A Letter to the Editor

Over the past few days, the Irish Times has carried a larger volume than usual of the “Data Protection Commissioner is evil” letters, giving out about her “nonsensical powers” because the bad lady won’t let them do things they want to do with data about people who are/might be alive.

I don’t always agree with the ODPC (more often than not we have “differences of opinion” on things). But when (against all the odds) they appear to be DOING THEIR JOB, I will defend them. So, I wrote a letter to the Editor. It is probably too long and will get gutted or not published at all. Here it is (with links to the original letters)

Sir –

Over the past few days your letters page has carried unchallenged comments about the Data Protection Commissioner and her “nonsensical powers”.

Robert Frewen states that Electoral register information is available in hard copy through libraries. This is true, but it differs from an on-line and searchable resource in a number of key ways, namely that each search is manual and laborious and the library staff can act as a foil against trawling for data – multiple searches will easily be spotted and librarians are a fearsome breed in my experience. He also states that electoral register information is available on-line. This is incorrect. Electoral registers are available to search online, but only if you have the exact name and address of the individual – so you are searching for information you already have in your possession, not trawling for new facts.

Claire Bradley writes that the DPC’s decision is “small minded” and that “most of the people eligible to vote in the 1940s would be dead by now”. Unfortunately, that means that some of the people eligible to vote in the 1940s (such as my own Grandfather) are still very much alive and continue to enjoy a fundamental right to data privacy. This fundamental right is what the DPC has acted to uphold. Far from being a small minded sectoral interest, the DPC has acted in support of a broadly based fundamental principle.  

The DPC has made similar decisions in relation to other genealogy resources, which have been widely reported by the Irish Times, and clear rules of thumb have been established for births, marriages, and deaths. Perhaps rather than bemoaning the application of fundamental human rights rules to personal data, Ms Bradley might contribute more constructively by suggesting a reasonable and proportionate rule of thumb for the publication of electoral registers in an open and searchable format. The DPC, in my experience, welcomes such constructive discussion. Perhaps a benchmark can be found in the release of the 1911 Census Records?

It is important to note that the DPC has not said that any records should be destroyed, just that they cannot be made available for an open and unrestricted search. Yet.

Finally, Cllr Lacey seems to bemoan the DPC’s recommendation to Local Authorities that they respect and comply with Data Protection principles such as ensuring access to data and processing of data is conducted with a specified and lawful purpose. I would suggest that rather than blaming the DPC for the loss of patronage and perceived power that Councillors may have experienced when their participation in housing allocation was curtailed, he instead address his complaint to the Department of the Environment and ensure that a clear and explicit statutory basis in primary legislation is created to clearly set out what data about Council tenants Councillors can have access to, why, and under what controls such access will operate.

The release of Electoral Register data from the 1960s, 1970s and 1980s constitutes the release of personal data of living individuals for a purpose unrelated to the purpose for which it was obtained, and brings with it a risk of identity theft. If Cllr Lacey believes that the release of this data is sufficiently important, he should seek to have every person communicated with to obtain their consent to the release of their data for this new and, at the time, unforeseen purpose.

It is rare in recent times that I find an opportunity to fall full square behind the DPC and the actions of her office. This is one. Their function is imperfect, and in a professional context as Data Protection consultant and trainer, I have more than ample grounds to be critical of their actions at times.  But far from being nonsensical, the powers of the DPC are woefully inadequate in many ways for the challenge that they face as one of the leading Data Privacy regulators in the world upholding and protecting a fundamental right. As the Oireachtas prepares the updated Data Protection Act to beef up the DPC in line with the requirements of the General Data Protection Regulation, one hopes that the many weaknesses of the DPC will be addressed to make them more fit for purpose.

“Wha!!! Data Protection laws make things hard!” is a dumb argument. Better for people who have valid interests to assess what the “win-win” outcome would be and strike an appropriate balance.

The General Data Protection Regulation and “Mental Discounting”

other_peoples_moneyThe General Data Protection Regulation (GDPR) is now in the home straight, with publication of final, final text expected in Q1 of 2016 (expect something to happen towards the end of January).

One of the small and subtle changes that is buried in the 209 pages of text in the most copy I have come into possession of is the apparent removal from the Regulation of any specific reference to personal liability of officers, directors or managers of bodies corporate where their actions (or inactions) cause an offence to be committed. This is a power that the Irish DPC has used judiciously over the past few years under current legislation (it is a power of the DPC under Section 29 of the Data Protection Acts and Section 25 of SI336 (ePrivacy Regulations), but which has served to focus the minds of managers and directors of recidivist offending companies when the sanction has been threatened or applied. The potential knock-on impact of such a personal prosecution can affect career prospects in certain sectors as parties found guilty of such offences may struggle to meet fitness and probity tests for roles in areas such as Financial Services.

The omission of this power from the GDPR weakens the enforcement tools that a Regulator has available, weakens the ability for Regulators to influence the internal organisational ethic of a body corporate when it comes to personal data, and invites officers, directors, and managers (particularly in larger organisations) to engage in “Mental Discounting” because the worst case scenario that can occur is a loss of “Other People’s Money”, not a direct impact to them.

I’ve written about this before on this blog in the context of organisations in compliance contexts weighing up “worst case scenarios” and assessing if the financial or other penalties are greater than or lesser than the value derived from breaching rules (search for “mental discounting“). However, the absence of a personal risk to the personal money of officers, directors, or managers also creates a problem when we consider the psychology of risk, given that our risk assessment faculties are among the oldest parts of our brain:

  1. We are really bad at assessing abstract risk (we evolved to understand direct physical risks, not the risks associated with abstract and intangible concepts, like fundamental rights, data, and suchlike).
  2. We are tend to down play risks that are not personalised (if there isn’t a face to it, the risk remains too abstract for our primitive brain. This is also the difference between comedy and tragedy… comedy is somebody falling off a ladder. Tragedy is me stubbing my toe).

So, when faced with a decision about the processing of personal data that has a vague probability of a potentially significant, but more probably manageable, financial penalty to an abstract intangible entity (the company we work for), with no impact of any kind on a tangible and very personal entity (the individual making the decision), invariably people will decide to do the thing that they are measured against and that they are going to get their bonus or promotion based on.

