Blog

  • Bank of Ireland Customers – check your balances

    As the May Bank Holiday draws to a close, I’d like to remind customers of Bank of Ireland that they should take a careful look at their account balances this week if they have been using laser (debit card) or ATM services over the weekend. If you do find you’ve been ‘double-dipped’, please let me know via this blog.

    Double Dip confectionery
    Double Dip – Nice Confectionery but leaves a bitter taste if it happens to your bank account
  • Laser-like accuracy

    Word reaches me this morning of yet another incident of Bank Of Ireland double-dipping laser card transactions on or around a Bank Holiday.

    BOI will, doubtless, claim that this is a once off and hasn’t happened before. That’s what they said the last time (when it had actually happened before). Furthermore, I hope that BOI are more certain this time as to the root cause (last time out it was variously “retailer error” or “a software upgrade glitch”).

    And hopefully their process for catching “shadow transactions” which lead to the double-dipping will kick into play and actually refund the customers affected  (which if this glitch is on the scale of their 2009 one could be up to 200,000 card holders).

    For reference the relevant blog posts are:

    http://obriend.info/2009/09/09/bank-of-ireland-double-charging/

    http://obriend.info/2009/09/09/bank-of-ireland-double-charging-a-clarifying-post/

    http://obriend.info/2009/09/10/bank-of-ireland-overcharging-another-follow-up/

    http://obriend.info/2009/10/28/bank-of-ireland-again/

    The issue also featured over on IQTrainwrecks.com.

    My €0.02: This issue appears to manifest itself around Bank Holidays. This suggests a batch load process or some human triggered action doesn’t work correctly when there is a Bank Holiday. Having a process to detect the double-dipped transactions is not a fix, as if it doesn’t work (as seems might be the case here) then the incorrect data gets through.

    BOI might want to pay attention to Ferguson v British Gas, which while a UK case, could be arguable precedent for the view that Irish Courts won’t care how complex your IT systems are if a customer is impacted through a failure of your systems to process information correctly.

    BOI need to identify the precipitating root cause of this problem, based on the data they have available… I’d start with looking at the dates of incidents (BOI should have more data than newspaper headlines to go on) and seeking to confirm or disprove the ‘Bank Holiday hypothesis’.

    Relying on a ‘scrap and rework’ kludge that might itself fail is not a sustainable approach to ensuring information quality or quality of customer service.

  • Doing the right thing

    So, imagine for a moment that you have just found out about a technology that, according to the sales person, will have an immediate impact on preventing children being abused, tortured and worse. Imagine you’ve been told that it won’t require you to do a thing, that it will operate “out there” (possibly in “The Cloud”) and perform its function on your behalf without you having any need to actually do anything yourself to put the processes in play.

    How much would you, personally, pay for such a technology? €1 a month? €5 a month? €10 a month?

    What if it turned out that:

    1. The technology actually didn’t stop the hurt or damage to children, just made it a little harder for people who paid for access to images of that to get at it and, at best, curtails demand slightly
    2. Was relatively easily circumvented using free or low cost tools
    3. Had been found not to work in other countries where it had been made available, with innocent individuals and businesses suffering due to poor quality data existing in the processes which meant they were tagged as “offending” and were being closed off from their market (in the case of businesses) or from their legitimate personal activities (in the case of individuals).

    That’s what the Irish police have asked ISPs to do with their recent requests to implement IP filtering, outlined by Digital Rights Ireland today. IP Filtering has been found be ineffective in the Netherlands, has had declining effectiveness in the UK, and doesn’t actually address the problem of the images being accessible on the Internet. In Australia a leaking of the black list revealed valid businesses that had no child porn content, with almost 50% of the list being unrelated to the target intent of controlling access to images of child pornography (thanks to DigitalRights.ie for the linked to stories).

    A far more effective approach is to get the images removed from the sites that are hosting them. Perhaps this is problematic and onerous. Let’s look at some statistics:

    • Of the 72 requests to remove images of child pornography made by the UK’s Internet Watch Foundation in 2010, a paltry 100% were complied with in a geological “few hours” (source: BBC report on IWF’s Annual Report)
    • Researchers in Germany working with AK-Zensur.de found that the 3 active sites on the sample of watch list data they worked with were taken down within 90 minutes of requests being made to hosting companies and/or domain registrars. In each case the images had been blocked but were still on-line for up to 2 years.

    So… making requests to the hosting providers tends to be effective at removing the problem at source. Indeed, a draft EU Directive is calling for exactly that approach to be taken.

