them or block them. Which is exactly what I would do in the physical world if a friend of mine kept ramming leaflets and policy statements from a political party into my face.

Of course, in the absence of such an opt-out facility, Fine Gael (as Data Controller) and the e-Canvasser (as Data Processor) would need to be cautious of falling foul of SI526 2008 (the e-Privacy regulations) which carry a fine of €5000 per breach, capped at €50,000 for an individual. While Twitter and Facebook might not be mentioned in the legislation, email is in section 13(1).

b) A person shall not use or cause to be used any publicly available electronic communications service to send an unsolicited communication for the purpose of direct marketing by means of electronic mail, to a subscriber, who is a natural person, unless the person has been notified by that subscriber that for the time being he or she consents to the receipt of such a communication. 

[edit to clarify some points raised by @tjmcintyre]

Now, the DPC has ruled in the past that there is an exemption covering the Direct Mail (including email and texting)

carried out in the course of political activities by a political party or its members, or by a candidate for election to, or a holder of, elective political office

Question: is the eCanvasser the political party (I would argue yes if FG are exerting sufficient control that they would become a Data Controller)? In which case, the processing is possibly covered.

But I would suggest that this exemption assumes that the email or tweet would be clearly coming from Xyz@partyname.ie or from an individual clearly identifying themselves as a member of the party or publicly known to be a candidate for election or an elected official. Getting an email from “yourbestmate@gmail.com” telling you to go and look at Fine Gael policies, where that email has been sent on the instruction of and under the Control of the party or candidate, would seem to me to fall outside the scope of issues already decided.

[/edit]

So, the upshot is that while physical world canvassers have to be careful of yappy dogs, cats that bite and political nuts who have hard questions, eCanvassers need to consider both the social acceptability and potential legality of pimping out their personal contact lists on behalf of a political party. Such tactics are de rigueur in the US. But the US does not operate with the same privacy legislation as Ireland, so ideas imported from overseas must be vetted properly to ensure that no Compliance risks arise.

I would be interested to see what the Data Protection Commissioner’s response to or advice on formal ecanvassing that places the data at arms length but creates a de facto Data Processor/Data Controller relationship would be, particularly if that relationship is not obvious to the recipient of the email or tweet. [update] Perhaps it would be sufficient for the emailer or tweeter to clearly flag that they are part of a formal eCanvassing team acting on behalf of and under the instruction of Fine Gael?[/update]

[update] But the change of use of the data from domestic to overtly political will, in my personal view, give rise to questions of whether the data has been obtained fairly for that new purpose, which is a point already clearly settled in the mind of the DPC.[/update]


If you’re going to wave a sword, know where the pointy bit is

Over the weekend two Irish newspapers (Irish Examiner and Sunday Tribune) reported that one of our leading Trade Unions had filed a complaint with the Data Protection Commissioner on behalf of staff who had received letters by courier from their employer with whom they are engaged in an industrial relations dispute.

While I’m all in favour of seeing discussion and comment on the Data Protection Acts in Irish media, I am dismayed to see poorly explained use of the legislation and am concerned that this might be a precedent setting strategy that results in nonsensical and vexatious complaints diverting the already limited resources of the Data Protection Commissioner’s Office (only 20 people) away from dealing with the many real and valid complaints and queries they get each day.

Yes, Aer Lingus have duties to their employees under the Data Protection Acts to keep their data safe and secure, to only process it for specific stated purposes, and to only process data in a way or quantity that is relevant and not excessive to the stated purposes. However the Data Protection Acts do NOT prevent employers engaging in legitimate communication with staff members using legitimate 3rd party Data Processors to do so, so long as there are appropriate controls in place and the original intent to engage in that communication is consistent with the purposes for which the personal data was originally provided to the employer.

From the media coverage, it appears that IMPACT’s position is that employers can’t write to their staff because personal data is shared with 3rd parties (in this case a courier company but it could just as easily be An Post).

IMPACT may have grounds for a complaint if Aer Lingus specifically targeted the communication to members of the Trade Union using information contained in the HR or payroll systems of Aer Lingus (e.g. deduction of trade union dues at source). This issue was specifically addressed by the Commissioner in relation to attempts by the Dept of Education to deduct pay from teachers who took industrial action based on the fact that the Dept was processing a payroll deduction at source facility. However, as Aer Lingus appear to have used the fact that the staff member is not on the payroll (i.e. is not being paid) as the trigger for the letter, this issue may not arise.

The Union may have grounds for proposing that by sending a batch of letters out to individuals at a time of industrial strife, the courier company could deduce that the addressees were Trade Union members. But, in that context, it must be suggested that Aer Lingus should have appropriate contract terms with the courier company regarding security and unauthorised secondary processing (e.g. making a list) (I’ve written about this on my company’s website today). In addition, if Aer Lingus are sending letters to staff in relation to their work schedules and their contracts of employment they could probably rely on lawful processing conditions under Section 2a and Section 2b of the Data Protection Acts.

IMPACT may have grounds to argue that there was excessive processing as it seems mobile phone numbers were provided to the Courier company as well. However, Aer Lingus might take the position that that was felt to be a necessary step to ensure delivery of the letters could be made in a timely manner. Again, this might fall under a lawful processing condition under S2a or S2b of the Acts.

For example, Dell made my mobile number available to the UPS driver who delivered my computer. Likewise they made my mobile number available to the support technician who replaced my keyboard. It all depends on the validity of the purpose and whether a valid Lawful Processing condition can be met. There were lawful processing reasons there in relation to the execution of a contract. Consent was not required (but was asked for).

