I’m writing to you as an EU Citizen who is passionate about data, is use, its quality, and its protection. I’m not writing to you as the Managing Director of a company that offers Data Protection training and consulting services, but in the interests of transparency I think it best to disclose that that is my day job.

I am writing to you about the new Data Protection Regulation. In particular I’m writing to you about the penalties contained in the current draft proposal. Frankly I think they suck. I don’t think they’ll have the effect that you think they will have. I’m basing my opinion on a number of bases:

1. I have worked in Regulatory Operations in a Regulated industry that you are familar with, telecommunications.
2. I’m a keen student of human psychology and economics, particularly the psychology and economics of risk and reward.Understanding this “theory of psychology” is important in the world of Information Quality.
3. I like to observe and learn from other industries and areas of life to see what can be applied to improving quality systems for and the governance of information.
4. I’m the parent of a toddler. This might not appear immediately relevant but, in the context of Data Protection, my immediate experiences dealing with a stubborn personality in development who is programmed to push boundaries and infuriate me with apparent disregard for the standard of behaviour expected of her all too often find their parallels in the management teams and staff of organisations I’ve worked with.

Taking these elements together I am afraid that 5% of Global turnover will not work as a penalty. It’s a great soundbite but will, in practical terms, amount to little more. There are a few reasons for this.

Firstly, no-one will believe that they and their organisation will be penalised to that level for a breach. The track record simply isn’t there for one. It is outside the normal sphere of experience. In my experience, when faced with the notional prospect of a monstrous penalty, executives start discounting down on the basis of what is likely to happen. Now, as someone with a light dusting of legal training, I know that that is just gambling. But senior executives gamble all the time. Small business owners gamble all the time. It’s called entrepreneurship though in that context, so that’s OK.

Also, humans are hardwired it seems to be really bad at assessing risks that fall outside their actual experience. So, that €2million/5% of global turnover amounts to a mountain on the horizon to most executives. Yes it’s big and impressive, but it seems so far away that it can be discounted. And hence the “So, what are we realistically going to have to pay out” conversation starts and it then becomes an NPV calculation for the bean counters to determine if there is enough revenue being generated from the breach of the rules to justify breaking the rules.

Hence telcos overcharge because the penalties levied have, by and large, been a lot less than the revenue uplift generated so the breaches became a cost of doing business and there was no incentive to improve processes and quality (which would have reduced costs to the telcos, arguably allowing them to increase profitability on a lower revenue base.. but I digress).

Similar behaviours can be seen in Financial Services, Oil and Gas exploration  – any industry where the revenue uplift of flouting regulation is greater than the likely financial penalty for breaches.

Add to this the fact that in most organisations the focus is short term, booking revenue today is a bigger driver than worrying about an as yet not crystallised penalty at some date in the future. People focus on the thing that is in front of them annoying them.

Which brings me to my toddler.

As someone who strives to be a good parent I know that I have to instil values and principles in my child so she will grow up to be able to make smart choices of her own. She acts up and answers back and does things I don’t approve of on a regular basis. She’s a toddler. That’s her job. As her parent I’ve realised that I’m more effective when I am providing regular minor ‘course corrections’ to her, gently shaping her behaviour as opposed to massive acts of discipline. And, if you can recall your childhood, being deprived of a beloved toy or being kept in when your friends play on the street outside is the toddler equivalent of a €2million fine.

My approach: smaller penalties, careful lectures, engaging on a more direct basis to develop values, reward good behaviours and discourage less desirable antics. This works more effectively I find than the approaches of other parents I might see in the supermarket engaging in “massive acts of discipline”, issuing warnings and threatened penalties, while all along their child mentally discounts the warnings and asks “So, what are you really going to do?”.

(Many of those children I fear will go on to become successful company managers).

My approach to parenting is mirrors in part by the approach that many European governments have taken to promoting improved driver safety and improved compliance with Road Traffic laws. These schemes impose a structured sliding scale of sanctions for different categories of offence. They often go hand-in-hand with the ‘nuclear option’ penalties of substantial fines and loss of driving licenses etc. My approach also mirrors the ‘Zero Defects Policing’ that famously made New York a safer place. And penalty points systems for road safety do allow an increased discretion for law enforcement between a stern talking to and on-the-spot fines or harsher penalties.

They also allow for lesser offences to be cumulative towards a larger penalty. This means that there is suddenly a constant pressure on the motorist to change behaviour. I link here to the Penalty Points scheme that operates in France. And here is the system from Ireland. And (so they don’t feel left out) the one from the UK. All of these systems operate on the basis that drivers who commit even small offences can have penalty points levied against them which add up and which stay levied against them (often with a financial penalty as well) for a period of time after each offence. This encourages longer term thinking. Because if you are on 9 points on your license in Ireland you will think twice about using your mobile phone while driving and having your license to drive revoked for a number of years.