    Which leaves us back at the start, asking the question about how much you’d be willing to pay to have such a technology in place to block access to sites. Because a price will have to be paid in some way and in some form. On one hand, Irish telcos are not exactly awash with cash at the moment and the implementation of any blacklisting process will require some governance and resourcing (both technology and people) which will come at a price. Currently there is no proposal that the State would contribute to this cost, and the model of the Data Retention regulations would suggest that no such stipend would be forthcoming.

    So the cost of web filtering would likely have to be borne by the ISP. Which would mean either higher bills or reduced investment in other areas as the money would have to be found somewhere (it is worth remembering in this context that eircom is currently trying to restructure its debts and cut costs by €92million). So, realistically, the costs will emerge somewhere on your bill. How much are you willing to pay for technology that doesn’t achieve its goals?

    The other price to pay is the privacy cost.

    The Garda proposal is, to my reading, an outrageous trampling of personal privacy rights while they take a lump hammer to swat a fly. In essence, they amount to a “guilty until proven innocent” position where inadvertent access will need to be explained by way of the ISP giving EVEN MORE data to the Gardaí about an individuals browsing history. As Digital Rights Ireland point out in their letter to the Data Protection Commissioner about these measures, such disclosures might actually be illegal in and of themselves under other legislation. And if your domain name can identify you as an individual there is always the potential for your personal reputation to be damaged if you are put on the blacklist in error given the text of the “stop page” message.

    • What ever happened to “Adequate, Relevant, and Not Excessive”?
    • And how bullet proof are you against malicious uploading of content to your website anyway?

    It would seem that the only entity not incurring a cost in the entire equation is the Gardaí, as their letter does not outline any form of “right of reply”, any avenue for validating or correcting entries on any black list which might be created, or any form of judicial oversight or regulation of the powers which the Gardaí are taking upon themselves in this context.  Who do I contact if my business site is compromised, becomes a host for offensive content (if only for a few hours until it is spotted and removed) and is blacklisted? What steps have the Gardaí taken to ensure that they don’t mirror the Thai experience, where a blacklist introduced to control access to child pornography has experienced “scope creep” to include any criticism of the Royal family, or the Australian experience where, according to one expert:

    “It seems to me as if just about anything can potentially get on the list”

    Doing the right thing is very important. But equally important is doing the thing right. Internet filtering is ineffective as a tool. It is the equivalent of telling one part of a town they can’t shop in B&Q while the rest of the town sates their bricolage requirements at the “banned” store.

    An analogy to the Garda proposal is this: Anyone entering certain areas of the country (“black-zones”) would be overtly tagged as probable criminals by reason of their being in that location. They might even be given a badge to wear at all times as a result. Where they are ‘just passing through’,  the probable criminal will need to provide evidence of their normal habitual movements to the authorities so they can satisfy themselves that the visit was accidental or as a result of an unexpected detour. Residents will not be told about their status as a “black-zone” and will have no ready right of appeal or opportunity to challenge the designation. Visitors will be told they are about to enter a “black-zone” that hosts criminal elements and activity by way of a large sign on the side of the road.

    Would that be acceptable in Irish society?

    Internet blocking is ineffective. The current proposal lacks sufficient checks and balances, and may even require ISPs and telcos to break other laws to comply. It will inevitably result in innocents being tarred as offenders. Data Protection principles (such as “Adequate, Relevant, and Not Excessive” are being blatantly ignored to implement an ineffective solution.

    Far better is to shut down the shop by removing the images at source and invest time, energy, and resources into a more transparent effort to manage this issue.

  • Data Breach Code of Practice

    A while back I had the privilege of being part of a group who formulated submissions to the Data Protection Commissioner regarding the Data Security Breach Code of Practice.

    That Code of Practice was presented to the Minister for Justice in July 2010, long before the dissolution of the Dáil in January 2011. There was one administrative step required to give it full legal effect. That step has not yet been taken.

    Apparently, carelessness with Personal Data (and, in the case of the Security Breach Code of practice, financial data as well) would appear not to be a ‘real crime’ in the eyes of the Dept of Justice. Despite the fact that it costs the UK economy £27bn per annum.

    Given that Fine Gael spearheaded moves to improve the protection of personal data privacy through a Private Members bill proposed by Simon Coveney TD, and during their election campaign they trumpeted the policy of “getting tough on white-collar crime” perhaps they should start with a holistic view of the culture of business and begin with one common element across all business, whether it is Financial Services, Healthcare, Telecommunications, or plumbing – the fact that every business, at some level, processes personal data about individuals in order to conduct business.

    What would I like to see from the new Govt which will take the reins of power in the coming week or so?

