Category: Uncategorized

I use a standing desk when working in my office (and if I could find a light weight portable option I’d use one on client sites as well). Many of the greatest leaders have used standing desks.

There are proven medical benefits to getting off your backside when working. It’s worth bearing in mind that sitting for a living is an invention of the late 19th and early 20th century. Prior to that most people did have to move around a lot. But standing desks can be expensive. So a theme has developed over the past few years of hacking functional standing desks that are ergonomically aligned using a low capital investment model (for which we must read “it don’t cost much if you make a mess of it”). The source of raw materials is a certain Swedish home improvements store famed for their meatballs that I won’t name here because they are very protective of their brand name. But a good source of ideas for how to repurpose their stuff can be found here.

About 18 months ago, after a flare up of back trouble, I did a bit of research (using the hacks site linked to above and a few others) to see how I might best build a standing desk on a near-zero budget. I started with a few basic design principles:

1. Aim for “minimum viable product” – it had to meet ergonomic requirements for me and my height, but I guessed it how I worked, laid out my work, and how the desk would need to function would evolve as I changed from sitting on my ass to moving around.
2. Reuse or recycle things I already had – I had a desk already. I wasn’t going to junk that. I also had a pretty cool laptop stand with cooling fan and USB ports.
3. Kaizen principles – I’d look to find ways to reduce waste of effort and time when working, and accept that the desk would not be perfect as I’d always find something else to improve how it works for me and with me.
4. MacGyver rocks.

Ergonomics

Some basics. If you don’t have your standing desk set up correctly you will simply make things worse for yourself. Do some research. Buy a measuring tape. Think about posture, stance and positioning. I train (as often as I can, which isn’t often enough) in Aikido so I am very concious of my centre point (hara) and the need to have hips and back aligned correctly for good movement and energy flow.

Some good resources for standing desk ergonomics I found during my research are here, here, and here. A recent resource that covers off some good “dos and don’ts” can be found here.

Introducing DeskZilla

DeskZilla was the result of my research and my design principles. It was built entirely from parts purchased from Ikea (oops I’ve named them), with a few extra bits thrown in to make minor adjustments.

The parts I used were:

1. A Vika/Amon desktop (no longer available). It is 100cm wide and 50 cm deep. For alternative table tops, see here: Ikea TableTops
2. An Ekby Jarpen shelf for the monitor and laptop level, with three Ekby Tore clamp brackets (3 ensures shelf doesn’t bow in the middle). Ikea actually illustrate the use of the brackets on a desktop on their website now.
3. Capita legs for the desk (which require a little MacGyvering with a drill to make some new screw holes for them as they are not meant as desk legs). I went for these as they could be adjusted up to 17cm high. Note that the Capita legs aren’t MASSIVELY extendy, they adjustable to compensate for uneven floors in the furniture they are supposed to be used on. But a centimetre or two can make all the difference.
4. Two power blocks from Aldi that bolted onto the desk. I put them on the rear edge to stop DeskZilla from sliding backwards.

Total cost, a little over €70.

A key point… it is really important to measure your existing desk and the height/depth of each component to make sure things are going to be at the right height.

What I have with Deskzilla is a modular system where I can move the monitor and laptop down on to the lower level and move the keyboard and mouse down to the lower desk and use it as a sitting desk. The monitor is almost exactly perfectly positioned for a sitting desk when on the first level.

I had to add a pencil box under the keyboard to move it up a centimetre and a half or so for better ergonomics when typing. The monitor is now raised up on a hardback books to improve positioning (more on that in a moment).

Evolution, Phase 1

Almost immediately DeskZilla began to evolve. While the monitor was almost perfectly aligned, I found that video conferencing was a great way to double check.

Rule of thumb: if you have a webcam in your monitor your eyes should be in line with the lens. A hardback book fixed that.

After a few weeks of use I noticed I was getting stiffness. Some gym mats from Argos on the floor provides an anti-fatigue feature, and I still have my chair and can switch to sitting if I get too stiff and sore any day. The body is a bugger and some days you can stand without issue for hours (I pulled a 27 hour straight working day on a project last year… standing almost the entire time) and other days it hurts like heck after a few hours.

Second rule of thumb: listen to your body and adapt each day.

