The DOBlog

Blog

  • An Open Letter to my Information Quality Peers

    The International Association for Information and Data Quality is dead. I just don’t think they have noticed. Perhaps they have been distracted by the critical success of their IDQS14 conference, an event that I was privileged to have been a sounding board about during planning and which my company provided “hands to the pump” for by way of sponsorship, even though we were never going to be able to attend in person.

    You see, I really cared about IAIDQ. I was a Charter Member. I was present at many of the initial meetings in 2003 and 2004 in London where input from Europeans was being sought about the structure and focus of a “professional body for likeminded people working in information and data quality”.

    I was the Director of Publicity (aka VP Marketing) and, for four great years, I was the face and voice of the Association at public meetings world wide. I identified World Quality Day as an event that IAIDQ could and should mark in the annual calendar as a rallying point for members internationally. I lead the “Voice of the Customer” research conducted in 2006-2007 to identify the core values of the Association, as expressed by the membership. That project involved surveying all members at the time (about 300 world wide) and having coffee and talking with as many members and prospective members as I could get in contact with at conferences or over Skype.

    Customer. Community. Collaboration. Commitment. Continuous Improvement. These where the “5C’s” that the customer wanted at the heart of IAIDQ, and it’s what I and many of the Directors I served with worked hard to try to achieve.

    On top of my Publicity role I jumped in to help out on other areas of the Board where input or resource was lacking. The CRM system that has just been implemented by IAIDQ was identified and prototyped by me back in 2006, but implementation to production in a secure and stable fashion was beyond my skillset at the time. I was one of the original team working on the development of IQCP and personally wrote a number of the questions that are on the exam. Heck, I think I’m responsible for Jim Harris of OCDQBLOG (who did his first podcast with me for IAIDQ many years ago).

    But we have failed.

    Despite having a critically successful event in Virginia this year, an event that my company was proud to be behind because it was conceived as a fun (community) event where people could let their hair down and network (collaboration), and do something that the membership and prospective membership would value and enjoy (customer), I have had to conclude that the IAIDQ is dead, but just doesn’t know it yet.

    (For the avoidance of any doubt – I never held any other role on the IAIDQ Board other than Director of Publicity. I did found and lead the Irish Community of Practice and help to found the UK Community of Practice. But that’s all. )

    My view is based on the following:

    Bizarre Board Decisions

    I’ve learned that the Board of Directors dismissed Joy Medved as Director of Events during the conference, but apparently forgot to tell her until a week later. I know Joy and work with Joy. I know she was incredibly passionate about the IAIDQ and was a strong advocate for a “get the basics right” approach to rebuilding the Association.

    I know Joy had expressed frustration with the direction of the Association and was considering resigning. However, when a volunteer Director puts together an event that gets people saying positive things about the Association for the first time in a long time, any sensible Board would work to keep that volunteer engaged and listen to their concerns. Instead, the IAIDQ Board has chosen to dismiss a Director who has done incredible work rebuilding the relationships between IAIDQ and other professional bodies and conference organisers and who envisioned an event that actually met the promise of the “5C” values of the Association.

    That is just bizarre.

    Equally bizarre is the apparent time lag in informing Joy. First rule of business: when you’ve sacked someone, tell them. It seems like it took the IAIDQ leadership a week to pass the message on to Joy. That stinks from a governance perspective.

    Furthermore, it appears that the IAIDQ Board has decided against engaging in collaboration with other organisations. My experience on the IAIDQ Board and as the founder of their first Community of Practice is that to help develop a foothold in new markets or find new ways to serve audiences, collaboration is necessary. No individual or organisation can do all things themselves.

    A key problem that new entrants in to the data space have is figuring out a career and certification path. That is a key problem that needs to be solved for both individuals and employers. Right now it is not being solved. But it can only be solved through collaboration between professional bodies to educate the market.

    But the IAIDQ seems content to keep building walls. That’s just nuts. As an Information Quality consultant and trainer (heck, I teach an IQCP certification syllabus) I regularly hammer people over the head with Deming’s 14 Points. One of those is the need to remove barriers and instil pride of workmanship. Building up walls and pulling up drawbridges can best be described as “odd” and counter-intuitive in an organisation that is supposed to espouse quality management principles and has “Collaboration” as a key core value.

    It also makes it difficult for IAIDQ to establish a point of presence in new markets. The experience of the Irish and UK CoPs evidences what happens when the IAIDQ’s Board doesn’t engage in collaboration – both Communities relied on collaboration with national informatics societies (Irish Computer Society and British Computer Society) to grow and operate. In both cases engagement from the top was required – basic “diplomacy between Heads of State” if you will. It didn’t happen. Both CoPs died away.

    At one point Ireland accounted for over 10% of the IAIDQ’s world-wide membership (approx. 40 people out of approximately 380 members in 2006/2007). Today, there is at most one paid up member here that I know of.

    I hope the view from the IAIDQ’s Ivory Tower is nice.

     Absence of an IQCP ecosystem

    I am a strong believer in the importance of skills certification for Information Quality. I have been a staunch advocate of IQCP and my company was the first in the world to offer IQCP training. It’s likely that I have personally trained or coached more current IQCP holders than anyone else in the world. However, it has been a constant struggle to get engagement. Key information was out of date or full of errors for over two years, despite the errors being spotted by my clients and fed back.

    To an outsider trying to deal with IQCP, it appears that it appears like it is being run as a mini-fiefdom of a small group of people. That is not sustainable, and it does a disservice to the wonderful work that has been done recently by Dan Myers in particular.

    I was on the Board that initiated the IQCP process. At that time the strategy was that IAIDQ would create an ecosystem within which trainers and content developers could contribute to the body of knowledge and grow the certification. That was a strategy I could get behind and sell as Director of Publicity because it aligned with the 5Cs of the core values.

    It hasn’t happened. IQCP has failed to reach critical mass. But the same levers keep being pulled hoping for a different result.

    No consistent product delivery in nearly 2 years

    A core product of IAIDQ membership is advertised as being the Journal (originally a newsletter issued monthly it became a Journal issued quarterly). From 2005 to 2010 I was among the most frequent contributor of articles to the IAIDQ Newsletter/Journal. I was proud to contribute and it helped me stretch my thinking in the Information Quality space.

    Since 2011 the Journal has appeared four times – twice in 2012, once in 2013 and once in 2014. I volunteered time from myself and one of the team in my business to look at what could be done with the tonnes of content that apparently had been submitted. Like Old Mother Hubbard we found the cupboard to be bare. Not enough content existed to produce an edition.

    An Association that cannot consistently produce a single core product has a problem. Where there is an absence of volunteered content, and an absence of volunteers to package and produce the core product, then there is a problem. And the problem is not one of grand vision. It’s one of basic operations. And the answer to a problem like that is not to leap into something new and hope that that reinflates the passions of volunteers to crank out the goods.