With my daughter, there are some offences she commits as a toddler that will stay on her record until she is a teenager.

So, what has this got to do with Data Protection and proposed penalties that suck?

Penalty points schemes in motoring allow for a low impact, high frequency penalty for repeat offenders. The days of drivers taking chances with drink driving are now, gladly, fading in the rear view mirrors of most EU member states because there is a mechanism for wider enforcement of a range of offences in a quick, easy to understand way. Drivers take more care for fear not of a massive penalty but for fear of building up an accumulation of offences that will trigger a massive penalty over time.

By extending the application of the penalty over a longer period, it encourages more long term cultural change in driver behaviour to a more compliant set of habits and behaviours. And they are relatively easy to understand and communicate. If I drive while talking on my mobile phone in Ireland I know that I will get 2 points on my license and a €60 fine. I know I can challenge that in court but if I lose, I’ll have double the points and a €120 fine and I will be on my way to being disqualified from driving.

So I don’t use my mobile phone when driving.

In a Data Protection context a similar scheme could be implemented setting out minimum applicable penalties for a range of Data Protection offences such as failing to have a Privacy Statement/Fair processing notice on a website or failing to take appropriate measures to obtain verifiable consent for direct marketing, or failure to properly outline the fact and purposes of recording CCTV images. The list could be quite long.

This standard bill of offences and penalties could be standardised across Europe and could be at a low enough level that organisations would not be put off by the fines, but equally would be cumulative in nature so that a €480 fine for failing to apply a request to opt-out of direct marketing could quickly add up to a catalogue of offences that result in a €2million fine without any discretion on the part of the Data Protection Authority.

This scheme would give decision makers and Data Protection Officers in organisations a familiar framework to operate in when engaging in mental discounting and would put a floor on the penalty for breaches, just as the Regulation has raised the ceiling. This would change the dynamics of the economic discounting that we all do when faced with the risk of a penalty.

If the list of organisations against whom penalty points was levied in a given year was published (as part of the Annual Reports of Data Protection Authorities) it would also help organisations assess risks involved in choosing suppliers or partners. If an organisation is working through a large number of penalty points then perhaps the management culture isn’t mature enough to do business with, for example. Just like ‘boy racer’ drivers often rack up penalty points (and insurance costs) through immature driving habits.

While it would not bring the mountain any closer to the Data Controllers, it may bring them closer to the mountain.

This suggestion has featured in a number of reviews of the Regulation I have been involved in in Ireland and I wrote about it first as a thought experiment back in 2010. I hope you consider this as a transparent and flexible mechanism for the operation of administrative sanctions by Data Protection Authorities in the EU as part of the development of EU standards as a benchmark approach.

Combined with the enhanced penalties at the upper end of the scale (which repeat penalty point offenders would eventually reach), I believe this would be a fair, transparent, relatively easily administered system that would be easy for even the most ardent mental discounter to get their head around.

Yours

Daragh O Brien

In that post I decided to focus on the non-compliant behaviour of an organisation setting itself out as being the arbiters of compliance with copyright when it came to the data protection/privacy compliance obligations that they appear to either be unaware of or consciously ignorant of (I presume the latter).

I clearly stated that I wasn’t going to talk about the economic impact of inbound links to websites from the point of view of driving search engine relevance, getting sites onto the first page of Google, and generally providing a basis for establishing valuation models for on-line advertising.

It’s not my area of expertise, so I thought it best not to say anything.

But today I searched for “Newspaper Licensing Ireland” in Google.

I was pleasantly surprised to see that, apart from content by or directly about Newspaper Licensing Ireland, there were articles by Broadsheet.ie, McGarrSolicitors, and your humble scribe.

On page 1 of Google. In the top 6 things returned for that search string. In less than 24 hours.

What made this happen? Links. Lots of loverly links being spread through websites and social media networks like, as I described them last night, the “footnotes on the Internet”.

This is what helps drive traffic to websites, making them more valuable pieces of virtual real estate within which to place advertising.

Charging people a fee to put up a sign post to your shop makes no economic sense in the bricks and mortar world. It makes even less sense in online.

After all, links are more properly called “Universal Resource Locators” (URLs). And in this way they are exactly the same as sign posts. They tell people, uniquely, where to find a particular resource. Just like a footnote in book.

Will NLI start charging license fees for those as well? If so, I’m fudged completely as my last two books have LOADS of footnotes in them.

Personal Data is being processed via your website without an appropriate Privacy Statement and without any communication of the purposes for that processing. Furthermore, the failure to have such a privacy statement on your site which references the use of Google Analytics is a breach of Section 8 of the terms and conditions that apply to Google Analytics. Failure to obtain consent for the use of the cookies written by Google for the purposes of Google Analytics is a breach of SI336.

