The DOBlog

Category: Other Thoughts

  • New rules, Old roots, Old attitudes

    So, today the European Commission is announcing new rules for Data Protection and Privacy in the EU (and the EEA countries and those countries seeking accession to the EU). There is hype and hoopla about the rules and what they mean, particularly for organisations conducting business on-line, companies based outside the EU selling into the EU, standardisation of penalties, and realignment and consolidation of the Regulatory and Enforcement regime.

    Oh yeah, and it is being done by Regulation which means the rules will be the same across the EU.

    But at its heart the fundamental principles remain the same. Organisations who seek to process personal data of individuals need to make sure that the ‘deal’ is fair. After all, to paraphrase Commissioner Reding’s comments at the DLD conference in Munich earlier this week

    Personal information is the currency of the Information Age

    And as with all markets where items of value are traded, checks and balances need to be in place to ensure the asset is valued appropriately and treated with care. Hence the focus in the new Regulation on concepts such as Privacy by Design, ensuring appropriate training of staff, specific requirements re: organisational governance and internal controls and clarity of documentation about the meaning, purpose, and methods of use of personal data. There is an economic trade off required to obtain the thing that is of value. That trade off is good management of Personal Data through the life cycle of the Information Asset.

    As a Data Governance and Information Quality guy I’m glad to see that the legislators in my third area of passion have finally caught up with the need to ensure organisations have defined Quality Systems with defined decision rights and accountabilities over Information as an Asset.

    So, while many of the rules are new, their roots are old. Based on my reading of the version of the Regulation that was leaked just before Christmas revealed a Regulation with one foot in the camp of Fundamental Human Rights (and the trade offs that need to be made there for economic activity to take place) and the other firmly in the camp of Quality Management practices and principles, with a clear focus on creating a Constancy of Purpose in management towards the goal of striking a sensible balance and ensuring a fair deal in the processing of personal data.

    And that is where the problem begins.

    There is a window now for national governments and the European Parliament to make contributions to the Regulation. Many in national government and the EP will make sensible contributions that will evolve the framework and make it easier to implement in practice.

    However, in a month where one Government Minister acted in blissful ignorance of the Data Protection Acts one week, another flew a policy kite that would require an illegal extension in scope of the database being built by the first Minister, and where the unelected officials of the largest City Council in the country appear to be unable to point to the legitimate grounds on which they transferred the personal data of over 100,000 residents to a private company, I hold out little hope of sensible debate and dialogue from the Irish body politic.

    In a month where we greeted the year (for the second year in a row) with a story about poor planning of projects involving personal data (both under the stewardship of the same person) I hold out little hope of sensible engagement from the Irish body politic.

    And in a month where the reversal of a bad law to control copyright on the Internet (SOPA) after leading websites across the world “went dark” we find a Junior Minister of the Government, in the Department that is in charge of attracting and retaining exactly those companies who opposed the US law, seeking to implement a similar law by Statutory Instrument with no debate or discussion, even after the legal position and EU policy position has changed in relation to Internet blocking, and only the opinions of the dying industry this law would protect seem have been sought in advance, I hold out little hope for the Irish Body Politic not to make an arse of this.

    And as for the Irish media… with a few notable exceptions the absence of attention to Data Protection issues (except where it involves embarrassing a Government Minister and the copy can be lifted from this blog) is staggering. So yet again I hold out little hope of sensible engagement.

    Adapting to the new Data Protection landscape will require individuals to change their mind set. But I fear that the entrenched attitudes in the body Politic and the traditional media may be such that Ireland (the little nation that faced trade sanctions in 2003 for not implementing Directive 95/46/EC by 1998 as we were required to) will fail to step up to the plate and drive the change in thinking and attitude necessary to achieve sustainable and sustained change in Data Protection practices in Ireland.

    W. Edwards Deming wrote in his famous 14 Points for Transformation that it was essential for the transition that organisations “Institute Leadership”. I see precious little leadership in this area from our politicians and only dazzling pin-pricks of illumination from the main stream media. So I must keep my hope guarded in the face of the likely knee jerk reactions against the changes and the almost inevitable white noise of ignorance until the Regulation passes into law with a direct effect sometime in 2014.

    Prove me wrong. Please.

  • Lies, damned lies, and statistics

    On Monday the 16th January 2012 the Irish Examiner ran a story that purported to have found that 93% of the Irish public “decried” the decision of the Minister for Foreign Affairs to close Ireland’s embassy in the Vatican City State. The article detailed how they had undertaken a review of correspondence released under the Freedom Of Information Act which showed that 93% of people in Ireland were against the closure. To cap it off, the article was picked up in the Editorial as well.

    Except that that isn’t what they had uncovered. The setting out of the statistics they had found in the sensationalised way they presented them was a gross distortion of the facts. A distortion that would, to paraphrase Winston Churchill, “be half way around the world before the truth had its boots on”).