Evolution Phase 2

DeskZilla will evolve again soon. Experience with the monitor, and the hassle of bending to get pens, post-it notes etc,  tells me that it might make sense to swap the Ekby shelf for one with drawers that has the same length and a bit more height. The Ekby Alex shelf looks like a contender. The only reason I rejected it in Phase 1 was cost – it would have been over 50% additional on the budget.

I also need to think about raising the desktop a little to remove the need for a pencil case under the keyboard. That could be achieved through castor guards or something like that (the things that you put on furniture that is going on a wooden floor), another option is some half-inch wooden blocks  between the Ekby desktop and the Capita legs to give a small height boost. That last option would be a good call for anyone over 6ft 2″ who wanted to use this recipe, and could be a way to incrementally tweak the height to what you need rather than relying on just the leg extendibility.

Finally, I’ll probably invest in a folding bar stool type chair, or an ironing board chair to use when fatigue kicks in to take the weight off my ankles and knees.

Some key lessons about standing while working

1. Think zen and do yoga. Simple stretching movements keeps fatigue at bay and helps strengthen core.
2. Don’t stand still… move around and shift posture.
3. Get used to working in shorter bursts and then changing position. I used to sit motionless for hours, now I work in 10 to 15 minute bursts and then switch posture or position… any longer and I stiffen up, which can hurt and break concentration any way. Movement keeps the brain awake!
4. Two monitors makes a massive difference, but only if you aren’t having to crane your neck to see it.
5. Your workspace will evolve around you. Find a natural movement and flow for you and settle into it. If you force it you’ll find it just doesn’t click for you.
6. Breathe. Take advantage of your posture and position to take deep breaths and relax into your work.
7. Each day you will need to improvise something to tweak a factor to improve comfort and flow. Accept that and get on with it
8. The Desk is NEVER finished if you are building your own, (and it’s never perfect if you bought it off the shelf)

So, within hours of me blogging about data protection consent issues in the Facebook mood manipulation study, the Register has the EXCLUSIVE that Facebook is being investigated by the irish DPC with specific questions around the consent relied upon. http://www.theregister.co.uk/2014/07/01/uk_and_irish_data_watchdogs_wade_in_on_facebook_messin_with_your_head_scandal/

I’m not saying anyone in an office above a Centra in Portarlington reads this blog but it is a serendipitous co-incidence.

And it may turn out that manipulating user timelines to provoke emotional responses could make Facebook management very sad.

Earlier this week the Data Protection Commissioner bemoaned the lack of attention to detail and the poor culture of Data Protection compliance practices in the Irish Public Service.

He was right to do so. My experience as both a service user and as a consultant has been that there are excellent people making excellent efforts to swim against a tide of indifference and short-cutting that results in breaches of legislation and puts personal data of citizens at risk.

In a “brain fart” moment yesterday I googled the words “Election”, “Training” and “Ireland” by accident. It brought back a website called ElectionTrainingIreland.ie. This website announces itself to be the “Official Presiding Officer Online Training “. Apparently Presiding Officers in this year’s Local and European Elections are required to complete this training, which I understand consists of a series of videos. It’s actually a rather good idea.

However it has been badly implemented from a Data Protection perspective.

1. It requires a PPS Number to login. This is not a permitted use of the PPS Number. For a start, ElectionTrainingIreland is not registered as a Registered User of the PPSN under the 2005 Social Welfare Consolidation Act.
2. Using PPS Numbers as a login is not good information security practice.
3. As I understand it, Presiding Officers receive a letter that contains their PPS Number and a password for this site – which suggests that passwords are stored somewhere in an unencrypted freetext format (again BAD Information Security practice)
4. There is no information about who Election Training Ireland are. They are NOT an official state body or division of the Department of the Environment. There is no privacy statement on the website that explains the purposes of processing of data, the retention of data, or (for that matter) where Election Training Ireland got the PPSN that they are using in the background to verify your identity.
5. The website, which asks you to key in your PPS Number, does not have a valid SSL certificate. There is no encrypted transfer of information. Given the value of the PPS Number, that’s simply not good enough from a Data Protection point of view.

