Category: Politics & Culture

  • The missing link in Compliance and Governance

    Over the years I’ve done a lot of work in the area of Regulatory Compliance and Information Quality. Whether it is Data Protection, Information Quality, Governance or Compliance, it is important to bear in mind that what we are dealing with is a Quality Management System:

    • Data Protection Compliance is the Quality System whereby the obligations and expectations which arise under Data Protection/Privacy laws are met consistently
    • Information Quality programmes involve, by definition, the implementation of a Quality Management System
    • Information/Data Governance… well, that’s another form of Quality Management System
    • Complying with other forms of industry or Governmental regulation… well, the best way to achieve those objectives is through some form of systemic approach to meeting or exceeding expectations.

    In my experience Compliance and Governance initiatives and strategies tend to fall into three camps:

    1. Documentation Driven by “Rules Wizards”, with extensive policy and procedure documentation, usually from the comfort of an Ivory Tower in the Business that is comfortably removed from GEMBA
    2. Technology Triggered by “Techno-Lords”, usually from within the bowels of the organisation’s IT department, which is also often at a distance from the place where the work is actually getting done.
    3. Awareness and Attitude Oriented: Driven by a “Coalition of the Willing”, with a focus on policy that is actually executed through the appropriate use of supporting technologies and a strong focus on the “Human Factors” that lead to awareness and understanding of the required changes.

    Often it is difficult to see which kind of initiative you are dealing with. In organisations that have a “Document Driven” approach, management take comfort in the fact that they have documented procedures and policies for everything, and therefore everything is in control. In “Technology Triggered” initiatives, the management of the organisation places a blind faith in the power of technology to protect, prevent, detect, and mitigate issues.

    Both approaches are doomed to failure. Neither, no matter how sophisticated, can ever deliver anything other than “small ‘c’” compliance, because Quality Systems are about more than just documentation or technology. Real quality requires a sustainable change in attitudes and awareness. After all, Deming’s first two points of Management Transformation are not “Write documents” or “Get good technology”: they are “Create a Constancy of Purpose” and “Adopt the New Philosophy”.

    Purpose and Philosophy require that the organisation look at the attitudes that are there. It is as important to understand and articulate a Vision for the Quality System… and to make sure that that Vision is embedded in the mind-sets and attitudes of the staff in the organisation.

    At a conference in London in 2005 Joyce Orsini of Fordham University shared a story with me of a trip W. Edwards Deming (she was working with Deming at the time) took to an automobile manufacturer in the US in the mid 1980s. On this trip the plant manager took great pride in showing off the robots (technology) that they were using to manufacture the cars. Deming noticed that every time the robot arm swung over the car it dented the boot (trunk) lid of the car. He asked if this was part of the Quality Standard (Policies). The Plant Manager said no, it wasn’t, but they had a man at the end of the production line with a hammer to knock the dent back out.

    A lack of awareness about the operation and objectives of the Quality System, and about what it meant as a value system, meant that no-one in the plant seems to have questioned the operation of the Quality System.

    Without Awareness and Attitude the investment in Documentation and Technology that form part of the Quality System will ultimately have sub-optimal return.

  • Expelling the Papal Nuncio

    A few days ago my friend Simon asked me to jump in and give him a hand administering a Facebook group he first set up in 2009 in response to some of the reports that had been published into clerical sexual abuse in Ireland. These reports highlighted a catalogue of blocking, interference, and general institutionalised non-cooperation with investigations by the State authorities.

    The recent publication of the Cloyne Report highlighted still further that there was a clear policy of non-cooperation and basic lip service being paid to child protection standards within many areas of the Irish Roman Catholic church, at the initiation of, with the support of, and with the backing of the Vatican State’s senior diplomat to Ireland, the Papal Nuncio. That this culture has spanned the tenure of multiple holders of the post over the past number of years (Giuseppe Lazzarotto [Nuncio from 2000 to 2007] blocked cooperation with inquiries on the grounds that ‘diplomatic channels had not been used’; Luciano Storero [Nuncio from 1995 to 2000] warned Bishops against implementing measures requiring mandatory reporting of child abuse) speaks to an institutional failure on the part of the diplomatic representatives of a foreign state to respect the laws of the Irish State and co-operate with enquiries into horrific cases of systemic and systematic abuse.

    And that is why I was only too happy to help Simon out. It’s not that I am anti-religion, anti-church, anti-priest, or anti-catholic. Those who know me well know my personal beliefs. I don’t feel it is relevant to share them here, because in parallel with my personal religious and philosophical beliefs I have a very strong belief that international relations between States must be grounded on trust, or at least respect. I do not believe it is acceptable for a diplomatic representative to place themselves above or outside the law of this State without there being clear consequences for the office holder and the office itself.

    Had the Danish Ambassador conspired systemically to block investigations into the alleged criminal activities of Danish citizens I’d be calling for him to be expelled as well.

    The fact that the Papal Nuncio holds a special senior position in the Diplomatic Corps in Ireland is doubly troubling to me. The Nuncio is the Dean of the Diplomatic Corps, effectively feted as the most senior diplomat on the Ferrero Rocher circuit. And all while the office of the Nuncio has, for over two decades, facilitated the breaking of Irish laws and conspired to block and frustrate investigations of those alleged offences.

    So. What I’m asking the Irish Government to do is to take action to remove the special standing of the Papal Nuncio immediately. They should then take the necessary steps to expel the Ambassador from the Vatican City State (the legal entity not the religious body).

    Finally, the Irish Government should also withdraw the invitation to the Pope to visit. Bluntly, we can’t afford it, as the return on investment compared to other State visits from countries with diplomatic representation here simply isn’t there. When the Pope visited the UK it cost over £12 million (€14 million) before the policing costs were factored in. The combined visits of Obama and the Queen came to around €30 million in total.

    The United States has a population of over 300 million people. Fair enough, only around 15% of them have passports, but that’s still a potential pool of 45 million travellers who might stop off in Ireland on their vacations. The UK has around 62 million people sitting a one-hour Ryanair flight away from us. So, the potential pool of possible tourists who can come from the UK and US as a result of the State visits in May is around 100 million people. So, it would have cost us €0.30 per head to target that population.

    The Vatican has a population of 826 people (source: CIA Factbook). Spending €12 million on securing the Pope’s visit would cost us €14,528 per capita to sell Ireland as a tourist destination to the population of the Vatican. Even if it cost us a quarter of what was spent on the UK visit, we’d still be spending over €3,000 per potential traveller to sell into a market that I’m sure Failte Ireland are already reaching through their advertising spend in Italy.

  • Data Breach Code of Practice

    A while back I had the privilege of being part of a group who formulated submissions to the Data Protection Commissioner regarding the Data Security Breach Code of Practice.

    That Code of Practice was presented to the Minister for Justice in July 2010, long before the dissolution of the Dáil in January 2011. There was one administrative step required to give it full legal effect. That step has not yet been taken.

    Carelessness with Personal Data (and, in the case of the Security Breach Code of Practice, financial data as well) would appear not to be a ‘real crime’ in the eyes of the Dept of Justice, despite the fact that it costs the UK economy £27bn per annum.

    Given that Fine Gael spearheaded moves to improve the protection of personal data privacy through a Private Members’ Bill proposed by Simon Coveney TD, and that during their election campaign they trumpeted the policy of “getting tough on white-collar crime”, perhaps they should start with a holistic view of the culture of business and begin with one common element across all businesses, whether Financial Services, Healthcare, Telecommunications, or plumbing: the fact that every business, at some level, processes personal data about individuals in order to conduct business.

    What would I like to see from the new Govt which will take the reins of power in the coming week or so?

    1. Tie up the loose ends. Put the Code of Practice on a fully formed legal footing (and perhaps bump up the penalties that can be levied)
    2. Begin the process of renewing the Data Protection Acts. Even in advance of the new EU Directives in May and further down the road there are a number of things which can and should be done:
      1. Consolidate and simplify the legislation.
      2. Implement clear penalties for infringement of the Acts and penalise non-compliance
      3. Provide clear statutory frameworks to encourage compliance (e.g. Voluntary disclosure, whistleblower protections)
      4. Make clear the alignment between Data Protection regulation and other areas of good corporate governance.
    3. Require Enterprise Ireland and the various business development incubators that are promoting entrepreneurship to include some information/training/guidance on Data Protection principles and practice in their supports for start-ups (I’ve been through a Business Development programme and, despite the importance of personal data to the business models of 90% of the participants, it was not even mentioned as a topic).
    4. Make the Office of the Commissioner revenue generating to a greater extent by having higher potential penalties and ensuring that prosecutions are taken to the fullest extent of the available penalties. In the UK the maximum penalty for a breach is £500k. Here it is, on a good day, only a fraction of that.

    Finally, the Government should ensure that the Data Protection Commissioner has adequate funding, resources, and supports to properly conduct and execute their responsibilities under the legislation. Whether that is achieved through the absorption of other agencies into the Commissioner’s remit is a matter for the Government (and the Commissioner) to decide on.

  • In the interest of Electoral Balance

    I’ve written previously about Fine Gael and their issues with avoiding Data Protection pitfalls during this current General Election.

    Some people might have gotten the impression that I’m obsessed with Fine Gael. I’m not. I’m obsessed with Data, specifically the management of data and information in a manner that ensures quality outcomes through quality data governed with due regard to relevant legislation.

    On courses I teach on Data Protection and Information Quality I often make reference to “The Joe Duffy Effect” to describe the brand impacts that can arise if organisations don’t take care to manage information as a complex and valuable asset. The term refers to Joe Duffy, a talk radio host on Irish radio. Joe enjoys taking the side of the common man, usually. Occasionally he makes a jape of not getting the point; whether by accident or design we may never know. But organisations who fall foul of the “Joe Duffy Effect” can find themselves fighting rearguard actions against an often intractable foe.

    Last week Joe spoke with Jacob, a South African living in Ireland who had received a pre-recorded voicemail to his phone from Micheál Martin. Jacob’s tale can be heard in Technicolour on the RTE website.

    From the call we glean that:

    1. A voicemail was received by Jacob on the 9th of February with a pre-recorded message (which Jacob played)
    2. He has apparently received SMS messages from Fianna Fail with calls for volunteering and campaigning.
    3. He is not a member of Fianna Fail
    4. He has not asked for Fianna Fail to contact him and does not know where they got his number.
    5. The mobile in question is used as an internal work mobile and is not listed. His number is only listed with the Road Safety Authority.

    In the broadcast Joe tells Jacob that we live in a democracy.

    Correct. We live in a democracy. Specifically, we live in a democracy where we have decided that the Right to Privacy, while not absolute, is a right that must be defended. Just because we are a democracy does not give politicians an automatic carte blanche to process data regardless of where or how it has been obtained. These rights to privacy are enshrined in law, in the Constitution and in EU Treaty obligations. Yes, there are balances, mitigations and exemptions with respect to how that right is exercised and protected – but it is still a democratic right of the individual.

    During the course of the call, a comment from Fianna Fail was read out saying that they didn’t have Jacob’s number. That is at odds with the evidence – to wit: one recording. And if I’ve learned one thing from watching CSI, it is that evidence trumps counter claim every day.

    So, what is the Data Protection issue here:

    • Fair Obtaining – Jacob is not a member of the party and was not aware of how his number came to be called and texted. Granted his phone seems to be for work purposes, but the electronic Privacy regulations apply to business as well as personal data. Also, while he may use the phone for work purposes a big question to ask here is who is paying the bill – him, or a company. If he pays the bill the phone may actually be a personal phone used for business purposes (Sole Trader data is a tricky area in Data Protection land).
    • Governance and control of data and/or data processors – Fianna Fail claimed not to have Jacob’s number. The fact that a Fianna Fail party message was left by voicemail and various SMS messages were sent to him suggests that they do. Or if not them, then someone working on their behalf. Under the Data Protection Acts, the Data Controller is responsible for the actions of the Data Processor unless the Data Processor acts outside the parameters of the formal contract in writing that governs the Data Controller/Data Processor relationship. So… while it may be true that FF HQ don’t have Jacob’s number, someone processing data on behalf of Fianna Fail does. Fianna Fail not knowing whether or not they had the data suggests a weakness in internal control and governance.
    • Accuracy – Joe D. suggested to Jacob that maybe the messages were being sent because of a wrong number. Personal data needs to be kept accurate and up to date. FF should have taken steps to correct the error rather than denying that they have the data. Ultimately FF carry the can for the actions of the Data Processor.

    Of course, there is the distinction to be made between normal “direct marketing” and the processing of personal data by a candidate for elected office. Basically during an election personal data is “fair game” for politicians, provided they have obtained it correctly first and have clear consents for contact. Which puts the discussion of “auto dialling” or “power dialling” on the table. According to the Data Protection Commissioner’s website:

    The use of automatic dialling machines, to call individual subscribers at random for direct marketing purposes, is prohibited, unless subscribers’ consent has been obtained in advance. Unsolicited fax messages to individual subscribers are likewise prohibited.

    That is why it is important to know who the “subscriber” is to Jacob’s phone. If it is a limited company or similar legal entity, then it is not a call to an “individual” subscriber. If it is his phone or he is a sole trader or part of a partnership, then it is possible that he is an “individual subscriber” and as such the use of an autodialler to RANDOMLY call numbers for direct marketing would be illegal. Dialling from a preloaded list is OK. So long as the list has been fairly obtained and takes into account NDD Opt-out requests etc. And then there is the grey area of the Political exemptions from the Data Protection Acts.

    The DPC has issued guidelines to all political parties before the election. My sense is that these guidelines may have been breached in this case.

    During previous election campaigns, the Commissioner received numerous complaints from individuals in receipt of unsolicited SMS (text) messages, emails and phone calls from political parties and candidates for election. In many cases, the individual had no previous contact with the political party or candidate and was concerned at the manner in which their details were sourced. Subsequent investigations revealed that contact details were obtained from sources such as sports clubs, friends, colleagues and schools. Obtaining personal data in such circumstances would constitute a breach of the Data Protection Acts, as there would be no consent from the individual for their details to be obtained and used in this way.

    So… Fianna Fail need to know where their Data Processors are getting their data from. The evidence says they have Jacob’s phone number (and who knows who else’s) but don’t know they have Jacob’s phone number. That suggests that the Data Controller is not in Control of the Data. Which is a problem in and of itself.

    Fine Gael are not the only Data Protection flouters in this election. Fianna Fail have had their moments too. The Green Party STILL don’t have a Privacy statement. And I’m sure the others have slipped up along the way as well. But that is a discussion for another day.

  • There is oft a slip twixt tweet and twolicy

    This blog post is basically the text of an audioboo I recorded at 9:30 this morning which has disappeared into the ether ne’er to be found.

    Fine Gael have launched their “Twolicy Page”. I won’t comment on the hideous neologistic portmanteau that is “Twolicy”, other than to say that it seems to have been dreamed up by a pat.

    What strikes me about the “Twolicy” page is that it is yet another import of an American election campaign tool into Irish Politics, particularly with the concept of the “E-Canvasser”. Fine Gael dynamically tell us that the E-Canvasser (perhaps some distant cousin of the “Cyber Reporter” who has emerged as the colour piece of the day on certain Irish current affairs shows?) will

    “knock on all cyber doors by delving into the depths of Facebook, Twitter, Youtube, Flickr and more! Through the simple medium of sending e-mails, facebooking and tweeting messages of support for Fine Gael you can pledge your commitment to fixing the Irish economy.”

    This is a strategy which exists to some extent in Irish politics even today. Many of the letters to Madame Editor are crafted examples of “Astroturfing” – something that appears to be a grass roots movement but is not. I first became aware of the concept back in 2002 when I spotted the Republican Party in the US running “GOPTeamLeader.com” (which, thanks to the interweb Wayback Machine, I can bring to you in hideous technicolour). Basically the party recruits a team of volunteers who are tasked with sending “on-message” communications to the media (which in 2001 was the newspapers, TV, and radio). In return, the GOP provided a set of reward points (like Green Shield Stamps) which could be saved up and exchanged for rewards such as barbecues, autographed photographs of the Reichsführer candidate, and (if memory serves me correctly) an RV.

    Fine Gael liken this to door to door canvassing. However that analogy does not hold true because the Internet is not a housing estate or public street. Drop a busload of eager canvassers on my doorstep and they will be able to:

    1. See my house
    2. See my neighbours’ houses

    They will not need to ask my neighbour to throw leaflets over my back wall. They will see the big sign in my hall window warning them of the fate that will befall them should they ring the bell and seek discourse (“Warning – political nut lives here”). And most of them are clued in enough to know that the “no canvassers” sticker in the window means that stuffing my letter box with bumph will just be providing stimulus to the paper recycling industry.

    The Internet is different. Social media is different. Whoring out your personal contact list to a political party is different. And because it is different, we find ourselves to an extent in uncharted territory with regard to the Data Protection implications of Social Media driven Astroturfing.

    Right now I have a contact list of 413 followers on Twitter for my personal account. I have a second Twitter account that is for my business. People who follow me know (from my profile and what I tweet about) that I’m a Data nut and I do data protection and information quality training, so content about those things will pop up in my timeline. People who follow me also know I’m a bit of a politics geek and enjoy holding our leaders to account. But I try and keep my business tweeting separate from my personal tweeting. And when I whore myself out too much on Twitter, I get friendly DMs from people or I get unfollowed.

    This is because the contact details of my friends are information I have gathered for domestic purposes. As such the Data Protection Acts don’t apply. If I was to sign up to be an e-Canvasser (and I can’t get the image of a canvasser handing out bags of yokes out of my head) we would then face the question of whether I was still processing that data for Domestic use or whether I had become a Data Processor working on behalf of Fine Gael, a Data Controller.

    The key question would seem to be how much control Fine Gael are exerting over the content and communication from their e-Canvasser Astroturfers, and whether they are offering any form of reward or incentive for people to encourage them to pimp out their domestic contact lists.

    If Fine Gael are simply being “passive” and are relying on individuals to act on content that is made available, then there is probably no substantial issue here. It is a case of a person finding content on the web that they think would be of interest to their personal network. We do this every day. It is the way the social web works. Of course, that then raises the question of why they would need you to sign up to their team for this purpose… surely the type of political nut blogger who would retweet or repost their bumph would do so anyway without having to be officially flagged as an “E-Canvasser”?

    If Fine Gael are being “neutral” and are simply flagging content to people who have signed up and asking them to do what they see fit with it, then this too is probably OK. The analogy would be the charity that Tweets out a fundraising message and asks their followers to retweet it to send the fundraising virally. The charity has not asked you to commit to being an active fundraiser on their behalf.

    However, if Fine Gael are directing specific content into specific constituencies at specific times and are exercising control over the content of the messages that are being sent, then we are into a potentially problematic area.

    The e-Canvasser would not be on the Fine Gael payroll. But they would be, in effect, processing personal data on behalf of Fine Gael as part of the “Fine Gael Team”. It would be interesting to find out how much direct “editorial” control FG are placing on the Facebook Statuses that people are “donating” (and where does this fit in SIPO? What is the monetary value of a person’s Facebook status?) or the emails to “family and friends”. This is personal data that was given to them for a domestic purpose, not for the purposes of canvassing for Fine Gael. Once they commence “active” canvassing, the use of the data has likely changed from “domestic” to political and the Data Protection Acts would apply. If Fine Gael are directing the timing of messages, the content of messages, and/or the audiences for messages, then the e-Canvasser is being directed in their processing by the Data Controller, Fine Gael. And, as Data Controller, Fine Gael would need to ensure that there was clarity about the new political use of the personal data, and a clear mechanism for the Data Subject (the canvasser’s family and friends) to opt out would need to be in place – and FG would, of necessity, need to push this responsibility down to the Canvasser.

    Otherwise, FG would not have obtained the data fairly for the purposes of electoral canvassing. It would be no different than if they had asked the local GAA club to email all their members to let them know about Fine Gael’s new policy on tax relief on sliotars and faceguards for hurlers. And that is the kind of thing that the Data Protection Commissioner has already warned against.

    Things become an order of magnitude more complicated if Fine Gael are running any kind of incentive scheme for e-Canvassers to drive up the publication of their AstroTurf message.

    Of course, Fine Gael have probably thought this through and will have the necessary protocols in place to ensure that there is a mechanism for a Canvasser’s friends to opt out of receiving Fine Gael campaign materials by email, Facebook or Twitter. They have probably realised that people have the same reaction to junk mail on-line as they do at their door step and need to have the ability to put up an on-line “No Canvassers” sign.

    Currently the only opt-out mechanism I can see is to unfriend people, unfollow them or block them. Which is exactly what I would do in the physical world if a friend of mine kept ramming leaflets and policy statements from a political party into my face.

    Of course, in the absence of such an opt-out facility, Fine Gael (as Data Controller) and the e-Canvasser (as Data Processor) would need to be cautious of falling foul of SI 526 of 2008 (the e-Privacy regulations), which carry a fine of €5,000 per breach, capped at €50,000 for an individual. While Twitter and Facebook might not be mentioned in the legislation, email is in section 13(1):

    (b) A person shall not use or cause to be used any publicly available electronic communications service to send an unsolicited communication for the purpose of direct marketing by means of electronic mail, to a subscriber, who is a natural person, unless the person has been notified by that subscriber that for the time being he or she consents to the receipt of such a communication.

    [edit to clarify some points raised by @tjmcintyre]

    Now, the DPC has ruled in the past that there is an exemption covering Direct Mail (including email and texting)

    carried out in the course of political activities by a political party or its members, or by a candidate for election to, or a holder of, elective political office

    Question: is the eCanvasser the political party (I would argue yes if FG are exerting sufficient control that they would become a Data Controller)? In which case, the processing is possibly covered.

    But I would suggest that this exemption assumes that the email or tweet would be clearly coming from Xyz@partyname.ie or from an individual clearly identifying themselves as a member of the party or publicly known to be a candidate for election or an elected official. Getting an email from “yourbestmate@gmail.com” telling you to go and look at Fine Gael policies, where that email has been sent on the instruction of and under the Control of the party or candidate, would seem to me to fall outside the scope of issues already decided.

    [/edit]

    So, the upshot is that while physical world canvassers have to be careful of yappy dogs, cats that bite and political nuts who have hard questions, eCanvassers need to consider both the social acceptability and potential legality of pimping out their personal contact lists on behalf of a political party. Such tactics are de rigueur in the US. But the US does not operate with the same privacy legislation as Ireland, so ideas imported from overseas must be vetted properly to ensure that no Compliance risks arise.

    I would be interested to see the Data Protection Commissioner’s response to, or advice on, formal eCanvassing that places the data at arm’s length but creates a de facto Data Processor/Data Controller relationship, particularly if that relationship is not obvious to the recipient of the email or tweet. [update] Perhaps it would be sufficient for the emailer or tweeter to clearly flag that they are part of a formal eCanvassing team acting on behalf of and under the instruction of Fine Gael?[/update]

    [update] But the change of use of the data from domestic to overtly political will, in my personal view, give rise to questions of whether the data has been obtained fairly for that new purpose, which is a point already clearly settled in the mind of the DPC.[/update]
  • John Gormley, Commercial motor tax, and Data Protection Penalties

    This post was originally published in August 2010 on the Irish Computer Society’s Data Protection blog. It has been republished here as it is my original work and I’m trying to get all my Data Protection musings in one place. Some links have been updated to point to different targets here and on my company’s website.

    I listened with interest this morning to the media coverage of how John Gormley was introducing a new tax on commercial vehicles. My interest was twofold. My wife used to work in the Motor Tax section of a local authority. She left there nearly 4 years ago. Even then drivers of light commercial vehicles had to sign a declaration that the vehicle was for commercial purposes and not for private use. Back then, she used to have private motorists trying to register their large 4x4s as commercial to avoid the higher rates of motor tax on private vehicles. And I’ve recently written about how penalties for breaches of legislation are the third lever the government has to help balance the books.

    So, the existence of a declaration form isn’t really anything new, it seems. What is new is that the Minister is asking people to take it seriously and some penalty is now attached to making a false declaration. It may well be that the specifics of enforcement will be difficult, and it is unlikely that a blanket ban on “mixed use” will ever be 100% effective. But it does show that the Government are seeking to maximise the income they can generate from existing processes by increasing the enforcement and the penalties associated. This is precisely the point I made in my last post on this blog when I wrote about how the introduction of penalties for breaches of the Data Protection Acts was probably inevitable, regardless of when the new Directive comes into being, simply by reason of the State needing to open as many sources of revenue as possible.

    Of course this “change” in the Motor Tax regime is, to an extent, unfair as commercial vehicle owners have gotten used to being able to drop the kids to school and use their vehicles on weekends for leisure purposes etc, enjoying all the benefits of private vehicle use on a fraction of the tax. The media response (particularly from the AA) has been to suggest that the Minister will drive people to buy second cars or is imposing a burden on small businesses. And that is unfair. Personally, I think a change to the motor tax regime where a “mixed use” category would be introduced might have merit.

    However, thinking back to my last post on this blog, would there be as much of an outcry if penalties for breaches of the Data Protection Acts were introduced? Bear in mind that the Commissioner operates on a conciliatory basis, seeking to promote compliance, not punish non-compliance. Also bear in mind that breaches of the Data Protection Acts occur when Data Controllers fail to respect the Duty of Care that they owe to individuals to hold their personal data on trust and to respect their privacy. I would suspect that, when penalties are introduced (I say “when” because it will happen either through domestic legislation or further alignment of EU frameworks through a revised Directive) they will be applied only where a Data Controller has failed to act, or has acted with wilful neglect of their duties under the legislation.

    Where currently the Commissioner can dangle the carrot of constructive engagement and guidance, in the future that will be supplemented by the big stick of fines or other penalties.

    I suspect that penalties that might be levied for breaches such as (for example) operating CCTV without adequate Fair Processing Notices would be quite small (at least initially), perhaps just enough to get the Data Controller to engage with the DPC. But persistent offending might lead to higher penalties.

    In short – only the worst offenders will likely be penalised.

    So, the morning talk-radio interview might go:

    Data Controller: “These new penalties are a burden on us”

    Interviewer: “But they are just penalties for stuff you are supposed to be doing anyway to protect people’s privacy etc.”

    Data Controller: “But it’s a big cost to our business if we get a fine every time we do this”.

    Interviewer: “But you shouldn’t be doing it, and the fine is only imposed after the Commissioner tries to get you to correct your behaviour”

    Data Controller: “That’s not the point”

    Interviewer: “That is the point. If you want to avoid the penalty, stop playing fast and loose with people’s personal data”.

    And that’s the point…  while it may be unfair and burdensome in the land of soundbites to expect a small business owner to buy and run a second car or face a penalty for misusing a commercial vehicle, penalties under the Data Protection Acts would be avoidable simply by complying with the legislation.

    So long as you know the rules of the game, work on being compliant, and respect the Duty of Care you owe to your Data Subjects (all things a Data Controller should be doing anyway) there is no additional burden. As such, any increase in penalties would likely be easier to defend than an increase in taxes or restrictions on how a vehicle is used.

    It would also be easier to enforce.

    So, the call to action from this article? I am suggesting that anyone processing personal data in the course of their commercial activities should start getting their house in order now ahead of any changes which might bring in penalties. Ensure your staff are properly trained in the principles of Data Protection. Start working now to make it part of “how things get done” in your organisation, not “another bloody thing to do”.

  • Putting Teeth In the Tiger

    This post was originally published in August 2010 on the Irish Computer Society’s Data Protection Blog. I’ve copied it to here as it is my work and I want to put all my Data Protection musings in one place. Please feel free to go and look at it on the ICS site as well.

    The Information Commissioner’s office in the UK has recently flagged their lack of powers to the European Commission. This is slightly amusing for those of us working under the Irish data protection regime, who look at the powers that the UK ICO have to levy penalties for breaches of the UK Data Protection Act, compared to the relatively limited powers of the Irish Data Protection Commissioner to issue Enforcement or Prohibition Notices and only to take prosecutions for breaches of the e-privacy regulations.

    Of course, the Irish Commissioner has had the power since the 2003 Act to conduct audits and investigations on their own account (i.e. not on foot of an actual complaint). The UK ICO has limited powers by comparison. Likewise, they lack an equivalent to the Data Breach provisions that the Irish Data Protection Commissioner introduced last month (but there are plans to do so in the UK soon).

    There is a new draft Data Protection Directive in the pipeline (albeit stalled at the request of the French to allow sufficient time for effective consultation). Just as Directive 95/46/EC (the root of Ireland’s 2003 Data Protection Amendment Act) was introduced to address divergences in the implementation of the previous Convention on Data Privacy (Convention 108), it is likely that this revised directive will seek to address some of the remaining areas of divergence in national laws which implement Directive 95/46/EC. One area which is likely to be addressed will be the nature and type of penalties which will be applicable to various categories of breach.

    The drafting of the revised Directive has been delayed. Even when the Directive comes into being, the Irish Government’s track record in implementing Data Protection regulations in a timely manner has been less than impressive. So it may well be that, from the point of view of EU mandated changes, we could be in for a long wait.

    However, there is a significant elephant in the room. The State needs to balance the books. The two traditional levers which can be pulled by the State are either Taxation or reductions in spending. Both of these levers are politically difficult to pull. Increasing taxes creates resistance and revolution (increases in taxation historically trigger revolutions – particularly taxes on property or on the middle classes). Cutting spending likewise creates resistance and exacerbates social disadvantage (in many cases undoing valuable work previously done using tax euros).

    Both of these are on the current agenda.

    Of course, there is a third lever which can be used to generate revenue for the State and which can (at least in the short to medium term) bring about a change in behaviour. That third lever is the levying of fines and penalties. While this lever may not contribute as quickly or substantially to balancing the books, it would be remiss of the government to overlook any potential source of revenue at this time. And this revenue would be generated on foot of behaviour which is illegal under legislation which has been in existence for a number of years, and (unlike a tax) it can be avoided by simply taking the necessary steps to comply with the legislation.

    The introduction of such penalties would require a minor amendment to the existing legislation.

    So, given that there are indications emerging which suggest upcoming changes to standardise the types of penalty which will apply to breaches of the Data Protection regulations across the EU27 States, and that the State has an increasingly urgent need to generate revenue, I would not be surprised if we were to see some changes in the Data Protection legislation in Ireland sooner rather than later which would introduce some penalties which will put some additional teeth in the Data Protection Commissioner’s enforcement powers.

    But this is only a worry for anyone who isn’t complying with the Data Protection Acts. The prudent course of action for anyone processing personal data would be to make sure that they get their house in order ahead of any potential changes, either emerging from Europe or from the Government’s need to claw in as much income as possible.

  • Wrong Country Wrong Call

    I’m diverting briefly today from my regular information quality themes to pick up on a debate that has been triggered by Simon over on Tuppenceworth about the latest tsunami of magical thinking that is Your Country Your Call.

    For those of you in Ireland who reside under a rock or in a cave, or readers from outside of Ireland, Your Country Your Call is a competition/website which has been set up on (apparently) a Charitable basis with the backing of a number of organisations who have, until recently, been happy to be completely behind the scenes for what one must assume are laudable reasons grounded in humility, modesty and a sense of service.

    The goal of YCYC is to find the magic bullet idea that can trigger a renaissance in the Celtic Tiger. Two prizes are on offer for the people who come up with two ideas, and a fund has been established to help develop these mould breaking concepts into real industries (not a business… an industry).

    Simon has made a number of cogent arguments on Tuppenceworth about the terms and conditions of entry which basically mean that the promoters of YCYC own the winning idea and control the purse strings for the development and direction of the idea. That’s bothersome enough.

    My issue with YCYC is that it is actually a wasted opportunity that has the hallmarks of the level of thinking that got us into the current financial mess that the country is in. If we hype it, it will happen. If we generate a general sense of it being built at some point in the future, they will come. The general gist of the response to criticism thus far has not been a million miles from the comments made about people who raised concerns about the Irish economy just before the wheels fell off. Apparently it is unpatriotic to question who is behind this and how they are being funded.

    Apparently if we all hold hands and think happy thoughts then, just like Peter Pan, we’ll be able to fly, never grow up, and pick pointless fights with our own shadows.

    But I digress. My problem with YCYC is that a large amount of money is being poured into it. It has been confirmed that €2 million is being poured into this, when you take prize funds, the development kitty and the general costs associated with a big media splash. Even if we are as generous as people are seeming to be and assume that the media splash is being done pro bono, we still have a figure of around €2 million attached to YCYC (see discussion around this comment on ValueIreland’s website).

    What other type of model might YCYC have pursued to more effectively make use of this pot of gold at the end of the rainbow, other than a competition model the terms and conditions of which read to me like the ones associated with a Battle of the Bands or a phone in competition to win a car?

    How about beefing up funding to EXISTING supports for entrepreneurship in Ireland such as the County Enterprise Boards, LEADER programmes, or the enterprise incubation programmes associated with the various Universities and Institutes of Technology?

    • The upper limit for a feasibility study grant from a CEB is around €5000. That €2 million could support 400 studies into new business ideas, each of which would need to have a business model slightly better than “Underpants – Question mark – Profit” to get the funding.
    • Funding for graduate entrepreneurs through the CORD scheme provides up to €30k in funding to participants on an enterprise incubation scheme through an Institute of Technology or University. The €2 million would fully fund 66 additional CORD places around the country, with enough over for a big bang press launch. Even if the money was only to partially fund these places, it would help support real innovation and entrepreneurship.

    I would have to ask why the promoter and financial backers of YCYC decided to by-pass the existing support structures that exist for new business ideas in this country. Is it that the organisers thought the existing structures to be inefficient or broken in some way?

    This question is all the more pressing to me given that it seems that a chunk of this money (15%) came from the Irish Government, specifically, it seems, the Dept of Enterprise, Trade and Employment. The Department of Enterprise, Trade and Employment is the Irish Govt. Department which is responsible for County Enterprise Boards. So, rather than fund them more, the Dept seems to have been happy to transfer taxpayers’ money to a private initiative.

    At least that is what seems to be suggested by Padraig McKeown’s Twitter reply to Tuppenceworth.ie about which department’s budget the €300k was coming from (warning, you’ll need to scroll down on this to see all the relevant comments). This is also an interesting question given recent comments and posts elsewhere speculating about the future of the County Enterprise Boards.

    • €300k from the Department equates to 60 Feasibility study grants or 10 CORD funded Incubation centre places.

    I’m sure that someone will row in about now with the argument that the Dept can’t just transfer €300k to the CEBs or to the Incubation Centres willy-nilly. But that is exactly what seems to have happened to facilitate a transfer of €300k to YCYC with no (at least as far as I can see) announcement or fanfare that this was being done.

    As for the remaining €1.7 million that is in the kitty for YCYC? As each CEB operates as a separate limited company, there would have been no impediment (that I can see) to these backers simply making the fund available as an Innovation Fund which the CEBs or Incubation Centres could draw on to fund grants and other supports for start-up businesses.

    So. I’m left with a sense that Your Country Your Call is:

    1. A poorly thought out muddle with a worrying lack of clarity about where issues such as Intellectual Property rights to any idea sit (the Terms & Conditions do seem to be clear that the IP vests in the promoters of #YCYC).
    2. An initiative that may be laudable in its intent, but perhaps has not been properly thought through, particularly as regards the use of existing supports that exist under the auspices of the Department of Enterprise, Trade and Employment and Enterprise Ireland.
    3. An initiative that the Government Dept (Enterprise, Trade & Employment) responsible for promoting enterprise and employment thought worth investing a significant sum of money in, even though it keeps the IP to any idea, at what can only be the expense of existing programmes for Enterprise support that exist in the country or, at the very least, at the expense of beefing up those programmes in a structured and sustainable way.
    4. A wonderful feat of PR puffery with little real potential to deliver the economic kickstart that is required in Ireland, but doesn’t the website look pretty.
    5. A sign that the priority of the government and the sponsors of this initiative is to promote a forum for fuzzy thinking and “end of the rainbow” speculation at the expense of the existing supports for business start-ups which have a track record of supporting local SME development around the country.

    At best it is a noisome distraction and puffery that might, by some sheer accident of chance, uncover a true gem of an idea (the value of which its innovator cannot grasp) which will restart the economic engines. At worst, it is a noisome distraction that has diverted funding from existing enterprise support frameworks that exist in the country, apparently with the blessing of the responsible government minister.

    Of course, I could be totally wrong. Maybe the Department of Enterprise had €300k that was sitting around doing nothing and which the CEBs and University Campus incubators had said no to when it was offered to them. Maybe the €1.7 million war chest was touted around the Campus Incubators and the CEBs but was politely declined as well. Perhaps the President of DCU could shed some light on this, as he is on the Steering board of YCYC?

    Maybe the terms and conditions of YCYC will not put off serious thinkers with real viable ideas to shake things up in the economy which they’ll be happy to part with for a hundred grand.

    Personally, I’ll continue with my strategy of knuckling down to graft on my business plan, keeping an eye on costs, and working to build a set of services and products that, while not changing the world, will change that part of it that I’ve spotted needs changing, with a view to creating value and generating employment for others over time.

    It’s my country. It’s my call.

  • An open letter to Orna Mulcahy and Leaving Cert Class of 2010

    Today’s Irish Times has an article by Orna Mulcahy where she bemoans the fact that the points for college courses will be higher this autumn due to the increase in applications from mature students who have recently found themselves unemployed/between jobs/time advantaged (pick your own term).

    After more than a decade of falling points and expanding career options, all signs were that getting into a reasonably fulfilling college course would be just a matter of filling in the forms. But the great recession has put paid to that. Certain courses are no longer attractive at all, such as those leading towards a career in property or construction. The inevitable swing towards the sciences or any course that might feed into Brian Cowen’s beloved “smart economy” will increase competition for places. This year more people will sit the Leaving Cert than ever before. And now there’s talk of a wave of the newly unemployed going back to college.

    Oh. To put that another way:

    Over reliance on the benign nature of an economic model in which effectively turning up and having a pulse assured you of a foot on the entry level (at least) rungs of an asset acquisition ladder has resulted in a shock adjustment when the dynamics of that economic model change due to external factors and internal market forces.

    To me, this sounds a lot like what happened in the property bubble and crash in Ireland, when lots of people chased moderate amounts of property with apparently bottomless pots of mortgage money available from banks, resulting in prices rocketing. A lot of people overstretched themselves financially to buy a property and then found themselves in a state of shock when the arse dropped out of prices and they were left paying a gallon sized mortgage on a half-pint asset value. Which is interesting, given that she is the Property Editor of the Irish Times.

  • The Leaving Cert exam fiasco

    So. The Irish Government (in the form of the Dept. of Education and the State Exams Commission [SEC]) are faced with a €1million bill because an exam Superintendent inadvertently distributed the wrong exam paper earlier this week.

    An avoidable root cause for this now unavoidable expenditure seems to be that the packaging that exam papers come in is too similar. The SEC issued a reminder to Superintendents about this very issue.

    Reminders and warnings are ultimately reactive in nature. They scream “we know there is a risk of a screw up here, so be careful now”. They do not, unfortunately, in themselves reduce the risk of the screw up happening – that requires the person receiving the warning to remember in all cases to act on it.

    Warnings just give the people who issue the warnings the scope to say “we told you to be careful” as they fire the person who made the error. They are, in effect, a verbal (or written) form of inspecting a defect out of a process before it reaches the customer. They do not improve the process.

    So, what might process improvement here be that actually contributes to a reduction in the risk of significant financial loss to the State because one person in one exam centre makes one mistake?

    When assessing whether it is worth changing a process, we need to assess the cost, impacts and risks involved. The risk of the wrong exam papers being given out is not that high. However, the cost and impact when it does happen is proving to be significant.

    If we assume that the risk of it happening is no more than five times in 100 years then that is a 5% risk each year that something will go wrong (remember – we are dealing with probability, not a schedule). We can assume that in any year it happens, as soon as it does everyone involved will be acting on every warning given to make sure it only happens once – the survival instinct kicks in.

    If we assume that the basic financial cost each time will be in the region of €1 million, that means that, prudently, we should see what sort of change can be implemented for an ‘insurance premium’ of €50,000 per year. This does not, of course, factor in the reputational damage to government agencies, the PR damage for the elected Minister, the stress impacts on students and their families as exams are rescheduled etc and any potential legal liabilities that might arise. For the sake of argument, we will assume that the monetary equivalent of those risks is €20,000.

    So. What change can we implement for up to €70,000 per year that would prevent unintentional and inadvertent confusion of exam papers because of similarities in their packaging?

    One option would be to colour code the packaging with distinct colours (i.e. avoiding orange and brown and sticking with strong bold colours that definitely look different). Use different coloured packaging for each subject for example, or put a coloured line or cross on the packaging. Print a logo on the front of the packaging that illustrates the subject (a book for English, a globe for Geography, Einstein’s head for Physics, a picture of Peig for Irish). Anything to provide a standardised visual clue as to what the subject is.

    My preference is for totally colour coded envelopes… If it is Red it is English, Green Irish, Blue French etc.

    Of course, to do it for ALL the subjects offered in the Leaving Cert in ALL centres might prove more costly than the notional €70,000 we’ve set aside as our insurance premium.

    This is where we would need to further refine our view of the impact of the risk per subject. For example, investing in coloured wrapping for English is a no-brainer. It is a core subject that everyone does. Accidentally leaking that paper affects ALL students in EVERY exam centre. That’s what costs the €1million we are trying to avoid paying out 5 out of every 100 years.

    Colour coding Classical Studies however might be harder to cost justify. It’s not taken by that many students, it’s not examined in that many exam centres. The cost of colour coding the exam script envelopes for subjects like this could possibly be more than the cost of rescheduling the exam. Also, many of these less taken subjects are examined towards the end of the exams window… further reducing the risk of confusion as the box of exam scripts will be emptying fast.

    So. How much would it cost the State Examinations Commission to colour code the top 10 subjects by number of students and number of exam centres? Would we even need 10 subjects coded in this way?
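    As an added example (not part of the original post), the following Python carries the post’s expected-loss reasoning through per subject: it uses the post’s 5% annual probability, €1 million reschedule cost, €20,000 soft cost and €70,000 yearly premium, with constructed subject data and an assumed per-centre price for colour-coded packaging, and it generalises the argument to ranking subjects and picking the ones the premium can cover.

```python
from dataclasses import dataclass

# Figures taken from the post: a wrong paper is handed out about five times
# in a hundred years, a full reschedule costs about EUR 1 million, the
# reputational/legal fallout is put at a notional EUR 20,000, and the
# resulting yearly "insurance premium" is EUR 70,000.
ANNUAL_PROBABILITY = 0.05
INTANGIBLE_COST_EUR = 20_000
ANNUAL_BUDGET_EUR = 70_000


@dataclass(frozen=True)
class Subject:
    """One exam paper. Centre counts and costs are constructed, not SEC data."""
    name: str
    centres: int               # exam centres sitting this paper
    incident_cost_eur: float   # hard cost of rescheduling if this paper leaks


def annual_expected_loss(subject: Subject,
                         probability: float = ANNUAL_PROBABILITY,
                         intangible_eur: float = INTANGIBLE_COST_EUR) -> float:
    """Expected yearly loss = probability x (hard cost + soft cost).

    Assumption: the soft cost is charged in full to every incident, however
    small the subject; a finer model would scale it with the number of students.
    """
    return round(probability * (subject.incident_cost_eur + intangible_eur), 2)


def control_cost(subject: Subject, cost_per_centre_eur: float) -> float:
    """Yearly cost of colour-coded packaging: one set per centre sitting the paper."""
    return round(subject.centres * cost_per_centre_eur, 2)


def net_benefit(subject: Subject, cost_per_centre_eur: float) -> float:
    """Positive when the premium is cheaper than the loss it averts."""
    return round(annual_expected_loss(subject) - control_cost(subject, cost_per_centre_eur), 2)


def justified_subjects(subjects, cost_per_centre_eur):
    """Names of subjects whose colour coding pays for itself in expectation."""
    return [s.name for s in subjects if net_benefit(s, cost_per_centre_eur) > 0]


def select_within_budget(subjects, cost_per_centre_eur, budget_eur=ANNUAL_BUDGET_EUR):
    """Greedy pick by net benefit until the yearly budget is spent.

    Only subjects with a positive net benefit are considered, so a cheap
    control on a tiny subject can make the cut while a costly control on
    a mid-sized subject does not.
    """
    ranked = sorted((s for s in subjects if net_benefit(s, cost_per_centre_eur) > 0),
                    key=lambda s: net_benefit(s, cost_per_centre_eur), reverse=True)
    chosen, spent = [], 0.0
    for s in ranked:
        cost = control_cost(s, cost_per_centre_eur)
        if spent + cost <= budget_eur:
            chosen.append(s.name)
            spent += cost
    return chosen


# Constructed sample data (hypothetical counts and costs, not SEC figures).
SAMPLE_SUBJECTS = [
    Subject("English", 700, 1_000_000),
    Subject("Irish", 700, 900_000),
    Subject("Maths", 700, 1_000_000),
    Subject("Geography", 650, 400_000),
    Subject("Classical Studies", 60, 20_000),
    Subject("Latin", 15, 3_000),
]
COST_PER_CENTRE_EUR = 40.0   # assumed price of one colour-coded envelope set


if __name__ == "__main__":
    for s in SAMPLE_SUBJECTS:
        print(f"{s.name:18} loss={annual_expected_loss(s):>9,.0f} "
              f"control={control_cost(s, COST_PER_CENTRE_EUR):>8,.0f} "
              f"net={net_benefit(s, COST_PER_CENTRE_EUR):>9,.0f}")
    print("justified:", justified_subjects(SAMPLE_SUBJECTS, COST_PER_CENTRE_EUR))
    print("within budget:", select_within_budget(SAMPLE_SUBJECTS, COST_PER_CENTRE_EUR))
```

    With these constructed figures Geography and Classical Studies fail the test (the premium costs more than the loss it averts), while Irish is justified but does not fit inside the €70,000 once English and Maths are covered.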

    While there is little that can be done to ‘risk proof’ against an intentional leaking of an exam paper other than to have a second (or third) version of the exam on stand-by and having criminal sanctions for people caught doing so, there are simple changes that could be made to risk-proof against accidental leaking.

    The only question is whether the cost of introducing a preventative control that improves the quality of information presentation (by adding an additional cue – in this case colour) outweighs the risk and impact of having packages that are so similar that they can be accidentally confused.

    What sort of insurance premium against that risk is the SEC willing to pay?