    1. Tie up the loose ends. Put the Code of Practice on a fully formed legal footing (and perhaps bump up the penalties that can be levied)
    2. Begin the process of renewing the Data Protection Acts. Even in advance of the new EU Directives in May and further down the road there are a number of things which can and should be done:
      1. Consolidate and simplify the legislation.
      2. Implement clear penalties for infringement of the Acts and penalise non-compliance
      3. Provide clear statutory frameworks to encourage compliance (e.g. Voluntary disclosure, whistleblower protections)
      4. Make clear the alignment between Data Protection regulation and other areas of good corporate governance.
    3. Require Enterprise Ireland and the various business development incubators that are promoting entrepreneurship to include some information/training/guidance on Data Protection principles and practice in their supports for start-ups (I’ve been through a Business Development programme and, despite the importance of personal data to the business models of 90% of the participants it was not even mentioned as a topic).
    4. Make the Office of the Commissioner revenue generating to a greater extent by having higher potential penalties and ensuring that prosecutions are taken to the fullest extent of the available penalties. In the UK the maximum penalty for a breach is £500k. Here it is, on a good day, only a fraction of that.

    Finally, the Government should ensure that the Data Protection Commissioner has adequate funding, resources, and supports to properly conduct and execute their responsibilities under the legislation. Whether that is achieved through the absorption of other agencies into the Commissioner’s remit is a matter for the Government (and the Commissioner) to decide on.

  • CRM Insanity (another update)

    So, I have the phone now. I’m still with Vodafone. I’m a no longer irately angry customer. I’m not a happy one. It will be sometime before I am that. I may still move my landline business just to make a point.

    But my experience in getting the phone sums up the difference between the CRM success of the Vodafone retail store and the CRM insanity of the Vodafone Retail policy.

    No Sims at the Inn

    It turned out that though they had a phone in stock they didn’t have microsims in stock in the shop. Not a show stopper. The manager went to Carphone Warehouse and got one from them for me while his team sorted the phone out and upsold me a case.

    What a clever win. Very little effort for him to do so. Kept me in store longer. I will buy from them again soon (I need a bluetooth kit for the baby-carrier car). I will tell the story of how they didn’t let a stock issue prevent them from satisfying a customer.

    A1 service. It counterbalances my experience on Friday when they told me they had no phones (now I know they were acting under orders).

    Tweet happens

    Having had no satisfaction over the last few weeks with Vodafone on the phone (or for that matter in store), it took posts on twitter to get the issue resolved. And it was resolved fast. Less than 3 hours later I have the phone that 4 hours ago I believed I was not going to be able to get.

    So, Tweet happens.

    But it shouldn’t. It shouldn’t take an angry customer writing an analytical breakdown of their customer value and posting it to twitter (and Facebook) to get action. That is just wrong as it requires the customer to push for what they are entitled to, and it means that the loudest shoutiest customer gets things done.

    A better way?

    As I stood in the Vodafone store today I noticed how they are doing lots of product pricing offers for customers of both mobile and fixed line business. They should perhaps consider using that as a criteria for rationing phones where supply issues exist. If you are a customer of both, you get preferential treatment for stock. Because you are WORTH more. A customer of the mid-tier Perfect Choice Access package for mobile and a moderate broadband package is worth the better part of €2000 a year to Vodafone just in line rental and connection. They should take preference over virtual customers with an unquantified value.

    That’s just a thought.

  • CRM Insanity (An Update)

    I’ve elected to switch to 3 and have shortlisted some options for the home phone. I made comments to that effect on Twitter this morning.

    At 12:32 today Vodafone Ireland contacted me on Twitter (after I’d posted a few tweets back to this post) and Daz on that team is looking into the situation. As of 13:09, apparently they have managed to secure stock in a local Vodafone store for me.  (Why they couldn’t do this on FRIDAY or any other time I’ve rung them over the past few weeks, or when I went into that shop on Friday, baffles me).

    I’ve indicated I’m holding off going switching until 13:30 today.

    But it appears that to get Vodafone to actually give a shit you have to be either a non-customer who they wish to woo or a high “cost-to-service” complainer who goes very public with problems. That too is just plain insane CRM, which results in people like Steven (who I spoke to on Friday) and Daz having to bear the brunt of customer issues that COULD BE AVOIDED with a bit of sanity.

    I fully accept that Vodafone have supply issues with the iPhone4 (which no other network seems to have BTW). It makes sense to ration the supply and impose some restrictions. But to completely block existing customers from the upgrade makes no strategic sense (unless Voda want to get rid of existing iphone customers to other networks). This is particularly the case for Voda who will soon have a lot of customers who took the 3Gs when it came out on Vodafone looking to upgrade after 12 months on an 18month contract (thereby locking them in to another contract).