    No Volunteers

    The IAIDQ is failing most of all because it cannot attract or retain volunteers. This has been an issue since 2006/2007at least. I have personally had volunteers who were working with me on Publicity activities when I was a Director walk away because of the conduct of other officers of the Association towards them. Apparently, it hasn’t improved. Those officers are still around, but the volunteers aren’t.

    The lack of volunteers is not unique to IAIDQ. It is a common issue across the not-for-profit/voluntary sector. However, the consensus is that the approach to addressing that is to work the values and, in true quality management fashion, focus on the most important needs of your customers. That’s why IDQS14 was a great opportunity to reboot the Association. IAIDQ’s customers want to have fun and a sense of community because the day job is just so darned stressful. It’s an opportunity missed, I fear.

    Volunteers don’t rally around a vague future strategy, and a strategy does not arise from talking within a sub-set of the leadership group about what might be done. Volunteers need something they can emote with, that taps into their intrinsic motivation to contribute, and pushes them to find the extra hours in their busy days to write articles, phone sponsors, travel to meetings, run a website, co-ordinate events,  sit on conference calls, and generally all the stuff that needs to be done to do the business of an Association.

    One thing I’ve learned running my own business is that not-for-profits are in a perpetual state of “startup” – and that’s where clarity of vision, clarity of values, and prioritisation around the resources you have is essential. If you can’t answer the question “Who will do that?” with a name that is actually on-board to do that thing, it’s not going to get done!

    For many years, I was that name. I was so passionate about IAIDQ that I tapped my insomnia, and my personal finances in some cases, to get things done for the Association, to design marketing materials, man stands, and communicate constantly the core values of the Association to try and attract like minded people. IAIDQ no longer has that pool of people. But it’s not because those people don’t exist. I meet them on twitter and at events all the time. I count some people I’ve never met as friends in the data community. But the IAIDQ is not engaging those passions any more. High-brow dreams of a future method of operating will remain just that. Just like the 80% of startups that fail because they lack the means to execute and the clarity of vision to know what to kill off.

    In March I was asked if I’d be manning an IAIDQ booth at a conference in London. I said no. For the first time in a decade. The passion to contribute is gone. Because the organisation has turned insular. And nobody says “thank you” any more.

    Group Think

    Worst of all I believe the Association has fallen foul of Group Think. Over the years, as a Director and then as a passionate volunteer, and most recently as a candidate for the Presidency, I’ve presented evidence of negative market sentiment, stagnant membership numbers, and the opportunities for expansion through collaboration. As Director Publicity/VP Marketing I took it on as part of my role to challenge decisions at the Board level on whether they aligned with the “5 Cs” of the core values. I was an argumentative little prick, but always accepted the final Board decision once the debate was had.

    But over the years, debate has become more and more the sound of one voice. Increasingly I have found the Board dismissive of evidence and filling in optimistic assumptions where hard assed reality is required. It reminds me of the joke about how the economist was rescued from the desert island: “first assume the existence of a lifeboat”.

    Last year I submitted my candidacy for President, after nearly five years of being asked by various members of the Board and various advisors to the Association and declining it because I had other priorities and wanted to avoid any implication that I’d spent four years as Director of Publicity just to be President. Don’t get me wrong, I feel that the Presidency of the Association as a great honour and a crucially important role. Which is why I didn’t want to take it on at a time when I couldn’t give it 100%.

    Last year I felt it was then or never. I assessed the situation of the Association and submitted a high level strategic plan to address the issues that people I’d connected with in the community had raised with me, often in hushed tones as if they were afraid to speak truth to power.

    The Board, many of whose members had personally called me and quite literally begged me to self-nominate, ultimately voted against my candidacy. I accepted their decision, and still do. But I cannot respect it any longer.

    I firmly believe that the Board ultimately dismissed Joy Medved because she took on my role on the Board of argumentative pricker of consciences, the devil’s advocate against group think and Pollyanna-ish assumptions. She ran an event that was a critical success, one that I and my company were proud to be associated with, and which ticked all the boxes for alignment with the original core values of the Association.

    The Group Thinkers will attempt to rationalise their decision from a number of directions and I fully expect attempts at character assassination (because that was done to me), but as an outsider with experience on the inside it looks very much like vested interests took an axe to the legs of a volunteer whose approach to delivering value to the customer was making them uncomfortable – because it was working, and because she wanted to push others to work hard on delivering core services and core values.

    The Future

    I fully expect the IAIDQ Board to continue to pursue a vague and uncertain strategic plan, one that assume the existence of volunteers who give a damn. But I don’t hold out hope for the future of the Association. Its heart is gone. Its values, defined by the many, have been cast aside because they have become inconvenient to a few.

    From our founding vision of an International community of like-minded people who were passionate about Information and Data Quality, I fear that the IAIDQ has been hollowed out to a US-centric vipers’ nest of vested interests that has turned its back on its customers as it chases its tail, blissfully happy in the ignorance of how the world of professional associations has moved or how its actions towards volunteers, supporters, and others makes it look.

    Commercially, my company will continue to provide training in IQCP to clients who request it or to whom we are currently committed, but we will be looking to the market for an alternative as soon as possible as we cannot rely on a certification provider who will likely not exist in 12 month’s time.

    The idealist me of 2004 who signed on to help found IAIDQ hopes I’m wrong about the present and the future of IAIDQ and that, in this 10th anniversary year something will change. But the realistic me of 2014 fears I’m not.

    To paraphrase the sci fi character Dr Who: “Does the IAIDQ look tired to you?”

    Update: What can be done?

    A trusted advisor suggested I make this read less like a rant (which I didn’t intend it to be) and more like constructive criticism by putting on my consultant’s hat and making some suggestions for improvement.

    Looking at IAIDQ as a consultant, I would make the following recommendations:

    Do this:

    1. Clearly and publicly define who your customer is and what the most important needs are of that customer that the Association is going to meet – and HOW.
    2. Tailor ambition to capability, at least until such time as core value proposition elements are stable and the customer can see clear value in being associated with IAIDQ.
      • Ensure that there is a value proposition for members, something that they can see is worth their dollars/euros/zloti
      • Make sure that deliverables happen regularly and as promised. Agile methods might be appropriate, but waiting for perfection in all things is worse than delivering a “beta”.
    3. Create a simple vision of the future that people can get behind. And COMMUNICATE IT
    4. Build bridges with other organisations. Lots of bridges. That is a collaboration and community strategy that aligns with the principles espoused by Deming, Juran, and other pioneers in Quality.
    5. Develop a habit and practice of ‘inclusivity and reward’, where volunteers and contributors can feel that their voice is heard and their contributions are valued.
    6. Give careful consideration to the meaning of the word “International” in the Association’s name. Use it or lose it.