You are breaking the law; you risk exposing your company to investigation and prosecution, with financial penalties and brand damage ensuing. Processing personal data without it being obtained fairly for a lawful purpose, and writing 3rd party cookies without consent is illegal and breaches a fundamental Human Right in the European Union.

What do you think?

I may be over egging it a little. I need a cup of tea now and a good sit down.

I will ignore the fact that this action seems to be in ignorance of the way the Internet works, particularly with regard to search engine optimisation and page ranking where relevance and significance of content, and hence it’s positioning in Google searches and the value of the real-estate for on-line advertising purposes. I’ll ignore how the use of links simply tells people to “look over here – I found this interesting, so you might to”. I’ll ignore the fact that links are effectively the footnotes on the Interweb that tell people where your source was for a thing. 

(But if you do want to actually understand this aspect, the Wikipedia entry on Search Engine Optimisation has a reference to the Google PageRank algorithm and how it works (at a high level). And Dr. Cathal Gurrin in Dublin City University did his Doctoral thesis on the topic.And I’m sure someone somewhere has done an economic analysis of link density [the number of inbound links to a site] but I can’t be bothered to look for it tonight.)

What I will talk about here is the fact that, when I went to the NewsPaper Licensing Ireland site (which I won’t link to… just in case) to see what the potential cost to an SME with 0-10 employees would be. I still don’t know the answer.

I’d expected a form that would take certain inputs and churn them around to spit out a ball park figure. I’d expected to see something that would relate the license cost to, for example, the average hits or distinct site visits on the SME company site per month (to make the cost meaningful as those stats are the foot fall of the Web).

What I didn’t expect was to be asked for a contact name and the name of the company on that form. Company name I’m not to concerned about. But the contact name…

…that’s personal data. Therefore under s2 of the Data Protection Acts it must be obtained for specified and lawful purpose and must be fairly obtained. So I went looking for a Privacy Statement (there was none). So I turned on my cookie checkers to see what was being written by the site to my device wot is connected to a public communications network (and therefore would be a cookie within the meaning of SI336 and as such would require consent unless necessary for the service I’m trying to avail of).

My tools revealed that NLI are using Google Analytics on their site. In a manner which is in breach of the Terms and Conditions of use for Google Analytics which state very clearly in Section 8:

8. PRIVACY

8.1 You will not associate (or permit any third party to associate) any data gathered from Your Website(s) (or such third parties’ website(s)) with any personally identifying information from any source as part of Your use (or such third parties’ use) of the Service. You will comply with all applicable data protection and privacy laws relating to Your use of the Service and the collection of information from visitors to Your websites. You will have in place in a prominent position on your Website (and will comply with) an appropriate privacy policy. You will also use reasonable endeavours to bring to the attention of website users a statement which in all material respects is as follows:

“This website uses Google Analytics, a web analytics service provided by Google, Inc. (“Google”).  Google Analytics uses “cookies”, which are text files placed on your computer, to help the website analyze how users use the site. The information generated by the cookie about your use of the website (including your IP address) will be transmitted to and stored by Google on servers in the United States . Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity for website operators and providing other services relating to website activity and internet usage.  Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google’s behalf. Google will not associate your IP address with any other data held by Google.  You may refuse the use of cookies by selecting the appropriate settings on your browser, however please note that if you do this you may not be able to use the full functionality of this website.  By using this website, you consent to the processing of data about you by Google in the manner and for the purposes set out above.”

The emphasis in bold is mine. What Google requires is for people using GA to put in place a Privacy Statement but that that Privacy statement needs to clearly detail the use of Google Analytics, the fact of data transfer to the US, the purposes to which the data will be used etc.

NLI have no such Privacy statement, and no such text, so no mechanism to confirm my consent to the cookies that are being written by Google Analytics.

So, the site is operating in breach of SI336 and Google’s terms and conditions, and is effectively breaching contractual conditions governing the use of Google’s services and the fundamental right to Personal Data Privacy as enshrined in Article 16 of the Lisbon Treaty.

All of which I’d never have considered looking at at all if they weren’t sending threatening letters to a charity that exists to help and protect women experiencing domestic violence.

1. Early consultation with the Data Protection Commissioner to identify and mitigate Data Protection risks in the Household Charge legislation
2. Early consultation with the Data Protection Commissioner to ensure that appropriate mechanisms for data sharing were given effective legislative support within the Household Charge legislation
3. Ensuring clarity about the current and proposed future uses for the (significant) amount of data which is being gathered as part of the registration process
4. Ensuring that the use of PPS Numbers as part of the registration process was clearly and demonstrably being approached in a manner that complies with the requirements of the Social Welfare Consolidation Act 2005
5. Ensuring clarity about who the Data Controller is for the Household Charge scheme (it appears to be de facto the Department at this point, despite the text on the Privacy Statement on their website).
6. Communicating early and often with the public about the charge, its legal basis, the purposes to which data that is being collected will be put to etc. etc.