The absence of an “individual accountability” provision in the GDPR means that decision makers will be gambling with Other People’s Data and Other People’s Money  with no immediate risk of tangible sanction. If the internal ethic of a company culture is to take risks and ‘push the envelope’ with personal data, and that is what people are measured and rewarded on, that is what will be done.

In a whitepaper I co-authored with Katherine O’Keefe for Castlebridge, we discussed the role of legislation in influencing the internal organisational ethic. The potential for personal sanctions for acting contrary to the ethical standards expected by society creates a powerful lever for evolving risk identification, risk assessment, risk appetite, and balancing the internal ethic of the organisation against that of society. Even if only used judiciously and occasionally, it focuses the attention of management teams on data and data privacy as business critical issues that should matter to them. Because it may impact their personal bottom line.

Absent such a means of sanction for individuals, I fear we will see the evolution of a compliance model based around “fail, fail fast, reboot” where recidivist offender decision makers simply fold the companies that have been found to have committed an offence and restart with the same business model and ethic a few doors down, committing the same offences. Regulators lacking a powerful personal sanction will be unable to curtail such an approach.

After all, it’s just other people’s money when you get it wrong with other people’s data.

 

 

Irish Water, Data Protection, and the Cut and Paste Fairy

A few weeks ago I wrote a post here about Irish Water’s Data Protection Policy, which was very poorly written and had all the hallmarks of having been cut and paste from another document (for example references to numbered clauses that were not in the Data Protection Notice).

Today they have advertised on RecruitIreland.com for a Data Protection and Information Security Manager. Ignoring for a moment that this conflates two completely different but related skill sets, the advert on RecruiteIreland.com has all the hallmarks of being a cut and paste job from elsewhere. The clues are very obvious to anyone who knows about international data privacy law and practice. Like me.

Take this paragraph for example:

  • Develop and implement Irish Water Information Security and Data Protection policies, processes, procedures and standards based on the existing Ervia framework, legislation and best practice (eg ISO 27000, other industry security standards such as PCI-DSS, NERC/CIP, and FERPA; HIPAA and other privacy/security legislation);

Lots of alphabet soup there that looks very impressive. But what does it mean?

  • PCI-DSS  is a credit card processing data security standard. Scratch that… it is THE credit card processing data security standard.
  • ISO27000 is the benchmark standards family for Information Security.
  • NERC/CIP is a critical infrastructure security standard from the US for electricity networks. It’s used as a reference standard as the EU lacks equivalents at the moment (thanks to Brian Honan for pointing that nugget out)
  • FERPA is not a standard. It is the Family Education Rights and Privacy Act, a US Federal law covering data privacy of student education records. It actually creates rights and duties not unlike the Irish Data Protection Acts, but it applies only to schools that receive funds under an applicable program of the U.S. Department of Education. So, unless Irish Water has a subsidiary teaching creationism in the boonies of Louisiana, it’s not entirely relevant to the point of actually being entirely irrelevant to an EU-based utility company.
  • HIPAA is the Health Insurance Portability and Privacy Act. It is privacy law that applies to certain categories of patient data for patients of US hospitals and healthcare providers and processors of health data such as insurers. In the United States.

Reading through the rest of the job description, the role is weighted heavily towards Information Security professionals. The certifications and skills cited are all very laudable and valid information security certifications. But they are not Data Protection qualifications. Indeed, the only data protection qualification that is specified is an ability to “work the Data Protection Acts”. Work them? I can play them like a pipe-organ!

Given the range of qualifications that exist now for Data Protection practitioners such as the IAPP’s CIPP/E or the Law Society’s Certificate in Data Protection Practice (disclaimer: I helped design the syllabus for that course, lecture on it, and have  set and correct the assignments for it), it’s odd that there is no reference to appropriate Data Protection skills. The question I would pose is what would happen if a Data Protection specialist with experience in ISO27000 implementation, a formal data protection qualification, and experience in data governance applied for the job and wound up shortlisted against someone with a CISSP certification and no practical data protection/data privacy experience, who would get the job?

My reading of the job advert on RecruitIreland.com is that it was cut and paste from somewhere else with minimal review of the content or understanding of what the role of a Data Protection Officer is and how that is related to but different from an Information Security Officer role.

Perhaps it was cut and paste from this advert that appeared almost six months ago http://www.dole.ie/cache/job/3853096. It’s for an Information Security and Data Protection Manager in… Irish Water.

Irish Water Boarding

A few weeks ago I did a lot of research to find the specific section of legislation that authorised Irish Water to request PPSN details from people. It is Section 20 of the Social Welfare and Pensions Act 2014.

So, a bit of a law was done to do a thing. But could that thing actually be done? Were other things needed to be done to make the request of and processing of PPS numbers lawful?

Simon McGarr correctly points out that putting a body on the list of registered bodies is only part of the governance. A protocol is required to be in place governing the use of the data which needs to be approved by the Minister. http://www.mcgarrsolicitors.ie/2014/10/22/irish-water-ppsns-and-the-missing-ministers-agreement/

That protocol appears not to have been in place as of the end of September. After the forms were finalised and sent out. Any PPSN data obtained prior to the finalisation of such protocols was obtained unlawfully. This is a failure of Data Governance. A key Regulatory requirement appears to have been missed.

This is a good example of how doing “a bit o’law” to enable sharing of data is insufficient to ensure compliance. In the absence of a strong Data Governance function to ensure that the right things are done in the right way errors occur, disproportionate processing takes place, and groupthink takes hold. I discuss this at length in a submission my company Castlebridge Associates made in conjunction with Digital Rights Ireland to the Dept of Public Expenditure and Reform on a proposed Data Sharing and Governance Bill.

That document is here: http://castlebridge.ie/products/whitepapers/2014/09/data-governance-and-sharing-bill-consultation-submission

Guest Post: An Overview of the International Data Quality Summit

When I was Director of Publicity for IAIDQ I introduced a policy of writing up the events of conferences the Association ran or was taking part in. This write up was usually published in the IAIDQ journal/Newsletter. Joy Medved has asked if I could let her do the same here so she can thank the people who helped make IDQS14 happen. As she no longer has access to the IAIDQ to publish content, and given the erratic nature of IAIDQ communications, I’m delighted to oblige to let Joy say a deserved “Thank You” and an undeserved “Good Bye”.