    Don’t do this:

    1. Craft a master plan strategy for the future without being clear on what distinct need you are serving.
    2. Define a vision and a plan for the future that ends with “and then we will have the volunteers come on board to do this”. Lots of non-profits make that mistake.
    3. Overestimate your capacity for delivery and capability for change, based on an assumption that volunteers will appear. Assume they won’t and work from there.
    4. Attempt to deliver an all encompassing “one-size-fits-all” offering without having robust alliances in place

    These are basically the 10 things I’ve been saying for a number of years as a Director, volunteer, and member of the IAIDQ.

    They apply to that body, but they are universally applicable to all professional membership organisations that rely on volunteers to deliver the goods. Hopefully someone will read this and learn from it. It might even be the IAIDQ.

     

  • Adequate, Relevant, Not Excessive

    For the last number of weeks we have been told by the Government and by Irish Water that PPS numbers are required by Irish Water for the purposes of validating entitlement to allowances. We have been told that not providing the information will result in people not being able to have their water bills reduced by the credit amounts. The invasiveness of the request for data, particularly data about children, by a private company (albeit one operating to provide a public utility service) has sparked much concern and discussion. I think it has, in no small way, helped make Data Protection issues more relevant and personal for the citizen.

    This morning we are told that the budget announcement will include the introduction of a tax credit for low and middle income earners for their water. This will be in addition to the existing household water allowances. Other provisions are mooted on the social welfare side of the fence to alleviate financial impact on lower income families.

    So. The Government is proposing using the Revenue systems and the Social Welfare systems to implement a system where by the cost of water services provided by a utility company. Which raises the question: if the Government can achieve this objective through the existing Revenue and Social Protection systems, which do not require PPSN data to be shared with a private company (notwithstanding the existence of legislation to allow it to be done), what does this mean for the necessity and proportionality of existing provisions that do require this to be done, in processes that exist to achieve broadly the same objective (reduction of cost to households of water service charges)?

    Three weeks ago I asked this question in relation to the current system of allowances: could the same goal have been achieved through different means that did not require a private company to process PPSN data? I blogged about it here and set out a high level alternative approach.

    Assuming the mechanism that is used to implement the proposed budget changes is broadly in line with the structure I outlined, the question must be asked now what is necessary and not excessive about the processing of PPSN data by Irish Water if a broadly similar impact on the household bottom line can be delivered in the Budget through existing public sector processes/systems?

    I’m sure there is a clear and compelling difference I’m missing that makes the PPSN relevant and not excessive for the objectives of Irish Water.

    <update><update 2 – tweaked again to correctly reflect a nuance in DRI v Ireland>

    One of my erudite and learned colleagues has pointed out that the European Court of Justice recently reiterated the critical nature of the proportionality, relevance, necessity, and not excessive elements of data processing, even where there is a bit of a law that, on the face of it, allows the processing. The CJEU held in Digital Rights v Ireland that, even where there is a statutory basis, processing of personal data must be done in a manner that is proportionate to the need, relevant to the objective, necessary for achieving that objective, and not excessive to achieving that objective – basically the key tests under Article 8 of the European Charter of Fundamental Rights that we all signed up to under the Lisbon Treaty.

    What this means is that where a less intrusive option might exist that can achieve the same goal, the relative impact on privacy must be assessed and the measures taken cannot go beyond what is required to achieve those objectives (see paragraph 46 of the CJEU ruling in Digital Rights v Ireland). And that assessment of proportionality needs to take into account the appropriateness and existence of safeguards where “personal data are subjected to automatic processing and where there is a significant risk of unlawful access to those data” (to quote from paragraph 55 of the CJEU ruling).

    The CJEU struck down an entire Directive on that basis. Given that the State appears able to introduce additional tax credits in the budget, it would suggest that a less intrusive option does exist, and did exist at the time the data processing for Irish Water was being devised. Absent a very compelling reason why this is different, or why the processing of PPSN by Irish Water is proportionate to the objective of reducing cost to households (and it would probably have to be good enough to get past the CJEU, who struck down a Directive because those supporting the action didn’t have their homework done) the alternative option might indeed need to be adopted.

    The upshot: The Government needs to have clarity in their homework as to why Irish Water is processing PPSN data versus it being handled via the Social Welfare and taxation systems. That clarity has, thus far, not been entirely forthcoming. And the clarity needs to show why it is proportionate, relevant, and not excessive to do it the way it is being done.

    (I knew all that of course but didn’t want to bore people with too much detailed law talking).

    </update></update 2>

  • Irish Water: Quality by Design

    Irish Water: Quality by Design

    Having failed the Privacy by Design Test, Irish Water have lurched into one of my other specialist areas today, Information Quality. This story in the Irish Times http://www.irishtimes.com/news/environment/some-householders-having-trouble-reading-water-meters-1.1959841 relates to the quality of information presentation in the design of some of the meters used by Irish Water. It also relates to data quality characteristics such as adequacy, precision, and accuracy, and how Irish Water don’t seem to be able to grasp the customer perspective.

    Some back ground information for people first:

    Information Quality Management is the application of quality management principles to the management of information. It’s what I do. I’ve done it for longer than I’ve done Data Protection. I consider data protection compliance to be a component of or a subset of Information Quality.

    The key determinant of quality is, in all cases, the customer. Danette McGilvray (a very good friend of mine and mentor, and one of the pioneers in the field of information quality) defines “Quality Information” as information that is fit for any or all required purposes. Dr Tom Redman (who lead the Data Quality labs in Bell Telecom in the 1980s and was one of my first mentors in the field, and who now guest lectures in UCC and the IMI) defines data as being of good quality if they are “fit for their intended uses in operations, decision making, and planning”. Larry English (another mentor of mine early in my career, and who I had the honour of hosting at a conference in Dublin a few years ago) stressed the importance of the “product specification” for information, particularly in the context of the process goals or objectives for an employee or customer.

    So… data is of good quality if it can be used. That quality is a product of design.

    Irish Water have implemented a number of processes and policies that call for the consumer to be able to have an accurate reading of their water consumption. As the water consumption is billed in litres, allowances are provided in litres, and bills will be a calculation of litres consumed minus allowances times the price per litre, consumers would reasonably be assumed to have a reasonable expectation that they might read their bill in litres.

    Given that, if you have a leak, you want to find it quickly before it floods out and costs you money, it’s only reasonable that consumers would be able to read their meters in litres. This is particularly the case given that Irish Water were telling people that that’s the way to check for leaks

    Given that ever other meter that is attached to a home (gas meter, electricity meter) allows people to see their consumption from the smallest unit so that issues of leaks or over consumption (the infamous electric immersion heater) can be quickly identified, it’s a reasonable paradigm to replicate and give consumers the same user experience.