Looking at the process from the outside, armed only with nearly two decades of experience in designing and reviewing information management processes for regulatory compliance, I suspect that this might be the underlying process:

1. A list of all people who registered to be Presiding officers was provided to Election Training Ireland. This list included PPS Numbers, names, and home addresses. [Issue #1 below]
2. This list was used to create a database of Presiding Officers which in turn was used to create a list of user logins for the website. These user logins used PPSN as the user id [issue #2 below]
3. This list was used to generate a mailmerge to each Presiding Officer at the address provided by them for contact (which is almost inevitably a home address) which contained their password [Issue #3 below]
4. The website is not encrypted. [Issue #4 below]
5. This list was provided to and processed by Election Training Ireland, who are an external contractor working (one assumes) for the Department of the Environment [See: “Who are ETI?” below]

Issue #1: Transfer of data about candidate Presiding Officers

Data constituting a significant portion of what is defined in the 2005 Social Welfare Consolidation Act as the “Public Service Identity” has been transferred to a 3^rd party by local authorities and/or the Dept of Environment. What was the lawful basis for this transfer? Was there a statutory basis (which is the DPC’s favoured basis for data transfers in the Public Sector)? What was the protocols regarding security of transfer, retention, security of storage, restrictions on use etc? Is there a Data Processor contract in place (if there is it will be a doozy IMHO because of questions under “Who is ETI” below)?

As ETI is not registered as a User of the PPSN with the Department of Social Protection, issues potentially arise with the legality of transfer here. And even assuming that ETI has a valid contract etc. with either EVERY local authority or the Dept of Environment, the PPS numbers would have been obtained originally from Presiding Officers for the purposes of processing their payments and making appropriate deductions for taxation and PRSI etc. Not for using them as a unique identifier in a system hosted by a 3^rd party.

Issue #2: Creation of lists and user logins

As mentioned above, the creation of a central database of presiding officers and the use of their PPS Number as an identifier in that database constitutes a new purpose within the context of the Data Protection Acts. Using PPS Number as a login is just dumb (a proxy could easily have been created). This database has PPS Numbers, names, and addresses of Presiding Officers. Where is it being stored? Under what security protocols? Who has access to it? How long will it be retained for? (Please don’t let them have saved it to Google Docs, otherwise I’ll have to get cross).

Issue #3 Mail merge and posting out passwords

Passwords are stored in plaintext if they could be mailed out in a mail merge. Being able to do a mail merge means that who ever sent the letters to Presiding Officers has their PPS Number, name, and addresss. That’s a heck of a lot of personal data. And if they are not thinking of the implications of storing passwords in an encrypted for and not sending them out in unsecured plain text, what’s the level of confidence in back-end security and security of related data transfers?

Issue #4 No SSL on the site

Using PPSN as a login is not great. Doing it in a way that could result in the data being intercepted by anyone minded to do so compounds the issue. Some might say it’s overkill for “just a login”, but the PPS Number is a significant identifier for people using public services in Ireland.

Who are ETI?

The site is not owned or operated by any Local Authority or Government Department. It is owned and operated by a partnership of three people based in Co. Meath. It took me 90 seconds to find that information on the CRO website, a basic due diligence test. If they are a partnership, each individual member of that partnership is a Data Processor acting on behalf of the Data Controller that engaged them (which might wind up being EVERY local authority or the Dept of the Environment – that is still unclear to me). There is nothing on the website identifying that the holder of the data doing this processing is not a government body.

So a private sector organization has been given a chunk of the Public Service identifier for a defined population of people, has implemented a solution that is arguably illegal in its design and is certainly not good information security practice. There is a questionable lawful basis for the transfer of data to this 3^rd party. (I haven’t looked for the tender for this training solution, I’m assuming it went to tender and there was some specification of information security and data protection standards in that document. But I’ve got a day job to do).

What could be done better/differently?

Lots of stuff.

1. Use a proxy identifier. If the data controller holding the PPSN had created a proxy identifier (an alphanumeric string that was NOT the PPSN) and provided that to ETI to use as a login the PPSN issue would not arise.
2. Ensure proper contracts in place with the data processor
3. Use SSL by default.
4. Use an encrypted (salted and hashed) password that could be generated from a link that a user could follow that would bring them to a page where they set their own password, rather than having a plaintext password sent in the post.
5. Improve transparency and communication about who the actors are in the process and their role.

