Brexit’s got Talent?

I think Charlton Heston put it best:

“Damn them all to hell! They finally went and did it! They blew it up!”

That was my immediate reaction to the Brexit news this morning.

  • A campaign that was polluted by lies and misinformation from the pro-Brexit side, including a bold claim that voting to leave the EU would save £350 Million a year, a claim that was debunked during the campaign but which the Pro-Leave side persisted with on the side of their “battle bus”. A claim that the Pied Piper of Brexit himself, Nigel Farage, has started back pedalling away from within single digit hours (barely minutes) of his side’s victory.
  • A campaign that cost a wife and mother her life simply because she had an opinion that differed from that of an armed man who had embraced the propaganda of the pro-Brexiters and, rather than risk his vote not being heard, stabbed and shot Jo Cox to death.  Yes, we all now know the depth of Shooty McShootface’s political opinion. And two children are without their mother.
  • A campaign where politicians blatantly lied and spread misinformation, capitalising on decades of anti-EU sentiment from a media controlled by an immigrant who likes being able to push governments around but gets told to fuck off by EU officials.
  • A campaign where a Minister of the Crown actually said, in response to experts calling bullshit on his arguments, that “People have had enough of experts”.
  • A campaign where, having won and having chased their people pleasing PR obsessed Prime Minister out of office (bye bye Dave), the heirs apparent to the Government of the United Kingdom stopped and, in the manner of kids who have seen a kid who has eaten all the sweets in the sweet shop and now realise what the words “diabetic” and “coma” mean when an ambulance paramedic is shouting them into a radio, have faltered in their cocksuredness that this Brexit thing is something that’s needed. “No need to rush things” says Boris Johnson. “I’ll have to consult with learned minds” says Gove.  Hopefully none of those learned minds are actually experts, because we all know Gove has had enough of them. But if they’re not experts, then is Gove just consulting with the winners of his local Trivial Pursuits club raffle?

Perhaps the arse falling out of the UK (and global) economy as if they had personally shovelled the economic equivalent of senokot and pure dysentery into the bowels of the world financial systems has softened their cough.

Perhaps they didn’t think they’d win so they didn’t have a plan? And now the plan they need will have to be a tad more cunning than one of Mister E. Blackadder’s. Because the plan they had been following thus far seems to have been conceived by Mr S. Baldrick. But no sensible politician or political leader places the economic futures of millions, the fate of the United Kingdom, and the stability of the global economy in jeopardy without having some semblance of a plan to deal with the fall out when things go their way.

Oh fuck.

But that’s not the bit that gets me angry. Campaigns like this are always fuelled by lies and misinformation from at least one of the sides involved. And a certain class of politician is always going to think of themselves as Machiavelli (instead of Ronald McDonald) and try to use a hiccup to foment a crisis that gets them to the leadership position they want. That’s just the bullshit cut and thrust of politics.

What gets me angry, and makes me very worried, is the Facebook-isation of democracy in two contexts:

  • The UK Electorate seems to think that voting in a referendum is of no more significance than liking a cat video on Facebook.

Social media is full of videos and tweets of people saying that they have changed their mind and want a do over. That’s not how it works. Democracy is important. People die to get the right to vote. So… why not think about things before you put your scrawl in a box. Waking up with “Voters’ regret” doesn’t change the fact that you voted against your own best interests and those of your peers. You can’t fix your dumb vote with a smiley face emoticon and an “Unlike Brexit” vote.

This tells me that the education system (one of the things the Brexiters blamed the EU and immigration for messing up, when it is more likely to be chronic underfunding by successive governments) has failed to teach citizens of the soon-to-be-Disunited Kingdom what voting in elections and referenda is actually all about. It’s not about finding out who gets to stay in the Big Brother House. It’s about finding out if your kids get to have a future and at least the opportunities that you had. (One bright note in this is that the younger generation who grew up with social media bullshit and reality TV actually seem to be able to tell the difference between waffle and reality. It’s just a pity their older siblings, parents, and grandparents seem to have forgotten they were voting in a referendum, not on the outcome of Strictly.)

Brexit was a world altering decision. To say you voted to leave “because you didn’t think your vote would count” means you don’t understand voting, or vote counting, or addition, or just generally the concept of accountability for your actions. Crying that you want a do-over so you can vote the right way the next time is not the answer. There may be no next time (except if you are Irish and voting on an EU Referendum in Ireland, in which case we tend to keep asking variations on the question until we get the answer that is needed, like Mrs Doyle in Father Ted only with Treaties instead of Tea).

  • The Filter Effect of algorithms in Social Media may have had an impact that may be impossible to quantify

Facebook has proven, through its own experiments, that showing people sad news on their timeline makes them sad. But the algorithms that filter and shape our experiences of social media filter our view of the world. It is not beyond the bounds of possibility that people who rely on social media for their news and for their impression of public opinion and trends simply fell into an echo chamber where the messages that bombarded them made them perceive and feel that their vote wouldn’t count.

With the bullshit misinformation and outright lies that circulated during the campaign, the bots and filters would have had a lot to play with in shaping a negative world view. That world view might have led marginal voters (the old reliable undecided voter) to vote Leave because they felt any other choice wouldn’t count.

I am speculating of course. But the algorithms that shape our world have biases inherited from the world views that created them, and they consume the data exhaust we leave for them to form a model of the world as we would like to see it and how the data says we perceive it. This has to have an impact.