Instead we have a Minister announcing on national radio that the Government is backing him in reviewing all relevant legislation, including the Data Protection Acts, to allow the Household Charge to be collected. Thankfully the Data Protection Commissioner’s rebuttal of that utter nonsense has been getting more air time since, but I thought it might be worth a quick examination of why the Minister’s comments were total poppycock.

1. The right to Personal Data Privacy, and the existence and role of the Data Protection Commissioner is actually required under Article 16 of the Lisbon Treaty. Since 2008 this has been the basis for the right to personal data privacy which is supported by the Data Protection Acts. Any change to the Acts would need to take in to account the fact that A16 of Lisbon has written these rights (and the role of the Data Protection Commissioner) in to our Constitution. So tinkering with the Data Protection Acts could actually give rise to a constitutional or EU Treaty obligation issue if it’s done carelessly.
2. The Data Protection Acts were not thought up by the Mandarins of the Dept of Justice. The 1988 Act was our enactment of obligations under a European Convention (aka Treaty 108) governing the protection of privacy of personal data and allowing for cross border flows. The 2003 Amendment Act gave effect to Directive 95/46/EC. It gave affect 5 years late. Ireland actually faced sanction by the European Commission for being so late implementing the Directive into national law.

So, in making changes to the Data Protection Acts (which the Data Protection Commissioner rightly says are NOT needed) to make it easier for the Government to comply with the Acts (by removing the tricky bits that basically require joined up thinking, forward planning, and robust governance and controls I suspect), the Minister risks breaching our obligations under an EU Directive (95/46/EC) at a time when the European Commissioner responsible (Vice President of the Commission Vivane Reding) is pushing the boat out on the newly proposed EU Data Protection Regulation which contains further measures to strike appropriate balances between the rights of the individual to privacy and the entitlement of companies and Governments to process personal data.

Unless Minister Hogan is proposing to implement pre-emptively the protections and provisions of the EU Regulation I would suggest that tinkering with the Data Protection Acts would be a costly and embarrassing #FAIL for the the government.

1. It would risk breaching of the obligations under Article 16 of the Lisbon Treaty if the legislation was to be invasive of personal data privacy.
2. It would make a nonsense of the Government’s arguments put forward by Sean Sherlock TD during the #sopaireland debate that the State is bound to implement fully EU Directives. Tinkering with the Data Protection Acts to weaken their protection of personal data privacy flies in the face of the Directive. The Government’s policy needs to be consistent otherwise it will be apparent that the #sopaireland SI had nothing to do with implementing a European Directive, if Directives can be ignored for national reasons (interestingly the scale of variation in national laws for Data Protection is the reason why the Commission has proposed a regulation this time around – direct effect, so no tinkering allowed).
3. Any weakening of Personal Data Protections would be open to question by the Commission on the grounds that there is a clear policy statement from the Commission on Personal Data Privacy in the form of the proposed Regulation, and it is not going the way of a dilution of the individual’s rights. The changes Minister Hogan alludes to (which, I must stress ARE NOT NEEDED and have not actually been set out as a proposal other than as part of a response to a question to the Minister) would actually need to increase the governance and controls over sharing of personal data and ensuring compliance with the new “transparency” requirements under the new Regulations to avoid being viewed as a retrograde step in Ireland’s compliance with a well established EU Directive. Any other form of change to a legal framework that is working (albeit with room for improvement) and which does not prevent the Government doing things if they actually plan for them and put them in a proper Governance framework of process, protocols and correct joined up legislation, would be a hard sell to the Commission (for that read ‘Fricking impossible sell’), at a time when we have other things to be spending diplomatic efforts on, particularly given the philosophical and historical roots of EU Data Privacy policy.

Frankly I think Minister Hogan should stop trying to change the laws that are working and doing their job and focus on ensuring that the laws he is responsible for work and do their job and that the necessary processes, governance, joined up legislation, and controls to make sure that the execution of Government policy happens in compliance with the relevant legislation.

It would be an easy reach for me to pose the question of how the citizens should feel when a Minister in a right of centre party is seriously contemplating diluting fundamental rights to personal data privacy that have their ultimate roots in the actions of a previous right of centre political movement in Europe. But I won’t, because Minister Hogan obviously isn’t seriously contemplating anything of the kind, given the very real barriers that would be in place to such a course of action. He obviously mis-spoke on the radio yesterday but hasn’t had a chance to correct his mistake yet.