An Overview of the International Data Quality Summit,
Richmond, VA, USA, October 6-9, 2014 (by Joy Medved)

When I was first presented with the opportunity to become Director of Events for IAIDQ, I found the challenge of chairing a conference quite exciting. I have been a conference speaker since 1993 and really liked the idea of expanding my experience in this area. Thankfully, I was working with two extremely well-organized individuals, Alex Doyle and Melissa Hildebrand. Together, the three of us plotted and planned, and were able to outline an exciting program for what was to become the first joint conference of the International Association for Information and Data Quality (IAIDQ) and the Electronic Commerce Code Management Association (ECCMA). Melissa and I decided to call this joint adventure the International Data Quality Summit (IDQSummit.org).

Alex’s main responsibilities centered on contract negotiations with the hotel (though he proved instrumental in a number of other ways!), and Melissa, being the ECCMA Associate Director, was to be my co-chair. Unfortunately, Melissa was laid off from ECCMA and was unable to continue as co-chair; but before she left, she proved most invaluable. She was a pleasure to work with, and demonstrated superb organizational skills. I also found her work to be extremely high quality (which, as a professional quality consultant, isn’t something I say about just anyone!). Thank you, both, for all your hard work; I couldn’t have done it without you!

So, almost a year ago, and with no budget to speak of, Melissa and I set out to organize the first IDQSummit. The result of our efforts finally came to fruition last week (October 6-9, 2014) in Richmond, VA, at the Wyndham Virginia Crossings Hotel and Conference Center. It was quite exciting to see a year’s worth of work unfold before my eyes. Approximately 100 attendees joined us from 11 countries around the world.

Attendees enjoyed 40 sessions, 12 tutorials, two expert panels, and four keynotes during the four-day event, covering a variety of topics within four key tracks: Data Quality, Data Governance, Data Analytics/Big Data, and Metadata. Speakers included well-known industry authors, such as: Bill Inmon (the Father of Data Warehousing), Dr. Peter Aiken, Laura Sebastian-Coleman, Danette McGilvray, Ed Lindsey, Dr. Alex Borek, Dr. John Talburt, David Marco, and Dr. Rajesh Jugulum. Other expert practitioners included: Alan Duncan, Anne Marie Smith and Sue Geuens (from DAMA International), Kelle O’Neal, Martha Dember, Michael Scofield, Nicola Askham, Ronald Damhof and Shane Downey. For a great overview of the tutorials and sessions from an attendee point of view, please read Alan Duncan’s blog post: “IDQSummit: Context is Crucial, but People are Paramount.”

We also hosted an Hawai’ian Shirt Social Monday evening, and a Vendor Expo Tuesday that included two of our top sponsors (Melissa Data and EWSolutions). The Vendor Expo also included an authors’ booth, a Civil War costume rental, a reception, and a join-in music jam with the “Porch Rockers.” It was awesome to see Pei Wang and Daniel Pullen, our two student speakers from UALR’s Ph.D. program, get up and perform. Daniel played guitar, while Pei sang a beautiful rendition of “Let it Go,” from the movie Frozen. We even heard our Closing Keynote, Dr. Alex Borek, joining us from Munich, Germany, play the guitar while singing “Stairway to Heaven,” by Led Zepplin. It was great to see so many people joining in singing, playing guitar and jamming away with the various percussion instruments brought by the Porch Rockers. Everyone rocked!

Wednesday’s events included a fiery Data Quality Expert Panel about data quality definitions, moderated by Michael Scofield and sponsored by Data Blueprint, and an insightful conversation about ethics in our Data Governance Expert Panel, moderated by Anne Marie Smith and sponsored by Castlebridge Associates. Representatives from both IAIDQ and ECCMA stressed how important ethics are, both in business and in data.

Wednesday evening saw, a number of attendees dressing up in US Civil War era (1860s) costumes. Everyone gathered on the terrace to participate in an interactive troupe show depicting life during the US Civil War. One performer, Debbie, dressed as a Southern Bell, humorously told us how embarrassed she was to see women wearing trousers, which every good Southerner of the 1860s knows are only worn by men! She educated us on the language of the fan (information quality is very important here!) and the importance of knitting matching socks for the soldiers. (Yes, even during the throes of a civil war, quality is important!).

We also enjoyed watching as Mario Cantin was “recruited” into the ranks as a soldier of the Confederate South. (The Colonel didn’t mind one bit that Mario was from Canada. He said he’d take anyone who could button at least the top button of his uniform, which Mario did, expertly.) The troupe ended with musical entertainment as a soldier musician played troop songs on his banjo, with everyone joining in, including the “Alabama Yankee,” Anne Marie Smith, who entertained dancing a jig. I was amazed to find out how many of my favorite childhood songs were really from the US Civil War. I knew them all!

But, the entertainment didn’t stop there. After the troupe gave us a taste of what it was like to live in the South, we went inside for a real taste of Southern cooking at The Banquet of 1862. We feasted on a scrumptious Southern dinner of Grilled Ham Stakes with Whiskey-Apple Cider Glaze, Brown Sugar Glazed Sweet Potatoes, Fingerling Potatoes, Slaw, Corn Bread with whipped Apple Butter, and Bourbon Pecan Pie.

We then got a taste of the North, in the form of our Celebrity Keynote, President Abraham Lincoln. (Yeah, how many data conferences can say they had a former US president as a keynote!?) President Lincoln, performed by professional celebrity impersonator, Tim Beasley, provided us a first-hand account of how the Union Army was able to beat the Confederate Army, thanks in part to their “weapon of knowledge”– namely, the telegraph. President Lincoln explained how having the ability to share information more quickly and more accurately (two data quality dimensions) by way of the telegraph, his Union Army was able to stay ahead of the Confederate troops, and ultimately win the US Civil War. It was a thought-provoking insight to how information quality played a pivotal role in shaping what is the United States of America today.