Taking these two things together we find ourselves with an electorate who are algorithmically brainwashed but don’t consider their democratic function to be of such importance that they will take time to trust but verify the information they are given. And in that context we have shallow thinking, reflexive voting, and undesirable outcomes. And that is just the politicians.

 

Symphysiotomy, Redress, and the DPC

Over on the company site I’ve written a piece on Data Retention policies that references the Symphysiotomy redress scheme as a case study in data retention planning (not in a good way). For those who didn’t spot it yesterday and who are glued to the national media that isn’t referencing this huge story, let me summarise:

The State, in the form of the Redress Scheme, has told women who endured symphysiotomies that they have until Monday to request their own medical records back or the State will take it on itself to destroy them. This is the same State that some of these women might want to sue, relying on these records as part of their case. The State has told the women and their legal representatives not by way of a letter, but by way of a notice on their website.

Here, on my personal blog, I get to have a small rant from time to time. This is one of those times. Because this sucks donkey balls. It is a further hideous abuse of women who have suffered, largely in silence, for years.

Donkey. Balls.

The terms of reference of the redress scheme (paragraph 46) clearly distinguish between two types of records: medical records provided by the applicants (the women who have endured the fall out of symphysiotomy) and records obtained from other sources by the Redress Scheme itself.

Paragraph 46 sets out that, for the first category of data “reasonable efforts” must be made to return the records. It does not set out a requirement for the destruction of the records. The second category of records it sets out will be destroyed when the Redress Scheme has run its course.

Regardless of source, this is personal and sensitive personal data relating to identifiable individuals. It is subject to the rights and duties outlined in the Data Protection Acts and in the EU Charter of Fundamental Rights. Those rights include the right to data privacy, which encompasses a right to get your data, and a right to dignity.

The Data Protection Acts and the Data Protection Directive require that data not be retained by a data controller any longer than necessary for the purpose for which it was obtained. They do not require that the data be destroyed. The women whose original medical records are in question here may have any number of purposes for them outside the scope of the Redress Scheme. On-going care and treatment of any complications arising from a symphysiotomy, seeking further legal advice, simply reminding their children and grandchildren of how poorly the State has treated them, historical record… it doesn’t matter.

However, the State has skin in the game with regard to the destruction of these records. If they are gone, then it becomes impossible for any of these women to exercise their rights in further legal actions because the evidentiary documentation they need will have been destroyed. This may not be the conscious intent but it is the practical reality: the State is effectively destroying evidence when these records are destroyed. While the records may not ultimately carry the day as evidence in a court action, they are still evidence of what I had hoped were historic attitudes to women in this State.

But the haste with which the State is moving to dispose of these records and the clamorous droning of the shredders firing up heralds otherwise.

The Redress Scheme was required to make reasonable efforts to arrange for the return of documents. A message on a website when your target audience are lawyers and elderly women is not reasonable. It smacks of a box being ticked: “Did we put something out there about it? – TICK”. It is not an appropriate mechanism of communication to those audiences. A letter to a lawyer, a snippet on Marian Finucane or other radio or TV for the affected women, a feck off big advert in the newspaper… all of these are infinitely more appropriate.

I would compare this to the full court press that was done in the media to raise awareness of the closing date for women to apply and provide their records to the Redress Scheme. A cynic might think that this was a cunning strategy to get the evidence in from the affected women and then arrange for its destruction before it could be used in litigation. But that would be awfully cynical.

But this is the pattern that the permanent Government (the Civil Service) seems to fall into in matters like this: Protect the State at all costs.

Compare the approach to the retention of data about primary school children to this Redress Scheme: The Dept of Education has argued trenchantly that a) data relating to medical or psychological assessments is not sensitive personal data (it is)  and b) that they need to hold the data indefinitely (expressed as “until the child reaches their 30th birthday and then review”).

Why would the Dept of Education want to know all the sensitive data about kids for many years after they would have left the school system? They have not provided a coherent answer to this, despite the Grecian work of Simon McGarr (note: Trojans partied and were massacred, the Greeks stayed up late and built a horse). The DPC has been left spinning as they apparently had approved of all of this and have been fought to the wire by Simon to ensure they enforce the actual law.

The answer to why is the O’Keeffe case, which put the Department on the hook for child abuse in schools. So – get all the data on all the kiddies and hold it for ever in case any of them sue because of a thing so it can be used in defence of an action.

Keep it all for ever in case someone sues. In breach of Data Protection rules which require retention to be “necessary and proportionate”.

With this Redress Scheme the opposite seems to be happening: Shred focking everything in case we might be sued. Let’s ignore that shredding this data is not within the terms of reference of the Scheme. Let’s ignore that no reasonable effort has been made to arrange the return of records. Let’s create a situation where a room full of records can be whipped into the shredder so that if any of them were thinking of suing the State they won’t be able to.

And in the middle of this we have the Data Protection Commissioner, whose office has told survivors that they are “looking into the matter”. Not that they will use their powers under the Data Protection Acts to order the proposed act of processing (i.e. the destruction) to be suspended pending a review given the tight timescale, but that they are looking at it.

This is the same Data Protection Commissioner that the Department of Education believed had pre-approved the POD database. The same Data Protection Commissioner that has approved the publication of the name and home address of every naturalised citizen in the State without a clear purpose other than ‘the Aliens Act 1956 requires it’.  The same Data Protection Commissioner that the Department of Enterprise explicitly references as an agent of State policy in strategy documents.