What I would hope he does is ensure that the next steps of the Household Charge and any subsequent policies and legislation are enacted in a way that avoids the overworked and under-resourced Office of the Data Protection Commissioner having to field calls and queries from concerned citizens. Designing Privacy controls and respect for personal data rights into the processes from the beginning is the way to achieve this.

In short:

• The Data Protection Acts don’t need to be changed (but other legislation might need to be improved – so DP concerns should be considered at drafting stage in future)
• Changing the Data Protection Acts, unless its to bring things in line with the proposed Regulation early, would create potentially significant legal and political challenges for the Government given the specific rights to Personal Data Privacy in the Lisbon Treaty and the fact that the Data Protection Acts implement EU Directives.
• Minister Hogan was not seriously proposing a dilution of the rights to data privacy of the individual which are enshrined in the Lisbon Treaty. He must have misspoken.
• Privacy by Design is a good way for Minister Hogan to avoid creating expensive calls on the Office of the Data Protection Commissioner and free up resources in the DPC to deal with policing other processors of personal data with their small number of staff (22) and their small budget (€1.2 million).

• Your name
• Your credit card or bank details
• Your mobile phone number
• Your home address
• Your email address
• A copy of your signature

and a range of other personal data. Which I wrote down on a piece of paper and stuck in my bag before thanking you and walking off.

Chances are I wouldn’t get very far in gathering that information. Your natural sense of risk would (or should) kick in. Chances are you’d call the police on me.

But imagine that scenario again with one small change. I’m wearing a polyester jacket with the logo of a charity on it and I’ve got an ID badge hung around my neck and a backpack. What would you do then? Hey, I’m collecting for a charity.

I am a charitable person. I like to support good causes and I like to contribute as much as I can when ever I can to such causes. But I’d say no to me because  of my personal sense of Information risk.

Others base their dislike of Chuggers (Charity Muggers) on the methods that some use to get people to sign up, methods which are often the result of the commission or quota based systems that some of these people work under (and I’ve content elsewhere about why quotas are a BAD idea in the delivery of quality service). Of course, these are methods which charities who use this means of fundraising disavow all knowledge of and disown completely, but which I have witnessed.

My avoidance of chuggers is based simply on good Information Security practice. I don’t like the idea of my data being in a bag around someone’s neck or a plastic zip-lock folder, in a public place.  From a Data Protection of view I’d rather not have to have a real-world test of the compliance of the organisations that run these collection methods with things like the Data Security Breach Code of Practice or the requirement under S2 of the Data Protection Acts to take reasonable and appropriate steps to ensure the security of personal data. Particularly not with my data. The data that is obtained by Chuggers is Personal Data within the meaning of the legislation as it is data that has been obtained with the intention of processing it electronically or of filing it in a relevant filing system, ergo it needs to be treated with care.

I’ve advised clients in the non-profit sector of the potential for brand damage arising from something as simple as one of their Chuggers being mugged and their bag being stolen… or to put it another way: the temporary storage location of an array of personal data. I’m not saying don’t use the method. What I’m saying is your controls need to be very tight.

Among the controls that need to be in place is appropriate training for staff on Data Protection. I’m not sure if such training is happening as many of the techniques I’ve seen or heard of being used to get people to stop could actually be construed as being contrary to the requirement for consent to processing of data to be freely given. That said, a volunteer for one charity came on a Data Protection course I taught a few years back and they stopped using chuggers afterwards.

If the UK experience is anything to go by, my risk aversion is justified. The ICO there has investigated charities for loss of data. It is inevitable that similar will happen here, if it hasn’t already (but if it has I can’t find a reference to it on the Data Protection Commissioner’s website). The root cause in the UK case I link to was a lack of training and awareness that lead to a loss of data.

So how should your chugger experience go? Well, first of all you should know what happens to all this information you have just given them. The chugger is meant to either give you a data protection statement to read or explain to you who will be processing (using) your information, who they will share it with and also give you the chance to say you do not want them to pass it on to anyone else. They should also make sure that once you have signed the form to agree to what you want to do, the form is kept safe and secure, rather than what normally happens where they add it to some others in a plastic folder or clipboard they are holding.

My advice to anyone accosted by a chugger is: if you can’t get away, ask politely for a copy of the charity’s form for you to fill in at your leisure. If they don’t give it to you take their name from their ID badge and report them to their Charity and if the Charity doesn’t take it seriously report it to the Data Protection Commissioner. (If they don’t have an ID badge, assume they are not representing a charity and you’re about to be mugged – react accordingly).