After President Lincoln departed, we raffled off 26 books, donated by our resident authors and their respective publishers. Winners were drawn from session evaluations and our Civil War Trivia Hunt, which was developed by volunteer, Ken Hansen. Ken did a fabulous job coming up with 20 questions that spurred conversation throughout the conference – Thank you, Ken! After the raffle, we finished up the Wednesday evening festivities with our Closing Keynote, Dr. Alex Borek, who presented “Cognitive, Cloud and Big Data: A New Beginning for Data Quality?,” offering insights to the future of information and data quality.

Throughout the conference attendees were provided never-ending Southern hospitality by hotel staff, not to mention the never-ending all-day snack bar. Breakfasts and lunches were also full of tasty Southern delights that changed daily. I don’t think anyone was hungry the entire week!

When all was said and done, we hosted one last event – the Friday Historical US Civil War Tour of Richmond, VA, the capital of the Confederacy. 23 people from various countries stayed an extra day to enjoy a private tour hosted by our Southern Bell from Wednesday night, Debbie. Debbie shared her passion of US Civil War history highlighting a number of historical sites along the way. Our bus driver, Bud, kindly pulled over several times so we could take pictures. The tour included stops and private tours at the Virginia State Capital building and St. John’s Church, where Patrick Henry gave his ever-famous, “Give me liberty, or give me death” speech. The tour ended with one last delicious Southern lunch at the famous Hanover Tavern, originally owned by Patrick Henry’s father-in-law.

All-in-all, it was a great conference! I would personally like to thank the Sponsors, Speakers, Keynotes, Authors, Volunteers and Staff who all helped make this conference a success. I’d also like to thank the Attendees – all of this was done for you with the hope that you would be engaged and excited about information and data quality (with a little US Civil War history thrown in). I hope you enjoyed the IDQSummit and were able to take away some great insights.

I would also like to say how thankful I am for having had the opportunity to chair the 2014 International Data Quality Summit. It was an exciting and educational challenge for me. And, although I have left IAIDQ and will not be chairing future events with the organization, I look forward to other similar opportunities already on the horizon.

Joy L. Medved, SSBB, IQCP, ADKAR
CEO / Principal Consultant
Paradata Consulting, LLC
Email: joy@paradata.us

An Open Letter to my Information Quality Peers

The International Association for Information and Data Quality is dead. I just don’t think they have noticed. Perhaps they have been distracted by the critical success of their IDQS14 conference, an event that I was privileged to have been a sounding board about during planning and which my company provided “hands to the pump” for by way of sponsorship, even though we were never going to be able to attend in person.

You see, I really cared about IAIDQ. I was a Charter Member. I was present at many of the initial meetings in 2003 and 2004 in London where input from Europeans was being sought about the structure and focus of a “professional body for likeminded people working in information and data quality”.

I was the Director of Publicity (aka VP Marketing) and, for four great years, I was the face and voice of the Association at public meetings world wide. I identified World Quality Day as an event that IAIDQ could and should mark in the annual calendar as a rallying point for members internationally. I lead the “Voice of the Customer” research conducted in 2006-2007 to identify the core values of the Association, as expressed by the membership. That project involved surveying all members at the time (about 300 world wide) and having coffee and talking with as many members and prospective members as I could get in contact with at conferences or over Skype.

Customer. Community. Collaboration. Commitment. Continuous Improvement. These where the “5C’s” that the customer wanted at the heart of IAIDQ, and it’s what I and many of the Directors I served with worked hard to try to achieve.

On top of my Publicity role I jumped in to help out on other areas of the Board where input or resource was lacking. The CRM system that has just been implemented by IAIDQ was identified and prototyped by me back in 2006, but implementation to production in a secure and stable fashion was beyond my skillset at the time. I was one of the original team working on the development of IQCP and personally wrote a number of the questions that are on the exam. Heck, I think I’m responsible for Jim Harris of OCDQBLOG (who did his first podcast with me for IAIDQ many years ago).

But we have failed.

Despite having a critically successful event in Virginia this year, an event that my company was proud to be behind because it was conceived as a fun (community) event where people could let their hair down and network (collaboration), and do something that the membership and prospective membership would value and enjoy (customer), I have had to conclude that the IAIDQ is dead, but just doesn’t know it yet.

(For the avoidance of any doubt – I never held any other role on the IAIDQ Board other than Director of Publicity. I did found and lead the Irish Community of Practice and help to found the UK Community of Practice. But that’s all. )

My view is based on the following:

Bizarre Board Decisions

I’ve learned that the Board of Directors dismissed Joy Medved as Director of Events during the conference, but apparently forgot to tell her until a week later. I know Joy and work with Joy. I know she was incredibly passionate about the IAIDQ and was a strong advocate for a “get the basics right” approach to rebuilding the Association.

I know Joy had expressed frustration with the direction of the Association and was considering resigning. However, when a volunteer Director puts together an event that gets people saying positive things about the Association for the first time in a long time, any sensible Board would work to keep that volunteer engaged and listen to their concerns. Instead, the IAIDQ Board has chosen to dismiss a Director who has done incredible work rebuilding the relationships between IAIDQ and other professional bodies and conference organisers and who envisioned an event that actually met the promise of the “5C” values of the Association.

That is just bizarre.

Equally bizarre is the apparent time lag in informing Joy. First rule of business: when you’ve sacked someone, tell them. It seems like it took the IAIDQ leadership a week to pass the message on to Joy. That stinks from a governance perspective.

Furthermore, it appears that the IAIDQ Board has decided against engaging in collaboration with other organisations. My experience on the IAIDQ Board and as the founder of their first Community of Practice is that to help develop a foothold in new markets or find new ways to serve audiences, collaboration is necessary. No individual or organisation can do all things themselves.

A key problem that new entrants in to the data space have is figuring out a career and certification path. That is a key problem that needs to be solved for both individuals and employers. Right now it is not being solved. But it can only be solved through collaboration between professional bodies to educate the market.

But the IAIDQ seems content to keep building walls. That’s just nuts. As an Information Quality consultant and trainer (heck, I teach an IQCP certification syllabus) I regularly hammer people over the head with Deming’s 14 Points. One of those is the need to remove barriers and instil pride of workmanship. Building up walls and pulling up drawbridges can best be described as “odd” and counter-intuitive in an organisation that is supposed to espouse quality management principles and has “Collaboration” as a key core value.