    Demotivational poster about data

    What they had uncovered is that of the 102 people who wrote in to the Minister for Foreign Affairs about the issue, 93% of them expressed a negative opinion about the closure. The population of Ireland is approximately 4.5 million people. 95 people is closer to 0.000021%. While I may not have the academic qualifications in Mathematical physics that my famous comedian namesake has but I know that 95 people (that’s 93% of 102) is slightly less than 93% of the Irish public

    Or, to put it another way, significantly and substantially below the statistical margin for error usually applied in political opinion research by professional research companies.

    Or to put it another way, over 99% of the population cared so little about the closure of the Vatican Embassy that they couldn’t be bothered expressing an opinion to the Minister.

    Of course, the fact is that there were letters written about this issue. And the people who wrote them were expressing their opinion. And 93% of them were against the closure.  In fact, in defending themselves on Twitter against an onslaught of people who spotted the primary school maths level of error in the misuse of statistics in the article, the Irish Examiner twitter account repeatedly states that (and I’m paraphrasing the actual tweets here slightly) “for clarification we did point out that the analysis was based on the letters and emails”. But it is inaccurate and incorrect to conflate the 93% of negative comment in those letters to the entire population as the sample size is not statistically valid or representative being

    1. Too small (for a statistically valid sample of the Irish public you would need between 384 and 666 people selected RANDOMLY, not from a biased population. That’s why RED C and others use sample sizes of around 1000 people at least for phone surveys etc
    2. Inherently biased. 93% of cranky people were very cranky is not a headline. The population set is skewed towards one end of the distribution curve of opinion you would likely find in the wider population.

    Then today we see a story in the Examiner about how Lucinda Creighton, a Junior Minister in the Dept of Foreign Affairs is backing a campaign to reopen the embassy because

    there’s a very strong, and important and sizeable amount of people who are disappointed with the decision and want to see it overturned and who clearly aren’t happy

    What? Like 93% of the Public Lucinda? Where is your data to show the size, strength, and importance of this group? Have you done a study? What was the sample size?

    As a benchmark reference for what is needed for an Opinion Poll to validly represent the opinions of the Irish Public, here’s what a reputable polling company says on their website:

    For all national population opinion polls RED C interview a random sample of 1,000+ adults aged 18+ by telephone. This sample size is the recognised sample required by polling organisations for ensuring accuracy on political voting intention surveys. The accuracy level is estimated to be approximately plus or minus 3 per cent on any given result at 95% confidence levels.

    Anything less than that is not statistically valid data and can’t be held out as representing the opinion of the entire public.

    As an Information Quality Certified Professional and an active member of the Information Quality Profession on an International level for nearly a decade I am ethically bound to cry “BULLSHIT!!” on inaccuracies and errors in  information and in how it is presented. The comments from Ms Creighton are a good example of what that is important in the Information Quality and wider Information Management profession. If bullshit analysis or analysis based on flawed or inherently poor quality data is relied upon to make strategic decisions then we invariably wind up with bullshit decisions and flawed actions.

    And that effects everything from conversation with family, chats in the pub, business investment decisions, political decision making, through to social policy. Data, Information, and Statistics are COOL and are powerful. They should be treated with respect. People publishing them should take time to understand them so that their readers won’t be mislead. And care should be taken in compiling them so that bias does not skew the results.

    So, having had no joy or actual engagement from the Irish Examiner on the issue I forwarded my complaint to the Press Ombudsman yesterday pointing out that the article would seem, based on the disconnect between the headline, the leading paragraph, and the general thrust of it, to be in breach of the Code of Practice of Press Council of Ireland.

    I just hope they can tell the difference between lies, damned lies, and fudged statistics. (This Yes Minister clip about Opinion Polls shows how even validly sampled ones can be biased by question format and structure in the survey design).

  • My personal thoughts on the Facebook Audit

    This post was originally published on the Irish Computer Society Data Protection blog. I am republishing it here as it is my original work and I am moving my Data Protection musings into one place.

    Over on my personal blog [this one] I’ve written a short piece about my thoughts re: the Facebook Audit by the DPC.

    All in all I welcome the findings (and at 40 or so discrete findings it is not a clean bill of health by any stretch of the imagination regardless of spin and positioning) but feel that, given the breadth of potential scope for any audit and the limited resources and time available to the DPC’s office, it was inevitable that some issues could be missed.

    I am personally dismayed that the DPC did not prosecute some or all of the offences that they identified, particularly those in relation to breaches of the ePrivacy directives (where clear penalties and court precedents exist). A high profile prosecution would have made it a lot easier dealing with clients and prospective clients as it would have focussed the attention on issues.

    Also a number of unasked questions remain unanswered. For example, what is the position of Apps which process data outside the EEA? Does Facebook as a Data Controller not need to ensure that these apps (processors) are undertaking their activities in “safe countries” or under terms consistent with the Model Contracts approved by the European Commission.

    I’d like to think that this is part of a long term strategy by the DPC to develop a “poster child” for compliance (“hey, look… if Facebook can do it so can you”), whittling down issues and changing the Facebook mindset over time.