And the same Data Protection Commissioner over whom Digital Rights Ireland have initiated an action against the State, regarding their apparent lack of independence from the State, as required under the Charter of Fundamental Rights and EU Treaties.

If it walks like a duck and quacks like a duck it is probably a duck. If it pulls the plug on the destruction of medical records provided to the State by women seeking redress for suffering, it might actually be a Regulator.

They have until Monday to act to vindicate and uphold the rights of women whose rights have already been trampled enough.

Anything else just sucks donkey balls.

Stand up for Digital Rights, Ireland.

In the Western world our rights are under attack. In the UK for example the policy of the Tory party is to abolish the Human Rights Act (http://www.bbc.co.uk/news/uk-politics-21726612). In the fast changing world of data and information private companies and governments alike go to great lengths to peer inside our digital lives in a manner often disproportionate to or ineffective for the stated purposes of ‘national security’ or copyright enforcement. The revelations over the summer from Edward Snowden, and a variety of other stories relating to the use, misuse, and abuse of our private personal data by companies and governments alike have resulted in Dictionary.com making “Privacy” its Word of the Year for 2013 (http://blog.dictionary.com/privacy/).

Last year saw the Irish Government, in its presidency of the European Union, preside over a significant watering down of rights and protections for individual data privacy in the proposed EU Data Protection Regulation. This regulation was subject to 4000 proposed amendments and one of the most intrusive lobbying campaigns by organisations seeking to reduce the protections over personal data privacy afforded to EU citizens. But last year also saw Digital Rights Ireland punch significantly above its weight on the European stage, with their appeal to the ECJ on the retention of telephone, SMS, and internet usage data by telecoms companies on behalf of governments – precisely the same information that was at the centre of Snowden’s PRISM disclosures.

Digital Rights Ireland plays a valuable role in the evolution of our personal digital rights, particularly as we struggle to define where we must draw the line between an Information Economy, where the users of services are the means of production, and an Information Society, where powerful tools for communication and interaction allow us to engage, but to wear a mask or withdraw to our personal fortresses of solitude where we can define and redevelop our sense of self as people. Not as products.

However, DRI had one setback in 2013 which puts at risk their ability to stand up for our rights, your rights, in an Information Society. They were on the losing side in litigation about copyright issues. Their role in the case – to be a counterpoint voice for the people and to bring additional information and perspective to the Court. The impact: the music industry looked for costs of the guts of €30,000 against DRI for one day in Court. This was reduced to €13,000 on appeal to the Taxing Master. No other party to the case is seeking costs against DRI.

The risk now is that DRI might be liquidated by the music industry representatives. For standing up and suggesting alternative solutions might be needed, for pointing out how web filtering is easily circumvented, and basically being a devil’s advocate on the side of the individuals who make up our society.

Money must be found. DRI runs on a shoestring, favours, and jellybabies. There is no salary for its directors,  no top ups, no big dinners or extravagant radio adverts. Just people who care and give up time from their day jobs to provide a voice for Digital Rights. That voice will fall silent if they cannot raise the €13,000 needed as soon as possible.

It is time to stand up for Digital Rights, Ireland. Rather than buying a data slurping tablet in the sales, or downloading another privacy invading smartphone app/tracking device, go to www.digitalrights.ie and check out what they do for you. Then go here (http://www.digitalrights.ie/support-us-in-2014/) to learn more about their problem. Then go here (http://www.digitalrights.ie/support/) to donate, either a once off payment or a recurring donation.

And if you don’t, you risk waking up one day as just another unit of production in an Orwellian dystopia.

Buying back the mortgaged off

Today’s Irish Times has a ‘news’ story about a man who, during the boom, sold his home and land for €3million and has just bought it back for €215,000.

Fair play to him. He sold a property and home he loved and made a profit. Now he can have his cake and eat it, returning wealthier to the same home and hearth.

The same, unfortunately, is not true of protections for fundamental human rights. In the current economic turmoil it is tempting to mortgage them or sell them off in the interests of supporting business and reducing red tape. However, when the economy recovers it will probably be impossible to push the pendulum back towards respecting the rights we have forgone in the interests of economic expedience. We will have a recovered economy but a diminished society.

This is what is happening with the EU Data Protection Regulation. Earlier this month the Irish Government, in one of the last acts of their EU Presidency, trumpeted their ‘victory’ in the first four chapters of the Regulation, getting a quasi kind of agreement to introduce a level of protections that has been watered down to near homeopathic levels. Whatever good there is in some of the Irish Government’s proposals is horribly undermined and hollowed out by the move to a purely “risk based” model of regulation (similar to that which has worked so well in Financial Services) amongst other things.

I’ve written about that in detail here with Fergal Crehan.

Principles diluted do not retain the memory of the principle. Homeopathic regulation doesn’t work. The parts of the Regulation that might have served to retain focus and concentration were the sections around enforcement and penalties.

Today we learn via a leaked document that these sections have likewise been diluted to homeopathic levels by the Irish EU Presidency (again, annoyingly in tandem with some good and positive changes).