What is clear from the media coverage is that:

  1. If you are engaging a Data Processor (in this case the Courier) you need to be clear what the minimum necessary information is to achieve your objective and share no more than this. Aer Lingus might argue that the provision of mobile phone numbers was necessary to ensure delivery was made as quickly as possible. The key question to ask is whether the same objective can be met in other ways (for example, would it have been better for Aer Lingus to get the Courier company to report to them on undelivered letters and for Aer Lingus to ring around where delivery was not successful?)
  2. If you are a Data Controller and you are sending letters or otherwise processing personal data during a time of industrial unrest, you should be very clear about the purposes for the processing and the specific lawful processing conditions you will be relying on.
  3. If you are a representative body presenting a story to the media or making a complaint you need to be clear what the grounds are for the complaint you are making. Querying the legitimate use of a courier company to send letters and implying threats to the security of staff as a result does a disservice to everyone. Specifically pointing out that the provision of certain data may have been excessive or that the airline had not ensured appropriate security of the data by way of a contract with their Data Processor clearly highlights lack of care or

Dragging the Data Protection Acts into the middle of an Industrial Relations dispute should be done with care. To do so without clarity as to the specific nature of the complaint and the specific characteristics of the breach that you suspect will result in a waste of the resources of the Commissioner’s Office and will serve only to compound the half-truths and untruths that abound about the Data Protection law in Ireland.

Using the Office of the Commissioner as a negotiating tool is disingenuous and does a disservice to the important role that the Commissioner continues to play in the development of compliant and trustworthy practices in Irish commercial life.

The curious case of Enda and the Technology

Enda Kenny found himself slightly ambushed on the news last night (6-One News on RTE) by Bryan Dobson. At the end of a segment about the trials and tribulations of Brian Cowen, Enda was asked about the problems that have befallen the FG website.

Enda’s response was telling on a number of fronts.

  1. He indicated that the FG site had been implemented because he’d been impressed by a to the European People’s Party (Maman Poulet wrote about that a while ago).
  2. He indicated that they were looking into moving the site to an Irish host.
  3. He stated that he was not competent in the technology.
  4. He stressed that “40 young people” were being trained in these new technologies in FG HQ, which would add to their CVs.

The Obsession

In short… FG are focusing on the technology. This is exactly the point I was trying to make in my first post about the need to set “the tone at the top” and ensure that the values expressed in that tone cascade down the organisation and are expressed and executed through effective governance.

By focusing on the technology rather than the effective governance of the information (in a way that would support their objectives and their brand), it seems FG have got tunnel vision on a particular technology and missed the point completely.

Indeed, back in 1999, Peter Drucker wrote that:

So far, for 50 years, the information revolution has centered on data—their collection, storage, transmission, analysis, and presentation. It has centered on the “T” in IT.

The next information revolution asks, what is the MEANING of information, and what is its PURPOSE?

FG may have had a purpose (to listen, and to build a mailing list) but they don’t appear to have considered what it means to gather personal data, particularly SENSITIVE personal data.

In this context, Enda and the leadership of FG are not being asked to suddenly become PhD level experts in all aspects of Information Security and Web design. What they are expected to do is apply reasonable levels of due diligence to ensure compliance with the law of the land and the standard of care that is expected of organisations who process Sensitive Personal Data.

Organisations like, for example, the Civil Service, who have produced very clear guidelines on the processing of personal data and the standards of care that must be exercised. Those guidelines are very explicit in a number of sections about the importance of encrypting sensitive data when it is being transferred. For example, in relation to transfer of personal data by email the guidelines say:

1. Standard unencrypted email should never be used to transmit any data of a personal or sensitive nature. Departments that wish to use email to transfer such data must ensure that personal or sensitive information is encrypted either through file encryption or through the use of a secure email facility which will encrypt the data (including any attachments) being sent. The strongest encryption methods available should be used. Departments should also ensure that such email is sent only to the intended recipient.

So, if FG become the leaders of the next Government, will it be a case of the Executive arm telling the Civil Service “Do as we say, don’t do as we do?”

That is what I mean by SETTING THE TONE FROM THE TOP.

Given the comments in the Evening Herald yesterday, apparently from the hackers who attacked the FG website, that the web-designers who built the FG website had left various passwords set to their defaults, my attention is drawn to the comments in the Civil Service Guidance Notice in relation to passwords.

In the context of mobile devices (like phones), the Guidance explicitly states that

Manufacturer or operator-provided PIN codes must be changed from the default setting by the user on receipt of the device.

So, default settings aren’t allowed for security reasons in the Civil Service on devices as common place as mobile phones. In relation to databases and other devices, the guidance says:

Passwords used to access PCs, applications, databases, etc. should be of sufficient strength to deter password cracking or guessing attacks.

A reasonable implication here is “don’t leave it at the default settings”.

If it is good enough for the Civil Service, why not good enough for Fine Gael?

The Training

Enda tried to make a big noise about the “40 young people” who were getting training in the technology. It is very far-reaching to teach young people (how old are they?) how to use Social Networks and Twitter.

What would be more far reaching would be to ensure that all levels of the FG organisation received appropriate training in Data Protection principles and practice, and that, rather than instilling a technocratic focus in the culture of the organisation, FG began the process of inculcating an info-centric culture that put the meaning, purpose, and value of Information at the heart of their strategy.

That info-centric culture would need to extend beyond flashy websites to the mundane matters of organisational governance, control, and accountability for information that the Party organisation processes, whether it is on the web, by email, or on paper.

A beneficial by-product

A by-product of such a culture change (and it would need to be an actual change, not just more banal lip-service) might be that we would get, perhaps for the first time, the articulation of what a “Knowledge Economy” might actually be, expressed in terms that might echo the sentiments of Peter Drucker over a decade ago, that wouldn’t descend into babbling and burbling about technologies which, by his own admission, Enda isn’t competent to talk about.