    But I am fearful that proper regulation and enforcement of Data Protection rules may be seen by the Irish Government as a barrier to enticing foreign investment in the data storage and services sectors and as such the independence of the DPC’s office may be threatened and its ability to effectively carry out its duties may be weakened.

    The Office of the Data Protection Commissioner does a sterling job with a small cohort of staff, a massive remit and scope of responsibility, and a budget that, in their 2010 Annual report was less than €1.5 million. My instinct is that they opted not to blow that budget on prosecutions and instead elected to work the network of International authorities (Canada’s OPC, various German Authorities, the FTC) to keep the pressure on to drive change rather than levy penalties.

    After all, any visit to Courts with a prosecution is a roll of the dice as to whether the judge accepts the full weight of the offences and agrees the penalties requested. The DPC could have spent quite a lot to achieve, in effect, the same result.

    However, I await with interest the findings of the rematch in July 2012. Will Facebook win gold for privacy then? Or will we see the true stamina of the Data Protection Commissioner in a legal tussle? All we can hope for is either an Olympic performance from the “New Facebook” or a Herculean stand by the DPC in defence of individual privacy.

  • Information Quality Change – the Doctor Who effect

    I’m a big science fiction fan. I make no apologies about this fact. One of my favourite science fiction characters is The Doctor, the lead character in the

    The 9th Doctor outside his Tardis
    The 9th Doctor

    BBC’s iconic series of the same name. In a genre that often falls for the easy charms of technology to drive a story, The Doctor (a 930 year old, two-hearted time travelling Time Lord from the Planet Gallifrey) invariably highlights and thrives on the Human Factor – the innate potential, ingenuity and power of the human beings (a lesser species) who he befriends, protects, and travels with.

    Over the years I’ve tried to adopt and adapt some of the principles of The Doctor’s approach to leading Information Quality and Governance change projects:

    There is nothing that can’t be solved by confectionery

    The good Doctor in a number of his incarnations (4th, 6th, 7th, and 8th as memory serves)  was renowned for, in moments of high tension, proffering some confectioneries (specifically Jelly Babies) to help lighten the mood and distract thought. They were an incredible tool that enabled him to befriend others and buy time to develop cunning plans. Doctor Who Jelly Babies (video montage)

    The key lesson is that it is often useful to have a “quirky” way to break down barriers and get conversations going. The Doctor has Jelly Babies. I’ve used various props. Kathy Hunter of DQM Group made extensive use of home baked cakes and biscuits when she was in a previous role to help open conversations.

    It’s Bigger on the Inside

    The Doctor’s space ship/time machine is a Blue Box. It is a Blue Box because the advanced circuitry that let it change appearance to blend in in different timelines got stuck on “Blue Box” on a trip to London around 1963 (the year the series was first broadcast). The thing about the Blue Box is that it is “bigger on the inside”, a fact that The various companions’s to The Doctor remark on whenever they enter the Blue Box for the first time. Bigger on the Inside (Youtube) . Invariably, The Doctor takes the surprise in his stride, often forgetting how big a shot it is to people when they see the size of his Blue Box for the first time.

    The Doctor’s Blue Box is called the TARDIS, which stands for Time and Relative Dimensions in Space. By being able to engineer time and space The Doctor’s race, the Time Lords could build infintely large space craft that could fit into a small space (like the back of a props van on a TV show).

    What’s the parallel with Information Quality? Well, those of us who have worked in Information Quality often forget that it is a discipline that is very much “bigger on the inside”. When people look at Information Quality from the outside, they might be forgiven for thinking that it has the general dimensions of a Blue Box (so to speak) and it is only when they venture inside that they realise there’s more to it than meets the eye. If your perception of IQM is that it is Data Profiling and some Cleansing, it can be quite a shock when you uncover the Change Management challenges, the human psychology issues, and the legal and regulatory issues that can affect Information Quality strategies.

    Often we hard-core practitioners take it for granted that its is bigger on the inside, because we’re on the inside looking out.

    People First, Technology Second

    Quite apart from the long running love affair The Doctor has had with the Human Race, every adventure winds up with The Doctor being outrageously brilliant as a Time Lord, but more importantly inspiring and encouraging brilliance in his Companions and others around him. Whether it is calling in favours from old enemies (in return for some jelly babies perhaps) or rallying demoralised troops in the face of battle or unnatural enemies, The Doctor puts people first, often appearing willing to sacrifice himself to protect others.

    Technology is applied in innovative and outlandish ways to meet the objective of protecting people. Even The Doctor’s trusted sonic screwdriver is not used as a tool in its own right but as a means of enabling things to happen and for information to be gathered to support decision making.

    From an information quality management point of view it is important that we remember this lesson – the technology should not dictate the solution and, ultimately, it is people who are the brilliant and innovative sources of solutions to problems. A Data Profiler will tell you that the data looks broken. A human being will figure out the best solution (new business rule, new tools etc).

