Category: The Business of Information

  • Support your Local Sheriff – why the DPC needs us to help them help us.

    Problem Statement

    The Irish Government is tripping over itself to win FDI from the new ‘Big Data’ enterprises. Whether it is promoting Ireland as a perfect location for Data Centres (it is, apparently we’re in a temperate Goldilocks zone) or chasing flagship investments in European headquarters for companies such as LinkedIn, Facebook, Zynga Games, Twitter, not to mention the pursuit of “home grown” ‘Big Data’ firms or the development of long term residents like Apple or Amazon from ‘box packers’ or call centres to footprints of ‘Big Data’ behemoths, the Government can’t help itself.

    And why would it. These organisations bring needed jobs, needed credibility to the Irish Economy, and much needed positive headlines for beleaguered politicians.

    Of course there is a catch. A small problem. Actually two small problems. Well, actually one problem, but one that is so small yet so significant that it is worth mentioning twice:

    Our Data Protection Commissioner is chronically understaffed and, in my view, may lack skills and experience necessary to engage with and properly enforce EU Data Protection regulations.

    If the Government is viewing “Data” and its related services as the “New Finance” they are showing precious little evidence of having learned from the failures of the past and I increasingly believe we are facing a scenario where either

    1. A major Data Protection scandal sweeps across big name players in Ireland and the DPC is wholly overwhelmed and cannot respond appropriately.
    2. Once new EU Data Protection Regulations are in place, we find ourselves in the eye of a major Data Protection issue and the Irish DPC finds himself with no option but to cede responsibility for the investigation and enforcement to another EU Data Protection Authority under the enhanced co-operation protocols in the revised Data Protection Directive.

  • Describe what you do in one word…

    This is a challenge an old boss of mine used to set. He was an alpha male. The answer he was looking for was usually a variant of “lead” like “inspire”, “command” or “drink”.

    But it is a good exercise to set yourself.

    This evening I was responding to a retweet of an article I published on my company website last year. Vish Agashe retweeted this post about data modelling and Data Protection. In response I asked him if he was still finding the ramblings of a legodatapsychoeconotechnoqualitatrian interesting.

    Then it hit me. That’s a word. A bloody good word. A “kicking my dad’s arse in scrabble” kind of word. Because it almost perfectly describes me.

    Lego

    No. I am not made of plastic and if you separate my legs from my body you will find it very difficult to reattach them.

    But I spent four years, half a lifetime ago, studying law and business in UCD. From that study I developed a love of law and all things legal. In particular I developed the skills of legal interpretation and research that all lawyers need to possess.

    And, just as (if not more) importantly I developed a network of friends who are lawyers. Yes. Some of my best friends are lawyers. Who’d a thunk it?

    Data

    No. I am not an android with a positronic brain and the strength of 10 men (I wish). And if you poke me in the back between the shoulder blades I’m more likely to turn around and put you in a painful joint lock or punch you in the face than calmly power down and go lifeless (hint: if you want that, a few bottles of good wine is the best option).

    But I am obsessed with data. The capturing and creation of it, the analysis of it, the value of it. It’s what I do. I’m a Data Scientist, but in the “lives in a castle in the mountains and don’t ask about the missing corpses” sense of “scientist” (at least at times).

    Psycho

    No. I don’t own a run down motel and I haven’t hacked a young lady to death in the shower. At least not since the dried frog pills kicked in.

    However I have been a closet psychologist for years. And once I realised that closets had very few hidden secrets (if you discount fantastical lands ruled by big lions) I turned my attention to the Human Equation in the context of change management and how we perceive and value information.

    So, BF Skinner was a lovely man who experimented on pigeons to see just how far he would go to have them support his flawed hypothesis that extrinsic reward/punishment is a key motivator of behaviour. At least that’s my opinion.

    Econo

    Last time I checked I’m not a gas guzzling American mini-van that is anything but economical to run. But, linked to my love of data and the interfaculty degree I did in law and business, I am a fan of economics and economic theory and practice. In particular I’m an advocate of the branch of economics that applies economic principles to the study of law and legal principles, and the application of economic principles to the valuation of and management of data.

    What is the value at risk?

    Where is the economic equilibrium of risk and reward/supply and demand?

    Is the economic deal fair when Entity A gives data to Entity B… what is the valuable consideration given for the exchange of assets?

    Techno

    No. I don’t play annoying 9000 beats per minute europop techno. Except for Saturdays. And even then only when there is a total eclipse of the moon.

    But I do enjoy my technology and my tools. I was the first customer in the world for Informatica’s Data Quality offering (back before it was Informatica). And I’ve coded countless Visual Basic skunkworks to do data reformatting, consolidation, reporting etc. And I do like Sharepoint and Drupal and WordPress and Unix and Linux and…..

    …  I think you get the picture. I know a few things about databases and database technology. But unfortunately not with a parchment attached to it (yet).

    Qualitarian

    It’s all about quality. Quality of outcomes for the end customer in a value chain. And quality of outcomes for the data controller, or the regulator, or society. Everything comes down to this.

    • Laws exist to regulate outcomes. Often badly
    • How we internalise and conceptualise the customer and the outcome are key to achieving the right balance.
    • Technology is a tool to getting us there but is not a destination.
    • The economic value is the point at which things are good enough to achieve the outcome that is required… and no more… anything beyond that is a value-add luxury that we can charge a premium price for.

    Now. Where’s my scrabble board?

  • Why Apple’s iOS6 changes mean increased work for Irish Data Protection Commissioner

    At Apple’s WWDC conference this week nerds, fanbois and developers were greeted by the news that Apple will be shipping iOS6 later in the autumn (or “fall” for non-European readers). Among the features that Apple is touting are:

    1. Ditching Google Maps for its own mapping product and GPS tools
    2. More deeply integrating Facebook with iOS, similar to the deep integration with Twitter that emerged in iOS5.

    I personally have some privacy concerns about this level of integration and the potential for Apple to become even more the “Big Brother” they so eloquently mocked in their 1984 TV advert.

    Maps

    By ‘baking in’ an application (Apple Maps) that will likely require me to disclose my location to Apple in order to work (and which at first glance appears to be less useful than Google Maps), I’m getting a less good deal on which to base the sharing of my personal data. And Apple aren’t giving me a map for the good of my health or because they want me to know where I am.

    Location data is part of the “Big Data” gold rush. Traditionally it has been mobile telcos who have access to this data and can analyse it to determine a variety of offerings for customers (next time you get a “pleasantly surprising” SMS message telling you about a special offer in the coffee shop you just happen to be near, congratulations, you’ll have walked within range of a ‘geo-fence’ that will have triggered the SMS. Assuming of course you opted-in to that kind of thing. Like that voucher service you signed up to).

    Google tracks you as well when you use Google Maps on your iPhone. But, in the absence of a Google login that tracking is relatively anonymous, going down at most to being able to identify that a particular device was in a particular location (unless you’re logged into a Google service on your device, in which case rest assured Google is probably making associations on the fly).

    Apple on the other hand can also link your location to your phone. And your phone is registered to you. Through iTunes. So Apple will potentially have access to a more granular level of data about who is where, when, who is near them, who they are contacting (iMessage makes your SMS free to another iPhone user… congratulations, Apple now knows who you are messaging). Apple knows what kind of music you like, what movies you rent, your demographic segment… (it’s the iTunes platform!)

    By adding maps to the mix in the iOS/iTunes platform, Apple can also tap information about you in motion – where you are travelling from, to, how fast and can probably make assumptions about your mode of transport (moving fast, not on a road, in a relatively straight line… means you’re probably on a train. Well done, Apple now knows you are probably a user of public transport).

    As CNET reporter Rafe Needleman writes:

    …the more users you have running your geolocation software, the more data you have about how fast people are moving. Apple’s adoption of its own mapping platform means it will now get access to that data from its iPhone users, assuming (and it’s a big assumption) that Apple can hurdle the privacy issues over gathering that data.

    And as Apple’s European HQ is based in Cork, it will be the Irish Data Protection Commissioner who will be in the vanguard of haggling with Apple with regard to the nature of the terms and conditions and controls that will be placed on the processing of the valuable and very identifiable personal data in question.

    Facebook

    I use Facebook. I have a Facebook profile. I am a believer in Sun Tzu’s mantra that one must know your enemy.

    By tightly integrating Facebook with iOS6 Apple potentially gets access to a valuable array of data about who you know, your interests, etc. Facebook get an easier to manage interface and a more ‘baked in’ and reflexive sharing of content and information by Facebook users.

    And the individual gets another avenue by which personal data by and about them may wind up in places they were not expecting or being used in ways they didn’t anticipate.

    Later this month Facebook will be facing into the return visit of the Irish Data Protection Commissioner who made relatively negative findings in their audit report earlier this year (but not as negative as many may have hoped). As the integration with iOS was not in the scope of their original review, I suspect it will not be on the table for discussion (at least not formally).

    But again it is the Irish Data Protection Commissioner who is in the vanguard of protecting the fundamental rights to Data Privacy which are enshrined in EU law and which Facebook, through its terms and conditions, extends to Facebook users everywhere outside of the US and Canada.

    And it means Apple don’t have to waste any more time and effort trying to put the bounce into Ping. They will have effectively outsourced that to Facebook. So Apple wins something. Facebook wins something. Where is the consumer’s win (and is it big enough to balance the impact on privacy)?

    Evolving the Platform

    Any minute now I expect my friend Phil Simon to fire out a blog post about how Apple’s ditching of Google and locking in and locking down of Facebook represents a platform strategy play in The Age of the Platform. Apple is simply adding more “planks” to its platform, pushing out a competitor platform and reducing the incentive for another platform to start competing in devices (or at least minimising the impact of any such competition by leveraging the critical mass of the iOS/iTunes platform).

    But to stretch and mangle Phil’s Platform analogy to the nth degree, any form of large scale construction requires permits and clearance and needs to balance the utility and convenience of what is being built (whether it is a shopping mall or a social media data sucking behemoth) with the impediments it may cause to the rights and enjoyments of individuals.

    And the “Building Control Inspector” in this case will more than likely be the Irish Data Protection Commissioner.

    • With less than 22 full-time staff
    • A budget of less than €1.5million

    I fear that the back-end complexity of Apple’s move to front-end simplicity may be a killer blow to the efficiency and effectiveness of the Office of the Data Protection Commissioner, which is already creaking under the strain.

    Given the influx of DataSuck Platform companies into Ireland (LinkedIn, Facebook, Twitter, Google, Apple – admittedly here for years, Zynga etc.) the Irish Data Protection Commissioner is rapidly becoming the “Local Sheriff” in the Wild West of ‘Big Data’ exploitation for more than just the 4.5 Million people living on our little island.

    #SupportyourLocalSheriff

  • An Enforcement Reality supporting my “Penalty Points” idea

    Over my morning coffee this morning I read this story from eConsultancy.com about the UK ICO beginning ‘soft enforcement’ of the ePrivacy regulations around cookies.

    Good news: They are starting to enforce the law. They will be taking a balanced approach. I assume that the letters will take the form of Information Notices and possibly Enforcement Notices.

    Bad news: The level of breach that not complying with the Cookie provisions of the ePrivacy Directive constitutes is not likely to meet the standard of severity required for the ICO to levy a fine.

    So businesses will receive a letter. But we can be assured it will be a strongly worded one. But, given the mental discounting that management do in compliance situations, this is inevitably going to lead to precisely no change in compliance behaviour. When faced with the question “So, what’s the worst that is likely to happen?” Data Protection Officers or advisors will have nowhere to go in their persuasion. It is all carrot and no stick. And CxO level managers are pure carnivores, so carrots are not that enticing on their own.

    • There will be no financial penalty for the Cookie breach
    • Any penalty that might arise will be for failing to comply with an Enforcement notice or provide information requested under an Information Notice. But that would require another cycle or three of communication between the ICO and the infringing company.

    There is no sting in the tail. The arc that must be travelled between Breach and Penalty is too long. And as every parent of a toddler knows, there is no point putting them on the naughty step days or weeks after their valiant but doomed attempt to juggle with kittens.

    Hence the need, in my view, to have something else that allows a sting to be put in the tail, that wraps the polite letter from the ICO (or the Irish DPC for that matter) in a small brick that will get attention. In my opinion, if the EU is serious about changing attitudes to Data Protection amongst businesses it needs to ensure that the laws that are passed can be enforced with both carrot and stick so that culture and values in business will change.

    Breaches of the Cookies rules fit the bill nicely for a structured penalty system that allows for cumulative penalties to build towards a more serious fine or enforcement action. Assume, for argument, that writing a non-essential cookie without notice and consent was a 1 point offence carrying a fixed penalty notice of €120/£100 for first offence (with higher penalties for subsequent offences). Audit tools such as those developed by CookieQ.com could be used to audit the site, tot up the number of cookies, an investigator could make a judgement as to the essentialness and generate a fixed penalty notice attached to the letter.

    Perhaps the 1st offence would be a “freebie”, with a second failure leading to a penalty (after all, we want this to be fair and graduated). At some threshold (let’s say 20 points) more serious penalties would kick in (perhaps the €2million outlined in the proposed Regulation, or mandatory multi-year privacy audits such as being imposed on firms in the US by the FTC). As this is an evolving thought doodle I won’t waste time mapping specifics here.

    If the penalty points for the Cookie infringement formed part of the overall “scorecard” that a company would accumulate, adding to the risk of a more severe penalty (and the inevitability of one for hard core recidivists), and if, as with parking tickets and speeding fines, the Data Controller had the right to appeal the fixed penalty to the Courts (at the risk of a greater penalty and increased publicity), the “mental discounting” would need to change. This would change the conversation for Data Protection Officers and advisors when the letter comes.

    Boss: “What is the worst that they can do?”

    DP Team: “Well, 50 cookies being written has already cost you €5000 in fixed price penalties. You can appeal them to Court, but that carries a risk of the penalty being increased further and a conviction being recorded against you.”

    Boss: “OK, so pay the fine and then we keep going.”

    Boss: “Oh shit. Let’s fix this then.”

    Just as cumulative breaches of road safety rules lead to serious penalties, cumulative breaches of Data Protection rules could lead to more serious penalties.

    The benefit of this approach is it would encourage and incentivise organisations to focus on the small stuff. And as repeated studies in risk management and accident investigation have shown, the major disasters are usually a result of an accumulation of small things.

    According to econsultancy, the ICO is considering applying penalties based on a scale. It is not a significant jump from a scale for a specific penalty to a framework for levying administrative sanctions in a structured and transparent manner.

  • An open letter to Viviane Reding

    Dear Commissioner Reding,

    I’m writing to you as an EU Citizen who is passionate about data, its use, its quality, and its protection. I’m not writing to you as the Managing Director of a company that offers Data Protection training and consulting services, but in the interests of transparency I think it best to disclose that that is my day job.

    I am writing to you about the new Data Protection Regulation. In particular I’m writing to you about the penalties contained in the current draft proposal. Frankly I think they suck. I don’t think they’ll have the effect that you think they will have. I’m basing my opinion on a number of bases:

    1. I have worked in Regulatory Operations in a Regulated industry that you are familiar with, telecommunications.
    2. I’m a keen student of human psychology and economics, particularly the psychology and economics of risk and reward. Understanding this “theory of psychology” is important in the world of Information Quality.
    3. I like to observe and learn from other industries and areas of life to see what can be applied to improving quality systems for and the governance of information.
    4. I’m the parent of a toddler. This might not appear immediately relevant but, in the context of Data Protection, my immediate experiences dealing with a stubborn personality in development who is programmed to push boundaries and infuriate me with apparent disregard for the standard of behaviour expected of her all too often find their parallels in the management teams and staff of organisations I’ve worked with.

    Taking these elements together I am afraid that 5% of Global turnover will not work as a penalty. It’s a great soundbite but will, in practical terms, amount to little more. There are a few reasons for this.

  • Newspaper Licensing Ireland – a return

    The last post was a little long and analytical. Having reread the great post on McGarrSolicitors.ie I thought I’d reframe my Data Protection take on this in terms that might be more familiar.

    Personal Data is being processed via your website without an appropriate Privacy Statement and without any communication of the purposes for that processing. Furthermore, the failure to have such a privacy statement on your site which references the use of Google Analytics is a breach of Section 8 of the terms and conditions that apply to Google Analytics. Failure to obtain consent for the use of the cookies written by Google for the purposes of Google Analytics is a breach of SI336.

    You are breaking the law; you risk exposing your company to investigation and prosecution, with financial penalties and brand damage ensuing. Processing personal data without it being obtained fairly for a lawful purpose, and writing 3rd party cookies without consent is illegal and breaches a fundamental Human Right in the European Union.

    What do you think?

    I may be over egging it a little. I need a cup of tea now and a good sit down.

  • Newspaper Licensing Ireland – some thoughts

    This post is about the website of Newspaper Licensing Ireland, who have recently written to a non-profit organisation whose aims I wholeheartedly support, seeking license fees for linking to newspaper content published on the internet by the newspaper publishers. McGarr Solicitors, who are acting for Women’s Aid, have published a detailed analysis of the situation and the questions raised on their website, which I link to in the confidence that the McGarrs won’t come looking for a pound of flesh in return. Sticky buns perhaps, but nothing worse.

    I will ignore the fact that this action seems to be in ignorance of the way the Internet works, particularly with regard to search engine optimisation and page ranking, where the relevance and significance of content determine its positioning in Google searches and the value of the real estate for on-line advertising purposes. I’ll ignore how the use of links simply tells people to “look over here – I found this interesting, so you might too”. I’ll ignore the fact that links are effectively the footnotes on the Interweb that tell people where your source was for a thing.

    (But if you do want to actually understand this aspect, the Wikipedia entry on Search Engine Optimisation has a reference to the Google PageRank algorithm and how it works (at a high level). And Dr. Cathal Gurrin in Dublin City University did his Doctoral thesis on the topic. And I’m sure someone somewhere has done an economic analysis of link density [the number of inbound links to a site] but I can’t be bothered to look for it tonight.)

    What I will talk about here is what happened when I went to the NewsPaper Licensing Ireland site (which I won’t link to… just in case) to see what the potential cost to an SME with 0-10 employees would be. I still don’t know the answer.

    I’d expected a form that would take certain inputs and churn them around to spit out a ball park figure. I’d expected to see something that would relate the license cost to, for example, the average hits or distinct site visits on the SME company site per month (to make the cost meaningful as those stats are the foot fall of the Web).

    What I didn’t expect was to be asked for a contact name and the name of the company on that form. Company name I’m not too concerned about. But the contact name…

    …that’s personal data. Therefore under s2 of the Data Protection Acts it must be obtained for specified and lawful purpose and must be fairly obtained. So I went looking for a Privacy Statement (there was none). So I turned on my cookie checkers to see what was being written by the site to my device wot is connected to a public communications network (and therefore would be a cookie within the meaning of SI336 and as such would require consent unless necessary for the service I’m trying to avail of).

    My tools revealed that NLI are using Google Analytics on their site, in a manner which is in breach of the Terms and Conditions of use for Google Analytics, which state very clearly in Section 8:

    8. PRIVACY

    8.1 You will not associate (or permit any third party to associate) any data gathered from Your Website(s) (or such third parties’ website(s)) with any personally identifying information from any source as part of Your use (or such third parties’ use) of the Service. You will comply with all applicable data protection and privacy laws relating to Your use of the Service and the collection of information from visitors to Your websites. You will have in place in a prominent position on your Website (and will comply with) an appropriate privacy policy. You will also use reasonable endeavours to bring to the attention of website users a statement which in all material respects is as follows:

    “This website uses Google Analytics, a web analytics service provided by Google, Inc. (“Google”). Google Analytics uses “cookies”, which are text files placed on your computer, to help the website analyze how users use the site. The information generated by the cookie about your use of the website (including your IP address) will be transmitted to and stored by Google on servers in the United States. Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity for website operators and providing other services relating to website activity and internet usage. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google’s behalf. Google will not associate your IP address with any other data held by Google. You may refuse the use of cookies by selecting the appropriate settings on your browser, however please note that if you do this you may not be able to use the full functionality of this website. By using this website, you consent to the processing of data about you by Google in the manner and for the purposes set out above.”

    The emphasis in bold is mine. What Google requires is for people using GA to put in place a Privacy Statement, and that Privacy Statement needs to clearly detail the use of Google Analytics, the fact of data transfer to the US, the purposes for which the data will be used, etc.

    NLI have no such Privacy statement, and no such text, so no mechanism to confirm my consent to the cookies that are being written by Google Analytics.

    So, the site is operating in breach of SI336 and Google’s terms and conditions, and is effectively breaching contractual conditions governing the use of Google’s services and the fundamental right to Personal Data Privacy as enshrined in Article 16 of the Lisbon Treaty.
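    To make the check described above repeatable against a site you are responsible for, here is an added example in Python (not code from the original post, and not any of the tools it mentions): it scans a saved copy of a page for the classic ga.js loader, lists the __utm* cookies a cookie checker reported, and tests whether a privacy statement is linked and names Google Analytics as Section 8 requires. The ga.js markers and __utm cookie names are Google’s real ones; the sample pages, cookie list and privacy text are constructed for the example.

```python
import re
from html.parser import HTMLParser

# Google's real identifiers for the classic ga.js tracker: the loader script
# markers and the __utm* cookies it writes into the site's own domain.
# Everything else below (sample pages, cookie lists) is constructed.
GA_SCRIPT_MARKERS = ("google-analytics.com/ga.js", "_gaq.push", "urchin.js")
GA_COOKIE_PREFIX = "__utm"


class _PageScan(HTMLParser):
    """Collect script sources/bodies and visible anchor text from one page."""

    def __init__(self):
        super().__init__()
        self.scripts = []        # external src URLs and inline script bodies
        self.link_texts = []     # visible text of each <a> element
        self._in_script = False
        self._anchor = None      # text fragments while inside an <a>

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self._in_script = True
            if attrs.get("src"):
                self.scripts.append(attrs["src"])
        elif tag == "a":
            self._anchor = []

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
        elif tag == "a" and self._anchor is not None:
            self.link_texts.append(" ".join(self._anchor).strip())
            self._anchor = None

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)
        elif self._anchor is not None:
            self._anchor.append(data.strip())


def audit_page(html, observed_cookies, privacy_text=""):
    """Audit one page against the two requirements discussed in the post:
    a linked privacy statement that names Google Analytics (GA T&C s.8),
    and no non-essential cookies written without notice (S.I. 336).

    html             -- the page source as served
    observed_cookies -- cookie names a cookie checker saw after page load
    privacy_text     -- body of the linked privacy statement, if there is one
    """
    scan = _PageScan()
    scan.feed(html)
    script_blob = "\n".join(scan.scripts)

    loads_ga = any(m in script_blob for m in GA_SCRIPT_MARKERS)
    ga_cookies = sorted(c for c in observed_cookies if c.startswith(GA_COOKIE_PREFIX))
    has_privacy_link = any(re.search(r"privacy", t, re.I) for t in scan.link_texts)
    names_ga = "google analytics" in privacy_text.lower()

    findings = []
    if loads_ga and not has_privacy_link:
        findings.append("GA loaded but no privacy statement is linked (GA T&C s.8)")
    elif loads_ga and not names_ga:
        findings.append("privacy statement does not name Google Analytics (GA T&C s.8)")
    if ga_cookies and not has_privacy_link:
        findings.append("cookies %s written with no notice and no consent mechanism (S.I. 336)"
                        % ", ".join(ga_cookies))
    return {
        "loads_ga": loads_ga,
        "ga_cookies": ga_cookies,
        "has_privacy_link": has_privacy_link,
        "findings": findings,
    }


# Constructed sample: an enquiry form with the GA snippet and no privacy link.
# 'UA-XXXXXX-X' is a placeholder for the GA property id.
SAMPLE_NO_STATEMENT = """<html><body>
<h1>Licence enquiry</h1>
<form><input name="contact_name"><input name="company"></form>
<script type="text/javascript">
  var _gaq = _gaq || [];
  _gaq.push(['_setAccount', 'UA-XXXXXX-X']);
  (function() { var ga = document.createElement('script');
    ga.src = 'http://www.google-analytics.com/ga.js'; })();
</script>
</body></html>"""

# Constructed sample: the same page with a privacy statement linked in the footer.
SAMPLE_WITH_STATEMENT = SAMPLE_NO_STATEMENT.replace(
    "</body>", '<a href="/privacy">Privacy Statement</a></body>')

# Constructed cookie jar, as a cookie checker would report it after page load.
SAMPLE_COOKIES = ["PHPSESSID", "__utma", "__utmb", "__utmc", "__utmz"]

if __name__ == "__main__":
    cases = (("no statement", SAMPLE_NO_STATEMENT, ""),
             ("statement naming GA", SAMPLE_WITH_STATEMENT,
              "This website uses Google Analytics, a web analytics service ..."))
    for label, page, text in cases:
        result = audit_page(page, SAMPLE_COOKIES, text)
        print(label, "->", result["findings"] or "no findings")
```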

    All of which I’d never have considered looking at at all if they weren’t sending threatening letters to a charity that exists to help and protect women experiencing domestic violence.

  • Culture of Compliance

    So, Phil Hogan believes that the vast majority of people in Ireland want to be compliant with legislation, specifically the Household Charge. Perhaps a first step to ensuring that compliance would be for the Minister to ensure that the Household Charge is being implemented in a manner that is compliant with the Data Protection Acts. That would have meant

    1. Early consultation with the Data Protection Commissioner to identify and mitigate Data Protection risks in the Household Charge legislation
    2. Early consultation with the Data Protection Commissioner to ensure that appropriate mechanisms for data sharing were given effective legislative support within the Household Charge legislation
    3. Ensuring clarity about the current and proposed future uses for the (significant) amount of data which is being gathered as part of the registration process
    4. Ensuring that the use of PPS Numbers as part of the registration process was clearly and demonstrably being approached in a manner that complies with the requirements of the Social Welfare Consolidation Act 2005
    5. Ensuring clarity about who the Data Controller is for the Household Charge scheme (it appears to be de facto the Department at this point, despite the text on the Privacy Statement on their website).
    6. Communicating early and often with the public about the charge, its legal basis, the purposes to which data that is being collected will be put to etc. etc.

    Instead we have a Minister announcing on national radio that the Government is backing him in reviewing all relevant legislation, including the Data Protection Acts, to allow the Household Charge to be collected. Thankfully the Data Protection Commissioner’s rebuttal of that utter nonsense has been getting more air time since, but I thought it might be worth a quick examination of why the Minister’s comments were total poppycock.

  • Chuggers (and why I’m not a fan of them)

    Imagine I walked up to you on the street with my arm outstretched to shake your hand and making direct eye contact with you and smiling. Imagine if the next thing I said or did was to ask you to give me

    • Your name
    • Your credit card or bank details
    • Your mobile phone number
    • Your home address
    • Your email address
    • A copy of your signature

    and a range of other personal data. Which I wrote down on a piece of paper and stuck in my bag before thanking you and walking off.

    Chances are I wouldn’t get very far in gathering that information. Your natural sense of risk would (or should) kick in. Chances are you’d call the police on me.

    But imagine that scenario again with one small change. I’m wearing a polyester jacket with the logo of a charity on it and I’ve got an ID badge hung around my neck and a backpack. What would you do then? Hey, I’m collecting for a charity.

    I am a charitable person. I like to support good causes and I like to contribute as much as I can when ever I can to such causes. But I’d say no to me because of my personal sense of Information risk.

    Others base their dislike of Chuggers (Charity Muggers) on the methods that some use to get people to sign up, methods which are often the result of the commission or quota based systems that some of these people work under (and I’ve written elsewhere about why quotas are a BAD idea in the delivery of quality service). Of course, these are methods which charities who use this means of fundraising disavow all knowledge of and disown completely, but which I have witnessed.

    My avoidance of chuggers is based simply on good Information Security practice. I don’t like the idea of my data being in a bag around someone’s neck or a plastic zip-lock folder, in a public place. From a Data Protection point of view I’d rather not have to have a real-world test of the compliance of the organisations that run these collection methods with things like the Data Security Breach Code of Practice or the requirement under S2 of the Data Protection Acts to take reasonable and appropriate steps to ensure the security of personal data. Particularly not with my data. The data that is obtained by Chuggers is Personal Data within the meaning of the legislation as it is data that has been obtained with the intention of processing it electronically or of filing it in a relevant filing system, ergo it needs to be treated with care.

    I’ve advised clients in the non-profit sector of the potential for brand damage arising from something as simple as one of their Chuggers being mugged and their bag being stolen… or to put it another way: the temporary storage location of an array of personal data. I’m not saying don’t use the method. What I’m saying is your controls need to be very tight.

    Among the controls that need to be in place is appropriate training for staff on Data Protection. I’m not sure if such training is happening as many of the techniques I’ve seen or heard of being used to get people to stop could actually be construed as being contrary to the requirement for consent to processing of data to be freely given. That said, a volunteer for one charity came on a Data Protection course I taught a few years back and they stopped using chuggers afterwards.

    If the UK experience is anything to go by, my risk aversion is justified. The ICO there has investigated charities for loss of data. It is inevitable that similar will happen here, if it hasn’t already (but if it has I can’t find a reference to it on the Data Protection Commissioner’s website). The root cause in the UK case I link to was a lack of training and awareness that led to a loss of data.

    So how should your chugger experience go? Well, first of all you should know what happens to all this information you have just given them. The chugger is meant to either give you a data protection statement to read or explain to you who will be processing (using) your information, who they will share it with and also give you the chance to say you do not want them to pass it on to anyone else. They should also make sure that once you have signed the form to agree to what you want to do, the form is kept safe and secure, rather than what normally happens where they add it to some others in a plastic folder or clipboard they are holding.

    My advice to anyone accosted by a chugger is: if you can’t get away, ask politely for a copy of the charity’s form for you to fill in at your leisure. If they don’t give it to you take their name from their ID badge and report them to their Charity and if the Charity doesn’t take it seriously report it to the Data Protection Commissioner. (If they don’t have an ID badge, assume they are not representing a charity and you’re about to be mugged – react accordingly).

    My advice to any Chugger who is careless with their folder or is mugged for their bag… notify your Charity immediately. The Charity should notify the Gardaí as well and make sure they know that there was personal and financial data stolen/mislaid. The charity should also notify the Data Protection Commissioner. As the paper work will not have been processed you won’t be able to notify the Data Subjects directly (as is required under the Code of Practice) so they will likely have to put out a public statement about the loss of data to alert people who have given their details to the risk of identity theft.

    Personally, I make my donations either on-line (and I look for PCI compliant payment processors and HTTPS security on the donation page) or over the phone. I have never and will never donate to a charity by means of a chugger, and when faced with a choice I will opt for a charity that doesn’t use them.

  • While we’re all fired up about protecting rights..

    Hey you #stopsopaireland people, I’ve got a favour to ask. It’s not a big one. It will take you 30 seconds to do but it may help to make your life a little better.

    The 30 seconds kicks in as soon as you’ve finished reading this post.

    The discussion around #stopsopaireland has focussed on the impact that internet blocking would have on fundamental rights of freedom of expression, and the EU legislative and policy frameworks and case law that exist to support that right and ensure it is protected in a balanced way.

    There is another right that is important. The right to Privacy. In particular the right to Personal Data Privacy which is set out in Article 16 of the Lisbon Treaty. It is this Article that provides the basis for the EU’s Data Protection regime, changes to which were announced on Wednesday. Those changes will take a number of years to come into effect, assuming they are not bastardised and watered down beyond all recognition by national parliaments or the European Parliament responding to lobby groups.

    But a functioning Data Protection framework is in existence today and it is policed in Ireland by the Data Protection Commissioner. Already this year they have engaged with the Dept of the Environment regarding the Household Charge database and with Dublin City Council regarding the transfer of personal data from Dublin City Council to a private company. And let’s not forget their audit of Facebook last year. And that’s just the high profile stuff that gets in the media. In my professional context I’m aware of the significant number of complaints they help people with each year as they strive to promote compliance with the Data Protection Acts in an increasingly complex information management environment and a financial culture where organisations and governments are trying to do more with less and often cutting the wrong corners in the process.

    The Office of the Data Protection Commissioner serves the individual citizen, helping them with advice regarding their rights and acting to investigate and prosecute breaches of those rights. They also serve the Organisation (be that a Government department, a large multi-national, a local football team, or a student company selling jumpers on-line) providing education and advice (when asked) as to what steps should be taken to ensure the right balance is struck between the goals of the organisation and the rights of the individual. They don’t deal with just one sector of the economy. Anywhere personal data is being processed they have a role to play.

    Saturday 28th January is World Data Privacy Day. It is one day in the year where Data Privacy is celebrated. Companies and regulators around the world have planned activities and events to celebrate the day (see here and here), but in Ireland it seems to be just another Saturday. Some of you might say that the Data Protection Commissioner should have led the charge on this but, to be frank, they are under resourced in terms of numbers and budget and need to prioritise their efforts and energies to dealing with the actual and alleged breaches of people’s rights that come through their inbox every day.

    So, to celebrate World Data Privacy Day 2012 I’m asking you to write an email to your TD, Minister, or other elected official asking them to comment, tweet, or in some other way make public:

    1. Their support for the principles set out in the Data Protection Acts and the proposed revised EU Regulation on Data Protection
    2. Their commitment to ensuring the Office of the Data Protection Commissioner is properly funded and resourced to allow it to execute its duties under the Acts and the Lisbon Treaty in an effective and truly independent manner.
    3. What one thing they will do by January 2013 to improve their personal knowledge of the Data Protection regulations.

    I’ve even put sample text below so you can just cut and paste it. You can use the great contact form at Contact.ie to bulk contact your elected representatives (while you are there, why not donate to support the site), or you can make the message personal and send it yourself from your own computer/phone/device/smoke ring maker. Heck, if you want to phone them or tweet them directly about this, fire ahead.

    +++ email text

    Dear Sir/Madam

    I write to you on the occasion of World Data Privacy Day, which is being celebrated globally on Saturday the 28th of January (mark your diary, it’s the same day next year).

    Personal rights, particularly personal rights in relation to information and personal data, have been in the media a lot this past month. Much of the coverage could have been avoided had proper attention been paid to the requirements and obligations under the Data Protection Acts 1988 and 2003, which apply equally across a wide range of industry sectors, including Government.

    To celebrate World Privacy Day I would ask you to consider issuing a statement either by traditional press release, a blog post, or a tweet, that will tell your electorate where you stand on the following questions:

    1. Do you support the principles set out in the Data Protection Acts and in the proposed revised Regulation on Data Protection announced this past week by Vice President of the European Commission Viviane Reding?
    2. Are you committed to ensuring the Office of the Data Protection Commissioner is properly funded and resourced to allow it to execute its duties under the Acts and the Lisbon Treaty in an effective and truly independent manner, as is required under EU Directive and the Lisbon Treaty?
    3. What one thing will you do by this time next year to improve your personal knowledge of the Data Protection regulations?

    Of these three questions, the second is one I feel is important. Personal data is the currency of the new economy and it is a valuable commodity. The Regulator for the Personal Data Industry is the Data Protection Commissioner. One of the key lessons of the Financial crisis is that for a Regulator to be effective they must be correctly resourced and independent of Government or industry influences.

    I appreciate your time on this and look forward to seeing your press release, blog post, or tweet expressing your support for #DataPrivacyDay, the principles of Data Protection, and the office and role of the Data Protection Commissioner.

    ====ends===

    If you get responses please post a comment below so I can see what uptake (if any) there has been from our political classes.