    But no. Irish Water has installed meters that obscure part of the meter dials so that the micro-level (hundreds, tens and ones) are obscured.  It’s like giving you a lovely big telly and hiding one edge behind the curtains.

    Irish Water argues that it’s all OK because the measurement in cubic meters of water and that is enough for an accurate meter reading. A cubic meter being 1000 litres. Or EUR5. Or 1.8% of the annual bill for an “average” family. Or a waste of 999 litres of water when a leak could be detected earlier by watching the red numbers spin around like the electricity meter when the immersion is on.

    Irish Water argues that the meters in question comply with an EU standard. Standards are a minimum, and they are also technical standards. The objective of quality is to meet or exceed the customer’s expectation.

    The customer wants to be able to find if they have a leak anywhere quickly, because 999 litres of water can do a heck of a lot of damage, even if the cost is only EUR5. The customer wants to have some transparency on their consumption. The customer wants to have sufficiently granular and timely information that they can make quick decisions about their water consumption patterns.

    Therefore, from the perspective of the customer, a blocked meter dial that prevents them spotting a problem until the 1000th litre rolls down the drain, is as useful as a chocolate teapot and does not provide quality information.

    Irish Water’s defence of themselves relies on a standard that is actually a technical engineering standard for meters, in the same way as the calibration of the fuel pump in your local petrol station is done to a standard. But if your petrol station owner obscures the screen on the pump so you can’t see how much fuel you’ve pumped into your car, that still leaves you with a data quality and customer service problem.

    Irish Water has meters some of which are obscured. But all of them are outside, where the cold lives, and all of them need a cover to be levered off and then for the little numbers on the dial to be visible. A challenge for able bodied people in their thirties, but doubtless a nightmare for the infirm or elderly. The customer experience does not appear to have been considered.

    From the perspective of the end customer, the bill payer, a meter that has obscured digits is not fit for purpose. The information it produces is not accurate enough for operations or decision making in that household. It’s crappy data quality and yet more case study material of how customer focus is essential in quality management and compliance. A meter that is outside, where the cold lives, requiring tools and effort to get at, and which can only be read accurately by a remote sensor device in a van, was never intended to be read by customers, was it.

  • Washing the Defectives

    Washing the Defectives

    I’m away places foreign at the moment, delivering a keynote on data protection and data governance stuff in an EU country where everyone was shocked and horrified to hear what a cack handed job of Data Protection compliance Irish Water was making.

    I was hoping to leave Irish Water alone. But they’ve apparently gone and done another SideShow Bob on it and trodden on yet another Data Protection compliance rake.

    So. We now have covert surveillance by a company. I’m sure that’s something that the DPC has had some thoughts on in the past. But before we do that, we need to distinguish between recordings by the police, or revenue/customs authorities and recordings by private individuals or companies. The distinction is simple: the police can process data (i.e. record) where the processing is necessary for the prevention, detection, investigation, or prosecution of an offence. Their law enforcement function gives them a little lee way around things like fair processing notices etc (it defeats the purpose of a police covert surveillance operation if they have to have a big, visible sign and flashing lights).

    With regard to other forms of CCTV recording, the Gardai have produced this helpful document for people who are installing CCTV systems. It’s not as helpful as it might seem at first as its focus is on ensuring that the recordings are admissible in court as evidence and it spends a lot of time on the rules of evidence for CCTV in court. It fails to mention that CCTV recording constitutes processing under the Data Protection Acts and, therefore, requires that the Eight Principles of the Data Protection Acts be complied with by anyone who is not a member of a law enforcement agency in the State. The Data Protection Commissioner’s Guidance on CCTV can be found here.

    Use of recordings, particularly covert recordings, is a very tricky and complex area to get right from a Data Protection point of view as you are balancing competing rights.

    1. The data must be obtained fairly
    2. It must be obtained for a specified and lawful purpose
    3. It cannot be used for a purpose that is not compatible
    4. It must be kept safe and secure
    5. It should be kept accurate, complete, and up to date
    6. It must be adequate, relevant, and not excessive (i.e. proportionate to the purpose)
    7. it should be retained for no longer than necessary for the purpose
    8. Data subjects have a right of access

    Fair Obtaining/Processing/Not incompatible use

    Where covert CCTV is installed by an organisation to investigate a specific instance of an offence, then the DPC has historically taken the view that this is reasonable, but only if it does not infringe on the rights of people who are not committing that offence. Given that peaceful protest is not an offence, covert recording is excessive unless there is an offence being committed, but a public CCTV system with appropriate Fair Processing notice and statement of recording and the purposes for that recording would be OK . The relevant case study from the DPC is here. – note it is filed under both CCTV and “Fair Obtaining”.

    The DPC picked up the thread again in 2009 with a complaint about covert CCTV filed against Westwood Fitness. Again the issue for the DPC was the fairness and transparency of the processing. Specifically they stated that:

    any monitoring must be a proportionate response by an employer to the risk he or she faces taking into account the legitimate privacy and other interests [of others]

    and thatthe

    in terms of meeting transparency requirements, staff must be informed of the existence of the CCTV surveillance and also of the purposes for which personal data are to be processed by CCTV systems.

    In the Westwood case, Westwood stood down their CCTV, terminated all staff disciplinary proceedings that were based on CCTV evidence, and were found to have breached the Data Protection Acts.

    If Irish Water are engaging in recording for the purposes of prevention or investigation of criminal activity that might occur, any use AT ALL for any other purpose is incompatible with that, so sharing, distribution etc., except to An Garda Siochana in the course of an investigation, would be unlawful.

    [Update – inserting a statement of the bleedin’ obvious]

    But if An Garda Siochana are already present, for the purposes of preventing crime, detecting its occurrence, and taking action if criminal acts take place, what is the lawful purpose of any recording? CCTV is used in shops because the gardai are not there all the time so need to have some tools to help them track down ne’er-do-wells when a crime occurs as, despite earnest hopes to the contrary, Doctor Who’s blue police box never really made it as a default tool in modern policing.

    So, what is the specific purpose for which Irish Water is engaged in recording, covert or overt, at water meter protests, given that the constabulary are already in attendance?