My advice to any Chugger who is careless with their folder or is mugged for their bag… notify your Charity immediately. The Charity should notify the Gardaí as well and make sure they know that there was personal and financial data stolen/mislaid. The charity should also notify the Data Protection Commissioner. As the paper work will not have been processed you won’t be able to notify the Data Subjects directly (as is required under the Code of Practice) so they will likely have to put out a public statement about the loss of data to alert people who have given their details to the risk of identity theft.

Personally, I make my donations either on-line (and I look for PCI compliant payment processors and HTTPS security on the donation page) or over the phone. I have never and will never donate to a charity by means of a chugger, and when faced with a choice I will opt for a charity that doesn’t use them.

At my suggestion, Dolan O’Hagan (the editor) provided the text of the clarification (which ran in the print edition two weeks ago but never made it online until today) for me to post here to close the loop so to speak. I’ve made the font bigger for the quote so that the text can be more clearly seen.

In an article published on January 16 headlined "Public decries closure of embassy to the Vatican" it was stated in the opening paragraph that  the embassy closure "was met with overwhelming opposition from the public with over 93% criticising the move".
The Irish Examiner would like to clarify that it was, in fact, 93% of those who had written to the Dept of Foreign Affairs in the immediate aftermath of the announcement who had voiced opposition to the move – a fact reflected later in the story but not in the opening paragraph due to a copy review error.

While I differ slightly on the claim that the latter part of the story reflected accurately the level of actual uproar about the Vatican closure (I feel that the section in question required some close reading to understand the actual sample size involved which the 93% referred to), I welcome the statement from the Irish Examiner that does go a substantial way to clarifying the issue. I look forward to seeing the promised amendments and clarifications in the on-line edition soon, and once that happens I’ll be gladly closing my complaint with the Press Ombudsman.

Of course, there is an important lesson for anyone producing information that is distributed through multiple outlets – an error may need to be corrected in a timely fashion in multiple locations. As such you will need to know when and where that information was disseminated and what control you have over getting the facts corrected.

(Indeed, under the Data Protection Acts if a Data Controller is informed of an inaccuracy in personal data they have to inform anyone they shared that data with in the previous 12 months who in turn must notify anyone they shared it with etc. Frankly it’s turtles all the way down until the data universe is as correct as it can be made).

Now my hope is that, with the correction on the part of the Irish Examiner, the other publications which picked up the 93% rallying cry will in turn correct their copy so that it reflects the reality of the situation, not hyperbole caused by an error in review.

In my professional capacity I am a member of a number of professional associations and have a number of professional certifications, all of which have an ethics element which, amongst other things, requires me to respect copyright and to give credit to the works of others when I am using them.

As a presenter I’ve experienced flying in economy class to far flung places to see the person in front of me on the agenda ripping off the presentation I was just about to give because he’d come into possession of an earlier version of my slides from a previous event (in that case I just changed my presentation and explained to the audience why while the guy sat in the front row looking for an emergency exit – perhaps repeatedly saying how much I agreed with his points might have been laying it on to thick).

But the SI that is about to be signed into law is just nuts, aimed solely in my opinion at propping up a dying business model in which KPI indicators that were perfectly valid 10 years ago are falling and rather than pull the levers and turn the knobs in their own business model and evolve, an industry lobby is seeking to pull levers and turn knobs in society as a whole and create a time machine that puts the smoke of 20 years of technology evolution back in the bottle.

I teach and consult on-site with clients. I have also been published in dead-tree formats. e-learning and on-line tutorials and coaching, blogs, internet based publications, e-books all challenge that business model. So is my response to lobby hard for legislation and burn cash in litigation to reverse the universe? No. I’m not a moron. I embrace the opportunities for new business models that the Web provides. I look to build a Platform Business (to borrow from my friend Phil Simon) and I seek to develop new ways to distribute and monetise my services and my knowledge. (So expect to see some things developing from my business over the next few months)

That the Irish Music Industry has strong armed the Government into rushing bad law in in a bad way is irksome in the extreme. That a mortally wounded industry has been able to bully (and yes, I do feel that the approach taken amounts to bullying) a Government into bringing in legislation of a kind that a vibrant and growing industry sector (that would be the Interwebs and Cloud) had lobbied and campaigned against successfully in the US only a few weeks ago galls me. That it is happening when the legal position in Europe has evolved and the clear message from TWO EU Commissioners (including the Vice-President of the Commission) is that Internet Blocking is not an option in Europe (ergo the Commission would be unlikely to penalise Ireland for not having it in place) just sickens me.

But what really sticks in my craw is the pantomime of a Dail debate that we saw last night which makes a mockery of parliamentary democracy in this country. A debate where a perfectly workable alternative piece of legislation that achieves largely the same objectives while balancing the needs and interests of the ISPs (who were NOT consulted or engaged with when the original SI was being prepared) was basically ignored.

