Household Charge – A Data Protection kerfuffle in the making?

It’s time for my annual “roll a data protection hand grenade under something” blog post. Every year I try to be topical. And I try to apply a similar approach to spotting risks and getting them on the table for discussion as I do when conducting Privacy Impact Assessments or Compliance reviews. Only I’m less formal here.

This year my interest has been piqued by the new Household Charge which the government has introduced. Citizens are required to register for this tax at a specific website which is ostensibly (from the logo header) under the control of the Department of Environment Community and Local Government.

But a number of things about this whole process rankle with me from a Data Protection point of view. Let me be clear – I am not opposed per se to a property tax. I think however it should be fair and should reflect not just the value of property but the ability of the individual to pay. After all, in Ireland we have a generation of people living in properties that are worth a lot less than they were when purchased with people struggling to pay mortgages – increased charges are yet another burden that should be levied carefully.

The website

Cookies

Looking at the website the first step is to check for compliance with SI336 (ePrivacy Directive) which requires that cookies can only be used with consent unless the cookies are necessary for the delivery of the information age service that the individual is seeking to avail of. Using the “View Cookies” add on in Firefox it is possible to see a listing of the cookies that a website is writing to your device.

On the home page a set of cookies starting with “_utm” are being written. These are tracking cookies written by Google Analytics, the popular analytics tool used by millions of websites the world over.

No mention is made in the Privacy Statement that accompanies the website about their use of Google Analytics [Update: The privacy statement was updated this afternoon to include the text referenced below… well done to whoever acted on that to fix it]. This is a breach of the Terms of Use of Google Analytics, which clearly state:

8. PRIVACY

8.1 You will not associate (or permit any third party to associate) any data gathered from Your Website(s) (or such third parties’ website(s)) with any personally identifying information from any source as part of Your use (or such third parties’ use) of the Service. You will comply with all applicable data protection and privacy laws relating to Your use of the Service and the collection of information from visitors to Your websites. You will have in place in a prominent position on your Website (and will comply with) an appropriate privacy policy. You will also use reasonable endeavours to bring to the attention of website users a statement which in all material respects is as follows:

“This website uses Google Analytics, a web analytics service provided by Google, Inc. (“Google”). Google Analytics uses “cookies”, which are text files placed on your computer, to help the website analyze how users use the site. The information generated by the cookie about your use of the website (including your IP address) will be transmitted to and stored by Google on servers in the United States. Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity for website operators and providing other services relating to website activity and internet usage. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google’s behalf. Google will not associate your IP address with any other data held by Google. You may refuse the use of cookies by selecting the appropriate settings on your browser, however please note that if you do this you may not be able to use the full functionality of this website. By using this website, you consent to the processing of data about you by Google in the manner and for the purposes set out above.”

The emphasis in bold is mine. What Google requires is that people using GA put in place a Privacy Statement, and that the Privacy Statement clearly details the use of Google Analytics, the fact of data transfer to the US, the purposes for which the data will be used, etc.

The Privacy Statement on HouseholdCharges.ie does not do this.

Because the Privacy Statement on HouseholdCharges.ie doesn’t do this I would argue that, even on the first visit to the site, before you type anything, the site is operating in breach of SI336 as there is no means by which a user would be able to find information about the cookies that are being written and provide consent other than by blocking cookies entirely using their browser.

This is despite the admittedly very clever use of URL redirection as an alternative path for people to navigate the site if they have turned cookies off in their browsers. But the wording around this in the Privacy statement ignores that the site actually writes third party persistent cookies from Google, and Google requires them to tell you that (as well as SI336).
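The first-visit check described in this section can be scripted. The following is an added example, not part of the original post or of the site's code: it takes a cookie listing like the one a cookie viewer shows, skips an auditor-supplied allow-list of strictly necessary cookies, and reports analytics cookies written before consent along with whether the privacy statement mentions Google Analytics. The cookie rows, host names, the `JSESSIONID` allow-list entry, the capture date and the statement text are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class Cookie:
    """One row of a cookie listing, as a cookie viewer would show it."""
    name: str
    host: str
    expires: Optional[datetime]  # None means a session cookie


def is_analytics_cookie(cookie: Cookie) -> bool:
    # The post identifies the Google Analytics cookies by their "_utm" name
    # prefix; strip leading underscores so "_utmX" and "__utmX" both match.
    return cookie.name.lstrip("_").lower().startswith("utm")


def audit_first_visit(cookies, privacy_statement, captured_at, necessary_names):
    """Audit cookies captured on the first page load, before any consent.

    Returns one finding per cookie that is not on the strictly-necessary
    allow-list, plus whether the privacy statement names Google Analytics.
    """
    findings = []
    for c in cookies:
        if c.name in necessary_names:
            continue  # exempt: needed to deliver the requested service
        lifetime = None if c.expires is None else c.expires - captured_at
        findings.append({
            "name": c.name,
            "category": ("google-analytics" if is_analytics_cookie(c)
                         else "unclassified"),
            "persistent": lifetime is not None and lifetime > timedelta(0),
            "lifetime_days": None if lifetime is None else lifetime.days,
        })
    discloses_ga = "google analytics" in privacy_statement.lower()
    analytics = [f for f in findings if f["category"] == "google-analytics"]
    return {
        "findings": findings,
        "discloses_google_analytics": discloses_ga,
        # Analytics cookies written before consent, with nothing in the
        # statement to tell the user, is the situation the post describes.
        "undisclosed_analytics": bool(analytics) and not discloses_ga,
    }


# --- Constructed sample input (not captured from any real site) ---
CAPTURED_AT = datetime(2012, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_COOKIES = [
    Cookie("JSESSIONID", "www.example.test", None),
    Cookie("__utma", ".example.test", CAPTURED_AT + timedelta(days=730)),
    Cookie("__utmb", ".example.test", CAPTURED_AT + timedelta(minutes=30)),
    Cookie("__utmc", ".example.test", None),
    Cookie("__utmz", ".example.test", CAPTURED_AT + timedelta(days=182)),
]
NECESSARY = {"JSESSIONID"}  # hypothetical allow-list chosen by the auditor
STATEMENT_BEFORE = ("For general web browsing we may capture the logical "
                    "address of the server you connect from.")
STATEMENT_AFTER = (STATEMENT_BEFORE + " This website uses Google Analytics, "
                   "a web analytics service provided by Google, Inc.")


def run_sample():
    """Audit the same cookie capture against both statement versions."""
    before = audit_first_visit(SAMPLE_COOKIES, STATEMENT_BEFORE,
                               CAPTURED_AT, NECESSARY)
    after = audit_first_visit(SAMPLE_COOKIES, STATEMENT_AFTER,
                              CAPTURED_AT, NECESSARY)
    return before, after


if __name__ == "__main__":
    before, after = run_sample()
    for f in before["findings"]:
        print(f)
    print("undisclosed before update:", before["undisclosed_analytics"])
    print("undisclosed after update: ", after["undisclosed_analytics"])
```

Adding the disclosure text clears the "undisclosed" flag only; the cookies are still reported as written before consent, which is a separate finding.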

Privacy Statement – Fit for Use?

Another concern I would have is with the loose wording and phrasing in the Privacy statement. The Data Protection Commissioner’s Audit report on Facebook cautioned strongly against the use of open-ended consents and non-specific purposes. Yet here we see clear examples of this within this Privacy Statement.

Well, actually we don’t. There is no statement about the purposes for which the data is actually being processed. And that’s just the beginning of it.

IP or Not to IP, that is the question.

The Privacy statement proclaims that for “general web browsing” they may capture the “logical address” of the server you connect to the site from. Unless I am horridly mistaken that is the IP address. And that would be the IP address assigned to your broadband connection. Which is Personal Data, as eircom have recently found out. And there is no ‘may’ about it. The data is captured by Google Analytics (see above) and any other stats tools the Department might have.

So. Personal data is being processed even if you are just browsing. The Privacy statement is misleading in this regard and should be clarified.

Who’s the Daddy.. I mean Data Controller?

Frankly this thing is a mess. There is a horrendous lack of clarity about who is actually governing the processing of the data. Is it the Department (as it appears from the top right hand corner of the website)? Is it the LGMA (the collective IT department for most Local Authorities)? Is it the Local Authorities (as was set out in the legislation)?

Or to put it another way… who would the Data Protection Commissioner expect to get a call from if there was a security breach relating to this data?

If the Department is defining the format and structure and purpose of the data, they are the Data Controller as per the Article 29 Working Group Opinion 1/2010 (http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2010/wp169_en.pdf).

Local Authorities collecting revenues on behalf of the Department would be Data Processors. The LGMA, as an entity acting to provide support services to Local Authorities would be a Data Processor (albeit further down the chain of processors).

What contractual or similar arrangements are in place governing this processing? Is there a clear governance structure established to ensure that breaches or problems are identified and dealt with in a timely manner?

What I’d have expected to see would be something along these lines:

This Household Charge is being administered by the Department of the Environment (the Data Controller). It is being collected on behalf of the Department by Local Authorities (Data Processors). As part of the support functions they provide to Local Authorities the Local Government Management Agency is providing hosting and technical support services for this collection facility, also as a Data Processor. REALEX payments are providing a secure payment processing facility that is certified to ISO27001 and meets the PCI-DSS security standards for credit card security.

Funds will be disbursed from the Department to each Local Authority as part of their budgetary allocations during the year.

It’s a bit clearer who is doing what. But the question is whether that actually matches what the enabling legislation for this charge actually said.

Don’t tell me the what, show me the why?

The Privacy Statement tells me that

Data collected on this site is gathered for the purpose of processing household charge payment transactions. This data may be reused in future years for notifications regarding liability for household charge properties.

So the purposes for which the data is being processed are:

  1. Processing a payment for the charge this year.
  2. Sending a bill to me for the charge next year.

No other purpose (statistical, strategic, or operational) is put forward for the processing of the information which is requested by the site.

What information is required to send me a bill?

  • My name
  • My postal address
  • My email address (should be optional if I don’t want to rely on electronic billing)

Which begs the question: why is my PPSN being requested, given the particularly protected status of the PPSN in Irish law, a position I know from a client engagement last year that the DPC takes VERY seriously indeed?

Quite apart from the limited scope that exists under Irish law to actually ask for and process a PPSN (which affects the “lawful purpose” of processing), the simple question under the Data Protection rules is this: given that it is not necessary to have my PPSN to process a payment and send me a bill next year, why is this information being asked for?

If there is a secondary purpose (such as the development of a Property register which can be used as the basis of a valuation system in subsequent years) this should be stated as a specific secondary purpose in the Privacy statement.

If Facebook is not permitted to be sneaky with Scope Creep in their Privacy Statements, the Government should not be either.

I’ll post more on this as I get time to poke around a bit more.

‘Tis the Season to make Data

Ok. Time for a little festivities here on the blog while I oversee (yet another) attempt to migrate the company website to a faster server for 2012.

When I was Director of Publicity of the IAIDQ one of the challenges at this time of the year was preparing the end of year email blast to members and our supporters. The challenge came in the fact that we were dealing with a variety of countries and cultures as an International organisation, and as an organisation that has Community and mutual respect as core values we didn’t want to piss anyone off by expressing Festive cheer in an overly Anglo-Saxon Christian-orientated manner.

After all, even Atheists eat turkey, visit friends and watch classic movies at this time of year.

This year, having spent a few sessions helping a client prepare a number of staff for the IQCP certification next year I sat pondering yesterday the MDM challenges posed by the concept of an end of year ritual event that is celebrated across multiple cultures and in many different ways and on varying date ranges within a reasonably defined window of time.

What is the valid range of domain values that label the thing what is being celebrated at the end of December/early January?

So, for a bit of festive fun I’m going to run a competition. Commenters to this post should leave a list (make sure to check it twice) of the domain value labels that they would consider as describing the festivities. Terms like “Holidays” and “Festive Season” are not allowed as they are labels for the domain itself, we’re looking for the values within that domain.

I welcome contributions from different languages, cultures, creeds etc., and if there is a specific date for the celebration in question please add it.

In early 2012 (after the turkey has been devoured and the batteries in my daughter’s toys have finally expired) I’ll pick a winner. The prize will be awarded for a combination of completeness and amusement-value (which is why Jim Harris will have to submit under a pseudonym), and the final winner will be picked randomly from a short list.

The prize will be a copy of The Age of the Platform by my good friend Mr Phil Simon.

Ho Ho Ho.

Facing up to Facebook

I spent a number of hours last night reading and rereading the report from the Irish Data Protection Commissioner on their Audit and Investigation of Facebook. At over 200 pages it was not for the faint-hearted but it did set out clearly the findings and the areas of gap and weakness which were identified, as well as a number of surprising twists where Facebook had, almost by accident, started to do things in a sensible manner respectful of privacy.

However, despite the statement from Facebook and the positive tone adopted by the Irish Data Protection Commissioner in media comment, this was not a clean bill of health for Facebook. This was a statement of gaps, with a clear message that the gaps need to be addressed rapidly in advance of a July 2012 rematch. Facebook may not have a bloodied lip from this encounter but the organisation has had (yet another) wake up call to the need to do Privacy better and to do it by design rather than happy accident.

Of course, the Data Protection Commissioner does not come off unscathed in this report either. On my reading of the report there were a number of instances where the operation of Facebook processes contravened either the Data Protection Acts or the ePrivacy regulations. Each of these instances represented a cluster of prosecutable events. But this opportunity seems to have been missed, or at best deferred until another day. As a Privacy professional I am somewhat disappointed by this apparent failure to push the agenda resulting in a somewhat limp, albeit broadly welcomed, outcome.

The key question is What next?

Facebook has given undertakings to the DPC to have taken certain actions by January and to have completed or be demonstrably progressing other actions by July 2012. Will the DPC issue enforcement notices in 2012 if these undertakings have not been complied with?

Will we see the David of the Data Protection Commission (total staff less than 20 and a total budget in 2009/2010 of less than €1.5 million to run a Data Protection Authority in a country that is host to some of the most complex data processing companies in the world and wants to entice more in) staring down the giant of Facebook armed only with the pebble of SI336 of 2011 and the slingshot of the Data Protection Acts 1988 and 2003? Given that Facebook’s global turnover is estimated to be in the region of US$1.5 billion, and given that their recent settlement with the FTC requires them to keep their privacy nose clean, they would doubtless fight any prosecution to the fullest as it affects their core business.

So, our under-resourced, underfunded, and increasingly overstretched Data Protection Commissioner seems to be wisely avoiding fights that it would find costly to win. But in this it is possible that they are playing for time.

While the national government here seems to have been happy to long finger Data Protection reforms (to the point that we were 8 years late enacting the legislation to support Directive 95/46/EC) the noises from the European Commission are that the long awaited revised Directive will actually arrive in January as a Regulation. This will change the nature of the DPC’s role as they will become in effect the local outpost of a larger, more standardised and federalised Data Protection regime.

This will result in larger penalties for breaches. It will also introduce increased requirements for transparency around data processing, including clearer obtaining of consent and clearer documentation of internal controls and processes.

All of which are elements of the findings in the Facebook Audit.

The next question is What now?

The Data Protection Commissioner has stated that this report is the beginning of a longer term and long running series of engagements with Facebook. In other words, they will be working them over regularly to raise standards. With the Regulation expected to take until 2014 to come into full effect, this would give ample time to fix the problems that have been found thus far and any new balls of crazy that the Facebook cat would care to spit out on our collective shoes.

Of course, this would require the Government to step up to the plate and properly resource the DPC and begin to promote Ireland as a good place to run compliant businesses. The era of light touch/no touch regulation of Data Protection needs to come to an end as we move into the era of Balanced Privacy.

My personal thoughts on the Facebook Audit

This post was originally published on the Irish Computer Society Data Protection blog. I am republishing it here as it is my original work and I am moving my Data Protection musings into one place.

Over on my personal blog [this one] I’ve written a short piece about my thoughts re: the Facebook Audit by the DPC.

All in all I welcome the findings (and at 40 or so discrete findings it is not a clean bill of health by any stretch of the imagination regardless of spin and positioning) but feel that, given the breadth of potential scope for any audit and the limited resources and time available to the DPC’s office, it was inevitable that some issues could be missed.

I am personally dismayed that the DPC did not prosecute some or all of the offences that they identified, particularly those in relation to breaches of the ePrivacy directives (where clear penalties and court precedents exist). A high profile prosecution would have made it a lot easier dealing with clients and prospective clients as it would have focussed the attention on issues.

Also a number of unasked questions remain unanswered. For example, what is the position of Apps which process data outside the EEA? Does Facebook as a Data Controller not need to ensure that these apps (processors) are undertaking their activities in “safe countries” or under terms consistent with the Model Contracts approved by the European Commission?

I’d like to think that this is part of a long term strategy by the DPC to develop a “poster child” for compliance (“hey, look… if Facebook can do it so can you”), whittling down issues and changing the Facebook mindset over time.

But I am fearful that proper regulation and enforcement of Data Protection rules may be seen by the Irish Government as a barrier to enticing foreign investment in the data storage and services sectors and as such the independence of the DPC’s office may be threatened and its ability to effectively carry out its duties may be weakened.

The Office of the Data Protection Commissioner does a sterling job with a small cohort of staff, a massive remit and scope of responsibility, and a budget that, in their 2010 Annual report, was less than €1.5 million. My instinct is that they opted not to blow that budget on prosecutions and instead elected to work the network of International authorities (Canada’s OPC, various German Authorities, the FTC) to keep the pressure on to drive change rather than levy penalties.

After all, any visit to Courts with a prosecution is a roll of the dice as to whether the judge accepts the full weight of the offences and agrees the penalties requested. The DPC could have spent quite a lot to achieve, in effect, the same result.

However, I await with interest the findings of the rematch in July 2012. Will Facebook win gold for privacy then? Or will we see the true stamina of the Data Protection Commissioner in a legal tussle? All we can hope for is either an Olympic performance from the “New Facebook” or a Herculean stand by the DPC in defence of individual privacy.

The EU Data Protection Regulation

This post was originally published on the ICS Data Protection Blog. It is republished here as it is my original work and I am putting my Data Protection musings in one place.

Earlier this month we saw the leaking of a late draft of the forthcoming EU Data Protection Regulation. Yes. That’s right. Regulation. In other words direct effect, standardised legal framework across Europe, less wriggle room at local level, and no waffling and stalling by national parliaments as they butcher a Directive into national law.

The full final text is expected in January, with a 2 year implementation window being mooted.

Among the criticisms I’ve seen levelled at the Regulation is that it is “longer than the Directive it will replace”. Yes. It is. But that’s because it has had to do more than just replace the existing Directive; it has had to:

  • Update the Directive with new concepts such as the “Right to be Forgotten” and increased duties of transparency
  • Introduce new penalty structures (which were previously the preserve of the national enabling legislation that transposed the Directive) such as the 5% of Global turnover penalty for breaches of the legislation.
  • Define new governance structures for Data Protection in Europe at the EU level and between countries.
  • Impose sanctions on Data Processors who act beyond the terms of their processor agreement (currently the only sanction is for the Controller to sue in Contract law, assuming a contract exists).
  • Adapt the existing regulations and governance models to things like Social Networking, Cloud computing and mobile devices.
  • Figure out how to deal with extra-EU entities selling into the Internal Market (easy.. they will have to comply with our rules now).

Buried among the new changes, one aspect that jumped out at me was the introduction of lower value “administrative” financial penalties for smaller incidents of breaches of the legislation. I for one hope that that proposal makes it into the final draft of the Regulation as it would provide a tiered approach to penalties and put something tangible between the “softly softly encourage compliance” and “hit Controller with full prosecution”.

Another reason why I’d be interested to see this make it into the final Regulation can be found in this post here (in which I argue in favour of just this form of small scale fines based system).

(Yes folks, you read it on this blog first).

It’s Data and Contracts all the Way Down!

The Tallaght Hospital story is a salutary tale of what can go wrong when engaging third parties to perform any service for your organisation.

Left to their own devices, and absent any control or governance framework that can verify that what is to be done has been done (in its entirety) and has been done in keeping with the requisite standards under the agreement, outsourcers may deviate from task, get creative, or just get downright sloppy and careless.

When the outsourcing relationship consists of a chain of parties (an Irish entity, a UK entity, entities in 3rd countries) then things become even more complicated.

The Data Protection Acts require that Data Controllers put in place a contract in writing with Data Processors. This contract should, at a minimum, include specifications as to the security standards and protocols that should be in place. Ideally it should also grant the Data Controller a right of audit and inspection of those standards.

Things get really interesting when you bring multiple processors into the mix because the Data Controller continues to carry responsibility through the chain of contracts (or absence of contractual chain).

The Data Controller has to be able to look through the layers of contract and see the Data Processor at the end and be sure that they are acting in a manner that is consistent with the requirement of the parent agreement between them and Processor 1.

And if the data is moving around jurisdictions (such as out of the EEA) this becomes even more critical.

So. When you are engaging a chain of data processors to do things on your behalf, it is important to remember that it is turtles all the way down. And if not turtles then at least Processors, contracts, and data.

Turd Polishing

In the course of a Twitter conversation with Jim Harris I used the phrase “turd polishing” to describe what happens when organisations try to implement check-box based data governance or Compliance programmes, or invest in business intelligence or analytics strategies without

  • fixing the data which underpins those strategies
  • addressing the organisational cultural and structural issues which have led to the problem in the first place.

I have witnessed this happening with organisations who, for example, decide that investing in e-learning with a “learning KPI” (x% of staff having reached y% pass mark on a multiple choice exam with a 1 in 4 chance of guessing the right answer) is their approach to evidencing culture change and the embedding of learning.

Of course, this fails miserably when

  • The cultural message is that the data job isn’t as important as the Day Job
  • The management practice is to game the system (why take all your staff off the phones to do the learning when you have one person on the team who knows it who can do the exams for everyone with their logins?)
  • Management look only at the easy numbers (the easily gathered test scores at the end of an assessment period).
  • Management seek to rule by fear or quota (“hit these numbers and those numbers or else….”)

Management who seek to overlay a veneer of good governance on an unaligned/misaligned and otherwise outright broken Quality Culture that doesn’t seek to value or maximise the value of their Information are engaging in little more than Turd Polishing. Turd Polishing can be seen in organisations that value Scrap and Rework over re-engineering as a way to address their quality goals. Turd Polishing can be seen in organisations that fudge reports to Regulators or announce “reviews” of issues that everyone has already identified the root causes of around the water coolers and coffee jugs.

No amount of elbow grease and turd polish will change the underlying essence of what is being done. Nothing will improve, but increasing amounts of polish will be required to dress up the turd as a sustainable change programme.

The alternative is to call a turd a turd but work with it to bring out the special properties of manure that can help promote growth and give rise to sweet smelling flowers. That requires spade work and patience to bring about the change of state from turd to engine of growth. But no polishing is required.

In summary – turd polishing gives you a shiny turd that is still a turd. Digging into the manure can lead to you coming up roses.

Information Quality Change – the Doctor Who effect

I’m a big science fiction fan. I make no apologies about this fact. One of my favourite science fiction characters is The Doctor, the lead character in the BBC’s iconic series of the same name. In a genre that often falls for the easy charms of technology to drive a story, The Doctor (a 930 year old, two-hearted time travelling Time Lord from the Planet Gallifrey) invariably highlights and thrives on the Human Factor – the innate potential, ingenuity and power of the human beings (a lesser species) who he befriends, protects, and travels with.

Over the years I’ve tried to adopt and adapt some of the principles of The Doctor’s approach to leading Information Quality and Governance change projects:

There is nothing that can’t be solved by confectionery

The good Doctor in a number of his incarnations (4th, 6th, 7th, and 8th as memory serves) was renowned for, in moments of high tension, proffering some confectioneries (specifically Jelly Babies) to help lighten the mood and distract thought. They were an incredible tool that enabled him to befriend others and buy time to develop cunning plans. Doctor Who Jelly Babies (video montage)

The key lesson is that it is often useful to have a “quirky” way to break down barriers and get conversations going. The Doctor has Jelly Babies. I’ve used various props. Kathy Hunter of DQM Group made extensive use of home baked cakes and biscuits when she was in a previous role to help open conversations.

It’s Bigger on the Inside

The Doctor’s space ship/time machine is a Blue Box. It is a Blue Box because the advanced circuitry that let it change appearance to blend in in different timelines got stuck on “Blue Box” on a trip to London around 1963 (the year the series was first broadcast). The thing about the Blue Box is that it is “bigger on the inside”, a fact that the various companions of The Doctor remark on whenever they enter the Blue Box for the first time. Bigger on the Inside (YouTube). Invariably, The Doctor takes the surprise in his stride, often forgetting how big a shock it is to people when they see the size of his Blue Box for the first time.

The Doctor’s Blue Box is called the TARDIS, which stands for Time and Relative Dimensions in Space. By being able to engineer time and space, The Doctor’s race, the Time Lords, could build infinitely large space craft that could fit into a small space (like the back of a props van on a TV show).

What’s the parallel with Information Quality? Well, those of us who have worked in Information Quality often forget that it is a discipline that is very much “bigger on the inside”. When people look at Information Quality from the outside, they might be forgiven for thinking that it has the general dimensions of a Blue Box (so to speak) and it is only when they venture inside that they realise there’s more to it than meets the eye. If your perception of IQM is that it is Data Profiling and some Cleansing, it can be quite a shock when you uncover the Change Management challenges, the human psychology issues, and the legal and regulatory issues that can affect Information Quality strategies.

Often we hard-core practitioners take it for granted that it is bigger on the inside, because we’re on the inside looking out.

People First, Technology Second

Quite apart from the long running love affair The Doctor has had with the Human Race, every adventure winds up with The Doctor being outrageously brilliant as a Time Lord, but more importantly inspiring and encouraging brilliance in his Companions and others around him. Whether it is calling in favours from old enemies (in return for some jelly babies perhaps) or rallying demoralised troops in the face of battle or unnatural enemies, The Doctor puts people first, often appearing willing to sacrifice himself to protect others.

Technology is applied in innovative and outlandish ways to meet the objective of protecting people. Even The Doctor’s trusted sonic screwdriver is not used as a tool in its own right but as a means of enabling things to happen and for information to be gathered to support decision making.

From an information quality management point of view it is important that we remember this lesson – the technology should not dictate the solution and, ultimately, it is people who are the brilliant and innovative sources of solutions to problems. A Data Profiler will tell you that the data looks broken. A human being will figure out the best solution (new business rule, new tools etc).

In short, to paraphrase The Doctor: “People are FANTASTIC!!”

Conclusion

I’m very much of the view that we can learn a lot from arts and literature about ourselves and who we can aim to be in how we approach things. Science fiction TV programmes are no different to the works of Shakespeare in this regard. Perhaps we can achieve more sustainable successes in our Information Quality travels by learning some lessons from The Doctor:

  1. Everybody likes Jelly babies – (what is your equivalent?)
  2. Not everyone can see that this is actually Bigger on the Inside… and when they step into the world of Information Quality it can be a bit of a shock to the system.
  3. Technology doesn’t fix things. People fix things, occasionally using technology to get there. Remember that people are FANTASTIC!!

The missing link in Compliance and Governance

Over the years I’ve done a lot of work in the area of Regulatory Compliance and Information Quality. Whether it is Data Protection, Information Quality, Governance or Compliance, it is important to bear in mind that what we are dealing with is a Quality Management System:

  • Data Protection Compliance is the Quality System whereby the obligations and expectations which arise under Data Protection/Privacy laws are met consistently
  • Information Quality programmes involve, by definition, the implementation of a Quality Management System
  • Information/Data Governance… well, that’s another form of Quality Management System
  • Complying with other forms of industry or Governmental regulation… well, the best way to achieve those objectives is through some form of systemic approach to meeting or exceeding expectations.

In my experience Compliance and Governance initiatives and strategies tend to fall into three camps:

  1. Documentation Driven by “Rules Wizards”, with extensive policy and procedure documentation, usually from the comfort of an Ivory Tower in the Business that is comfortably removed from GEMBA
  2. Technology Triggered by “Techno-Lords”, usually from within the bowels of the organisation’s IT department, which is also often at a distance from the place where the work is actually getting done.
  3. Awareness and Attitude Oriented: Driven by a “Coalition of the Willing”, with a focus on policy that is actually executed through the appropriate use of supporting technologies and a strong focus on the “Human Factors” that lead to awareness and understanding of the required changes.

Often it is difficult to see which kind of initiative you are dealing with. In organisations that have a “Document Driven” approach, management take comfort in the fact that they have documented procedures and policies for everything therefore everything is in control. In “Technology Triggered” initiatives, the management of the organisation places a blind faith in the power of technology to protect, prevent, detect, and mitigate issues.

Both approaches are doomed to failure. Neither, no matter how sophisticated, can ever deliver anything other than “small ‘c’” compliance. Because Quality Systems are about more than just documentation or technology. Real quality requires a sustainable change in attitudes and awareness. After all, Deming’s first two points of Management Transformation are not “Write documents” or “Get good technology”: They are “Create a Constancy of Purpose” and “Adopt the New Philosophy”.

Purpose and Philosophy require that the organisation look at the attitudes that are there. It is as important to understand and articulate a Vision for the Quality System… and to make sure that that Vision is embedded in the mind-sets and attitudes of the staff in the organisation.

At a conference in London in 2005 Joyce Orsini of Fordham University shared a story with me of a trip W. Edwards Deming (she was working with Deming at the time) took to an automobile manufacturer in the US in the mid 1980s. On this trip the plant manager took great pride in showing off the robots (technology) that they were using to manufacture the cars. Deming noticed that every time the robot arm swung over the car it dented the boot (trunk) lid of the car. He asked if this was part of the Quality Standard (Policies). The Plant Manager said no, it wasn’t, but they had a man at the end of the production line with a hammer to knock the dent back out.

A lack of awareness about the operation and objectives of the Quality System and what it meant as a value system meant that no-one in the plant seems to have questioned the operation of the Quality System.

Without Awareness and Attitude the investment in Documentation and Technology that form part of the Quality System will ultimately have sub-optimal return.

Expelling the Papal Nuncio

A few days ago my friend Simon asked me to jump in and give him a hand admining a Facebook group he first set up in 2009 in response to some of the reports that had been published into clerical sexual abuse in Ireland. These reports highlighted a catalogue of blocking, interference, and general institutionalised non-cooperation with investigations by the State authorities.

The recent publication of the Cloyne Report highlighted still further that there was a clear policy of non-cooperation and basic lip service being paid to child protection standards within many areas of the Irish Roman Catholic church, at the initiation of, with the support of, and with the backing of the Vatican State’s senior diplomat to Ireland, the Papal Nuncio. That this culture has spanned the tenure of multiple holders of the post over the past number of years (Giuseppe Lazzarotto [Nuncio from 2000 to 2007] blocked cooperation with inquiries on the grounds that ‘diplomatic channels had not been used’, Luciano Storero [Nuncio from 1995 to 2000] warned Bishops against implementing measures requiring mandatory reporting of child abuse) speaks to an institutional failure on the part of the diplomatic representatives of a foreign state to respect the laws of the Irish State and co-operate with enquiries into horrific cases of systemic and systematic abuse.

And that is why I was only too happy to help Simon out. It’s not that I am anti-religion, anti-church, anti-priest, or anti-catholic. Those who know me well know my personal beliefs. I don’t feel it is relevant to share them here, because in parallel with my personal religious and philosophical beliefs I have a very strong belief that international relations between States must be grounded on trust, or at least respect. I do not believe it is acceptable for a diplomatic representative to place themselves above or outside the law of this State without there being clear consequences for the office holder and the office itself.

Had the Danish Ambassador conspired systemically to block investigations into the alleged criminal activities of Danish citizens I’d be calling for him to be expelled as well.

The fact that the Papal Nuncio holds a special senior position in the Diplomatic Corps in Ireland is doubly troubling to me. The Nuncio is the Dean of the Diplomatic Corps, effectively feted as the most senior diplomat on the Ferrero Rocher circuit. And all while the office of the Nuncio has, for over two decades, facilitated the breaking of Irish laws and conspired to block and frustrate investigations of those alleged offences.

So. What I’m asking the Irish Government to do is to take action to remove the special standing of the Papal Nuncio immediately. They should then take the necessary steps to expel the Ambassador from the Vatican City State (the legal entity not the religious body).

Finally, the Irish Government should also withdraw the invitation to the Pope to visit. Bluntly, we can’t afford it as the return on investment compared to other State visits from countries with diplomatic representation here simply isn’t there. When the Pope visited the UK it cost over GBP12 million (EURO14 million) before the policing costs were factored in. The combined visits of Obama and the Queen came to around €30 million in total.

The United States has a population of over 300 million people. Fair enough only around 15% of them have passports, but that’s still a potential pool of 45 million travellers who might stop off in Ireland on their vacations. The UK has around 62 million people sitting a 1hr Ryanair flight away from us. So, the potential pool of possible tourists who can come from the UK and US as a result of the State visits in May is around 100 million people. So, it would have cost us €0.30 per head to target that population.

The Vatican has a population of 826 people (source: CIA Factbook). Spending €12 million on securing the Pope’s visit would cost us €14528 per capita to sell Ireland as a tourist destination to the population of the Vatican. Even if it cost us a quarter of what was spent on the UK visit, we’d still be spending over €3,000 per potential traveller to sell into a market that I’m sure Fáilte Ireland are already reaching through their advertising spend in Italy.