    [/update]

    Suggestion:

    1. Add a section to the Irish Water Data Protection notice to the effect that “from time to time, in order to help ensure the safety of our installers and contractors,  and for the purposes of preventing and detecting criminal activity, we may use CCTV recording equipment in the vicinity of engineering works on behalf of Irish Water. These recordings will be retained for XX days”.
    2. Don’t use a covert surveillance system disguised as workers. Use a massively visible camera and an audible warning (for the blind among us) that alerts people to the fact of recording. It will either deter criminal acts or lead to one happening. It all depends on how Irish Water handle the escalation.
    3. Don’t act like you are sanctioned and authorised police officers engaging in covert surveillance. Even though there are exemptions for law enforcement under the Data Protection Acts, constitutional privacy rights still apply and even the Gardai are bound by certain rules and protocols on the use of covert video surveillance under the Criminal Justice (Surveillance) Act 2009, not least that a senior officer can only approve surveillance of an individual for 72 hrs for an “arrestable offence”. Revenue published a useful guideline to their interpretation of that legislation in 2010. TJ McIntyre put it here. Of course, if you are standing in a place to which the public has access (i.e. on the road) that means the 2009 Act may not apply even if the Gardai are recording you, but the Data Protection Acts still do!
    4. If there are specific individuals who Irish Water wish to gather evidence against in relation to the commission of offences, then I would suggest filing an appropriate complaint with the Gardai and allowing them to make the decision as to the appropriate approach to evidence gathering and the handling thereof.

    Subject Access Request

    Irish Water should bear in mind that, as Data Controllers, they are subject to subject access requests for information that is recorded by CCTV (whether overt or covert) or by way of photography or audio recording.  The address to write to to make a request is on the Irish Water website (www.water.ie).

    Use of Contractors to take recordings (Data Processors)

    If Irish Water has engaged a firm to engage in covert recording, that firm are a Data Processor. Irish Water will be liable for any unlawful acts of that Data Processor. The recent prosecutions of private investigators for unlawful obtaining of information should be a warning to any organisation engaging 3rd parties to obtain data on individuals through blagging, surveillance, or other means, that the Data Protection Acts apply and are being enforced.

    Irish Water need to ensure that there is a contract in place covering this activity and the means by which the data is being obtained, processed, stored, and retained.

    Retention

    Irish Water need to have a retention period for these recordings. The current “for as long as required by law” response from Irish Water’s customer service team is, frankly, insipid nonsense. The DPA does not specify a period for retention, so you need to nail down either a policy (28 days) or a specific statutory purpose, and exemptions to that (i.e. “or for the duration of a criminal prosecution and related appeals”).

    The Kicker

    Of course (and this is where I will INSTANTLY become unpopular with all the people who’ve been hanging off my earlier missives on Irish Water’s Data Protection woes) ANYONE ELSE who is engaged in recording for anything other than a “domestic purpose” needs to be very careful that they too are not breaching the Data Protection Acts.

    Journalists have a journalistic exemption they can rely on where there is an intent to publish a story. Sean Q Ó Pobail who wants to post the video to Youtube needs to bear in mind that the domestic exemption is not the same as a “non-business” use. A recent case on CCTV has raised these issues and the Advocate General’s opinion (which may or may not be followed by the CJEU) was that video surveillance of others could not be considered exclusively “personal” within the meaning of the Directive, although it could be within the scope of “domestic” processing. However, when that processing extended into a public space, it could not be considered exclusively domestic due to its impact on others, who may wish to protect their privacy. There is a good analysis of that case here.

    So, while Joan Bruton might jump on a minefield by complaining about the smartphones and tablets being used, the people engaging in recording need to be aware that the Data Protection Acts can cut both ways and care should be taken with the use of and disclosure of any images that are recorded.

    Of course, you might be able to argue that the recording by protestors would fall under a “legitimate interests” exemption where they are using the recordings to document the lawfulness of their actions and peaceful nature of their protests. That still can carry with it an obligation to comply with a Subject Access request. If there is an intention to produce a news item for publication (online, on air, in print media) then that would likely be covered by the journalistic exemption under the DPA and all that goes with that.

    But if protestors are intending to use recordings as a tool of intimidation against Irish Water workers (who are, like it or not, simply doing a job to put bread on the table and keep a roof over their heads) or to gather “intel” on Irish Water staff, then complaints about Irish Water recording them ring somewhat hollow.

    If you are publishing, pay attention to the need to protect privacy even in a publication – are you ready to redact faces from videos? Do you know how?

    If you are just recording in an attempt to intimidate… please stop and think how it makes you feel when someone does it to you. Don’t be a hypocritical asshat with an iPhone.

    Suggestion: Protestors engaged in recording also clearly state and communicate their purpose for recording events in the area. Journalists try to identify themselves when covering large public events, if you are a “citizen journalist” don’t hide behind the keyboard – identify yourself as such. If you are engaging in journalism, be a responsible journalist. Balance free speech with respect for privacy. Be a better person for it.

     

    Conclusion

    Both sides here should educate themselves quickly on the issues and risks involved in recording in public places. Both sides need to put in place appropriate protocols to ensure that they are complying with the Data Protection Acts. Covert recording is invasive and disproportionate in most circumstances, and one of the touted benefits of CCTV is not the recording but the deterrent effect of people being aware that recording is happening. If everyone declares their recording, their purposes for recording, and other items necessary for compliance with the DPA, we might at least reach a stage of mutually assured destruction, an audio visual cold war.

    But at least we’ll have some respect for fundamental rights.

  • Irish Water channelling Alec Guinness

    Irish Water channelling Alec Guinness

     

    Irish Water is working hard on Twitter and in other forums to convince itself, if not us, that all is well with regard to their Data Protection policies and procedures.

    In response to questions raised about the retention of data, specifically PPSN data once allowance entitlements are validated and personal data of non-customers, Irish Water have trotted out the standard 140 character line. Their response is essentially a variation on the following:

    Data will be stored in Irish Water, after a customer ceases to be a customer but not longer than is required by law.

    It is that response that has prompted my choice of image for this post. Those of you over the age of 12 will recognise Alec Guinness in one of his most famous mortgage paying roles, Obi Wan Kenobi in the original Star Wars. And why does my brain make this connection?

    These aren’t the droids you’re looking for. You can go about your business. Move along” (waves hand enigmatically)

    Unfortunately for Irish Water many of us are not as feeble minded as an Imperial Storm Trooper in a fictional universe. These Jedi Mind Tricks don’t work. We have a detailed specification for the specific droids we are seeking and we are pretty sure those are they.

    1. What is the specific purpose for the processing and retention of non-customer data by Irish Water? (i.e. why are they processing data about people who are not connected to a public water supply?)
    2. What is the retention period for that data? Why is it being retained? What is the basis for the retention period that has been selected that makes that retention proportionate? Which law are they operating within for their retention period?
    3. What is the retention period that Irish Water are applying to PPSN data provided to them? Why is that data being retained (for what purpose) given that the sole purpose Irish Water has for processing PPSN data is the validation of entitlements, suggesting that once that purpose has been completed the data should be deleted.

