Jul 26 11

The missing link in Compliance and Governance

by Daragh

Over the years I’ve done a lot of work in the area of Regulatory Compliance and Information Quality. Whether it is Data Protection, Information Quality, Governance or Compliance, it is important to bear in mind that what we are dealing with is a Quality Management System:

  • Data Protection Compliance is the Quality System whereby the obligations and expectations which arise under Data Protection/Privacy laws are met consistently
  • Information Quality programmes involve, by definition, the implementation of a Quality Management System
  • Information/Data Governance… well, that’s another form of Quality Management System
  • Complying with other forms of industry or Governmental regulation… well, the best way to achieve those objectives is through some form of systemic approach to meeting or exceeding expectations.

In my experience Compliance and Governance initiatives and strategies tend to fall into three camps:

  1. Documentation Driven by “Rules Wizards”, with extensive policy and procedure documentation, usually from the comfort of an Ivory Tower in the Business that is comfortably removed from GEMBA
  2. Technology Triggered by “Techno-Lords”, usually from within the bowels of the organisation’s IT department, which is also often at a distance from the place where the work is actually getting done.
  3. Awareness and Attitude Oriented: Driven by a “Coalition of the Willing”, with a focus on policy that is actually executed through the appropriate use of supporting technologies and a strong focus on the “Human Factors” that lead to awareness and understanding of the required changes.

Often it is difficult to see which kind of initiative you are dealing with. In organisations that have a “Document Driven” approach, management take comfort in the fact that they have documented procedures and policies for everything therefore everything is in control. In “Technology Triggered” initiatives, the management of the organisation places a blind faith in the power of technology to protect, prevent, detect, and mitigate issues.

Both approaches are doomed to failure. Neither, no matter how sophisticated, can ever deliver anything other than “small ‘c’” compliance, because Quality Systems are about more than just documentation or technology. Real quality requires a sustainable change in attitudes and awareness. After all, Deming’s first two points of Management Transformation are not “Write documents” or “Get good technology”: they are “Create a Constancy of Purpose” and “Adopt the New Philosophy”.

Purpose and Philosophy require that the organisation look at the attitudes that are there. It is as important to understand and articulate a Vision for the Quality System… and to make sure that that Vision is embedded in the mind-sets and attitudes of the staff in the organisation.

At a conference in London in 2005 Joyce Orsini of Fordham University shared a story with me of a trip W. Edwards Deming (she was working with Deming at the time) took to an automobile manufacturer in the US in the mid 1980s. On this trip the plant manager took great pride in showing off the robots (technology) that they were using to manufacture the cars. Deming noticed that every time the robot arm swung over the car it dented the boot (trunk) lid of the car. He asked if this was part of the Quality Standard (Policies). The Plant Manager said no, it wasn’t, but they had a man at the end of the production line with a hammer to knock the dent back out.

A lack of awareness of the operation and objectives of the Quality System, and of what it meant as a value system, meant that no-one in the plant seems to have questioned how the Quality System was actually operating.

Without Awareness and Attitude the investment in Documentation and Technology that form part of the Quality System will ultimately have sub-optimal return.

Jul 20 11

Expelling the Papal Nuncio

by Daragh

A few days ago my friend Simon asked me to jump in and give him a hand admining a Facebook group he first set up in 2009 in response to some of the reports that had been published into clerical sexual abuse in Ireland. These reports highlighted a catalogue of blocking, interference, and general institutionalised non-cooperation with investigations by the State authorities.

The recent publication of the Cloyne Report highlighted still further that there was a clear policy of non-cooperation and basic lip service being paid to child protection standards within many areas of the Irish Roman Catholic church, at the initiation of, with the support of, and with the backing of the Vatican State’s senior diplomat to Ireland, the Papal Nuncio. That this culture has spanned the tenure of multiple holders of the post over the past number of years (Giuseppe Lazzarotto [Nuncio from 2000 to 2007] blocked cooperation with inquiries on the grounds that ‘diplomatic channels had not been used’; Luciano Storero [Nuncio from 1995 to 2000] warned Bishops against implementing measures requiring mandatory reporting of child abuse) speaks to an institutional failure on the part of the diplomatic representatives of a foreign state to respect the laws of the Irish State and co-operate with enquiries into horrific cases of systemic and systematic abuse.

And that is why I was only too happy to help Simon out. It’s not that I am anti-religion, anti-church, anti-priest, or anti-catholic. Those who know me well know my personal beliefs. I don’t feel it is relevant to share them here, because in parallel with my personal religious and philosophical beliefs I have a very strong belief that international relations between States must be grounded on trust, or at least respect. I do not believe it is acceptable for a diplomatic representative to place themselves above or outside the law of this State without there being clear consequences for the office holder and the office itself.

Had the Danish Ambassador conspired systemically to block investigations into the alleged criminal activities of Danish citizens I’d be calling for him to be expelled as well.

The fact that the Papal Nuncio holds a special senior position in the Diplomatic Corps in Ireland is doubly troubling to me. The Nuncio is the Dean of the Diplomatic Corps, effectively feted as the most senior diplomat on the Ferrero Rocher circuit. And all while the office of the Nuncio has, for over two decades, facilitated the breaking of Irish laws and conspired to block and frustrate investigations of those alleged offences.

So. What I’m asking the Irish Government to do is to take action to remove the special standing of the Papal Nuncio immediately. They should then take the necessary steps to expel the Ambassador from the Vatican City State (the legal entity not the religious body).

Finally, the Irish Government should also withdraw the invitation to the Pope to visit. Bluntly, we can’t afford it as the return on investment compared to other State visits from countries with diplomatic representation here simply isn’t there. When the Pope visited the UK it cost over GBP12 million (EURO14 million) before the policing costs were factored in. The combined visits of Obama and the Queen came to around €30 million in total.

The United States has a population of over 300 million people. Fair enough, only around 15% of them have passports, but that’s still a potential pool of 45 million travellers who might stop off in Ireland on their vacations. The UK has around 62 million people sitting a one-hour Ryanair flight away from us. So, the potential pool of possible tourists who can come from the UK and US as a result of the State visits in May is around 100 million people. So, it would have cost us €0.30 per head to target that population.

The Vatican has a population of 826 people (source: CIA Factbook). Spending €12 million on securing the Pope’s visit would cost us €14,528 per capita to sell Ireland as a tourist destination to the population of the Vatican. Even if it cost us a quarter of what was spent on the UK visit, we’d still be spending over €3,000 per potential traveller to sell into a market that I’m sure Failte Ireland are already reaching through their advertising spend in Italy.

Jul 11 11

Mobile phone hacking and the e-Privacy Regulations

by Daragh

With the recent furore about the News of the World and other tabloids engaging in unauthorised access to voicemails, I thought it might be worth pondering the potential Irish legal situation. Now, I’m not a lawyer. This post is intended to work through some of the relevant legislation and the potential issues that might arise in Irish law. It is not legal advice. I fully expect members of the Irish legal blogging community to leap in and make comments and corrections as needed.

The law

There are a few pieces of legislation in Ireland that would come into play here:

  1. The Data Protection Acts 1988 and 2003
  2. The Criminal Damage Act 1991
  3. The Criminal Justice (Theft and Fraud Offences) Act 2001
  4. The Postal and Telecommunications Services Act 1983
  5. Interception of Postal Packets and Telecommunications Messages (Regulation) Act 1993
  6. The ePrivacy Regulations 2011 (http://www.dataprotection.ie/documents/legal/SI336of2011.pdf)

The Data Protection Acts

The Data Protection Acts require that personal data be obtained and processed fairly.

Journalistic exemptions to this and other provisions of the Acts exist under s22A, but only insofar as there is an actual intent to publish a story or other work based on the information which has been obtained. So… if a journalist and/or a private eye in the pay of a newspaper were to obtain personal information about Celebrity A on foot of a fishing trip through the voicemails of celebrities A through F, when there was no intent to publish a story about Celebrity A until such time as the information was obtained, then the journalist might not be able to rely on their exemptions under the Acts. The right to Freedom of Expression is only protected where there is an intent to actually express something, and where the publication of that story is in the Public Interest (which is a thorny topic I won’t delve into here).

Criminal Damage Act 1991 and Criminal Justice (Theft & Fraud Offences) Act 2001

Journalists who engage in unauthorised access to voicemails may also be committing an offence under the Criminal Damage Act 1991. This Act makes it an offence to access information without authorisation and to modify that information, whether or not that modification has an adverse effect. Listening to a voicemail modifies the content and nature of the information (at the very minimum changing a flag from “new” to “listened to”). The Act does make use of the word “computer”, which would suggest to a lay person that it would only be an issue if a device meeting the traditional view of a computer was used. However, the term is undefined and as such it is open-ended as to what type of device might meet the legal test of a “computer”. In that regard, the definition applied in the Data Protection Acts (“a device operating automatically in response to instructions”) might be relevant.

So… accessing a voice mail box (which is itself stored on a device operating automatically in response to instructions, i.e. a computer of some sort) without permission and listening to the recording is likely to be a criminal offence in Ireland, given the breadth of the definitions in play.

This is doubly so when the Criminal Justice (Theft and Fraud Offences) Act is taken into consideration. It provides for an offence of “dishonestly” using a computer or causing a computer to be used within the jurisdiction of the State. The big questions to answer here are:

  • What’s a computer?
  • What’s dishonest?

It might be argued that going on a fishing trip for personal data without any prior formed intent to publish a specific story about a specific individual could constitute dishonesty.

The 1983 and 1993 Acts

Section 98 of the 1983 Act deals, in the first instance, with a general prohibition on the interception of “telecommunications messages”. In short… it’s illegal except in certain defined circumstances. Interception is defined as being

“listening to, or recording by any means, or acquiring the substance or purport of, any telecommunications message without the agreement of the person on whose behalf that message is transmitted by the company and of the person intended by him to receive that message”

The term “telecommunications message” is not actually defined in the legislation, which creates an interesting situation when you consider that this Act was drafted in the early 1980s when there was no digital voice mail, no email, limited use of fax services, and (importantly) when there was only one company laying cable and connecting people to a telecommunications network in Ireland. Significantly, the 1983 Act only applies to telecommunications services which require a license… which would exclude a lot of on-line communications tools such as VOIP, web-based email or IM chat.

The 1993 Act deals essentially with phone tapping and interception of postal packets. The legislation is couched in terms suggesting that data at rest (e.g. a voice mail recording sitting on a server or an email sitting in a mail host somewhere) may not be covered.

Digital Rights Ireland argued in 2009 that the framework in place under the 1983 and 1993 legislation most likely did not cover most on-line activities and as such there was, strictly speaking, no clear legislative prohibition on the interception of SMS, email, VOIP etc., technologies which simply did not exist at the time the legislation was being drafted and as such probably left the State falling short of their obligations under the ePrivacy Directive.

The European Commission rejected DRI’s submission at the time.

Electronic Privacy Regulations

The new electronic Privacy Regulations place mobile phone operators in an interesting position with regards to phone hacking. The means by which voicemails were accessed, in the main, appears to have been default voicemail passwords being left unchanged. This is a security weakness in mobile phones and, for that matter, fixed line services which provide a voice mailbox service.

For example, for most mobile phone operators, the default password for a voicemail account is 0000. In many fixed line systems, the password might be 1234. Failing to change this password leaves the data which is being recorded in the mailbox unsecure.

The complication in Irish law for the telcos is that section 4 of the ePrivacy Regulations (SI 336 of 2011) requires providers of electronic communications services to:

  1. Ensure appropriate security safeguards so that data is only accessed by authorised persons, with respect to the state of the art and cost of implementing (section 4(1))
  2. Ensure that the security measures can protect against accidental or unlawful destruction, accidental loss or alteration, and unauthorised or unlawful storage, processing, access or disclosure (section 4(2)(b))

Section 4(4) is the doozy I feel.

“In the case of a particular risk of a breach of the security of the public communications network, the undertaking providing the publicly available electronic communications service shall inform its subscribers concerning such risk without delay and, where the risk lies outside the scope of the measures to be taken by the relevant service provider, any possible remedies including an indication of the likely costs involved.”

My reading of that section is that mobile phone and landline operators who apply default passwords to voicemail accounts need to be more proactive about alerting customers to the risk and, ideally, implement a process which mitigates or eliminates the risk (such as having a randomly assigned password associated to a voicemail that is SMS’d or posted to the customer – just like bank security codes for on-line banking). I’ve asked the Data Protection Commissioner about it and it appears that my reading is, by and large, correct.
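To make the default-password weakness and the suggested mitigation concrete, here is an added example (not code from the post, and not any operator’s system) of the two controls an operator could put behind a voicemail platform: a policy check that flags factory defaults and other guessable PINs, and a CSPRNG-based PIN issuer for the “randomly assigned password” approach. The blocklist of defaults is taken from the values named above (0000 and 1234); the minimum length, the other weakness rules and the sample mailbox records are assumptions constructed for the example.

```python
import secrets

# Factory defaults named in the post (0000 on mobile, 1234 on many fixed-line
# systems). Treating them as a blocklist is this example's assumption.
KNOWN_DEFAULTS = {"0000", "1234"}
# Assumed policy value; the Regulations do not prescribe a length.
MIN_PIN_LENGTH = 6
DIGITS = "0123456789"


def is_sequential(pin):
    """True for runs such as 1234 or 9876 (every step is +1, or every step is -1)."""
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {-1})


def pin_weaknesses(pin):
    """Return the list of policy failures for a voicemail PIN; empty means acceptable."""
    if not pin.isdigit():
        return ["non-numeric"]
    problems = []
    if len(pin) < MIN_PIN_LENGTH:
        problems.append("too short")
    if pin in KNOWN_DEFAULTS:
        problems.append("factory default")
    if len(set(pin)) == 1:
        problems.append("repeated digit")
    if is_sequential(pin):
        problems.append("sequential digits")
    return problems


def issue_pin():
    """Generate a random PIN with a CSPRNG, retrying until it passes the policy,
    so that no two mailboxes start from the same guessable value."""
    while True:
        pin = "".join(secrets.choice(DIGITS) for _ in range(MIN_PIN_LENGTH))
        if not pin_weaknesses(pin):
            return pin


def subscribers_to_notify(mailboxes):
    """Given (subscriber_id, current_pin) pairs, return the subscribers whose
    mailbox is still protected by a weak or default PIN and who should
    therefore be told of the risk, as the post reads section 4(4) to require."""
    return [subscriber for subscriber, pin in mailboxes if pin_weaknesses(pin)]


# Constructed sample of mailbox records for a stand-alone run.
SAMPLE_MAILBOXES = [
    ("sub-001", "0000"),    # never changed the mobile default
    ("sub-002", "1234"),    # fixed-line default
    ("sub-003", "493817"),  # previously issued random PIN
]

if __name__ == "__main__":
    print("notify:", subscribers_to_notify(SAMPLE_MAILBOXES))
    print("replacement PIN for sub-001:", issue_pin())
```

The audit function is the piece an operator would run periodically: a mailbox that still sits on a known default is exactly the “particular risk” the subscriber needs to hear about, and issuing a fresh random PIN through a separate channel (SMS or post, as the post suggests) closes the gap rather than merely reporting it.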

And as the SI implements an EU wide directive this could get interesting in light of the NoTW noises.

Conclusion

The world of telecommunications and person to person linking using tools like VOIP, SMS, Instant messaging, voice mail, email, and “Unified Communications” which we find ourselves in today was almost unimaginable even fifteen years ago. I can recall that when I started working with a large telco in the summer of 1997 digital voice mail was a massively new-fangled thing; had you told me that I would be getting voicemails emailed to me from a virtual VOIP phone system which I could open and read or listen to on my mobile phone, I’d probably have laughed.

But that is what we do every day now.

The legislation may not have kept pace. However, where the legislation has caught up, providers of telecommunications services need to do their bit to raise awareness and understanding of how the world may have outstripped the law (at least for now).

I invite any comments or corrections from more learned colleagues.


Jun 17 11

Three strikes – you’re out(?)

by Daragh

I’ve recently been pondering the 3-strikes process which is used by eircom to police illegal content uploaders and the Data Protection implications of same. [By way of full disclosure, I used to work there in a role that involved me analysing processes and finding out where they were broken and potentially non-compliant with a host of regulations. That said, given that when employed there a big part of my job was to call b*llshit on defective processes and get them fixed or killed, I would not consider myself an apologist for eircom].

The process (as I understand it) is this.

  1. A person goes onto a torrent site and seeds a torrent with copyright protected material.
  2. As part of seeding the torrent, their IP address is published in the torrent service.
  3. A 3rd party company monitors torrents and flags to eircom IP addresses and details of copyrighted materials that are being seeded.
  4. eircom checks the IP addresses provided against the IP addresses in use by customers at the time of the seeding and a letter is produced informing the customer that copyright protected content was being distributed illegally via their account. They are given three chances to prevent this distribution before their account is suspended.

So. What is happening here? An illegal act is being committed in a public place (IP addresses are published in the torrent service). This public data is passed to an ISP who seeks to associate the IP address with a named ‘controller’ of the service, who is then advised that an illegal act was committed using their service and advising them to ensure that the activity ceases. Music labels are not told of the offenders. Personal data of eircom customers is not transferred to music labels.

No data is passed about individual customers to any 3rd party by eircom. eircom acts on public data compiled and processed by a 3rd party on their behalf. Eircom processes this information in order to enforce sections 5.5 and 5.6 of the Terms and Conditions which govern their Broadband service.

The analogy I would draw is with the system for enforcing speed limits using traffic cameras. If your car is on the motorway doing 135kmh and you are snapped by a traffic camera in a GATSO van operated by a private company working on behalf of the authorities, your car registration number and the record of the speed you were doing when snapped is sent for processing against the vehicle licensing database which associates the registration number with a named person (the registered owner of the car). A few weeks after you are snapped you receive a letter in the post with a copy of the photograph, details of the speed, and details of the fine you will have to pay.

An illegal act, in a public place, where a publicly visible identifier can be recorded, which can then be associated with other information to identify the nominated responsible person for the conduct of that vehicle. The parallel is, at least to me, very clear.

It is also very clear that in both the Broadband case and the Traffic camera case that there are certain evidentiary controls that need to be in place to ensure that data is being processed fairly and accurately and appropriate safeguards need to be in place to ensure that data is not processed or disclosed unlawfully.

For example, eircom recently had an issue where a number of customers received warning letters about downloading which did not relate to them. The root cause was a failure of a server to update to Summer Time from Daylight Savings time, meaning the timestamps associated with IP addresses were out by an hour. Accurate timestamping and recording of location data of traffic cameras is also important, as the Australian State of New South Wales and the US city of Long View discovered recently.

Of course, it is important to point out that eircom did not send personal data about Customer A to Customer B. They simply attributed, erroneously, the actions of Customer A to Customer B.
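The eircom incident above is a good illustration of why the IP-to-customer step of the process needs evidentiary controls, so here is an added example (constructed for this page, not eircom’s or the monitoring company’s code) of that lookup done two ways: once with offset-aware timestamps, and once discarding the offsets, which reproduces the one-hour misattribution the post describes. The lease records, the customer identifiers, the documentation-range IP address and the assumption that reports arrive with an explicit UTC offset are all constructed for the example; Irish Summer Time is modelled as a fixed UTC+1 offset so that the code runs without a timezone database.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Irish Summer Time is UTC+1. A fixed offset is used so the example runs
# without a tz database (assumption: every sample event falls in summer time).
IRISH_SUMMER_TIME = timezone(timedelta(hours=1), "IST")


@dataclass(frozen=True)
class Lease:
    customer: str
    ip: str
    start: datetime  # timezone-aware, as recorded by the ISP's address server
    end: datetime


# Constructed sample: one dynamic address handed from customer A to customer B.
LEASES = [
    Lease("customer-A", "203.0.113.10",
          datetime(2011, 6, 1, 20, 0, tzinfo=IRISH_SUMMER_TIME),
          datetime(2011, 6, 1, 21, 30, tzinfo=IRISH_SUMMER_TIME)),
    Lease("customer-B", "203.0.113.10",
          datetime(2011, 6, 1, 21, 30, tzinfo=IRISH_SUMMER_TIME),
          datetime(2011, 6, 1, 23, 0, tzinfo=IRISH_SUMMER_TIME)),
]


def attribute(ip, observed_at_iso, leases=LEASES):
    """Map an (ip, time) report to the single customer holding that address.

    observed_at_iso is an ISO 8601 string that must carry its UTC offset
    (e.g. "2011-06-01T20:45:00+00:00"); aware datetimes compare correctly
    across offsets. Returns None when no lease, or more than one, matches,
    so that no warning letter is produced on ambiguous evidence.
    """
    observed_at = datetime.fromisoformat(observed_at_iso)
    if observed_at.tzinfo is None:
        raise ValueError("report timestamp must include a UTC offset")
    hits = [lease for lease in leases
            if lease.ip == ip and lease.start <= observed_at < lease.end]
    return hits[0].customer if len(hits) == 1 else None


def attribute_ignoring_offset(ip, observed_at_iso, leases=LEASES):
    """The failure mode: compare wall-clock values and throw the offsets away.

    A UTC report matched against summer-time lease records is then out by
    exactly one hour, which is how a letter ends up addressed to the wrong
    customer.
    """
    t = datetime.fromisoformat(observed_at_iso).replace(tzinfo=None)
    hits = [lease for lease in leases
            if lease.ip == ip
            and lease.start.replace(tzinfo=None) <= t < lease.end.replace(tzinfo=None)]
    return hits[0].customer if len(hits) == 1 else None


if __name__ == "__main__":
    # 20:45 UTC is 21:45 Irish Summer Time, when customer B held the address.
    report = ("203.0.113.10", "2011-06-01T20:45:00+00:00")
    print("offset-aware:  ", attribute(*report))                   # customer-B
    print("offset-ignored:", attribute_ignoring_offset(*report))   # customer-A
```

Two design points carry over to any such process: the report and the lease records must both carry an explicit offset (or be normalised to UTC at the point of capture), and an ambiguous match should produce no letter at all rather than a best guess, since the cost of the error falls on a customer who had no part in the activity.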

The Data Protection Acts do not provide a shield behind which people who commit offences can hide. The right to Privacy is not an absolute one and must be balanced. So long as the processing of the data is done in a manner which does not infringe privacy or result in unwarranted disclosure of personal data companies have a legitimate interest in ensuring that they can enforce the terms and conditions of contracts that are entered into.

Where people choose to commit an illegal act in a public manner, or where through neglect or lack of domestic control they allow such acts to be committed, then a polite but firm reminder of their duties as parties to the contract is to be expected. Where that reminder is provided without personal data being disclosed to 3rd parties (as was the case previously) then this is a half-way house that balances competing rights but which must be kept under constant scrutiny to ensure that there is no scope creep, function spread, leakage or abuse.

May 2 11

Bank of Ireland Customers – check your balances

by Daragh

As the May Bank Holiday draws to a close, I’d like to remind customers of Bank of Ireland that they should take a careful look at their account balances this week if they have been using laser (debit card) or ATM services over the weekend. If you do find you’ve been ‘double-dipped’, please let me know via this blog.

[Image: Double Dip confectionery] Double Dip - Nice Confectionery but leaves a bitter taste if it happens to your bank account

Apr 28 11

Laser-like accuracy

by Daragh

Word reaches me this morning of yet another incident of Bank Of Ireland double-dipping laser card transactions on or around a Bank Holiday.

BOI will, doubtless, claim that this is a once off and hasn’t happened before. That’s what they said the last time (when it had actually happened before). Furthermore, I hope that BOI are more certain this time as to the root cause (last time out it was variously “retailer error” or “a software upgrade glitch”).

And hopefully their process for catching “shadow transactions” which lead to the double-dipping will kick into play and actually refund the customers affected (which if this glitch is on the scale of their 2009 one could be up to 200,000 card holders).

For reference the relevant blog posts are:

http://obriend.info/2009/09/09/bank-of-ireland-double-charging/

http://obriend.info/2009/09/09/bank-of-ireland-double-charging-a-clarifying-post/

http://obriend.info/2009/09/10/bank-of-ireland-overcharging-another-follow-up/

http://obriend.info/2009/10/28/bank-of-ireland-again/

The issue also featured over on IQTrainwrecks.com.

My €0.02: This issue appears to manifest itself around Bank Holidays. This suggests a batch load process or some human triggered action doesn’t work correctly when there is a Bank Holiday. Having a process to detect the double-dipped transactions is not a fix, because if it doesn’t work (as seems might be the case here) then the incorrect data gets through.

BOI might want to pay attention to Ferguson v British Gas, which while a UK case, could be arguable precedent for the view that Irish Courts won’t care how complex your IT systems are if a customer is impacted through a failure of your systems to process information correctly.

BOI need to identify the precipitating root cause of this problem, based on the data they have available… I’d start with looking at the dates of incidents (BOI should have more data than newspaper headlines to go on) and seeking to confirm or disprove the ‘Bank Holiday hypothesis’.

Relying on a ‘scrap and rework’ kludge that might itself fail is not a sustainable approach to ensuring information quality or quality of customer service.

Mar 29 11

Doing the right thing

by Daragh

So, imagine for a moment that you have just found out about a technology that, according to the sales person, will have an immediate impact on preventing children being abused, tortured and worse. Imagine you’ve been told that it won’t require you to do a thing, that it will operate “out there” (possibly in “The Cloud”) and perform its function on your behalf without you having any need to actually do anything yourself to put the processes in play.

How much would you, personally, pay for such a technology? €1 a month? €5 a month? €10 a month?

What if it turned out that:

  1. The technology actually didn’t stop the hurt or damage to children, just made it a little harder for people who paid for access to images of that to get at it and, at best, curtails demand slightly
  2. Was relatively easily circumvented using free or low cost tools
  3. Had been found not to work in other countries where it had been made available, with innocent individuals and businesses suffering due to poor quality data existing in the processes which meant they were tagged as “offending” and were being closed off from their market (in the case of businesses) or from their legitimate personal activities (in the case of individuals).

That’s what the Irish police have asked ISPs to do with their recent requests to implement IP filtering, outlined by Digital Rights Ireland today. IP Filtering has been found to be ineffective in the Netherlands, has had declining effectiveness in the UK, and doesn’t actually address the problem of the images being accessible on the Internet. In Australia a leaking of the black list revealed valid businesses that had no child porn content, with almost 50% of the list being unrelated to the target intent of controlling access to images of child pornography (thanks to DigitalRights.ie for the linked stories).

A far more effective approach is to get the images removed from the sites that are hosting them. Perhaps this is problematic and onerous. Let’s look at some statistics:

  • Of the 72 requests to remove images of child pornography made by the UK’s Internet Watch Foundation in 2010, a paltry 100% were complied with in a geological “few hours” (source: BBC report on IWF’s Annual Report)
  • Researchers in Germany working with AK-Zensur.de found that the 3 active sites on the sample of watch list data they worked with were taken down within 90 minutes of requests being made to hosting companies and/or domain registrars. In each case the images had been blocked but were still on-line for up to 2 years.

So… making requests to the hosting providers tends to be effective at removing the problem at source. Indeed, a draft EU Directive is calling for exactly that approach to be taken.

Which leaves us back at the start, asking the question about how much you’d be willing to pay to have such a technology in place to block access to sites. Because a price will have to be paid in some way and in some form. On one hand, Irish telcos are not exactly awash with cash at the moment and the implementation of any blacklisting process will require some governance and resourcing (both technology and people) which will come at a price. Currently there is no proposal that the State would contribute to this cost, and the model of the Data Retention regulations would suggest that no such stipend would be forthcoming.

So the cost of web filtering would likely have to be borne by the ISP. Which would mean either higher bills or reduced investment in other areas as the money would have to be found somewhere (it is worth remembering in this context that eircom is currently trying to restructure its debts and cut costs by €92million). So, realistically, the costs will emerge somewhere on your bill. How much are you willing to pay for technology that doesn’t achieve its goals?

The other price to pay is the privacy cost.

The Garda proposal is, to my reading, an outrageous trampling of personal privacy rights while they take a lump hammer to swat a fly. In essence, they amount to a “guilty until proven innocent” position where inadvertent access will need to be explained by way of the ISP giving EVEN MORE data to the Gardaí about an individual’s browsing history. As Digital Rights Ireland point out in their letter to the Data Protection Commissioner about these measures, such disclosures might actually be illegal in and of themselves under other legislation. And if your domain name can identify you as an individual there is always the potential for your personal reputation to be damaged if you are put on the blacklist in error, given the text of the “stop page” message.

  • Whatever happened to “Adequate, Relevant, and Not Excessive”?
  • And how bullet proof are you against malicious uploading of content to your website anyway?

It would seem that the only entity not incurring a cost in the entire equation is the Gardaí, as their letter does not outline any form of “right of reply”, any avenue for validating or correcting entries on any black list which might be created, or any form of judicial oversight or regulation of the powers which the Gardaí are taking upon themselves in this context. Who do I contact if my business site is compromised, becomes a host for offensive content (if only for a few hours until it is spotted and removed) and is blacklisted? What steps have the Gardaí taken to ensure that they don’t mirror the Thai experience, where a blacklist introduced to control access to child pornography has experienced “scope creep” to include any criticism of the Royal family, or the Australian experience where, according to one expert:

“It seems to me as if just about anything can potentially get on the list”

Doing the right thing is very important. But equally important is doing the thing right. Internet filtering is ineffective as a tool. It is the equivalent of telling one part of a town they can’t shop in B&Q while the rest of the town sates their bricolage requirements at the “banned” store.

An analogy to the Garda proposal is this: Anyone entering certain areas of the country (“black-zones”) would be overtly tagged as probable criminals by reason of their being in that location. They might even be given a badge to wear at all times as a result. Where they are ‘just passing through’,  the probable criminal will need to provide evidence of their normal habitual movements to the authorities so they can satisfy themselves that the visit was accidental or as a result of an unexpected detour. Residents will not be told about their status as a “black-zone” and will have no ready right of appeal or opportunity to challenge the designation. Visitors will be told they are about to enter a “black-zone” that hosts criminal elements and activity by way of a large sign on the side of the road.

Would that be acceptable in Irish society?

Internet blocking is ineffective. The current proposal lacks sufficient checks and balances, and may even require ISPs and telcos to break other laws to comply. It will inevitably result in innocents being tarred as offenders. Data Protection principles (such as “Adequate, Relevant, and Not Excessive”) are being blatantly ignored to implement an ineffective solution.

Far better is to shut down the shop by removing the images at source and invest time, energy, and resources into a more transparent effort to manage this issue.

Mar 2 11

Data Breach Code of Practice

by Daragh

A while back I had the privilege of being part of a group who formulated submissions to the Data Protection Commissioner regarding the Data Security Breach Code of Practice.

That Code of Practice was presented to the Minister for Justice in July 2010, long before the dissolution of the Dáil in January 2011. There was one administrative step required to give it full legal effect. That step has not yet been taken.

Apparently, carelessness with Personal Data (and, in the case of the Security Breach Code of Practice, financial data as well) is not a ‘real crime’ in the eyes of the Dept of Justice, despite the fact that it costs the UK economy £27bn per annum.

Given that Fine Gael spearheaded moves to improve the protection of personal data privacy through a Private Members bill proposed by Simon Coveney TD, and that during their election campaign they trumpeted the policy of “getting tough on white-collar crime”, perhaps they should start with a holistic view of the culture of business and begin with one common element across all businesses, whether Financial Services, Healthcare, Telecommunications, or plumbing: the fact that every business, at some level, processes personal data about individuals in order to conduct business.

What would I like to see from the new Govt which will take the reins of power in the coming week or so?

  1. Tie up the loose ends. Put the Code of Practice on a fully formed legal footing (and perhaps bump up the penalties that can be levied)
  2. Begin the process of renewing the Data Protection Acts. Even in advance of the new EU Directives in May, and further down the road, there are a number of things which can and should be done:
    1. Consolidate and simplify the legislation.
    2. Implement clear penalties for infringement of the Acts and penalise non-compliance
    3. Provide clear statutory frameworks to encourage compliance (e.g. Voluntary disclosure, whistleblower protections)
    4. Make clear the alignment between Data Protection regulation and other areas of good corporate governance.
  3. Require Enterprise Ireland and the various business development incubators that are promoting entrepreneurship to include some information/training/guidance on Data Protection principles and practice in their supports for start-ups (I’ve been through a Business Development programme and, despite the importance of personal data to the business models of 90% of the participants, it was not even mentioned as a topic).
  4. Make the Office of the Commissioner more revenue-generating by providing for higher potential penalties and ensuring that prosecutions are taken to the fullest extent of the available penalties. In the UK the maximum penalty for a breach is £500k. Here it is, on a good day, only a fraction of that.

Finally, the Government should ensure that the Data Protection Commissioner has adequate funding, resources, and supports to properly conduct and execute their responsibilities under the legislation. Whether that is achieved through the absorption of other agencies into the Commissioner’s remit is a matter for the Government (and the Commissioner) to decide on.

Feb 28 11

CRM Insanity (another update)

by Daragh

So, I have the phone now. I’m still with Vodafone. I’m no longer an irately angry customer. I’m not a happy one. It will be some time before I am that. I may still move my landline business just to make a point.

But my experience in getting the phone sums up the difference between the CRM success of the Vodafone retail store and the CRM insanity of the Vodafone Retail policy.

No Sims at the Inn

It turned out that, though they had a phone in stock, they didn’t have micro-SIMs in stock in the shop. Not a show stopper. The manager went to Carphone Warehouse and got one from them for me while his team sorted the phone out and upsold me a case.

What a clever win. Very little effort for him to do so. Kept me in store longer. I will buy from them again soon (I need a bluetooth kit for the baby-carrier car). I will tell the story of how they didn’t let a stock issue prevent them from satisfying a customer.

A1 service. It counterbalances my experience on Friday when they told me they had no phones (now I know they were acting under orders).

Tweet happens

Having had no satisfaction over the last few weeks with Vodafone on the phone (or for that matter in store), it took posts on twitter to get the issue resolved. And it was resolved fast. Less than 3 hours later I have the phone that 4 hours ago I believed I was not going to be able to get.

So, Tweet happens.

But it shouldn’t. It shouldn’t take an angry customer writing an analytical breakdown of their customer value and posting it to Twitter (and Facebook) to get action. That is just wrong, as it requires the customer to push for what they are entitled to, and it means that the loudest, shoutiest customer gets things done.

A better way?

As I stood in the Vodafone store today I noticed how they are doing lots of product pricing offers for customers of both their mobile and fixed line businesses. They should perhaps consider using that as a criterion for rationing phones where supply issues exist. If you are a customer of both, you get preferential treatment for stock. Because you are WORTH more. A customer of the mid-tier Perfect Choice Access package for mobile and a moderate broadband package is worth the better part of €2000 a year to Vodafone just in line rental and connection. They should take preference over virtual customers with an unquantified value.

That’s just a thought.

Feb 28 11

CRM Insanity (An Update)

by Daragh

I’ve elected to switch to 3 and have shortlisted some options for the home phone. I made comments to that effect on Twitter this morning.

At 12:32 today Vodafone Ireland contacted me on Twitter (after I’d posted a few tweets back to this post) and Daz on that team is looking into the situation. As of 13:09, apparently they have managed to secure stock in a local Vodafone store for me. (Why they couldn’t do this on FRIDAY, or any other time I’ve rung them over the past few weeks, or when I went into that shop on Friday, baffles me.)

I’ve indicated I’m holding off switching until 13:30 today.

But it appears that to get Vodafone to actually give a shit you have to be either a non-customer who they wish to woo or a high “cost-to-service” complainer who goes very public with problems. That too is just plain insane CRM, which results in people like Steven (who I spoke to on Friday) and Daz having to bear the brunt of customer issues that COULD BE AVOIDED with a bit of sanity.

I fully accept that Vodafone have supply issues with the iPhone 4 (which no other network seems to have, BTW). It makes sense to ration the supply and impose some restrictions. But to completely block existing customers from the upgrade makes no strategic sense (unless Voda want to push existing iPhone customers to other networks). This is particularly the case for Voda, who will soon have a lot of customers who took the 3GS when it came out on Vodafone looking to upgrade after 12 months on an 18-month contract (thereby locking them in to another contract).

A better approach might be to:

  • Require new customers to enter into a longer contract (“Hey, you can have it. But it is in short supply so you’ll need to give us your soul for 6 months longer to get it”).
  • Allow customers who have been with you less than 24 months to get it but only if they go for certain tariffs.
  • Allow existing customers who are over 24 months on contract to upgrade as normal.

Supply is rationed. Everyone can GET the phone, but existing customers in good standing have a reward for not churning out to a competitor.

Of course, Vodafone now have the issue that I’m pissed off. And publicly so.

Just getting me the iphone isn’t going to be enough now (I know I can get it with 3). So there will now be an additional retention cost to be built into the deal (which would be on top of the 1 month credit I’d already been offered due to other screw ups on my account).

THIS IS AN AVOIDABLE COST, or would have been if they hadn’t had such crappy customer service up to this point. Now it is pretty much required, as I can get the same phone at a lower cost and a similar cost per month on the other network, with whom I have no current frustration (Vodafone, on the other hand, have

  • left me with the wrong SIM card type for the phone I have
  • failed to properly activate my mobile broadband dongle when I upgraded it late last year
  • failed to keep my personal data accurate and up to date as per the Data Protection Acts
  • failed the attitude test about the iPhone upgrade
  • sent me direct marketing pieces addressed to “Ms Daragh O Brien”)

By having a screwed up CRM strategy for existing customers, Vodafone have put themselves in the position where they are now negotiating with me to stay, not simply handing me some forms and taking my money.