That’ just my first four. Depending on the detail of the processes etc. there could be a LOT more. But none of them would cost a heck of lot of money and would result in a more compliant and less insecure processing of personal data.

Scanning twitter over my post-breakfast intra-planning pre-work coffee this morning I noticed tweets that were agog at a Minister for Health who is a medical doctor asking non-medical doctor political colleagues for lists of people who should have been given a medical card. The agogness was triggered by this news story on the RTE website.

Yes. It is a cause for agogness.

However my gog was a’d by one line in the middle of that story that actually links into a story covered (briefly) by Irish media yesterday. Minister Reilly has also asked for a list of names of people who have given information to the Primary Care Reimbursement Service who have had their information “misplaced”.

Only yesterday the Data Protection Commissioner was scathing in his comments about the level of “sloppiness” around the handling of personal and sensitive personal data in the Public Sector.

Today, buried in a story that was likely sourced from the Office of the Minister for Health himself, we find a disclosure that sensitive personal data and potentially personal financial data have been “misplaced” by a unit of the HSE.

However, the Minister is asking his colleagues for the names of people who might be affected. So that’s OK then.

No. It’s not.

If the PCRS has “misplaced” information that was provided to them in either electronic or hard copy form this constitutes a breach of Section 2(d) of the Data Protection Acts 1988 and 2003. Under the Voluntary Code of Practice for Data Security Breach Notification, the HSE is required to notify the Data Protection Commissioner where there is a risk that Personal Data, Sensitive Personal Data, or Personal Financial Data have been lost, or accessed or disclosed without authorization. The affected Data Subjects are supposed to be notified (unless it affects less than 100 people and doesn’t relate to Sensitive Personal Data or Personal Financial Data). The HSE, as Data Controller, is required to maintain a Data Breach Register for any reported incidents where the security of personal data has been put at risk. If the Minister is having to effectively do a ring around his mates in the Dáil to find out what the scale of the problem is, that should be a bit of a worry.

So. Riddle me this…

1. Why is the Minister asking for a list of names of people whose data has been “misplaced”?
2. Why is he asking for this list if the HSE PCRS has been maintaining a Register of incidents of reported loss of data?
3. Why has the Minister not referred the issue to the Data Protection Commissioner?

The answer is, as ever, the Tone at the Top in the Public Service in Ireland. Unerringly it is a discordant “BLAAARRRRRRPPPPP” when it comes to matters of Data Protection. Organisation restructurings are undertaken without consideration for effective Data Governance, Information Quality, or Data Protection controls. Training in these things is seen as an overhead not an investment. Kludged manual processes are put in place without documentation and standardization (sure documentation takes AGES), and Ministers give undertakings to do things RIGHT NOW (immediately) rather than doing them RIGHT NOW (error proofed, proper controls, designed for efficiency, consistently executed).

This problem is not confined to the Public Sector. However the Public Sector is, as Billy Hawkes has pointed out many times, the one actor that processes our personal data who can REQUIRE us to provide information by law and which requires us to provide information to avail of key Public Services and functions.

“BLLLAAAAARRRRRPPPPP” is an insufficient response from the leadership.

I’ve written in the past about the problems with the “tone at the top” around Data Protection and Data Privacy in Irish government and political circles.

Bluntly, with few exceptions, it seems they don’t get it, don’t like it, and would rather it go away. That attitude cascades down into government departments where it is almost (again with few exceptions) impossible to sack staff members who blatantly breach basic Data Privacy rights of individuals. Whether it is Social Welfare staff providing information to private detectives without authority or snooping on the personal details of lotto winners or celebrities, or formal political policies that presume a panopticon and damn the data privacy implications and risks.

The icing on the cake for me was Minister for Justice not seeing the problem with disclosing sensitive personal data about a political opponent on national television. I’ve written about that last year.

But the bum notes at the top are resonating higher and further. Our candidates for the European Parliament, the body which only recently has managed to push back against a wholesale dilution of data privacy rights of over 500 million people, are almost unanimous in their silence on the issue of Data Protection. Even those such as Sean Kelly who were active in European Parliament committees looking at the Draft Data Protection Regulation are silent on the issue. (And remember it was only last year that Sean Kelly won an award from the IAB Europe (an internet advertising representative body) for his work on the Data Protection Regulation, and only a few weeks ago that he was voted “MEP of the Year for the Digital Agenda”)

Of a total of 37 candidates only THREE have signed up to support a Charter to oppose any measure “that removes the power to make decisions on matters that affect European citizen’s fundamental rights from the judiciary or democratically-elected policy-makers”.