    In short, to paraphrase The Doctor: “People are FANTASTIC!!”

    Conclusion

    I’m very much of the view that we can learn a lot from arts and literature about ourselves and who we can aim to be in how we approach things. Science fiction TV programmes are no different to the works of Shakespeare in this regard. Perhaps we can achieve more sustainable successes in our Information Quality travels by learning some lessons from The Doctor:

    1. Everybody likes Jelly babies – (what is your equivalent?)
    2. Not everyone can see that this is actually Bigger on the Inside… and when they step into the world of Information Quality it can be a bit of a shock to the system.
    3. Technology doesn’t fix things. People fix things, occasionally using technology to get there. Remember that people are FANTASTIC!!

  • The missing link in Compliance and Governance

    Over the years I’ve done a lot of work in the area of Regulatory Compliance and Information Quality. Whether it is Data Protection, Information Quality, Governance or Compliance, it is important to bear in mind that what we are dealing with a Quality Management System:

    • Data Protection Compliance is the Quality System where by the obligations and expectations which arise under Data Protection/Privacy laws are met consistently
    • Information Quality programmes involve, by definition, the implementation of a Quality Management System
    • Information/Data Governance… well, that’s another form of Quality Management System
    • Complying with other forms of industry or Governmental regulation… well, the best way to achieve those objectives is through some form of systemic approach to meeting or exceeding expectations.

    In my experience Compliance and Governance initiatives and strategies tend to fall into three camps:

    1. Documentation Driven by “Rules Wizards”, with extensive policy and procedure documentation, usually from the comfort of an Ivory Tower in the Business that is comfortably removed from GEMBA
    2. Technology Triggered by “Techno-Lords”, usually from within the bowels of the organisation’s IT department, which is also often at a distance from the place where the work is actually getting done.
    3. Awareness and Attitude Oriented: Driven by a “Coalition of the Willing”, with a focus on policy that is actually executed through the appropriate use of supporting technologies and a strong focus on the “Human Factors” that lead to awareness and understanding of the required changes.

    Often it is difficult to see which kind of initiative you are dealing with. In organisations that have a “Document Driven” approach, management take comfort in the fact that they have documented procedures and policies for everything therefore everything is in control. In “Technology Triggered” initiatives, the management of the organisation places a blind faith in the power of technology to protect, prevent, detect, and mitigate issues.

    Both approaches are doomed to failure. Neither, no matter how sophisticated, can ever deliver anything other than “small ‘c’” compliance. Because Quality Systems are about more than just documentation or technology. Real quality requires a sustainable change in attitudes and awareness. After all, Deming’s 1st two points of Management Transformation are not “Write documents” or “Get good technology”: They is “Create a Constancy of Purpose” and “Adopt the New Philosophy”.

    Purpose and Philosophy require that the organisation look at the attitudes that are there. It is as important to understand and articulate a Vision for the Quality System… and to make sure that that Vision is embedded in the mind-sets and attitudes of the staff in the organisation.

    At a conference in London in 2005 Joyce Orsini of Fordham University shared a story with me of a trip W.Edwards Deming (she was working with Deming at the time) took to an automobile manufacturer in the US in the mid 1980s. On this trip the plant manager took great pride in showing off the robots (technology) that they were using to manufacture the cars. Deming noticed that every time the robot arm swung over the car it dented the boot (trunk) lid of the car. He asked if this was part of the Quality Standard (Policies). The Plant Manager said no, it wasn’t, but they had a man at the end of the production line with a hammer to knock the dent back out.

    A lack of awareness about the operation and objectives of the Quality System and what it meant as a value system meant that no-one in the plant seems to have questioned the operation of the Quality System.

    Without Awareness and Attitude the investment in Documentation and Technology that form part of the Quality System will ultimately have sub-optimal return.

  • Expelling the Papal Nuncio

    A few days ago my friend Simon asked me to jump in and give him a hand admining a Facebook group he first set up in 2009 in response to some of the reports that had been published into clerical sexual abuse in Ireland. These reports highlighted a catalogue of blocking, interference, and general institutionalised non-cooperation with investigations by the State authorities.

    The recent publication of the Cloyne Report highlighted still further that there was a clear policy of non-cooperation and basic lip service being paid to child protection standards within many areas of the Irish Roman Catholic church, at the initiation of, with the support of, and with the backing of the Vatican State’s senior diplomat to Ireland, the Papal Nuncio. That this culture has spanned the tenure of multiple holders of the post over the past number of years (Guiseppe Lazzarotto [Nuncio from 2000 to 2007] blocked cooperation with inquiries on the grounds that ‘diplomatic channels had not been used’, Luciano Storero [Nuncio from 1995 to 2000] warned Bishops against implementing measures requiring mandatory reporting of child abuse) speaks to an institutional failure on the part of the diplomatic representatives of a foreign state to respect the laws of the Irish State and co-operate with enquiries into horrific cases of systemic and systematic abuse.