    These are simple questions. They should be easy to answer if appropriate efforts were made to conduct Privacy by Design based compliance with the Data Protection Acts.

    Once this grumpy old Storm Trooper gets a coherent and credible answer I’ll gladly move along.

  • Morning Ireland, Irish Water, and Data Protection clarifications

    Elizabeth Arnett of Irish Water was on Morning Ireland this morning. Some good and important clarifications given.

    1. She confirmed PPSN would only be used for the purposes of validating allowance entitlements. That differs from the commentary in yesterday’s Irish Times in the context of landlords and tenants, but clears up the confusion. Irish Water will not be using the PPSN for a purpose not covered in their Data Protection Notice. Therefore, a lot of the concerns I raised yesterday here should prove unfounded as that use is not going to happen and I can only hope and assume that Irish Water have implemented appropriate internal governance to ensure that the temptation to stretch the scope of use of PPSN is resisted. My experience in organisations is that temptation to process data “because we can” is often very difficult to overcome and needs a strong governance culture to push back on rash impulses

    Given that the DPC has expressed concern that there is a lack of clarity in the Data Protection Notice regarding the use of PPSN, it would be worth Irish Water investing time to ensure that the permitted use of PPSN is clearly communicated in the Data Protection notice and clearly reflected in internal policies and governance.

    1. The only 3rd parties that data will be shared with will be contractors delivering services on behalf of Irish Water, or Data Processors in Data Protection terms. There will be no sharing of data for marketing purposes. Again, this is a welcome clarification that should be reflected by appropriate wording in their Data Protection Notice. The wording that is there is reasonably good, but an example of the kind of person or kinds of purpose would help people understand better the processing involved. For example: “Examples of these kinds of 3rd parties would include maintenance engineers who would be provided with customer address and contact information for the purpose of carrying out maintenance on meters or doing ‘first fix free’ repairs for customers, contractors providing IT development or support services or related activities, or contractors providing bill processing or similar services.”)
    2. Ms Arnett clarified that Irish Water would only be engaging in postal marketing by way of bill insert and that this was something that people could opt out of. That is compatible with SI336 and the DPA, but needs to be clarified further in their Data Protection Notice which, as of this morning, still says

      Irish Water and/or authorised agents acting on behalf of Irish Water may wish to contact the customer by text message, email, post, landline or in person about water related products or services which may be of interest to the customer (“Marketing Purpose”).

    Based on the clarification given verbally by Ms Arnett, this should now read:

    Irish Water and/or authorised agents acting on behalf of Irish Water may wish to contact the customer by post about water related products or services which may be of interest to the customer (“Marketing Purpose”).

    These are important clarifications. They should be included in Irish Water’s Data Protection Notice which, while improved, can be improved further.

    However there are a number of points that need to be clarified by Irish Water still. Among those are the following:

    1. What is the retention period that will be applied to PPSN data once allowances are validated? “For as long as permitted by law” is a nonsense as the DPA doesn’t provide a specific retention period (it says “no longer than necessary for the purpose for which the data was obtained”). So either the data is dumped immediately (to comply with the DPA requirement) or it is retained for defined period for a secondary related purpose that is not incompatible with the validation of allowances (the statutory purpose for which Irish Water was permitted to request and process PPSN). Clarification is needed on that point. “For the length of a piece of string” is a platitude not a policy.
    2. What are the purposes for which email, mobile phone, or landline data that might be provided will be used for? For example, is that data needed to contact customers in emergencies? Clarification is important to help restore trust and compliance with the DPA.
    3. The retention period for “non-customer” data should be clarified. Irish Water’s social media team have been stating that it will be retained until such time as the information is verified. Is this an audit process where the data will be clashed against LPT data or Dept of Environment data to identify people who are claiming to be non-customers but are (perhaps through innocent mistake)? If so, that is a purpose for processing of non-customer data that needs to be stated in the Data Protection Notice. If there is no billing purpose, no allowances purpose, and no audit/verification purpose, I am unclear what the purpose for retaining this data is (and would have to ask why money is being spent processing data that has no purpose). It there is a purpose for processing non-customer data, it should be clearly communicated so that such data is obtained and processed fairly for a specified and lawful purpose as required under the DPA.

    There are other questions that I’m sure Irish Water will be able to answer soon as well such as:

    • What happens if you have a birth or a death in your family? How can you update the allowances etc.
    • What happens if you move house? How do you transfer over allowances? How will personal data be kept accurate and up to date in that context?

    It is also worth noting that, since the sixth of September, Irish Water have slowly made steps to improve their communication of Data Processing purposes. Almost a month. Played out in the media. Almost a month, during which time the DPC went from being disengaged to being actively involved. Almost a month in which trust in Irish Water was damaged by inconsistent and incomplete communication. Almost a month for the tip of the iceberg (the Data Protection notice) to begin to be hammered into shape, but clarifications are still required and communication still needs to improve.

    Privacy by Design thinking applied to the life cycle of information (which includes “PLANNING”) could have helped avoid a lot of this. One of the key points of Privacy by Design is it puts the customer at the centre of focus. It also puts Privacy at the Design stage in any initiative… and a month spent in design and in ensuring clarity of process, consistency of communication, and transparency of Data Protection Notice would have been a month well spent by Irish Water.

    [I’m speaking on Data Protection, Data Governance, and Privacy by Design at EDBI in London next month and at IGQIE2014 in Dublin on the 7th of November. Tickets are still available for IGQIE2014 and discounted student rates are available for the morning session.]

  • For Feck’s Sake Irish Water, I’ve got a day job…

    Stopped to take a breather for lunch. Saw this from TJ McIntyre (a man who knows his onions when it comes to Data Protection and Privacy).

    I’ve covered off the issues with the marketing consents for Irish Water on my company site.  The total confusion here effectively makes any implied or explicit consent for marketing open to challenge on the grounds that it was not unambiguous. Irish Water need to step up, stop faffing around, and fix this. It is a total disaster and it is getting in the way of me doing my real job. Also, the consent Irish Water are relying on isn’t Opt-In, its Opt-out.

    I’m not against Water Charges, I’m against what I see as an inevitable waste of 10%-35% of turnover in Irish Water due to poor data quality management, leading to manual work arounds and scrap and rework, and I’m against approaches to obtaining and processing personal data that frankly seem to be oblivious to the national and EU legislation that should be governing that processing.

    I’m against €82.4 million being spent on consultants who don’t seem to know how to approach this kind of project correctly given the gaping issues that exist in a data management context. And I’m against me having to be the paramilitary wing of the Data Protection Commissioner’s office asking key questions in public the day before it all kicks off that should have been addressed in private months ago during the design phase. And I’m against any absence of accountability or stewardship over critical data. That just irks me.