Three. Out of 37. Less than 10%. 8.1% to be precise. And every single one of them in Dublin.

But the Charter is not perfect. I would have an issue with item 10 which calls for the promotion of Free/Open Source software in public sector environments if was to be interpreted as a “thou shalt not purchase commercial technologies that have warranties and approvals and proper liability if things go tits up”, but that’s not the interpretation I’d put on it – I read that as a “closed source is not the only fruit” and personally think that individuals pushing an ‘Open Source or bust’ approach to things are often missing the total cost of ownership (risk, compliance, learning curves, stability, longevity etc.). However, as @Treasa pointed out to me on Twitter, FOSS ideologies are often presented and pushed as dogmatic mantras which brook no potential use of closed source or proprietary technologies for any reason. She is right of course. That is a risk. And perhaps it is a barrier to candidates endorsing the Charter, in which case candidates should flag that they can do anything for love (or votes) but they won’t do that.

(disclosure: my company makes minimal use of some Open Source technologies, but only where the platform is stable, reasonably standardized, and interoperable. We advise clients to consider total cost of operation and governance if putting Open Source in the mix on projects, based in part on personal experience of having to abandon tools that became unsupported or just unworkable)

And the use of a list (albeit one which is non-exhaustive and not overly prescriptive) might be off putting. But I’m not sure what other mechanism might have been used for the effective presentation of the key points of the charter. Perhaps keeping it focused on privacy issues might have been enough?

But overall the Charter is a positive statement of position and opinion on a range of fundamental information rights. It doesn’t mandate any other position other than to ensure that the Parliament have a democratic decision making role and that the Judiciary have an oversight function in the development of policy and legislation in this space.

And only 8.1% of Irish candidates have expressed a preference in favour of their having a role in defending data privacy rights or ensuring oversight on the selection of suppliers to EU projects, and all of them representing Dublin.

Our political classes don’t appear to care enough – either to sign the charter or explain why they won’t and what their position is on key principles.

The “tone at the top” drones on it seems.

Below is an edited version of the letter I faxed to Brendan Howlin today regarding Freedom of Information Act fees proposed last Friday at the end of legislative drafting before the Committee Stage in the Irish Parliament.

While I agree that public service resources need to be utilised efficiently, particularly in the current (apparently getting better) economic context, I disagree that putting a paywall up (which is the practical effect of the fees proposed) is the solution. Better results could be achieved by actually managing information as an asset and ensuring appropriate governance and joined up thinking.

Dear Minister Howlin,

It was with dismay that I learned of the proposals in the current draft Freedom of Information Bill regarding the charging of fees. Simply put: the proposal regarding fees is dangerously retrograde, belies a failure of customer/citizen-centricity in Public Sector thinking and a missed opportunity to mandate improvements in Data Governance, runs counter to your own initiatives in relation to “Open Data”, and may indeed serve to weaken any strategy to break down ‘silo thinking’ in Public Service organisations to achieve operational efficiencies through better use of data internally.

· Dangerously Retrograde:

Creating an uncapped initial application fees structure for simple exercise of Freedom of Information rates is a dangerously retrograde step. Much of the waste in Public Service organisations over the past few years has been uncovered through journalists and others using FOI rights carefully.

An uncapped application fees structure, particularly the provisions which give rise to additional charges where data requests span multiple “administrative units”, creates a financial disincentive for budget-conscious editors or freelance investigative journalists to seek information which might be in the Public Interest.

By effectively curtailing the avenues of information access for citizens to only those who have resources to take an unknown punt on the final costs or to the official press releases our FOI regime that was weakened in 2003 will have been replaced with a model for ‘mushroom management’ in which citizens will be kept in the dark and fed what’s good for mushrooms.

· Failure of Customer/Citizen-centricity and Data Governance:

The erection of a “paywall” that will inevitably act as a disincentive to exercise of FOI rights belies a failure of Customer/Citizen-centricity in the Irish Public Sector. In tandem it highlights a failure to seize a valuable opportunity to drive strategic change in Data Governance processes, practices, and methodologies in the Public Service.