  • The specific levels of fines to be levied have been omitted from the document (Dr. Chris Pounder on the Hawktalk blog suggests this may be due to there being no agreement, my view is that if it has been taken out whatever is put back in will be a lot less attention focussing than the 2% of global turnover levels previously proposed)
  • A range of mitigating factors and considerations have been introduced which must be considered by a Data Protection Authority before levying a penalty of any amount. 13 different factors to be considered. One for every tooth a Regulator might have had. One more line of defence to be argued over before enforcement can commence.

So, errant Data Controllers may now be in a position where they can self-assess their risks based on their own perception of the risk and impacts of their actions (just like people of a certain generation used to self-assess whether they were sober enough to drive), but just in case they get it horribly wrong the hoops a Regulator will have to jump through before being able to levy any form of meaningful penalty have grown in number and vagueness.

This is the textbook definition of light touch regulation. History has shown repeatedly, and at great cost, that this simply does not work.

The man in the newspaper today bought back his old family home and made a tidy profit because of a catastrophic failure of culture, governance, and regulation. Rules around due diligence and proper management of lending were set aside or worked around because it was “good for business”.

We must learn the lessons of history or we will have mortgaged our rights to be “left alone” in the interests of economic expedience and only those who held on to their financial muscle in this crisis will be able to make the payment needed to buy back that right through the Courts.

An appropriate balance must be struck between the economy and the society.

An Op-Ed about Data Protection

Fergal Crehan and I drafted the original version of this op-ed piece on the evening of the 5th of June, completing it on the 6th and submitting it immediately to the Irish Times as a topical opinion piece. The article was originally drafted in response to the EU Council of Ministers publication of proposed amendments to the EU General Data Protection Regulation that would significantly undermine the protections awarded to individuals and their data under EU law.

It wasn’t published (but them’s the breaks as they say).

I’ve updated it to include reference to the PRISM and Tempora stories that were just beginning to break the week the original piece was drafted. I’ve also included references to some anti-data protection stories that have appeared in the Irish Times since the beginning of June, and a nod to the legacy of light touch regulation and associated attitudes that has recently emerged in the Irish press.

I took the decision in consultation with Fergal to publish this here as the points that are raised are important ones regarding the nature of the society we want to live in. The failure of the Irish Times to fact check recent stories raises a further question as to the role of a neutered as opposed to neutral press in the definition of and shaping of that society.

Journalists more than anyone should be alert to and resisting of any efforts to dilute or invade privacy, because it is only where there is privacy that there is the freedom for sources and whistle blowers to express privately (to journalists) facts that should be made public by the media. The logging of data about what numbers you dial, when, where from, and the uses that data can be put to could conceivably jeopardise sources, result in stories that need to be told being silenced, and force public and private conformity with a “party line” regardless of consequences. “All the President’s Men” would have been a significantly different movie if Nixon had had access to a Minority Report level of analytics about who called who and who was where when – which is possible today.

A Free Press should be concerned in equal measure about attacks on the freedom of expression and the rights to Privacy. This is why Data Protection should be a hot topic of relevance, not a dry techie story of limited interest. Responsible journalists need to inform themselves of the rights that exist, the ways those rights are being undermined, and how the existence of those rights is under threat.

A skewed balance struck

For some years now, the EU has been preparing a regulation to update and standardise data protection law in Europe. The expectation was that the rules would be strengthened, giving citizens more protection against misuse of their information. It was a shock then, when the Irish Presidency brought forward a draft regulation which not only dilutes many of the original proposals of the EU Commission, but represents a neutering of many data protection rights enjoyed up until now.

Data protection is a human right, closely bound up with privacy, and is unsurprisingly taken especially seriously by European countries whose citizens suffered under the police states of Nazis or Soviets, or even both. It is the right not to have your personal information hoarded, sold, disclosed or otherwise misused. “Data Protection” may not stir passions like other rights do, but in an increasingly data driven world, its importance cannot be overstated. We are already at risk of a two-tier privacy system, where the rich and famous can go to court for super-injunctions, while Joe Citizen cannot sit peacefully at home without their phone ringing with unwanted direct marketing calls.

Ireland has had the privilege of shepherding the revised Data Protection rules through the process of negotiation and agreement. The vision set out by the European Commission in its initial drafts was to provide a simplified regulatory structure for business and strengthened rights for individuals over how, where, and why information about them is processed, and by whom. This vision became the subject of one of the most intensive lobbying campaigns by US firms ever seen in the EU.

In February it emerged that amendments tabled by a group of MEPs that diluted the protection of personal data were copied verbatim from the submissions of these lobbyists. Sean Kelly, the Irish MEP responsible for those amendments, recently received an award from an advertising industry group for his work. The Council of Ministers recently issued a set of proposed changes to the Regulation that are being touted by Alan Shatter, the outgoing President of the Justice and Home Affairs Council, as providing “better protection for citizens” while also “providing a better strategy and architecture for business”.

However, privacy advocates have highlighted that while the proposed changes are good for business they are a serious weakening of protections EU citizens have historically enjoyed. Advocates in favour of the proposed changes cite the importance of data in the modern economy and the potential for jobs.

But are we building an economy or a society? In a speech this week President Michael D. Higgins tells us that the EU is a “union of citizens” and the institutions of the EU must work to protect those citizens. The proposed Regulation weakens those very protections.