    And that is why I was only too happy to help Simon out. It’s not that I am anti-religion, anti-church, anti-priest, or anti-catholic. Those who know me well know my personal beliefs. I don’t feel it is relevant to share them here, because in parallel with my personal religious and philosophical beliefs I have a very strong belief that international relations between States must be grounded on trust, or at least respect. I do not believe it is acceptable for a diplomatic representative to place themselves above or outside the law of this State without there being clear consequences for the office holder and the office itself.

    Had the Danish Ambassador conspired systemically to block investigations into the alleged criminal activities of Danish citizens I’d be calling for him to be expelled as well.

    The fact that the Papal Nuncio holds a special senior position in the Diplomatic Corps in Ireland is doubly troubling to me. The Nuncio is the Dean of the Diplomatic Corps, effectively feted as the most senior diplomat on the Ferro Rocher circuit. And all while the office of the Nuncio has, for over two decades, facilitated the breaking of Irish laws and conspired to block and frustrate investigations of those alleged offences.

    So. What I’m asking the Irish Government to do is to take action to remove the special standing of the Papal Nuncio immediately. They should then take the necessary steps to expel the Ambassador from the Vatican City State (the legal entity not the religious body).

    Finally, the Irish Government should also withdraw the invitation to the Pope to visit. Bluntly, we can’t afford it as the return on investment compared to other State visits from countries with diplomatic representation here simply isn’t there. When the Pope visited the UK it cost over GBP12 million (EURO14 million) before the policing costs were factored in. The combined visits of Obama and the Queen came to around €30 million in total.

    The United States as a population of over 300 million people. Fair enough only around 15% of them have passports, but that’s still a potential pool of 45 million travellers who might stop off in Ireland on their vacations. The UK has around 62 million people sitting a 1hr Ryanair flight away from us. So, the potential pool of possible tourists who can come from the UK and US as a result of the State visits in May is around 100 million people. So, it would have cost us €0.30 per head to target that population.

    The Vatican has a population of 826 people (source: CIA Factbook). Spending €12million on securing the Pope’s visit would cost us €14528 per capita to sell Ireland as a tourist destination to the population of the Vatican. Even if it cost us a quarter of what was spent on the UK visit, we’d still be spending over €3,000 per potential traveller to sell into a market that I’m sure Failte Ireland are already reaching through their advertising spend in Italy.

  • Data Breach Code of Practice

    A while back I had the privilege of being part of a group who formulated submissions to the Data Protection Commissioner regarding the Data Security Breach Code of Practice.

    That Code of Practice was presented to the Minister for Justice in July 2010, long before the dissolution of the Dáil in January 2011. There was one administrative step required to give it full legal effect. That step has not yet been taken.

    Apparently, carelessness with Personal Data (and, in the case of the Security Breach Code of practice, financial data as well) would appear not to be a ‘real crime’ in the eyes of the Dept of Justice. Despite the fact that it costs the UK economy £27bn per annum.

    Given that Fine Gael spearheaded moves to improve the protection of personal data privacy through a Private Members bill proposed by Simon Coveney TD, and during their election campaign they trumpeted the policy of “getting tough on white-collar crime” perhaps they should start with a holistic view of the culture of business and begin with one common element across all business, whether it is Financial Services, Healthcare, Telecommunications, or plumbing – the fact that every business, at some level, processes personal data about individuals in order to conduct business.

    What would I like to see from the new Govt which will take the reins of power in the coming week or so?

    1. Tie up the loose ends. Put the Code of Practice on a fully formed legal footing (and perhaps bump up the penalties that can be levied)
    2. Begin the process of renewing the Data Protection Acts. Even in advance of the new EU Directives in May and further down the road there are a number of things which can and should be done:
      1. Consolidate and simplify the legislation.
      2. Implement clear penalties for infringement of the Acts and penalise non-compliance
      3. Provide clear statutory frameworks to encourage compliance (e.g. Voluntary disclosure, whistleblower protections)
      4. Make clear the alignment between Data Protection regulation and other areas of good corporate governance.
    3. Require Enterprise Ireland and the various business development incubators that are promoting entrepreneurship to include some information/training/guidance on Data Protection principles and practice in their supports for start-ups (I’ve been through a Business Development programme and, despite the importance of personal data to the business models of 90% of the participants it was not even mentioned as a topic).
    4. Make the Office of the Commissioner revenue generating to a greater extent by having higher potential penalties and ensuring that prosecutions are taken to the fullest extent of the available penalties. In the UK the maximum penalty for a breach is £500k. Here it is, on a good day, only a fraction of that.

    Finally, the Government should ensure that the Data Protection Commissioner has adequate funding, resources, and supports to properly conduct and execute their responsibilities under the legislation. Whether that is achieved through the absorption of other agencies into the Commissioner’s remit is a matter for the Government (and the Commissioner) to decide on.

  • In the interest of Electoral Balance

    I’ve written previously about Fine Gael and their issues with avoiding Data Protection pitfalls during this current General Election.