It also makes it difficult for IAIDQ to establish a point of presence in new markets. The experience of the Irish and UK CoPs evidences what happens when the IAIDQ’s Board doesn’t engage in collaboration – both Communities relied on collaboration with national informatics societies (Irish Computer Society and British Computer Society) to grow and operate. In both cases engagement from the top was required – basic “diplomacy between Heads of State” if you will. It didn’t happen. Both CoPs died away.

At one point Ireland accounted for over 10% of the IAIDQ’s world-wide membership (approx. 40 people out of approximately 380 members in 2006/2007). Today, there is at most one paid up member here that I know of.

I hope the view from the IAIDQ’s Ivory Tower is nice.

 Absence of an IQCP ecosystem

I am a strong believer in the importance of skills certification for Information Quality. I have been a staunch advocate of IQCP and my company was the first in the world to offer IQCP training. It’s likely that I have personally trained or coached more current IQCP holders than anyone else in the world. However, it has been a constant struggle to get engagement. Key information was out of date or full of errors for over two years, despite the errors being spotted by my clients and fed back.

To an outsider trying to deal with IQCP, it appears that it appears like it is being run as a mini-fiefdom of a small group of people. That is not sustainable, and it does a disservice to the wonderful work that has been done recently by Dan Myers in particular.

I was on the Board that initiated the IQCP process. At that time the strategy was that IAIDQ would create an ecosystem within which trainers and content developers could contribute to the body of knowledge and grow the certification. That was a strategy I could get behind and sell as Director of Publicity because it aligned with the 5Cs of the core values.

It hasn’t happened. IQCP has failed to reach critical mass. But the same levers keep being pulled hoping for a different result.

No consistent product delivery in nearly 2 years

A core product of IAIDQ membership is advertised as being the Journal (originally a newsletter issued monthly it became a Journal issued quarterly). From 2005 to 2010 I was among the most frequent contributor of articles to the IAIDQ Newsletter/Journal. I was proud to contribute and it helped me stretch my thinking in the Information Quality space.

Since 2011 the Journal has appeared four times – twice in 2012, once in 2013 and once in 2014. I volunteered time from myself and one of the team in my business to look at what could be done with the tonnes of content that apparently had been submitted. Like Old Mother Hubbard we found the cupboard to be bare. Not enough content existed to produce an edition.

An Association that cannot consistently produce a single core product has a problem. Where there is an absence of volunteered content, and an absence of volunteers to package and produce the core product, then there is a problem. And the problem is not one of grand vision. It’s one of basic operations. And the answer to a problem like that is not to leap into something new and hope that that reinflates the passions of volunteers to crank out the goods.

No Volunteers

The IAIDQ is failing most of all because it cannot attract or retain volunteers. This has been an issue since 2006/2007at least. I have personally had volunteers who were working with me on Publicity activities when I was a Director walk away because of the conduct of other officers of the Association towards them. Apparently, it hasn’t improved. Those officers are still around, but the volunteers aren’t.

The lack of volunteers is not unique to IAIDQ. It is a common issue across the not-for-profit/voluntary sector. However, the consensus is that the approach to addressing that is to work the values and, in true quality management fashion, focus on the most important needs of your customers. That’s why IDQS14 was a great opportunity to reboot the Association. IAIDQ’s customers want to have fun and a sense of community because the day job is just so darned stressful. It’s an opportunity missed, I fear.

Volunteers don’t rally around a vague future strategy, and a strategy does not arise from talking within a sub-set of the leadership group about what might be done. Volunteers need something they can emote with, that taps into their intrinsic motivation to contribute, and pushes them to find the extra hours in their busy days to write articles, phone sponsors, travel to meetings, run a website, co-ordinate events,  sit on conference calls, and generally all the stuff that needs to be done to do the business of an Association.

One thing I’ve learned running my own business is that not-for-profits are in a perpetual state of “startup” – and that’s where clarity of vision, clarity of values, and prioritisation around the resources you have is essential. If you can’t answer the question “Who will do that?” with a name that is actually on-board to do that thing, it’s not going to get done!

For many years, I was that name. I was so passionate about IAIDQ that I tapped my insomnia, and my personal finances in some cases, to get things done for the Association, to design marketing materials, man stands, and communicate constantly the core values of the Association to try and attract like minded people. IAIDQ no longer has that pool of people. But it’s not because those people don’t exist. I meet them on twitter and at events all the time. I count some people I’ve never met as friends in the data community. But the IAIDQ is not engaging those passions any more. High-brow dreams of a future method of operating will remain just that. Just like the 80% of startups that fail because they lack the means to execute and the clarity of vision to know what to kill off.

In March I was asked if I’d be manning an IAIDQ booth at a conference in London. I said no. For the first time in a decade. The passion to contribute is gone. Because the organisation has turned insular. And nobody says “thank you” any more.

Group Think

Worst of all I believe the Association has fallen foul of Group Think. Over the years, as a Director and then as a passionate volunteer, and most recently as a candidate for the Presidency, I’ve presented evidence of negative market sentiment, stagnant membership numbers, and the opportunities for expansion through collaboration. As Director Publicity/VP Marketing I took it on as part of my role to challenge decisions at the Board level on whether they aligned with the “5 Cs” of the core values. I was an argumentative little prick, but always accepted the final Board decision once the debate was had.

But over the years, debate has become more and more the sound of one voice. Increasingly I have found the Board dismissive of evidence and filling in optimistic assumptions where hard assed reality is required. It reminds me of the joke about how the economist was rescued from the desert island: “first assume the existence of a lifeboat”.

Last year I submitted my candidacy for President, after nearly five years of being asked by various members of the Board and various advisors to the Association and declining it because I had other priorities and wanted to avoid any implication that I’d spent four years as Director of Publicity just to be President. Don’t get me wrong, I feel that the Presidency of the Association as a great honour and a crucially important role. Which is why I didn’t want to take it on at a time when I couldn’t give it 100%.

Last year I felt it was then or never. I assessed the situation of the Association and submitted a high level strategic plan to address the issues that people I’d connected with in the community had raised with me, often in hushed tones as if they were afraid to speak truth to power.

The Board, many of whose members had personally called me and quite literally begged me to self-nominate, ultimately voted against my candidacy. I accepted their decision, and still do. But I cannot respect it any longer.