The proposed changes introduce a “risk based”, self-regulation approach. This seems not unlike the “light touch” regulation which was adopted in order to attract financial services companies to Ireland, and which fuelled the financial services boom. With our government now keen to attract more data-based firms like Facebook and LinkedIn to Ireland, it seems lessons of recent history are not being learned. And in the week of the Anglo Tapes it is more important than ever that we learn these lessons.

This approach has been hailed as “non-prescriptive”. But a regulation that doesn’t prescribe anything is a mere suggestion, which can and will be ignored unless there are adverse consequences. Ireland’s Data Protection Commissioner is chronically underfunded, but he can and does bring prosecutions for breach of the Data Protection Acts. It is difficult to see how these kinds of criminal convictions could be achieved under the proposed regulation.

Under the proposed Regulation, if your personal data is lost or stolen, the decision about whether to tell you will be left in the hands of the people who lost the data. This effectively means that there will be no right to know when your personal information is lost.

Last year Target, the US supermarket, broke the news to a father that his teenage daughter was pregnant by sending her unsolicited targeted adverts for baby products. Current laws make this potentially illegal in Europe. However, direct marketing rules are to be changed under the proposed Regulation. Companies would no longer need your permission to market to you once they have obtained your data. This is an extraordinary win for the marketing lobby, a turn from a right to privacy, to a right to invade privacy. The telemarketer, a scourge familiar to any American with a phone, is set to become an unwelcome part of our daily life too.

The recent revelations of unfettered and covert surveillance on the private communications of every individual in every country by US and UK intelligence services have highlighted the risks of the Panopticon. Some argue that if you have nothing to hide you have nothing to fear. But that flies in the face of our fundamental values that everyone has a right to a place where they can have private thoughts and private communications. These rights are under attack and must be defended.

But at a smaller scale, recent articles in the Irish Times have linked Data Protection rules with inefficiencies in the Ambulance service which have contributed to deaths. ‘Data Protection rules mean we can’t use GPS for ambulances’ was the claim. Bunkum is the answer. Such processing is permissible under Section 8 of the Data Protection Acts. ‘Data Protection rules will curtail genealogy’ was another claim. Again, bunkum. The draft Regulation will likely apply only to living persons, Public Registers will have certain exemptions, and the Right to be Forgotten is not a right to be airbrushed from history, as has been made clear by Commissioner Reding on many occasions, and has been made clear by the ECJ in the past week.

Data is hailed as “the new oil”. “Big data” is mined to predict everything from musical taste to voting habits. It is disturbing when rights, once considered uncontroversial, are watered down or neutralised because it has become profitable to do so. What is proposed in this draft of the Regulation is something unprecedented in the history of the EU – the effective abolition of a human right enshrined in EU Treaties. As citizens, we can only wonder and worry which other human rights will become inconvenient to big business, and what their fate will be.

Insolvency Register–some quick thoughts

So, David Hall is challenging the provisions of the Personal Insolvency Act regarding the publication of details on public registers. I’m quoted in this Irish Times article about it. My comments, which I expand on here as an update to my earlier post, were to the effect that:

  • The publication of detailed personal data on a publicly accessible register would invite the risk of identity theft in the absence of any appropriate controls over the access to that data.

Examples of public registers where controls are in place are the Electoral Register (search one name and address at a time), and the Companies Registration Office (find out the home addresses of Directors if you pay a small admin fee), or the list of Revenue Tax defaulters (publication only over a threshold, summary personal data published).

Public does not mean Open. Public means that it should be able to be accessed, subject to appropriate controls. The requirement to name people who are in an insolvency arrangement needs to be balanced against their right to personal data privacy and the risk of identity theft or fraud through the use of published personal data.

The mockup Register entries presented on the ISI website may do the organisation a disservice with the level of data they suggest would be included and I await the publication of further revisions and the implementation of a control mechanism to introduce balance between the requirement to publish a Register and the need to protect personal data privacy. But of course, Section 133 of the Personal Insolvency Act is silent as to what the actual content of the published Registers should be (at least as far as I can see). So there is scope for some haggling over the content of what the final Registers will be.

A key question to be considered here is what is the purpose of the Registers and what is the minimum data that would be adequate and relevant to be provided on a Register to meet that purpose.

Section 133(4) allows for the public to “inspect a Register at all reasonable times” and to take extracts or copies of entries, and even allows for a small fee to be charged (the “reasonable cost of making a copy”). So there is scope for some form of access control to be put in place either with a search mechanism like the electoral register and/or the operation of a paywall for the making of copies (e.g. generating a pdf report on headed paper, at €1 a go).

  • Section 186 of the Personal Insolvency Act needs to be interpreted and applied with care.

Section 186 of the Personal Insolvency Act purports to suspend the operation of Section 4 of the Data Protection Acts in certain circumstances. This is the section which allows a Data Subject to request a copy of their personal data. This is a basic right under the Acts.

However the Data Protection Acts already contain provisions which allow for the suspension of Section 4 in Section 5 of the Data Protection Acts. Specifically Section 5(1)(d) allows for an exclusion for data which is being processed in the performance of a statutory function intended

…to protect members of the public against financial loss occasioned by

i) dishonesty, incompetence, or malpractice on the part of persons concerned in the provision of banking, insurance, investment or other financial services or in the management of companies or similar organisations

ii) the conduct of persons who have at any time been adjudicated bankrupt

in any case where the application of that section would be likely to prejudice the proper performance of any of those functions.