    Some people might have gotten the impression that I’m obsessed with Fine Gael. I’m not. I’m obsessed with Data, specifically the management of data and information in manner that ensures quality outcomes through quality data governed with due regard to relevant legislation.

    On courses I teach on Data Protection and Information Quality I often make reference to “The Joe Duffy Effect” to describe the brand impacts that can arise if organisations don’t take care to manage information as a complex and valuable asset. The term refers to Joe Duffy, a talk radio host on Irish radio. Joe enjoys taking the side of the common man, usually. Occasionally he makes a jape of not getting the point, whether by accident or design we may never know. But organisations who fall foul of the “Joe Duffy Effect” can find themselves fighting rear guard actions against an often intractable foe.

    Last week Joe spoke with Jacob, a South African living in Ireland who had received a pre-recorded voicemail to his phone from Michael Martin. Jacob’s tale can be heard in Technicolour on the RTE website.

    From the call we glean that:

    1. A voicemail was received by Jacob on the 9th of February with a pre-recorded message (which Jacob played)
    2. He has apparently received SMS messages from Fianna Fail with calls for volunteering and campaigning.
    3. He is not a member of Fianna Fail
    4. He has not asked for Fianna Fail to contact him and does not know where they got his number.
    5. The mobile in question is used as an internal work mobile and is not listed. His number is only listed with the Road Safety Authority.

    In the broadcast Joe tells Jacob that we live in a democracy.

    Correct. We live in a democracy. Specifically we live in democracy where we have decided that the Right to Privacy, while not absolute, is a right that must be defended. Just because we are a democracy it does not give politicians an automatic carte blanche to process data regardless of where or how it has been obtained. These rights to privacy are enshrined in law, in the Constitution and in EU Treaty obligations. Yes, there are balances, mitigations and exemptions with respect to how that right is exercised and protected – but it is still a democratic right of the individual.

    During the course of the call, a comment from Fianna Fail was read out saying that they didn’t have Jacob’s number. That is at odds with the evidence – to whit: one recording. And if I’ve learned one thing from watching CSI is that evidence trumps counter claim every day.

    So, what is the Data Protection issue here:

    • Fair Obtaining – Jacob is not a member of the party and was not aware of how his number came to be called and texted. Granted his phone seems to be for work purposes, but the electronic Privacy regulations apply to business as well as personal data. Also, while he may use the phone for work purposes a big question to ask here is who is paying the bill – him, or a company. If he pays the bill the phone may actually be a personal phone used for business purposes (Sole Trader data is a tricky area in Data Protection land).
    • Governance and control of data and/or data processors – Fianna Fail claimed not to have Jacob’s number. The fact that a Fianna Fail party message was left by voicemail and various SMS messages were sent to him suggests that they do. Or if not them then someone working on their behalf. Under the Data Protection Acts, the Data Controller is responsible for the actions of the Data Processor unless the Data Processor acts outside the parameters of the formal contract in writing that governs the Data Controller/Data Processor relationship. So… while it may be true that FF HQ don’t have Jabob’s number, someone processing data on behalf of Fianna Fail does. Fianna Fail not knowing whether or not they had the data suggests a weakness in internal control and governance.
    • Accuracy – Joe D. suggested to Jacob that maybe the messages were being sent because of a wrong number. Personal data needs to be kept accurate and up to date. FF should have taken steps to correct the error rather than denying that they have the data. Ultimately FF carry the can for the actions of the Data Processor.

    Of course, there is the distinction to be made between normal “direct marketing” and the processing of personal data by a candidate for elected office. Basically during an election personal data is “fair game” for politicians, provided they have obtained it correctly first and have clear consents for contact. Which puts the discussion of “auto dialling” or “power dialling” on the table. According to the Data Protection Commissioner’s website:

    The use of automatic dialling machines, to call individual subscribers at random for direct marketing purposes, is prohibited, unless subscribers’ consent has been obtained in advance.  Unsolicited fax messages to individual subscribers are likewise prohibited.

    That is why it is important to know who the “subscriber” is to Jacob’s phone. If it is a limited company or similar legal entity, then it is not a call to an “individual” subscriber. If it is his phone or he is a sole trader or part of a partnership, then it is possible that he is an “individual subscriber” and as such the use of an autodialler to RANDOMLY call numbers for direct marketing would be illegal. Dialling from a preloaded list is OK. So long as the list has been fairly obtained and takes into account NDD Opt-out requests etc. And then there is the grey area of the Political exemptions from the Data Protection Acts.

    The DPC has issued guidelines to all political parties before the election. My sense is that these guidelines may have been breached in this case.

    During previous election campaigns, the Commissioner received numerous complaints from individuals in receipt of unsolicited SMS (text) messages, emails and phone calls from political parties and candidates for election.  In many cases, the individual had no previous contact with the political party or candidate and was concerned at the manner in which their details were sourced.  Subsequent investigations revealed that contact details were obtained from sources such as sports clubs, friends, colleagues and schools.  Obtaining personal data in such   circumstances would constitute a breach of the Data Protection Acts, as there would be no consent from the individual for their details to be obtained and used in this way.