    A better approach might be to:

    • Require new customers to enter into a longer contract (“Hey, you can have it. But it is in short supply so you’ll need to give us your soul for 6 months longer to get it”).
    • Allow customers who have been with you less than 24 months to get it but only if they go for certain tariffs.
    • Allow existing customers who are over 24 months on contract to upgrade as normal.

    Supply is rationed. Everyone can GET the phone, but existing customers in good standing have a reward for not churning out to competitor.

    Of course, Vodafone now have the issue that I’m pissed off. And publicly so.

    Just getting me the iphone isn’t going to be enough now (I know I can get it with 3). So there will now be an additional retention cost to be built into the deal (which would be on top of the 1 month credit I’d already been offered due to other screw ups on my account).

    THIS IS AN AVOIDABLE COST, or would have been if they hadn’t had such crappy customer service up to this point. Now it is pretty much required as I can get the same phone for cheaper cost and similar cost per month on the other network, with whom I have no current frustration (Vodafone on the other hand have

    • left me with the wrong SIM card type for the phone I have
    • failed to properly activate my mobile broadband dongle when I upgraded it late last year
    • failed to keep my personal data accurate and up to date as per the Data Protection Acts
    • failed the attitude test about the iphone upgrade)
    • send me direct marketing pieces addressed to “Ms Daragh O Brien”

    By having a screwed up CRM strategy for existing customers, Vodafone have put themselves in the position where they are now negotiating with me to stay, not simply handing me some forms and taking my money.

  • CRM insanity

    So, I have a few niggling problems with my iPhone, including dropped calls and poor call quality leading to lost business. I have been advised (by Vodafone tech support) that a new handset might be required.

    I have upgraded the SIM (which should have been done by Voda when I got the phone but wasn’t).

    Vodaphone have been telling me for the past few weeks that they have no stock. Carphone Warehouse today told me they have stock, just not for existing customers.

    This makes very little sense to me.

    In effect I’m walking up to Vodafone and saying “hey, I’d like to be handcuffed to you to the tune of at least €720 over the next 12 or 18 months.”

    Vodafone are saying “feck off, we are holding out for someone else who MIGHT come along at some point in the future, we don’t know when.”

    Of course, the policy doesn’t seem to take into account that I’m a home phone customer and a mobile broadband customer.

    That’s another €1000 approx per year just in rental. and I’m out of contract on those too… No barrier to migration.

    It doesn’t take into account that my wife is on Vodafone as well. Another €720 per year approx. She’s out of contract soon too.

    It doesn’t take into account that I’m an ‘influencer’ on the mobile provider purchasing for about 10 other people. All of whom are up for renewal soon. That’s around another €700 per person.

    Then let’s take into account that I’m a blogger and a tweeter with a large network. No direct bottom line impact but there is brand impact.

    So. I’m actually worth about a measurable €10000 to Vodafone.

    Versus the speculative €700 plus an unknown that the new connection (who incidentally isn’t actually buying iPhones at the moment) might be worth.

    Carphone Warehouse told me that in the past week they’ve had a number of customers who have cancelled Vodafone contracts for just this reason.

    So, does the revenue from one speculative customer outweigh the value of a half dozen existing customers?

    I would love to see the data that says it does.

    As markets mature the focus on new customer acquisition metrics becomes increasingly sociopathic and inappropriate. Managing churn is a big challenge in telco. Creating policies that effectively mandate churn is just insane CRM.

    As markets mature the focus needs to be on retaining where the cost of doing so is less than the revenue (and it usually is) or where the strategic value of locking the customer in is worth investing.

    As markets mature the focus has to shift to moving customers up the value chain and maximising share of wallet to underpin ARPU.

    Vodafone had me in lockin across 3 markets. I was happy enough with costs. I was probably going to purchase additional services for my business.

    Now they don’t. And my € 10000 per year customer value will be going to other operators over the coming weeks. Starting with the €1200 I personally spend on mobile and fixed line communications.

    Idiots.

  • In the interest of Electoral Balance

    I’ve written previously about Fine Gael and their issues with avoiding Data Protection pitfalls during this current General Election.

    Some people might have gotten the impression that I’m obsessed with Fine Gael. I’m not. I’m obsessed with Data, specifically the management of data and information in manner that ensures quality outcomes through quality data governed with due regard to relevant legislation.

    On courses I teach on Data Protection and Information Quality I often make reference to “The Joe Duffy Effect” to describe the brand impacts that can arise if organisations don’t take care to manage information as a complex and valuable asset. The term refers to Joe Duffy, a talk radio host on Irish radio. Joe enjoys taking the side of the common man, usually. Occasionally he makes a jape of not getting the point, whether by accident or design we may never know. But organisations who fall foul of the “Joe Duffy Effect” can find themselves fighting rear guard actions against an often intractable foe.