The operation of the Insolvency Service of Ireland would appear to fall under this section. But rather than a blanket exclusion, Section 5 has a more nuanced approach – you can’t have your data if it will prejudice the proper performance of the ISI’s role. Of course, 5(1)(d) only kicks in if there has been dishonesty, incompetence, or malpractice on the part of a bank that has resulted in a financial loss or risk of financial loss to the Data Subject.

Section 5 gives a number of other grounds for exclusion from the operation of Section 4. Among them are:

  • If disclosing the data is contrary to the interests of protecting the international relations of the State (which would raise an eyebrow I’m sure if cited in an insolvency situation).
  • If legal privilege attaches to the records in the case of communications between clients and legal advisers.

If the restriction is on disclosure of personal data during the course of an investigation then this would likely be covered under Section 5(1)(a) and there is legislative precedent in the Property Services (Regulation) Act 2011 to extend that to an investigation undertaken by the PRA under that Act.

An explanation and clarification?

The ISI has similar powers of investigation and prosecution of offences (section 180 and Chapter 5 of the Personal Insolvency Act 2012). Therefore the exemption from disclosure under Section 5(1)(a) would apply. A “belt and braces” inclusion of an exemption from section 4 of the DPA for the investigation of offences would be consistent with the Acts.

However this would only be the case for the investigation of an offence. The processing of a general complaint would not fall within the scope of an offence under the Insolvency Act or other legislation.

Therefore a blanket opt out would not exist. If an offence is suspected Section 186 reinforces the existing provisions of the Data Protection Acts. But general complaints to the Complaints committee would (based on my reading) not, unless the complaint wound up in an offence being detected. Of course a Data Subject would only be entitled to their own data.

A recent case involving the DPC and Dublin Bus made it clear that the potential for civil proceedings or a complaint were not grounds to refuse a Subject Access Request.

  • Excessive Retention of Data on Public Registers is a concern.

This, of course, is another biggie from a Data Protection point of view. How long does this data need to be held for? In the UK similar schemes have the personal data removed from the public register 3 months after the debtor exits the scheme. Here…

Section 170 of the Personal Insolvency Act indicates that Personal Insolvency Practitioners will need to retain data for 6 years after the “completion of the activity to which the record relates”. This is consistent with the statute of limitations on a debt and makes sense – it would allow people who avail of an Arrangement to get access to information about their arrangement if required. However it is not the same as the Public Registers.

Section 133 sets out the provisions relating to the Registers of Insolvency Arrangements. It says nothing about the length of time a person’s data will be listed on a Register. Given the purpose is to maintain a searchable register of people who are in Insolvency Arrangements, the principle of not retaining data for longer than it is required for a stated purpose kicks in.

And, as is all too often the case in Irish legislation, we seem to be left looking to the UK for a benchmark period for retention: Duration of Arrangement plus 3 months… but that may be 3 months longer than required.

  • Personal Insolvency Practitioners acting as Data Processors, and the implications for security and awareness of obligations under the Data Protection Acts

This is a squeaky wheel issue in many respects. All too often organisations will outsource functions or engage people to perform functions on their behalf on contract, which would set out the purposes of the processing and the role of the Processor and sanctions for breaching their obligations. The Personal Insolvency Act sets out how Personal Insolvency Practitioners will be appointed, empowers the ISI to set standards re: their level of education and skill, and imposes sanctions for breaches of the standards of conduct of the role.

The function of a PIP is one which could have been undertaken internally within the ISI but it has been decided to outsource it to these PIPs.

Therefore a PIP is likely to be viewed as a Data Processor acting on behalf of the Data Controller (ISI) [for more on this read here]. Therefore they need to be taking (at a minimum) appropriate security measures to prevent unauthorised access to data. The concern I expressed in the article was that it is an unknown quantity what level of understanding of their obligations under the Data Protection Acts a PIP will have and what training (if any) will be provided.

Section 161(c) of the Personal Insolvency Act 2012 provides a mechanism for this to be addressed through the prescribing of the completion of appropriate training from a qualified trainer with a proficiency in Data Protection as one of the training requirements for authorisation as a PIP.

[Disclosure: my company provides an extensive range of Data Protection compliance review and training services]

Trust us. We’re the Government

Coverage of some of the structures of the Insolvency Service of Ireland has been rattling through my ears while I work the past few days. What I’ve heard gives rise to an unsettling feeling that the architects of the scheme have decided that the insolvent are a form of unter-mensch for whom some of the fundamental rights that EU citizens enjoy are either put on hold or entirely foregone.

Data protection is a fundamental right in Europe, enshrined in Article 8 of the Charter of Fundamental Rights of the European Union, as well as in Article 16(1) of the Treaty on the Functioning of the European Union (TFEU). As a fundamental right, according to the EU Commission it “needs to be protected accordingly”.

Some of what I have heard I can only hope is half-informed speculation, but I fear it may be grounded in reality.