I firmly believe that the Board ultimately dismissed Joy Medved because she took on my role on the Board of argumentative pricker of consciences, the devil’s advocate against group think and Pollyanna-ish assumptions. She ran an event that was a critical success, one that I and my company were proud to be associated with, and which ticked all the boxes for alignment with the original core values of the Association.

The Group Thinkers will attempt to rationalise their decision from a number of directions and I fully expect attempts at character assassination (because that was done to me), but as an outsider with experience on the inside it looks very much like vested interests took an axe to the legs of a volunteer whose approach to delivering value to the customer was making them uncomfortable – because it was working, and because she wanted to push others to work hard on delivering core services and core values.

The Future

I fully expect the IAIDQ Board to continue to pursue a vague and uncertain strategic plan, one that assume the existence of volunteers who give a damn. But I don’t hold out hope for the future of the Association. Its heart is gone. Its values, defined by the many, have been cast aside because they have become inconvenient to a few.

From our founding vision of an International community of like-minded people who were passionate about Information and Data Quality, I fear that the IAIDQ has been hollowed out to a US-centric vipers’ nest of vested interests that has turned its back on its customers as it chases its tail, blissfully happy in the ignorance of how the world of professional associations has moved or how its actions towards volunteers, supporters, and others makes it look.

Commercially, my company will continue to provide training in IQCP to clients who request it or to whom we are currently committed, but we will be looking to the market for an alternative as soon as possible as we cannot rely on a certification provider who will likely not exist in 12 month’s time.

The idealist me of 2004 who signed on to help found IAIDQ hopes I’m wrong about the present and the future of IAIDQ and that, in this 10th anniversary year something will change. But the realistic me of 2014 fears I’m not.

To paraphrase the sci fi character Dr Who: “Does the IAIDQ look tired to you?”

Update: What can be done?

A trusted advisor suggested I make this read less like a rant (which I didn’t intend it to be) and more like constructive criticism by putting on my consultant’s hat and making some suggestions for improvement.

Looking at IAIDQ as a consultant, I would make the following recommendations:

Do this:

  1. Clearly and publicly define who your customer is and what the most important needs are of that customer that the Association is going to meet – and HOW.
  2. Tailor ambition to capability, at least until such time as core value proposition elements are stable and the customer can see clear value in being associated with IAIDQ.
    • Ensure that there is a value proposition for members, something that they can see is worth their dollars/euros/zloti
    • Make sure that deliverables happen regularly and as promised. Agile methods might be appropriate, but waiting for perfection in all things is worse than delivering a “beta”.
  3. Create a simple vision of the future that people can get behind. And COMMUNICATE IT
  4. Build bridges with other organisations. Lots of bridges. That is a collaboration and community strategy that aligns with the principles espoused by Deming, Juran, and other pioneers in Quality.
  5. Develop a habit and practice of ‘inclusivity and reward’, where volunteers and contributors can feel that their voice is heard and their contributions are valued.
  6. Give careful consideration to the meaning of the word “International” in the Association’s name. Use it or lose it.

Don’t do this:

  1. Craft a master plan strategy for the future without being clear on what distinct need you are serving.
  2. Define a vision and a plan for the future that ends with “and then we will have the volunteers come on board to do this”. Lots of non-profits make that mistake.
  3. Overestimate your capacity for delivery and capability for change, based on an assumption that volunteers will appear. Assume they won’t and work from there.
  4. Attempt to deliver an all encompassing “one-size-fits-all” offering without having robust alliances in place

These are basically the 10 things I’ve been saying for a number of years as a Director, volunteer, and member of the IAIDQ.

They apply to that body, but they are universally applicable to all professional membership organisations that rely on volunteers to deliver the goods. Hopefully someone will read this and learn from it. It might even be the IAIDQ.

 

Buster keaton cameraman movie poster

Washing the Defectives

I’m away places foreign at the moment, delivering a keynote on data protection and data governance stuff in an EU country where everyone was shocked and horrified to hear what a cack handed job of Data Protection compliance Irish Water was making.

I was hoping to leave Irish Water alone. But they’ve apparently gone and done another SideShow Bob on it and trodden on yet another Data Protection compliance rake.

So. We now have covert surveillance by a company. I’m sure that’s something that the DPC has had some thoughts on in the past. But before we do that, we need to distinguish between recordings by the police, or revenue/customs authorities and recordings by private individuals or companies. The distinction is simple: the police can process data (i.e. record) where the processing is necessary for the prevention, detection, investigation, or prosecution of an offence. Their law enforcement function gives them a little lee way around things like fair processing notices etc (it defeats the purpose of a police covert surveillance operation if they have to have a big, visible sign and flashing lights).

With regard to other forms of CCTV recording, the Gardai have produced this helpful document for people who are installing CCTV systems. It’s not as helpful as it might seem at first as its focus is on ensuring that the recordings are admissible in court as evidence and it spends a lot of time on the rules of evidence for CCTV in court. It fails to mention that CCTV recording constitutes processing under the Data Protection Acts and, therefore, requires that the Eight Principles of the Data Protection Acts be complied with by anyone who is not a member of a law enforcement agency in the State. The Data Protection Commissioner’s Guidance on CCTV can be found here.

Use of recordings, particularly covert recordings, is a very tricky and complex area to get right from a Data Protection point of view as you are balancing competing rights.

  1. The data must be obtained fairly
  2. It must be obtained for a specified and lawful purpose
  3. It cannot be used for a purpose that is not compatible
  4. It must be kept safe and secure
  5. It should be kept accurate, complete, and up to date
  6. It must be adequate, relevant, and not excessive (i.e. proportionate to the purpose)
  7. it should be retained for no longer than necessary for the purpose
  8. Data subjects have a right of access

Fair Obtaining/Processing/Not incompatible use

Where covert CCTV is installed by an organisation to investigate a specific instance of an offence, then the DPC has historically taken the view that this is reasonable, but only if it does not infringe on the rights of people who are not committing that offence. Given that peaceful protest is not an offence, covert recording is excessive unless there is an offence being committed, but a public CCTV system with appropriate Fair Processing notice and statement of recording and the purposes for that recording would be OK . The relevant case study from the DPC is here. – note it is filed under both CCTV and “Fair Obtaining”.