The debate highlighted how out of touch with their electorate the Government is. Dismissing people who WRITE to you as “key board warriors” is insulting and disingenuous to say the least. I am a keyboard warrior and proud of it. I use my keyboard to effect change in organisations, educate and inform. It is my TOOL. Just as my grandfathers’ tools were pens and typewriters (for one) and trowels and plaster (for the other). My keyboard (and my website) is my own personal printing press with a scope, scale, and reach that Guttenberg could never have imagined.

Bad law, introduced badly, by people who don’t grasp the basics of what they are seeking to regulate and control, with an arrogant dismissiveness of comment and debate from the political class (with notable exceptions) has the makings of a total trainwreck.

As an aside, when I first raised concerns last year about the Fine Gael website I was dismissed  as being “only a blogger”. This keyboard warrior was right, so the track record of arrogant dismissiveness from Government parties has not been good on things internet related.

So I contacted my Government party TDs by phone this morning to express my dissatisfaction. If my keyboard won’t be listened to then I’d better start using my voice.

The 30 seconds kicks in as soon as you’ve finished reading this post.

The discussion around #stopsopaireland has focussed on the impact that internet blocking would have on fundamental rights of freedom of expression, and the EU legislative and policy frameworks and case law that exist to support that right and ensure it is protected in a balanced way.

There is another right that is important. The right to Privacy. In particular the right to Personal Data Privacy which is set out in Article 16 of the Lisbon Treaty. It is this Article that provides the basis for the EU’s Data Protection regime, changes to which were announced on Wednesday. Those changes will take a number of years to come into affect, assuming they are not bastardised and watered down beyond all recognition by national parliaments or the European Parliament responding to lobby groups.

But a functioning Data Protection framework is in existence day and it is policed in Ireland by the Data Protection Commissioner. Already this year they have engaged with the Dept of the Environment regarding the Household Charge database and with Dublin City Council regarding the transfer of personal data from Dublin City Council to a private company. And let’s not forget their audit of Facebook last year. And that’s just the high profile stuff that gets in the media. In my professional context I’m aware of the significant number of complaints they help people with each year as they strive to promote compliance with the Data Protection Acts in an increasingly complex information management environment and a financial culture where organisations and governments are trying to to less with more and often cutting the wrong corners in the process.

The Office of the Data Protection Commissioner serves the individual citizen, helping them with advice regarding their rights and acting to investigate and prosecute breaches of those rights. They also serve the Organisation (be that a Government department, a large multi-national, a local football team, or a student company selling jumpers on-line) providing education and advice (when asked) as to what steps should be taken to ensure the right balance is struck between the goals of the organisation and the rights of the individual. They don’t deal with just one sector of the economy. Anywhere personal data is being processed they have a role to play.

Saturday 28th January is World Data Privacy Day. It is one day in the year where Data Privacy is celebrated. Companies and regulators around the world have planned activities and events to celebrate the day (see here and here), but in Ireland it seems to be just another Saturday. Some of you might say that the Data Protection Commissioner should have lead the charge on this but, to be frank, they are under resourced in terms of numbers and budget and need to prioritise their efforts and energies to dealing with the actual and alleged breaches of people’s rights that come through their inbox every day.

So, to celebrate World Data Privacy Day 2012 I’m asking you to write an email to your TD, Minister, or other elected official asking them to comment, tweet, or in some other way make public

1. Their support for the principles set out in the Data Protection Acts and the proposed revised EU Regulation on Data Protection
2. Their commitment to ensuring the Office of the Data Protection Commissioner is properly funded and resourced to allow it to execute its duties under the Acts and the Lisbon Treaty in an effective and truly independent manner.
3. What one thing they will do by January 2013 to improve their personal knowledge of the Data Protection regulations.

I’ve even put sample text below so you can just cut and paste it. You can use the great contact form at Contact.ie to bulk contact your elected representatives (while you are there, why not donate to support the site), or you ca nmake the message personal and send it yourself from your own computer/phone/device/smoke ring maker. Heck, if you want to phone them or tweet them directly about this fire ahead.

+++ email text

Dear Sir/Madam

I write to you on the occasion of World Data Privacy Day, which is being celebrated globally on Saturday the 28th of January (mark your diary, it’s the same day next year).

Personal rights, particularly personal rights in relation to information and personal data, have been in the media a lot this past month. Much of the coverage could have been avoided had proper attention been paid to the requirements and obligations under the Data Protection Acts 1988 and 2003 which apply equally across a wide range of industry sectors, including Government

To celebrate World Privacy Day I would ask you to consider issuing a statement either by traditional press release, a blog post, or a tweet, that will tell your electorate where you stand on the following questions:

1. Do you support the principles set out int he Data Protection Acts and in the proposed revised Regulation on Data Protection announced this past week by Vice President of the European Commission Viviane Reding?
2. Are you committed to  ensuring the Office of the Data Protection Commissioner is properly funded and resourced to allow it to execute its duties under the Acts and the Lisbon Treaty in an effective and truly independent manner, as is required under EU Directive and the Lisbon Treaty?
3. What one thing will you do by this time next year to improve your personal knowledge of the Data Protection regulations.