    So.. Fianna Fail need to know where their Data Processors are getting their data from. The evidence says they have Jacob’s phone (and who knows who elses’) but don’t know they have Jacob’s phone. That suggests that the Data Controller is not in Control of the Data. Which is a problem in and of itself.

    Fine Gael are not the only Data protection flaunters in this election. Fianna Fail have had their moments too. The Green Party STILL don’t have a Privacy statement. And I’m sure the others have slipped up along the way as well. But that is a discussion for another day.

  • There is oft a slip twixt tweet and twolicy

    This blog post is basically the text of an audioboo I recorded at 9:30 this morning which has disappeared into the ether ne’er to be found.

    Fine Gael have launched their “Twolicy Page”. I won’t comment on the hideous neologistic portmanteau that is “Twolicy”, other than to say it that seems to have been dreamed up by a pat.

    What strikes me about the “Twolicy” page is that it is yet another import of an American election campaign tool into Irish Politics, particularly with the concept of the “E-Canvasser”. Fine Gael dynamically tell us that the E-Canvasser (perhaps some distant cousin of the “Cyber Reporter” who has emerged as the colour piece of the day on certain Irish current affairs shows?) will

    knock on all cyber doors by delving into the depths of Facebook, Twitter, Youtube, Flickr and more! Through the simple medium of sending e-mails, facebooking and tweeting messages of support for Fine Gael you can pledge your commitment to fixing the Irish economy.”

    This is a strategy which exists to some extent in Irish politics even today. Many of the letters to Madame Editor are crafted examples of “Astroturfing” – something that appears to be a grass roots movement but is not. I first became aware of the concept back in 2002 when I spotted the Republican Party in the US running “GOPTeamLeader.com” (which, thanks to the interweb waybackmachine I can bring to you in hideous technicolour). Basically the party recruits a team of volunteers who are tasked with sending “on-message” communications to the media (which in 2001 was the newspapers, TV, and radio). In return, the GOP provided a set of reward points (like Green Shield Stamps) which could be saved up and exchanged for rewards such as barbecues, autographed photographs of the Reichsfuerher candidate, and (if memory serves me correctly, an RV.

    Fine Gael liken this to door to door canvassing. However that analogy does not hold true because the Internet is not a housing estate or public street. Drop a bus load of eager canvassers on my door step and they will be able to

    1. See my house
    2. See my neighbours’ houses

    They will not need to ask my neighbour to throw leaflets over my back wall. They will see the big sign in my hall window warning them of the fate that will befall them should they ring the bell and seek discourse (“Warning – political nut lives here”). And most of them are clued in enough to know that the “no canvassers” sticker in the window means that stuffing my letter box with bumph will just be providing stimulus to the paper recycling industry.

    The Internet is different. Social media is different. Whoring out your personal contact list to a political party is different. And because it is different, we find ourselves to an extent in uncharted territory with regard to the Data Protection implications of Social Media driven Astroturfing.

    Right now I have a contact list of 413 followers on Twitter for my personal account. I have a second twitter account that is for my business. People who follow me know (from my profile and what I tweet about) that I’m a Data nut and I do data protection and information quality training so content about those things will pop up in my timeline. People who follow me also know I’m a bit of a politics geek and enjoy holding our leaders to account. But I try and keep my business tweeting separate from my personal tweeting. And when I whore myself out too much on Twitter, I get friendly DMs from people or I get unfollowed.

    This is because the contact details of my friends are information I have gathered for domestic purposes. As such the Data Protection Acts don’t apply. If I was to sign up to be an e-Canvasser (and I can’t get the image of a canvasser handing out bags of yokes out of my head) we would then face the question of whether I was still processing that data for Domestic use or whether I had become a Data Processor working on behalf of Fine Gael, a Data Controller.

    The key question would seem to be how much control Fine Gael are exerting over the content and communication from their e-Canvasser Astroturfers, and whether they are offering any form of reward or incentive for people to encourage them to pimp out their domestic contact lists.

    If Fine Gael are simply being “passive” and are relying on individuals to act on content that is made available, then there is probably no substantial issue here. It is a case of a person finding content on the web that they think would be of interest to their personal network. We do this every day. It is the way the social web works. Of course, that then raises the question of why they would need you to sign up to their team for this purpose… surely the type of political nut blogger who would retweet or repost their bumph would do so anyway without having to be officially flagged as an “E-Canvasser”?

    If Fine Gael are being “neutral” and are simply flagging content to people who have signed up and asking them to do what they see fit with it, then this too is probably OK. The analogy would be the charity that Tweets out a fundraising message and asks their followers to retweet it to send the fundraising virally. The charity has not asked you to commit to being an active fundraiser on their behalf.