  1. Publication of personal data including name, address, and date of birth on a public register of insolvents. This is problematic as it creates a risk of identity theft in my view. Also – what is the purpose for which this data is being published? How could the same objective be met without putting personal data privacy at risk of unauthorised access? How is this compatible with s2(d) of the Data Protection Acts which require appropriate measures to be taken to keep data safe and secure?
  2. Retention of data on the register after a scheme has been exited. It is rumoured that the details of people listed on the register mentioned above would have their details retained indefinitely. Why? How is this compatible with the requirement under the Data Protection Acts (and the underlying Directive) to retain data no longer than is necessary for the purpose? How would it be compatible with the requirement under the proposed General Regulation for Data Protection to give citizens of the EU a “Right to be forgotten”? What is the function/purpose of retaining information once the agreed scheme has been completed?
  3. Section 186 of the legislation purports to exempt the Agency from Section 4 of the Data Protection Acts. This is the section that allows individuals to get copies of information held about them by Data Controllers. It is a right that is derived from Directive 95/46/EC. While there are grounds under Article 13 of the Directive for a member state to limit subject access requests where it impacts economic or financial interest of the State, I’m at a loss to see how a response to a Subject Access Request for a single person or class of people might impact our economic and financial interests as a State. The test is that the restriction must be necessary not nice to have. Of course, if things are so precarious that a Subject Access Request will tip the economy into a death spiral, then perhaps the Irish people should be told this.

 

There is a significant imbalance in rights and duties emerging here. Particularly when compared with the secrecy of NAMA and the closeness with which the privacy of significant contributors to the exuberance of the Boom times has been guarded by that Agency. There is also a suggestion that Data Protection rights are optional extras that can be mortgaged as part of entering the process.

I really do hope I’m wrong about all of this and it is not the data black hole that it appears to be and that personal data privacy will continue to be respected as a fundamental right. After all, when you’ve lost everything else, things like that can be very important.

Heel Pricks. A short thought

Yes. It is a pity that Guthrie cards will be destroyed. Yes, there is potentially valuable data held on them. But there is also a fundamental right to Personal Data Privacy under EU Treaties and there is that pesky thing called the Data Protection Acts/Data Protection Directive.

The DPC investigated the issue of heel prick cards. They negotiated with the HSE to determine a “best fit” solution that struck an uneasy and far from ideal balance between the desire to have a genetic databank and the need to have specific explicit informed consent for the processing of sensitive personal data in that way.

Comments today from Minister Kathleen Lynch that this needs to be looked at again and efforts are underway to prevent the destruction are baffling. “Efforts are underway”? So the Department is actively working to undermine the role and independence of the DPC? Is new legislation being prepared with retrospective effect that will be passed by the end of next week? Is data being anonymised (tricky with genetic data)? Is the HSE going to do a big push to get people to request the cards relating to them and/or their children from the HSE?

What needs to be looked at in my view is the culture and ethos around managing personal data that pervades in some areas of political and civil society. For that is where the root and origin of this dismal scenario lies. (A scenario, as an aside, that has faced private sector organisations with their customer databases on a number of occasions: not obtained lawfully, not obtained for that purpose, destroy it.)

The reason the issue arises with the heel prick tests is that consent was obtained for the processing of blood samples for a very specific purpose – testing for metabolic disorders in neonatal contexts. The consent obtained was for that purpose. No other. Sensitive personal data must be processed on the basis of specific, explicit informed consent. There appears to have been no plan for maintaining the data associated with those samples or for managing the process of obtaining consent for future purposes (or enacting legislation to allow for future purposes without requiring consent). There appears to have been an assumption that these samples could be retained ad infinitum and used for purposes undisclosed, unimagined, or unavailable at the time the samples were originally taken. This was, and is, not the case under Data Protection law.

As an Information Quality practitioner, I am bemused by the optimism that is expressed that the heel prick data would be useable in all cases. What processes are in place to link the data on the Guthrie card to an identifiable individual? Do those processes take account of the person moving house, their parents marrying, divorcing, remarrying (and the name changes that ensue), or the family emigrating? If the Information Governance in the HSE is such that this is rock solid data then great. I’m running a conference and want good case studies… call me!

The quality of information angle is important as it raises a second Data Protection headache – adequacy of information. If the information associated with the actual blood tests is not accurate, up to date, and adequate then a further two principles of the Data Protection Acts come into play.

Yes, the destruction of Guthrie cards is a problem (but as Ireland has been doing Guthrie tests since 1966 it has happened before). Yes, it is an unsatisfactory situation (but one that appears unavoidable given the legal situation). But the root cause is not the Data Protection Acts or the DPC. The root cause is a failure in how we (as a society) think about information and its life cycle, particularly in Government and Public sector organisations. A root cause is a failure of governance and government to understand the legal, ethical, and practical trade offs that are required when processing personal data, particularly sensitive personal data. A root cause is the failure to anticipate the issues and identify potential solutions before a crisis.

RTE reports that the Minister describes the 12% awareness level of the right to have cards returned to families rather than destroyed as “telling”. But what does it tell us? Does it tell us people don’t care? Or does it tell us that the HSE awareness campaign was ineffective? I would go with the latter. Frankly the lack of information has been stunning and, as always in Irish life, there is now a moral panic in the fortnight before the deadline. And again, the governance of how we communicate about information and information rights is called into question here.

I haven’t seen any data on how often the Guthrie card data was being used for research purposes. I’m sure some exists somewhere. Those arguing for the records to be saved should go beyond anecdote and rhetoric and present some evidence of just how useful this resource has been. We need to move beyond sound-bite and get down to some evidence based data science and evidence driven policy making.

Storing the samples takes physical and economic resource, two things in short supply in the HSE. Storing them ad infinitum without purpose “just in case” creates legal issues. Legally the purpose for which the samples were originally taken has expired. By giving families the option of having the cards returned to them the HSE creates the opportunity for specific informed consent to future testing, while removing the other data protection compliance duties for those records from themselves.