    Last week Joe spoke with Jacob, a South African living in Ireland who had received a pre-recorded voicemail to his phone from Michael Martin. Jacob’s tale can be heard in Technicolour on the RTE website.

    From the call we glean that:

    1. A voicemail was received by Jacob on the 9th of February with a pre-recorded message (which Jacob played)
    2. He has apparently received SMS messages from Fianna Fail with calls for volunteering and campaigning.
    3. He is not a member of Fianna Fail
    4. He has not asked for Fianna Fail to contact him and does not know where they got his number.
    5. The mobile in question is used as an internal work mobile and is not listed. His number is only listed with the Road Safety Authority.

    In the broadcast Joe tells Jacob that we live in a democracy.

    Correct. We live in a democracy. Specifically we live in democracy where we have decided that the Right to Privacy, while not absolute, is a right that must be defended. Just because we are a democracy it does not give politicians an automatic carte blanche to process data regardless of where or how it has been obtained. These rights to privacy are enshrined in law, in the Constitution and in EU Treaty obligations. Yes, there are balances, mitigations and exemptions with respect to how that right is exercised and protected – but it is still a democratic right of the individual.

    During the course of the call, a comment from Fianna Fail was read out saying that they didn’t have Jacob’s number. That is at odds with the evidence – to whit: one recording. And if I’ve learned one thing from watching CSI is that evidence trumps counter claim every day.

    So, what is the Data Protection issue here:

    • Fair Obtaining – Jacob is not a member of the party and was not aware of how his number came to be called and texted. Granted his phone seems to be for work purposes, but the electronic Privacy regulations apply to business as well as personal data. Also, while he may use the phone for work purposes a big question to ask here is who is paying the bill – him, or a company. If he pays the bill the phone may actually be a personal phone used for business purposes (Sole Trader data is a tricky area in Data Protection land).
    • Governance and control of data and/or data processors – Fianna Fail claimed not to have Jacob’s number. The fact that a Fianna Fail party message was left by voicemail and various SMS messages were sent to him suggests that they do. Or if not them then someone working on their behalf. Under the Data Protection Acts, the Data Controller is responsible for the actions of the Data Processor unless the Data Processor acts outside the parameters of the formal contract in writing that governs the Data Controller/Data Processor relationship. So… while it may be true that FF HQ don’t have Jabob’s number, someone processing data on behalf of Fianna Fail does. Fianna Fail not knowing whether or not they had the data suggests a weakness in internal control and governance.
    • Accuracy – Joe D. suggested to Jacob that maybe the messages were being sent because of a wrong number. Personal data needs to be kept accurate and up to date. FF should have taken steps to correct the error rather than denying that they have the data. Ultimately FF carry the can for the actions of the Data Processor.

    Of course, there is the distinction to be made between normal “direct marketing” and the processing of personal data by a candidate for elected office. Basically during an election personal data is “fair game” for politicians, provided they have obtained it correctly first and have clear consents for contact. Which puts the discussion of “auto dialling” or “power dialling” on the table. According to the Data Protection Commissioner’s website:

    The use of automatic dialling machines, to call individual subscribers at random for direct marketing purposes, is prohibited, unless subscribers’ consent has been obtained in advance.  Unsolicited fax messages to individual subscribers are likewise prohibited.

    That is why it is important to know who the “subscriber” is to Jacob’s phone. If it is a limited company or similar legal entity, then it is not a call to an “individual” subscriber. If it is his phone or he is a sole trader or part of a partnership, then it is possible that he is an “individual subscriber” and as such the use of an autodialler to RANDOMLY call numbers for direct marketing would be illegal. Dialling from a preloaded list is OK. So long as the list has been fairly obtained and takes into account NDD Opt-out requests etc. And then there is the grey area of the Political exemptions from the Data Protection Acts.

    The DPC has issued guidelines to all political parties before the election. My sense is that these guidelines may have been breached in this case.

    During previous election campaigns, the Commissioner received numerous complaints from individuals in receipt of unsolicited SMS (text) messages, emails and phone calls from political parties and candidates for election.  In many cases, the individual had no previous contact with the political party or candidate and was concerned at the manner in which their details were sourced.  Subsequent investigations revealed that contact details were obtained from sources such as sports clubs, friends, colleagues and schools.  Obtaining personal data in such   circumstances would constitute a breach of the Data Protection Acts, as there would be no consent from the individual for their details to be obtained and used in this way.