The DPC picked up the thread again in 2009 with a complaint about covert CCTV filed against Westwood Fitness. Again the issue for the DPC was the fairness and transparency of the processing. Specifically they stated that:

any monitoring must be a proportionate response by an employer to the risk he or she faces taking into account the legitimate privacy and other interests [of others]

and thatthe

in terms of meeting transparency requirements, staff must be informed of the existence of the CCTV surveillance and also of the purposes for which personal data are to be processed by CCTV systems.

In the Westwood case, Westwood stood down their CCTV, terminated all staff disciplinary proceedings that were based on CCTV evidence, and were found to have breached the Data Protection Acts.

If Irish Water are engaging in recording for the purposes of prevention or investigation of criminal activity that might occur, any use AT ALL for any other purpose is incompatible with that, so sharing, distribution etc., except to An Garda Siochana in the course of an investigation, would be unlawful.

[Update – inserting a statement of the bleedin’ obvious]

But if An Garda Siochana are already present, for the purposes of preventing crime, detecting its occurrence, and taking action if criminal acts take place, what is the lawful purpose of any recording? CCTV is used in shops because the gardai are not there all the time so need to have some tools to help them track down ne’er-do-wells when a crime occurs as, despite earnest hopes to the contrary, Doctor Who’s blue police box never really made it as a default tool in modern policing.

So, what is the specific purpose for which Irish Water is engaged in recording, covert or overt, at water meter protests, given that the constabulary are already in attendance?

[/update]

Suggestion:

  1. Add a section to the Irish Water Data Protection notice to the effect that “from time to time, in order to help ensure the safety of our installers and contractors,  and for the purposes of preventing and detecting criminal activity, we may use CCTV recording equipment in the vicinity of engineering works on behalf of Irish Water. These recordings will be retained for XX days”.
  2. Don’t use a covert surveillance system disguised as workers. Use a massively visible camera and an audible warning (for the blind among us) that alerts people to the fact of recording. It will either deter criminal acts or lead to one happening. It all depends on how Irish Water handle the escalation.
  3. Don’t act like you are sanctioned and authorised police officers engaging in covert surveillance. Even though there are exemptions for law enforcement under the Data Protection Acts, constitutional privacy rights still apply and even the Gardai are bound by certain rules and protocols on the use of covert video surveillance under the Criminal Justice (Surveillance) Act 2009, not least that a senior officer can only approve surveillance of an individual for 72 hrs for an “arrestable offence”. Revenue published a useful guideline to their interpretation of that legislation in 2010. TJ McIntyre put it here. Of course, if you are standing in a place to which the public has access (i.e. on the road) that means the 2009 Act may not apply even if the Gardai are recording you, but the Data Protection Acts still do!
  4. If there are specific individuals who Irish Water wish to gather evidence against in relation to the commission of offences, then I would suggest filing an appropriate complaint with the Gardai and allowing them to make the decision as to the appropriate approach to evidence gathering and the handling thereof.

Subject Access Request

Irish Water should bear in mind that, as Data Controllers, they are subject to subject access requests for information that is recorded by CCTV (whether overt or covert) or by way of photography or audio recording.  The address to write to to make a request is on the Irish Water website (www.water.ie).

Use of Contractors to take recordings (Data Processors)

If Irish Water has engaged a firm to engage in covert recording, that firm are a Data Processor. Irish Water will be liable for any unlawful acts of that Data Processor. The recent prosecutions of private investigators for unlawful obtaining of information should be a warning to any organisation engaging 3rd parties to obtain data on individuals through blagging, surveillance, or other means, that the Data Protection Acts apply and are being enforced.

Irish Water need to ensure that there is a contract in place covering this activity and the means by which the data is being obtained, processed, stored, and retained.

Retention

Irish Water need to have a retention period for these recordings. The current “for as long as required by law” response from Irish Water’s customer service team is, frankly, insipid nonsense. The DPA does not specify a period for retention, so you need to nail down either a policy (28 days) or a specific statutory purpose, and exemptions to that (i.e. “or for the duration of a criminal prosecution and related appeals”).

The Kicker

Of course (and this is where I will INSTANTLY become unpopular with all the people who’ve been hanging off my earlier missives on Irish Water’s Data Protection woes) ANYONE ELSE who is engaged in recording for anything other than a “domestic purpose” needs to be very careful that they too are not breaching the Data Protection Acts.

Journalists have a journalistic exemption they can rely on where there is an intent to publish a story. Sean Q Ó Pobail who wants to post the video to Youtube needs to bear in mind that the domestic exemption is not the same as a “non-business” use. A recent case on CCTV has raised these issues and the Advocate General’s opinion (which may or may not be followed by the CJEU) was that video surveillance of others could not be considered exclusively “personal” within the meaning of the Directive, although it could be within the scope of “domestic” processing. However, when that processing extended into a public space, it could not be considered exclusively domestic due to its impact on others, who may wish to protect their privacy. There is a good analysis of that case here.

So, while Joan Bruton might jump on a minefield by complaining about the smartphones and tablets being used, the people engaging in recording need to be aware that the Data Protection Acts can cut both ways and care should be taken with the use of and disclosure of any images that are recorded.

Of course, you might be able to argue that the recording by protestors would fall under a “legitimate interests” exemption where they are using the recordings to document the lawfulness of their actions and peaceful nature of their protests. That still can carry with it an obligation to comply with a Subject Access request. If there is an intention to produce a news item for publication (online, on air, in print media) then that would likely be covered by the journalistic exemption under the DPA and all that goes with that.

But if protestors are intending to use recordings as a tool of intimidation against Irish Water workers (who are, like it or not, simply doing a job to put bread on the table and keep a roof over their heads) or to gather “intel” on Irish Water staff, then complaints about Irish Water recording them ring somewhat hollow.

If you are publishing, pay attention to the need to protect privacy even in a publication – are you ready to redact faces from videos? Do you know how?

If you are just recording in an attempt to intimidate… please stop and think how it makes you feel when someone does it to you. Don’t be a hypocritical asshat with an iPhone.