Rather than seeing the challenges raised by requests as an issue which must be curtailed through charges, the Irish Government can choose to invest some effort to understand the root causes of the issues that are reported. For example

o Could it be that multi-part requests being submitted under the current system are likely a function of journalists needing to maximize the ‘bang for their buck’ on each individual request. Removing this may remove the multi-part queries?

o How many queries relate to ‘standard’ information or reports which might be ‘pre-packaged’, perhaps in formats that require additional analysis by the requestor, but which meet the requirement for access to information?

o Are FOI access and accessibility a primary consideration in the design of new systems and processes? If not, should the Data Governance structures of departments be addressed to ensure “FOI-by-design” (producing standardized core reports etc), in the same way as “Privacy by Design” will be a requirement under the forthcoming EU Data Protection Regulation?

I am currently engaged in a project [details of project redacted for publication] where FOI requirements under regulations such as the Aarhus Convention as well as their voluntary compliance with various regulatory standards have been identified as key strategic drivers for precisely this kind of Data Governance change and re-alignment. The project team has identified further substantial benefits arising from the improvements in Data Governance and Information Quality in this organization that go beyond simple Freedom of Information capabilities.

By opting for a “paywall” that will keep enquiries out the Government is ignoring an internal dissatisfaction with status quo that can be leveraged to trigger and hopefully sustain Data Governance change in the Irish Public Sector. By knowing the cost of everything and the value of nothing, an opportunity to improve is being foregone.

· Free Information, Open Data: Fees are inconsistent with Open Data Strategy

Frankly my head is spinning trying to figure out what the strategic position regarding information is from the Government.

On one hand you are promoting “Open Data”, while on the other you are proposing changes that will make it harder for citizens (not just journalists) to get access to information in accordance with their rights.

Ultimately, it is my professional view that the very Data Governance and Information Quality benefits that the proposed “paywall” is forgoing in the context of FOI will inevitably emerge as challenges and barriers to producing Open Data that can be relied upon for service planning, development of applications, guiding investment strategies etc.

The “pre-packed” reporting solutions outlined above (which I believe were raised by Gavin Sheridan during the legislative consultation period) are Open Data. By implementing these and addressing root causes for current issues and inefficiencies in the FOI model in Ireland the Government has an opportunity for a double-win. Instead we are presented with cognitive dissonance where the Government trumpets Open Data with one hand but claws back Information Freedom with the other, while forgoing any operational efficiency benefits which would arise from tackling root causes in Data Governance practices.

· Breaking Down Silo Thinking in the Public Service

The Haddington Road Agreement aims to improve efficiency and effectiveness in the Public Sector and to reduce costs. Ultimately it will need to break down the traditional “silo” thinking that exists in all large organisations, and the provisions regarding staff mobility hint to that.

However the proposed charging structures under the FOI proposals run counter to this strategic vision. If one was cynical it could be described as a “Silos Charter” given that additional charging will be tied to the number of administrative units in which data is being processed.

What controls are being implemented to ensure that there is no fragmentation of administrative units to split data processing within FOI-able entities? In the absence of controls it is inevitable that fragmentation will exist, particularly in the context of processes, projects, or functions that might be of notable interest to people seeking to exercise their FOI rights.

On the other hand, improving Data Governance (data standards, meta-data, master data, clarification of data ownership rights, rules and accountabilities) and seeking to identify common methods for developing and delivering standardized reports would inevitably result in a breaking down of silos and the promotion of cross-functional ways of working within the Public Service.

However, hiding the silos behind a paywall appears to be the easy path which the preferred choice of the Government.

Conclusion

There is a significant potential opportunity to drive change in the governance and management of information in the Irish Public Sector. This change aligns with the objectives of Open Data and has potentially far reaching benefits beyond just FOI effectiveness.

A PayWall, which is what an uncapped open-ended application fee is in practice, removes this driver and allows both current inefficiencies to fester and current efficiencies to remain siloed, and deprives the citizen of their opportunity to find out answers to their questions of Government. Raising the paywall potentially beyond the reach of individuals, freelance journalists, and mainstream media is a dangerous retrograde step for transparent democracy.

FOI is the Parliamentary Question for the individual – it should not be locked away behind a paywall