    So.. Fianna Fail need to know where their Data Processors are getting their data from. The evidence says they have Jacob’s phone (and who knows who elses’) but don’t know they have Jacob’s phone. That suggests that the Data Controller is not in Control of the Data. Which is a problem in and of itself.

    Fine Gael are not the only Data protection flaunters in this election. Fianna Fail have had their moments too. The Green Party STILL don’t have a Privacy statement. And I’m sure the others have slipped up along the way as well. But that is a discussion for another day.

  • There is oft a slip twixt tweet and twolicy

    This blog post is basically the text of an audioboo I recorded at 9:30 this morning which has disappeared into the ether ne’er to be found.

    Fine Gael have launched their “Twolicy Page”. I won’t comment on the hideous neologistic portmanteau that is “Twolicy”, other than to say it that seems to have been dreamed up by a pat.

    What strikes me about the “Twolicy” page is that it is yet another import of an American election campaign tool into Irish Politics, particularly with the concept of the “E-Canvasser”. Fine Gael dynamically tell us that the E-Canvasser (perhaps some distant cousin of the “Cyber Reporter” who has emerged as the colour piece of the day on certain Irish current affairs shows?) will

    knock on all cyber doors by delving into the depths of Facebook, Twitter, Youtube, Flickr and more! Through the simple medium of sending e-mails, facebooking and tweeting messages of support for Fine Gael you can pledge your commitment to fixing the Irish economy.”

    This is a strategy which exists to some extent in Irish politics even today. Many of the letters to Madame Editor are crafted examples of “Astroturfing” – something that appears to be a grass roots movement but is not. I first became aware of the concept back in 2002 when I spotted the Republican Party in the US running “GOPTeamLeader.com” (which, thanks to the interweb waybackmachine I can bring to you in hideous technicolour). Basically the party recruits a team of volunteers who are tasked with sending “on-message” communications to the media (which in 2001 was the newspapers, TV, and radio). In return, the GOP provided a set of reward points (like Green Shield Stamps) which could be saved up and exchanged for rewards such as barbecues, autographed photographs of the Reichsfuerher candidate, and (if memory serves me correctly, an RV.

    Fine Gael liken this to door to door canvassing. However that analogy does not hold true because the Internet is not a housing estate or public street. Drop a bus load of eager canvassers on my door step and they will be able to

    1. See my house
    2. See my neighbours’ houses

    They will not need to ask my neighbour to throw leaflets over my back wall. They will see the big sign in my hall window warning them of the fate that will befall them should they ring the bell and seek discourse (“Warning – political nut lives here”). And most of them are clued in enough to know that the “no canvassers” sticker in the window means that stuffing my letter box with bumph will just be providing stimulus to the paper recycling industry.

    The Internet is different. Social media is different. Whoring out your personal contact list to a political party is different. And because it is different, we find ourselves to an extent in uncharted territory with regard to the Data Protection implications of Social Media driven Astroturfing.

    Right now I have a contact list of 413 followers on Twitter for my personal account. I have a second twitter account that is for my business. People who follow me know (from my profile and what I tweet about) that I’m a Data nut and I do data protection and information quality training so content about those things will pop up in my timeline. People who follow me also know I’m a bit of a politics geek and enjoy holding our leaders to account. But I try and keep my business tweeting separate from my personal tweeting. And when I whore myself out too much on Twitter, I get friendly DMs from people or I get unfollowed.

    This is because the contact details of my friends are information I have gathered for domestic purposes. As such the Data Protection Acts don’t apply. If I was to sign up to be an e-Canvasser (and I can’t get the image of a canvasser handing out bags of yokes out of my head) we would then face the question of whether I was still processing that data for Domestic use or whether I had become a Data Processor working on behalf of Fine Gael, a Data Controller.

    The key question would seem to be how much control Fine Gael are exerting over the content and communication from their e-Canvasser Astroturfers, and whether they are offering any form of reward or incentive for people to encourage them to pimp out their domestic contact lists.

    If Fine Gael are simply being “passive” and are relying on individuals to act on content that is made available, then there is probably no substantial issue here. It is a case of a person finding content on the web that they think would be of interest to their personal network. We do this every day. It is the way the social web works. Of course, that then raises the question of why they would need you to sign up to their team for this purpose… surely the type of political nut blogger who would retweet or repost their bumph would do so anyway without having to be officially flagged as an “E-Canvasser”?

    If Fine Gael are being “neutral” and are simply flagging content to people who have signed up and asking them to do what they see fit with it, then this too is probably OK. The analogy would be the charity that Tweets out a fundraising message and asks their followers to retweet it to send the fundraising virally. The charity has not asked you to commit to being an active fundraiser on their behalf.