The choice is not an easy one but the Data Protection mantra is “just because you can doesn’t mean you should”. And just because you have to doesn’t mean it is easy or without pain. But by clearly drawing a line in the sand between non-compliant and compliant practices the HSE avoids the risk of future processing being challenged either to the DPC or the ECJ (after all, this is a fundamental human right to data privacy we are dealing with).

Hard cases make bad laws is the old saying. However the corollary is that often good laws lead to hard cases where society needs to accept errors of the past, take short term pain, identify medium and long term solutions, and move on in a compliant and valid manner.

Rather than weeping and gnashing teeth over a decision that is done and past it would behove the Minister and our elected representatives more to focus their efforts on ensuring that the correct governance structures, mind-sets, knowledge, training, and philosophy are developed and put in place to ensure we never find ourselves faced with an unsatisfactory choice arising from a failure to govern an information asset.

Call the Tweet Police (a slight return)

An opinion piece by Joe Humphreys in the Irish Times on the 9th of January (which I can link to here thanks to the great work of McGarr Solicitors) discusses anonymous comment on-line. In doing so he presents an argument that would appear to suggest that persons taking a nom de plume in debate are in some way sinister and not trustworthy.

He suggests three actions that can be taken to challenge “trolling”. As I’ve previously addressed this topic on this blog (27th December 2012 and previously), I thought I’d examine each of Mr Humphreys’ suggestions in turn and provide agreement or counter argument as appropriate.

1. Publicly condemn it. Overall I agree with this. However who or what should be condemned? The pseudonymous comment or the pseudonymous commenter? Should you ‘play the man or the ball’, to borrow a metaphor from sports? The answer is that, in an open society the correct course of action is to either ignore the argument or join the argument. Anything else leads to a downward spiral of tit-for-tat trolling and abuse, one of the very behaviours that has sections of our body politic and mainstream media crying “Down with this sort of thing!”

2. “Develop ways of discriminating against it… … by technology that helps to authenticate people’s identities”. In my blog post of the 27th of December I address this under the heading of “Bad Idea #1”. The concept of identity is incredibly fluid. As Mr Humphreys appears fond of citing scientists and philosophers, I’m sure he is familiar with Descartes’ writings on the existentialist concepts of identity.

The idea of an “identity register” is one that raises significant technical, philosophical, and legal issues. South Korea has recently abandoned their attempts to impose a “Real Names” policy on the use of social media due to these issues, and “Real Name” policies in social media have been criticised on Data Protection grounds in Europe. In China, where a “real names” policy is in place for social media, people use fake ID to register and the Chinese government has failed to get a significant majority of internet users to comply with their law.

Describing anonymity as a “market failure” to be fixed by enforced identification equates identity with a tradable commodity. This is, ironically, the business model of Facebook, which Mr Humphreys describes as “an invention of Orwellian proportions”.

3. “Challenge the anonymous to explain why they are hiding themselves. I’ve yet to hear a good excuse…” In my post of the 27th of December I link to an excellent resource (the GeekFeminism Wiki) which lists a number of reasons why people might not be able to use their real names in on-line comment. Time taken to research this: 30 seconds on Google. They include: survivors of abuse, whistleblowers, law enforcement personnel, and union activists.

The implication made by Mr Humphreys that people choose to comment anonymously because they don’t want their employer to know they are on social media all day is disingenuous to say the least and belies a biased view of those of us who are active users of modern technologies for communication, discussion, and debate.

Finally, history has a litany of examples of people who, for various reasons, have used pen names to hide themselves. From Leslie Charles Bowyer-Yin (Leslie Charteris, author of The Saint) to Samuel Langhorne Clemens (Mark Twain), to Francois-Marie Arouet (Voltaire), to Eric Blair (George Orwell) there is a tradition of preparing “a face to meet the faces that you meet” (to borrow a line from T.S. Eliot) for a variety of reasons. See http://en.wikipedia.org/wiki/List_of_pen_names for more examples.

Some food for thought

The Official Twitter Account of the Irish EU Presidency (@eu2013ie) tweeted earlier today about recipes.

That gave me a little food for thought given the subject matter I posted on yesterday.

  1. Ireland will hold the Presidency of the EU in the first half of 2013.
  2. Part of what we will be tasked with is guiding the Data Protection Regulation through the final stages of ratification
  3. Viviane Reding has been very vocal about the role Ireland will play and the importance of strengthening enforcement of rights to Personal Data Privacy in the EU. 
  4. Worldwide media and our European peers will be looking at Ireland and our approach to Data Protection.

In that context I would hope that any Dáil Committee would have the importance of the right to Privacy (as enshrined in EU Treaties and manifested by our current Data Protection Acts and the forthcoming Data Protection Regulation) in mind when reviewing legislation and regulation around Social Media.

While I don’t think that the recipes being tweeted about by the @eu2013ie account contained any Chinese recipes, the news today about changes in the Chinese Social Media regulatory environment is disturbing in the context of the rights to privacy and free speech. One interesting point about China’s approach to control of on-line comment from the FT article linked to above is this:

It has also tried to strengthen its grip on users with periodical pushes for real name registration. But so far, these attempts have been unsuccessful in confirming the identity of most of China’s more than 500m web users

Food for thought.