    However, if Fine Gael are specifying specific content into specific constituencies at specific times and are exercising control over the content of the messages that are being sent, then we are into a potentially problematic area.

    The e-Canvasser would not on the Fine Gael payroll. But they would be, in effect, processing personal data on behalf of Fine Gael as part of the “Fine Gael Team”. It would be interesting to find out how much direct “editorial” control that FG are placing on the Facebook Statuses that people are “donating” (and where does this fit in SIPO? What is the monetary value of a person’s Facebook status?) or the emails to “family and friends”. This is personal data that was given to them for a domestic purpose, not for the purposes of canvassing for Fine Gael. Once they commence a “active” canvassing then the use of the data has likely changed from “domestic” to political and the Data Protection Acts would apply. If Fine Gael are directing the timing of messages, the content of messages, and/or the audiences for messages then the e-Canvasser is being directed in their processing by the Data Controller, Fine Gael. And, as Data Controller, Fine Gael would need to ensure that there was clarity about the new political use of the personal data and a clear mechanism for the Data Subject (the canvasser’s family and friends) to opt-out would need to be in place – and FG would, of necessity, need to push this responsibility down to the Canvasser.

    Otherwise, FG would not have obtained the data fairly for the purposes of electoral canvassing. It would be no different than if they had asked the local GAA club to email all their members to let them know about Fine Gael’s new policy on tax relief on sliotars and faceguards for hurlers. And that is the kind of thing that the Data Protection Commissioner has already warned against.

    Things become an order of magnitude more complicated if Fine Gael are running any kind of incentive scheme for e-Canvassers to drive up the publication of their AstroTurf message.

    Of course, Fine Gael have probably thought this through and will have the necessary protocols in place to ensure that there is a mechanism for a Canvasser’s friends to opt out of receiving Fine Gael campaign materials by email, Facebook or Twitter. They have probably realised that people have the same reaction to junk mail on-line as they do at their door step and need to have the ability to put up an on-line “No Canvassers” sign.

    Currently the only opt-out mechanism I can see is to unfriend people, unfollow them or block them. Which is exactly what I would do in the physical world if a friend of mine kept ramming leaflets and policy statements from a political party into my face.

    Of course, in the absence of such an opt-out facility, Fine Gael (as Data Controller) and the e-Canvasser (as Data Processor) would need to be cautious of falling foul of SI526 2008 (the e-Privacy regulations) which carry a fine of €5000 per breach, capped at €50,000 for an individual. While Twitter and Facebook might not be mentioned in the legislation, email is in section 13(1).

    b) A person shall not use or cause to be used any publicly available electronic communications service to send an unsolicited communication for the purpose of direct marketing by means of electronic mail, to a subscriber, who is a natural person, unless the person has been notified by that subscriber that for the time being he or she consents to the receipt of such a communication. 

    [edit to clarify some points raised by @tjmcintyre]

    Now, the DPC has ruled in the past that there is an exemption covering the Direct Mail (including email and texting)

    carried out in the course of political activities by a political party or its members, or by a candidate for election to, or a holder of, elective political office

    Question: is the eCanvasser the political party (I would argue yes if FG are exerting sufficient control that they would become a Data Controller)? In which case, the processing is possibly covered.

    But I would suggest that this exemption assumes that the email or tweet would be clearly coming from Xyz@partyname.ie or an individual clearly identifying themselves as a member of the party or publicly known to be a candidate for election or an elected official. Getting an email from “yourbestmate@gmail.com’ telling you to go and look at Fine Gael policies, where that email has been sent on the instruction of and under the Control of the party or candidate would seem to me to fall outside the scope of issues already decided.

    [/edit]

    So, the upshot is that while physical world canvassers have to be careful of yappy dogs, cats that bite and political nuts who have hard questions, eCanvassers need to consider both the social acceptability and potential legality of pimping out their personal contact lists on behalf of a political party. Such tactics are de rigeur in the US. But the US does not operate with the same privacy legislation as Ireland, so ideas imported from overseas must be vetted properly to ensure that no Compliance risks arise.

    I would be interested to see what the Data Protection Commissioner’s response to or advice on formal ecanvassing that places the data at arms length but creates a de facto Data Processor/Data Controller relationship would be, particularly if that relationship is not obvious to the recipient of the email or tweet. [update] Perhaps it would be sufficient for the emailer or tweeter to clearly flag that they are part of a formal eCanvassing team acting on behalf of and under the instruction of Fine Gael?[/update]

    [update] But the issue of whether the change of use of the data from domestic to overtly political will, in my personal view, give rise to questions of whether the data has been obtained fairly for that new purpose, which is a point already clearly settled in the mind of the DPC.[/update]

     

     

  • Wordle me this

    Thanks to Jim Harris over at OCDQBlog.com I came across Wordle, which creates word clouds (like tag clouds) based on text content.

    Here’s a link to the Word Cloud for this blog. I think the theme of my personal blogging is clear from this image…

    Not a great post to start 2011, but there is more to come (oh yes…)