    I’ve got a day job and clients to serve. conferences to prepare keynote presentations and tutorials for, and a conference of my own to run. The mental exercise of analysing Irish Water was fun, but frankly it’s like shooting fish in an over-engineered under-designed barrel at this point.

    So, for all the Irish Water people reading this:

    1. Please come to IGQIE2014 in November. You will learn something you really need to know
    2. Ask you boss if you can hire my company to help you figure this stuff out. We’re pretty good at it. And we’ve got friends who are good at the bits we’re not good on. We will be a rounding error on €82.4 million.
    3. Please try to stop screwing up on your data management and data protection issues quite so publicly because when people ask me about a think I’m wired to look at it and figure it out. They find me on twitter and look to me for answers, and I feel obliged to try to help explain because you are doing such a crappy job of it. This stuff made me trend for Ireland. I hate trending for Ireland.

  • A blatant advert for IGQIE2014

    igqie2014-flyerflyerigqie2014-flyer
    I normally try to keep business and personal blogging separate for a variety of reasons *koff* domestic exemption to DPA *koff* but as this site is getting a lot of hits recently about Irish Water stuff, and as the conference my company is running is DIRECTLY RELEVANT to the subject, I thought I’d post a little snippet about it.

    IGQIE2014 – (Information Governance and Quality Ireland to give it its full title) is an event Castlebridge Associates is running on the 7th of November in the Marker Hotel in Dublin. The day is aimed at connecting the dots between the legal principles of Data Protection and Privacy in the EU and the coal-face challenges of data modelling, information quality, and data governance necessary to achieve compliance and deliver happy customer outcomes.

    In the morning session we have three presentations from:

    • Fergal Crehan – Barrister at Law and expert on EU Data Protection and Privacy law. Fergal has been directly involved in a number of key cases in Ireland and at the CJEU on Data Protection issues.
    • Michael G Morrow: Michael is an expert in Data Modelling. He’s going to be talking about  the need for business engagement in the Data Model design and engineering process.
    • Me – I’m talking Data Governance, Data Protection, Privacy by Design, Privacy Engineering, and Data Engineering. Aim is to link Fergal and Michael’s themes together in something educational.

    In the afternoon we have three of the world’s leading experts on Data Governance, Information Quality, and Information Architecture coming to deliver parallel tutorials.

    Full details can be found on http://igq.ie

    Early bird ticket deals expire TODAY

    Student tickets are available for the Morning only.

    A flyer is attached to this post for you to download and share.

    igqie2014-flyer

  • Reposted: Irish Water, the letter from the DPC, and what it all means

    [On the 24th September I posted this. I’ve updated it to insert relevant updates in other posts in context]

    This evening the Data Protection Commissioner has contacted Irish Water in relation to their processing of personal data. Deputy Roisin Shorthall TD has published a response from the Commissioner’s office on her website to questions she has raised. The response reads as outlined below. I’ve annotated it with an explanation of the key issues raised. Key sentences are highlighted:

    Dear Deputy Shortall,

    I have been asked by the Commissioner Helen Dixon to respond to you on her behalf.

    Thank you for your query in relation to concerns you are hearing about Irish Water’s proposed collection and use of personal data. This Office is concerned to ensure there is clarity on these matters for the 2.2 million prospective customers of Irish Water. Clearly, the obligations under the Data Protection Acts in this regard fall directly on Irish Water as the Data Controller in terms of ensuring they are collecting data in a lawful way and using it for a legitimate stated purpose which they make clear to users of their service. Notwithstanding the obligation on Irish Water, this Office is in on-going contact with them in an effort to ensure they take on board our best-practice advice in this regard.

    [This paragraph confirms that Irish Water is the Data Controller and is subject to the Data Protection Acts.

    One of the fundamental principles of Data Protection under the Acts and the EU Directive is that data should be processed for a specified and lawful purpose. There is a requirement on Data Controllers to be clear with people about what uses their data will be put to. It is Irish Water’s job to make sure that that clarity is there.

    “The DPC is in on-going contact in an effort to ensure they take on board our best-practice advice” basically means that Irish Water has not done things the DPC might have expected and they are engaging with them to try and fix the situation. Under the Data Protection Acts the DPC must always seek an amicable resolution in the first instance. That usually involves a lot of “on-going contact” with organisations that have not quite got what is required of them.

    If the DPC is in “on-going contact” with you to give “best practice advice” you are NOT compliant, you are engaged in an amicable resolution process with the DPC. The only distinction is that the DPC has not yet made a decision that you are not compliant. If an Enforcement Notice issues at all in this instance it will be interesting to see what happens.

    Update: Today I posted this which looked at the apparent lack of a “signed off” movers/leavers process for when people change address and the data protection and operational implications. That is basic utility billing stuff, and is also a basic requirement under the Data Protection Acts – at least to have the mechanism by which changes to data can be made in the course of a customer life cycle.]

    The collection of the PPSN for use by Irish Water in verifying occupants of a household is provided for in legislation. We are satisfied from this Office’s interactions with Irish Water that it is intended to use the PPSN for the sole purpose of confirming the qualification for a free water allowance of occupants of the household (including children) and in line with conditions set down for its use by the Department of Social Protection. However, we are in agreement that the Data Protection Notice published does not currently give sufficient clarity and detail in this regard and we are corresponding with Irish Water and providing our views on this.

    [This paragraph confirms that there is a statutory basis for Irish Water to ask for PPSNs. It sets out that Irish Water has told the DPC that the SOLE purpose for processing PPSN is to confirm the qualification for free water allowances.

    The bit in bold is interesting. The DPC are “giving their views” on the clarity of the Data Protection notice (which is also referred to as a “fair processing notice” in Data Protection-speak) because they are of the view that the notice as published doesn’t give sufficient clarity. Not having sufficient clarity means that the Data Protection notice fails a basic test: that of being specific as to the purpose or purposes of processing. That is a breach of the Data Protection Acts, but is not, in and of itself an offence under the Acts for a host of technical reasons that hurt my head to explain.

    Again, if the DPC is contacting you to “provide views” on something, you are not compliant. The DPC does not tend to write letters telling you you’re brilliant and should have a gold star. Correspondence providing views is part of the investigation/amicable resolution process that the DPC is required under the Acts to follow. If an organisation is compliant the DPC wastes neither stamp, nor electron, nor oxygen molecule engaging in “correspondence” – the exception being where an organisation is audited or investigated and good practices are found to be in place. In that case you might get a mention in the Annual Report.

    I suspect Irish Water may get a mention but not for the right reasons.

    Also, the DPC does not specifically mention the question of the retention period or purposes for retention of PPSNs. I would assume that that topic would form part of the discussion as, if there is no purpose beyond the initial validation of allowances there is no lawful purpose for Irish Water to retain PPSNs.