Of these three questions, the second is one I feel is important.  Personal data is the currency of the new economy and it is a valuable commodity. The Regulator for the Personal Data Industry is the Data Protection Commisioner. One of the key lessons of the Financial crisis is that for a Regulator to be effective they must be correctly resourced and independent of Government or industry influences.

I appreciate your time on this and look forward to seeing your press release, blog post, or tweet expressing your support for #DataPrivacyDay, the principles of Data Protection, and the office and role of the Data Protection Commissioner.

====ends===

If you get responses please post a comment below so I can see what uptake (if any) there has been from our political classes.

Oh yeah, and it is being done by Regulation which means the rules will be the same across the EU.

But at its heart the fundamental principles remain the same. Organisations who seek to process personal data of individuals need to make sure that the ‘deal’ is fair. After all, to paraphrase Commissioner Reding’s comments at the DLD conference in Munich earlier this week

Personal information is the currency of the Information Age

And as with all markets where items of value are traded, checks and balances need to be in place to ensure the asset is valued appropriately and treated with care. Hence the focus in the new Regulation on concepts such as Privacy by Design, ensuring appropriate training of staff, specific requirements re: organisational governance and internal controls and clarity of documentation about the meaning, purpose, and methods of use of personal data. There is an economic trade off required to obtain the thing that is of value. That trade off is good management of Personal Data through the life cycle of the Information Asset.

As a Data Governance and Information Quality guy I’m glad to see that the legislators in my third area of passion have finally caught up with the need to ensure organisations have defined Quality Systems with defined decision rights and accountabilities over Information as an Asset.

So, while many of the rules are new, their roots are old. Based on my reading of the version of the Regulation that was leaked just before Christmas revealed a Regulation with one foot in the camp of Fundamental Human Rights (and the trade offs that need to be made there for economic activity to take place) and the other firmly in the camp of Quality Management practices and principles, with a clear focus on creating a Constancy of Purpose in management towards the goal of striking a sensible balance and ensuring a fair deal in the processing of personal data.

And that is where the problem begins.

There is a window now for national governments and the European Parliament to make contributions to the Regulation. Many in national government and the EP will make sensible contributions that will evolve the framework and make it easier to implement in practice.

However, in a month where one Government Minister acted in blissful ignorance of the Data Protection Acts one week, another flew a policy kite that would require an illegal extension in scope of the database being built by the first Minister, and where the unelected officials of the largest City Council in the country appear to be unable to point to the legitimate grounds on which they transferred the personal data of over 100,000 residents to a private company, I hold out little hope of sensible debate and dialogue from the Irish body politic.

In a month where we greeted the year (for the second year in a row) with a story about poor planning of projects involving personal data (both under the stewardship of the same person) I hold out little hope of sensible engagement from the Irish body politic.

And in a month where the reversal of a bad law to control copyright on the Internet (SOPA) after leading websites across the world “went dark” we find a Junior Minister of the Government, in the Department that is in charge of attracting and retaining exactly those companies who opposed the US law, seeking to implement a similar law by Statutory Instrument with no debate or discussion, even after the legal position and EU policy position has changed in relation to Internet blocking, and only the opinions of the dying industry this law would protect seem have been sought in advance, I hold out little hope for the Irish Body Politic not to make an arse of this.

And as for the Irish media… with a few notable exceptions the absence of attention to Data Protection issues (except where it involves embarrassing a Government Minister and the copy can be lifted from this blog) is staggering. So yet again I hold out little hope of sensible engagement.

Adapting to the new Data Protection landscape will require individuals to change their mind set. But I fear that the entrenched attitudes in the body Politic and the traditional media may be such that Ireland (the little nation that faced trade sanctions in 2003 for not implementing Directive 95/46/EC by 1998 as we were required to) will fail to step up to the plate and drive the change in thinking and attitude necessary to achieve sustainable and sustained change in Data Protection practices in Ireland.

W. Edwards Deming wrote in his famous 14 Points for Transformation that it was essential for the transition that organisations “Institute Leadership”. I see precious little leadership in this area from our politicians and only dazzling pin-pricks of illumination from the main stream media. So I must keep my hope guarded in the face of the likely knee jerk reactions against the changes and the almost inevitable white noise of ignorance until the Regulation passes into law with a direct effect sometime in 2014.

Prove me wrong. Please.