    However, if Fine Gael are specifying specific content into specific constituencies at specific times and are exercising control over the content of the messages that are being sent, then we are into a potentially problematic area.

    The e-Canvasser would not on the Fine Gael payroll. But they would be, in effect, processing personal data on behalf of Fine Gael as part of the “Fine Gael Team”. It would be interesting to find out how much direct “editorial” control that FG are placing on the Facebook Statuses that people are “donating” (and where does this fit in SIPO? What is the monetary value of a person’s Facebook status?) or the emails to “family and friends”. This is personal data that was given to them for a domestic purpose, not for the purposes of canvassing for Fine Gael. Once they commence a “active” canvassing then the use of the data has likely changed from “domestic” to political and the Data Protection Acts would apply. If Fine Gael are directing the timing of messages, the content of messages, and/or the audiences for messages then the e-Canvasser is being directed in their processing by the Data Controller, Fine Gael. And, as Data Controller, Fine Gael would need to ensure that there was clarity about the new political use of the personal data and a clear mechanism for the Data Subject (the canvasser’s family and friends) to opt-out would need to be in place – and FG would, of necessity, need to push this responsibility down to the Canvasser.

    Otherwise, FG would not have obtained the data fairly for the purposes of electoral canvassing. It would be no different than if they had asked the local GAA club to email all their members to let them know about Fine Gael’s new policy on tax relief on sliotars and faceguards for hurlers. And that is the kind of thing that the Data Protection Commissioner has already warned against.

    Things become an order of magnitude more complicated if Fine Gael are running any kind of incentive scheme for e-Canvassers to drive up the publication of their AstroTurf message.

    Of course, Fine Gael have probably thought this through and will have the necessary protocols in place to ensure that there is a mechanism for a Canvasser’s friends to opt out of receiving Fine Gael campaign materials by email, Facebook or Twitter. They have probably realised that people have the same reaction to junk mail on-line as they do at their door step and need to have the ability to put up an on-line “No Canvassers” sign.

    Currently the only opt-out mechanism I can see is to unfriend people, unfollow them or block them. Which is exactly what I would do in the physical world if a friend of mine kept ramming leaflets and policy statements from a political party into my face.

    Of course, in the absence of such an opt-out facility, Fine Gael (as Data Controller) and the e-Canvasser (as Data Processor) would need to be cautious of falling foul of SI526 2008 (the e-Privacy regulations) which carry a fine of €5000 per breach, capped at €50,000 for an individual. While Twitter and Facebook might not be mentioned in the legislation, email is in section 13(1).

    b) A person shall not use or cause to be used any publicly available electronic communications service to send an unsolicited communication for the purpose of direct marketing by means of electronic mail, to a subscriber, who is a natural person, unless the person has been notified by that subscriber that for the time being he or she consents to the receipt of such a communication. 

    [edit to clarify some points raised by @tjmcintyre]

    Now, the DPC has ruled in the past that there is an exemption covering the Direct Mail (including email and texting)

    carried out in the course of political activities by a political party or its members, or by a candidate for election to, or a holder of, elective political office

    Question: is the eCanvasser the political party (I would argue yes if FG are exerting sufficient control that they would become a Data Controller)? In which case, the processing is possibly covered.

    But I would suggest that this exemption assumes that the email or tweet would be clearly coming from Xyz@partyname.ie or an individual clearly identifying themselves as a member of the party or publicly known to be a candidate for election or an elected official. Getting an email from “yourbestmate@gmail.com’ telling you to go and look at Fine Gael policies, where that email has been sent on the instruction of and under the Control of the party or candidate would seem to me to fall outside the scope of issues already decided.

    [/edit]

    So, the upshot is that while physical world canvassers have to be careful of yappy dogs, cats that bite and political nuts who have hard questions, eCanvassers need to consider both the social acceptability and potential legality of pimping out their personal contact lists on behalf of a political party. Such tactics are de rigeur in the US. But the US does not operate with the same privacy legislation as Ireland, so ideas imported from overseas must be vetted properly to ensure that no Compliance risks arise.

    I would be interested to see what the Data Protection Commissioner’s response to or advice on formal ecanvassing that places the data at arms length but creates a de facto Data Processor/Data Controller relationship would be, particularly if that relationship is not obvious to the recipient of the email or tweet. [update] Perhaps it would be sufficient for the emailer or tweeter to clearly flag that they are part of a formal eCanvassing team acting on behalf of and under the instruction of Fine Gael?[/update]

    [update] But the issue of whether the change of use of the data from domestic to overtly political will, in my personal view, give rise to questions of whether the data has been obtained fairly for that new purpose, which is a point already clearly settled in the mind of the DPC.[/update]

     

     

  • If you’re going to wave a sword, know where the pointy bit is

    Over the weekend two Irish newspapers (Irish Examiner and Sunday Tribune) reported that one of our leading Trade Unions had filed a complaint with the Data Protection Commissioner on behalf of staff who had received letters by courier from their employer with whom they are engaged in an industrial relations dispute.