    Again, the issue of clarity was the very topic I picked up on when I wrote my first blog post about the Data Protection Notice 18 days ago. It’s reassuring to see that the Data Protection Commissioner shares the concerns I raised.

    Update: I wrote this this morning following an Irish Times report that Irish Water would use PPSN as part of debt collection. This is not a stated purpose, and is not the “sole purpose” that the DPC had recognised and approved of.  It appears Irish Water are unclear internally about things that the Regulator believes they are clear about]

    The issue of disclosure of personal data to third parties inevitably arises in the case of Irish Water where they are already using contractors to fit water metres and for other outsourced functions. This Office has asked Irish Water to be transparent in terms of making clear the categories of the data processors to whom they are providing the data and for what purpose and to provide contact details in the event that a customer wishes to raise a data protection concern. We are currently following up with Irish Water on this matter.

    [Again, the question of clarity and transparency raises its head here. The Office of the Data Protection Commissioner correctly recognises that there are times when the use of third parties to do things for a company. Contractors are the third party in question. Third parties, doing work for Irish Water, under contract. These are known as Data Processors.

    The DPC here is requiring Irish Water to be transparent about the CATEGORIES of data processor they will disclose data to, for what purpose, and to give contact details if there is a Data Protection concern. Normally, the Data Controller is the entity concerns are raised to and they use their contract (for the love of spuds let Irish Water have proper data processor agreements in place) to address the issue with the Data Processor via a right of audit or inspection (as is actually required under the Data Protection Acts). If the DPC is now requiring contact details to be provided for Data Processors as well, I can’t see how that fits with only identifying categories, but would be happy to help figure it out. 

    Interestingly, the DPC seems to be going beyond what I’d included in my mockup “alternative universe” version of the Data Protection Notice. I’ll be taking note of that and advising clients accordingly.

    Also, the requirement to specify “categories” of recipients of data differs slightly but significantly from their Direct Marketing guidance in relation to providing marketing lists to or conducting marketing on behalf of third parties, which currently requires the SPECIFIC organisations data will be shared with to be disclosed at the time of data capture. If that requirement was intended to be specific categories as well, it makes a lot more sense and the current wording needs to be revisited to correct what appears might be a transcription error.

    Again, the DPC is “following up with Irish Water on this matter”. An organisation that is compliant with the requirements of the Acts does not require the DPC to “follow up”, and yet again the DPC is following up on issues of transparency, clarity, communication, and (in essence) customer focus.All of which were issues that I raised nearly 3 weeks ago.]

    Equally, Irish Water as part of their business model may use outsourced service providers outside of the EEA. We are not aware that this is currently part of their actual business plan but it would appear to be the case that they wish to ensure this eventuality is covered in their Data Protection Notice. Again, we have asked them to be more explicitly clear in the notice in relation to how they would protect the data and to identifywhere possible what type of data and for what purpose a transfer would occur.

    [This paragraph means that the DPC agrees that the use of outsourced data processors outside the EEA is something Irish Water MAY do in the future. This is very common. High street supermarkets use software development teams in India, telephone companies use database administrators in other countries, many SMEs use tools and technologies that have their data sitting outside the EEA. It’s a common thing. Irish Water include it in their Data Protection notice as a future proofing element.

    I note with interest that the DPC is asking for Irish Water to more explicitly state what type of data and for what purpose the data would be transferred outside the EEA. This is essentially the same question I asked in my original blog post when I wrote;

    Question: Is Irish Water planning to outsource call centre operations to India? Also: What countries are they intending to transfer data to, and under what controls?”

    The DPC’s request for Irish Water to provide more information about how they would protect the data is essentially the same as my query about “under what controls”.

    Again, if the DPC is asking you to be more explicit in how you are communicating things, then that means you are not compliant and are in the “amicable resolution zone” where the DPC talks gently to you to encourage more compliant behaviours. That’s a good thing if it is happening during planning and design of a system or process, but is a horrendously bad thing to have happen when you are up and running with your processing. At any point the gentle communication could develop teeth and you might be instructed to do something by way of an enforcement notice. The DPC is empowered to block any data transfer outside the EEA using a Prohibition Order under Section 11 of the Data Protection Acts.]

    I hope this information is of use to you. We do understand the urgency of the matter in light of the obligation on customers to return application forms to Irish Water and we are communicating our views in relation to this urgency to Irish Water.

    Yours sincerely, John O’Dwyer Deputy Data Protection Commissioner

    The DPC does not address in this communication the question of whether Irish Water’s approach to marketing consents is valid (I believe it is not). I’d expect that correspondence is on-going in relation to that aspect at the moment as well. And while Irish Water may wish to insist they are compliant in that regard, I beg to differ.

    I suspect this particular well has not yet run dry.

  • Accurate and Up-to-date – Irish Water and changing data

    So, via Twitter I’ve learned that Irish Water don’t have a process defined yet for people moving house. Well, they have one defined but its “not signed off on yet”. This is a pretty basic process that exists in all utilities, satellite TV companies, and fixed line phone companies. Its the one you rely on to ensure that the bills are correct at the point of hand over.

    Given that Irish Water are billing quarterly, that means that people are inevitably moving in or out of a property during a billing period. This will lead to what is known as “broken period billing” in utilities. When I worked in telco, it was the handling of these scenarios that gave rise most often to billing errors, particularly where the broken period for billing crossed a VAT period or where the preparation of a final bill involved the calculation of and application of credits on final bills etc.

    This is tricky stuff, which is why it is good they are taking their time about it. However, if true, the absence of such a process or procedure NOW means that:

    1. Irish Water is in breach of the Data Protection Acts which requires Data Controllers to keep data “accurate and up to date” , at least accurate enough and up to date enough for their purposes. Having the wrong name associated as bill payer on a property is inaccurate for their purposes. They don’t need to ensure accuracy per se, but they need to have a defined process where by changes to data can be made. That’s the kernel of the obligation in the DPA and, let’s not forget it, a fundamental right under EU law under Article 8 of the Charter on Fundamental Rights.
    2. Bills will inevitably be sent to the wrong people, potentially in the the wrong amounts, which will potentially affect collections processes.

    It looks more and more like the data design here and attention to data changes in customer life cycle is appallingly bad. I do hope that the tweeter got the wrong end of the stick when they were talking to Irish Water, but my optimism is rapidly going down the outflow pipe.

    This stuff is really, really basic. However it means having to think about your data as more than just “stuff that lives in the database” and treat it as an asset that is subject to certain fundamental governance requirements.

    We’ll be touching on a lot of these topics at IGQIE2014 on the 7th of November, and I’m teaching about it at conferences in Belgium and the UK in the mean time. I was struggling for examples….