Suggestion: Protestors engaged in recording also clearly state and communicate their purpose for recording events in the area. Journalists try to identify themselves when covering large public events, if you are a “citizen journalist” don’t hide behind the keyboard – identify yourself as such. If you are engaging in journalism, be a responsible journalist. Balance free speech with respect for privacy. Be a better person for it.

 

Conclusion

Both sides here should educate themselves quickly on the issues and risks involved in recording in public places. Both sides need to put in place appropriate protocols to ensure that they are complying with the Data Protection Acts. Covert recording is invasive and disproportionate in most circumstances, and one of the touted benefits of CCTV is not the recording but the deterrent effect of people being aware that recording is happening. If everyone declares their recording, their purposes for recording, and other items necessary for compliance with the DPA, we might at least reach a stage of mutually assured destruction, an audio visual cold war.

But at least we’ll have some respect for fundamental rights.

not droids

Irish Water channelling Alec Guinness

 

Irish Water is working hard on Twitter and in other forums to convince itself, if not us, that all is well with regard to their Data Protection policies and procedures.

In response to questions raised about the retention of data, specifically PPSN data once allowance entitlements are validated and personal data of non-customers, Irish Water have trotted out the standard 140 character line. Their response is essentially a variation on the following:

Data will be stored in Irish Water, after a customer ceases to be a customer but not longer than is required by law.

It is that response that has prompted my choice of image for this post. Those of you over the age of 12 will recognise Alec Guinness in one of his most famous mortgage paying roles, Obi Wan Kenobi in the original Star Wars. And why does my brain make this connection?

These aren’t the droids you’re looking for. You can go about your business. Move along” (waves hand enigmatically)

Unfortunately for Irish Water many of us are not as feeble minded as an Imperial Storm Trooper in a fictional universe. These Jedi Mind Tricks don’t work. We have a detailed specification for the specific droids we are seeking and we are pretty sure those are they.

  1. What is the specific purpose for the processing and retention of non-customer data by Irish Water? (i.e. why are they processing data about people who are not connected to a public water supply?)
  2. What is the retention period for that data? Why is it being retained? What is the basis for the retention period that has been selected that makes that retention proportionate? Which law are they operating within for their retention period?
  3. What is the retention period that Irish Water are applying to PPSN data provided to them? Why is that data being retained (for what purpose) given that the sole purpose Irish Water has for processing PPSN data is the validation of entitlements, suggesting that once that purpose has been completed the data should be deleted.

These are simple questions. They should be easy to answer if appropriate efforts were made to conduct Privacy by Design based compliance with the Data Protection Acts.

Once this grumpy old Storm Trooper gets a coherent and credible answer I’ll gladly move along.

For Feck’s Sake Irish Water, I’ve got a day job…

Stopped to take a breather for lunch. Saw this from TJ McIntyre (a man who knows his onions when it comes to Data Protection and Privacy).

I’ve covered off the issues with the marketing consents for Irish Water on my company site.  The total confusion here effectively makes any implied or explicit consent for marketing open to challenge on the grounds that it was not unambiguous. Irish Water need to step up, stop faffing around, and fix this. It is a total disaster and it is getting in the way of me doing my real job. Also, the consent Irish Water are relying on isn’t Opt-In, its Opt-out.

I’m not against Water Charges, I’m against what I see as an inevitable waste of 10%-35% of turnover in Irish Water due to poor data quality management, leading to manual work arounds and scrap and rework, and I’m against approaches to obtaining and processing personal data that frankly seem to be oblivious to the national and EU legislation that should be governing that processing.

I’m against €82.4 million being spent on consultants who don’t seem to know how to approach this kind of project correctly given the gaping issues that exist in a data management context. And I’m against me having to be the paramilitary wing of the Data Protection Commissioner’s office asking key questions in public the day before it all kicks off that should have been addressed in private months ago during the design phase. And I’m against any absence of accountability or stewardship over critical data. That just irks me.

I’ve got a day job and clients to serve. conferences to prepare keynote presentations and tutorials for, and a conference of my own to run. The mental exercise of analysing Irish Water was fun, but frankly it’s like shooting fish in an over-engineered under-designed barrel at this point.

So, for all the Irish Water people reading this:

  1. Please come to IGQIE2014 in November. You will learn something you really need to know
  2. Ask you boss if you can hire my company to help you figure this stuff out. We’re pretty good at it. And we’ve got friends who are good at the bits we’re not good on. We will be a rounding error on €82.4 million.
  3. Please try to stop screwing up on your data management and data protection issues quite so publicly because when people ask me about a think I’m wired to look at it and figure it out. They find me on twitter and look to me for answers, and I feel obliged to try to help explain because you are doing such a crappy job of it. This stuff made me trend for Ireland. I hate trending for Ireland.

A blatant advert for IGQIE2014

igqie2014-flyerflyerigqie2014-flyer
I normally try to keep business and personal blogging separate for a variety of reasons *koff* domestic exemption to DPA *koff* but as this site is getting a lot of hits recently about Irish Water stuff, and as the conference my company is running is DIRECTLY RELEVANT to the subject, I thought I’d post a little snippet about it.

IGQIE2014 – (Information Governance and Quality Ireland to give it its full title) is an event Castlebridge Associates is running on the 7th of November in the Marker Hotel in Dublin. The day is aimed at connecting the dots between the legal principles of Data Protection and Privacy in the EU and the coal-face challenges of data modelling, information quality, and data governance necessary to achieve compliance and deliver happy customer outcomes.

In the morning session we have three presentations from:

  • Fergal Crehan – Barrister at Law and expert on EU Data Protection and Privacy law. Fergal has been directly involved in a number of key cases in Ireland and at the CJEU on Data Protection issues.
  • Michael G Morrow: Michael is an expert in Data Modelling. He’s going to be talking about  the need for business engagement in the Data Model design and engineering process.
  • Me – I’m talking Data Governance, Data Protection, Privacy by Design, Privacy Engineering, and Data Engineering. Aim is to link Fergal and Michael’s themes together in something educational.

In the afternoon we have three of the world’s leading experts on Data Governance, Information Quality, and Information Architecture coming to deliver parallel tutorials.

Full details can be found on http://igq.ie

Early bird ticket deals expire TODAY

Student tickets are available for the Morning only.

A flyer is attached to this post for you to download and share.

igqie2014-flyer