    While I’m all in favour of seeing discussion and comment on the Data Protection Acts in Irish media, I am dismayed to see poorly explained use of the legislation and am concerned that this might be a precedent setting strategy that results in nonsensical and vexatious complaints diverting the already limited resources of the Data Protection Commissioner’s Office (only 20 people) away from dealing with the many real and valid complaints and queries they get each day.

    Yes, Aer Lingus have duties to their employees under the Data Protection Acts to keep their data safe and secure, to only process it for specific stated purposes, and to only process data in a way or quantity that is relevant and not excessive to the stated purposes. However the Data Protection Acts do NOT prevent employers engaging in legitimate communication with staff members using legitimate 3rd party Data Processors to do so, so long as there are appropriate controls in place and the original intent to engage in that communication is consistent with the purposes for which the personal data was originally provided to the employer.

    From the media coverage, it appears that IMPACT’s position is that employers can’t write to their staff because personal data is shared with 3rd parties (in this case a courier company but it could just as easily be An Post).

    IMPACT may have grounds for a complaint if Aer Lingus specifically targeted the communication to members of the Trade Union using information contained in the HR or payroll systems of Aer Lingus (e.g. deduction of trade union dues at source). This issue was specifically addressed by the Commissioner in relation to attempts by the Dept of Education to deduct pay from teachers who took industrial action based on the fact that the Dept was processing a payroll deduction at source facility. However, Aer Lingus appear to have used the fact that the staff member is not on the payroll (i.e. is not being paid) as the trigger for the letter, this issue may not arise.

    The Union may have grounds for proposing that by sending a batch of letters out to individuals at a time of industrial strife, the courier company could deduce that the addressees were Trade Union members. But, in that context, it must be suggested that Aer Lingus should have appropriate contract terms with the courier company regarding security and unauthorised secondary processing (e.g. making a list) (I’ve written about this on my company’s website today). In addition, if Aer Lingus are sending letters to staff in relation to their work schedules and their contracts of employment they could probably be able to rely on lawful processing conditions under Section 2a and Section 2b of the Data Protection Acts.

    IMPACT may have grounds to argue that there was excessive processing as it seems mobile phone numbers were provided to the Courier company as well. However, Aer Lingus might take the position that that was felt to be a necessary step to ensure delivery of the letters could be made in a timely manner. Again, this might fall under a lawful processing condition under S2a or S2b of the Acts.

    For example, Dell made my mobile number available to the UPS driver who delivered my computer. Likewise they made my mobile number available to the support technician who replaced my keyboard. It all depends on the validity of the purpose and whether a valid Lawful Processing condition can be met. There were lawful processing reasons there in relation to the execution of a contract. Consent was not required (but was asked for).

    What is clear from the media coverage is that:

    1. If you engaging a Data Processor (in this case the Courier) you need to be clear what the minimum necessary information is to achieve your objective and share no more than this. Aer Lingus might argue that the provision of mobile phone numbers was necessary to ensure delivery was made as quickly as possible. The key question to ask is whether the same objective can be met in other ways (for example, would it have been better for Aer Lingus to get the Courier company to report to them on undelivered letters and for Aer Lingus to ring around where delivery was not successful?)
    2. If you are a Data Controller and you are sending letters or otherwise processing personal data during a time of industrial unrest, you should be very clear the purposes for the processing and the specific lawful processing conditions you will be relying on.
    3. If you are a representative body presenting a story to the media or making a complaint you need to be clear what the grounds are for the complaint you are making. Querying the legitimate use of a courier company to send letters and implying threats to the security of staff as a result does a disservice to everyone. Specifically pointing out that the provision of certain data may have been excessive or that the airline had not ensured appropriate security of the data by way of a contract with their Data Processor clearly highlights lack of care or

    Dragging the Data Protection Acts in to the middle of an Industrial Relations dispute should be done with care. To do so without clarity as to the specific nature of the complaint and the specific characteristics of the breach that you suspect will result in a waste of the resources of the Commissioner’s Office and will serve to only compound the half-truths and untruths that abound about the Data Protection law in Ireland.

    Using the Office of the Commissioner as a negotiating tool is disingenuous and does a disservice to the important role that the Commissioner continues to play in the development of compliant and trustworthy practices in Irish commercial life.