Chuggers (and why I’m not a fan of them)

Imagine I walked up to you on the street with my arm outstretched to shake your hand and making direct eye contact with you and smiling. Imagine if the next thing I said or did was to ask you to give me

  • Your name
  • Your credit card or bank details
  • Your mobile phone number
  • Your home address
  • Your email address
  • A copy of your signature

and a range of other personal data, which I then wrote down on a piece of paper and stuck in my bag before thanking you and walking off.

Chances are I wouldn’t get very far in gathering that information. Your natural sense of risk would (or should) kick in. Chances are you’d call the police on me.

But imagine that scenario again with one small change. I’m wearing a polyester jacket with the logo of a charity on it and I’ve got an ID badge hung around my neck and a backpack. What would you do then? Hey, I’m collecting for a charity.

I am a charitable person. I like to support good causes and I like to contribute as much as I can whenever I can to such causes. But I’d say no to me because of my personal sense of Information risk.

Others base their dislike of Chuggers (Charity Muggers) on the methods that some use to get people to sign up, methods which are often the result of the commission or quota based systems that some of these people work under (and I have content elsewhere about why quotas are a BAD idea in the delivery of quality service). Of course, these are methods which charities who use this means of fundraising disavow all knowledge of and disown completely, but which I have witnessed.

My avoidance of chuggers is based simply on good Information Security practice. I don’t like the idea of my data being in a bag around someone’s neck or a plastic zip-lock folder, in a public place. From a Data Protection point of view I’d rather not have to have a real-world test of the compliance of the organisations that run these collection methods with things like the Data Security Breach Code of Practice or the requirement under S2 of the Data Protection Acts to take reasonable and appropriate steps to ensure the security of personal data. Particularly not with my data. The data that is obtained by Chuggers is Personal Data within the meaning of the legislation, as it is data that has been obtained with the intention of processing it electronically or of filing it in a relevant filing system, ergo it needs to be treated with care.

I’ve advised clients in the non-profit sector of the potential for brand damage arising from something as simple as one of their Chuggers being mugged and their bag being stolen… or to put it another way: the temporary storage location of an array of personal data. I’m not saying don’t use the method. What I’m saying is your controls need to be very tight.

Among the controls that need to be in place is appropriate training for staff on Data Protection. I’m not sure if such training is happening as many of the techniques I’ve seen or heard of being used to get people to stop could actually be construed as being contrary to the requirement for consent to processing of data to be freely given. That said, a volunteer for one charity came on a Data Protection course I taught a few years back and they stopped using chuggers afterwards.

If the UK experience is anything to go by, my risk aversion is justified. The ICO there has investigated charities for loss of data. It is inevitable that something similar will happen here, if it hasn’t already (but if it has I can’t find a reference to it on the Data Protection Commissioner’s website). The root cause in the UK case I link to was a lack of training and awareness that led to a loss of data.

So how should your chugger experience go? Well, first of all you should know what happens to all this information you have just given them. The chugger is meant to either give you a data protection statement to read or explain to you who will be processing (using) your information, who they will share it with and also give you the chance to say you do not want them to pass it on to anyone else. They should also make sure that once you have signed the form to agree to what you want to do, the form is kept safe and secure, rather than what normally happens where they add it to some others in a plastic folder or clipboard they are holding.

My advice to anyone accosted by a chugger is: if you can’t get away, ask politely for a copy of the charity’s form for you to fill in at your leisure. If they don’t give it to you take their name from their ID badge and report them to their Charity and if the Charity doesn’t take it seriously report it to the Data Protection Commissioner. (If they don’t have an ID badge, assume they are not representing a charity and you’re about to be mugged – react accordingly).

My advice to any Chugger who is careless with their folder or is mugged for their bag… notify your Charity immediately. The Charity should notify the Gardaí as well and make sure they know that there was personal and financial data stolen/mislaid. The charity should also notify the Data Protection Commissioner. As the paperwork will not have been processed you won’t be able to notify the Data Subjects directly (as is required under the Code of Practice), so they will likely have to put out a public statement about the loss of data to alert people who have given their details to the risk of identity theft.

Personally, I make my donations either on-line (and I look for PCI compliant payment processors and HTTPS security on the donation page) or over the phone. I have never and will never donate to a charity by means of a chugger, and when faced with a choice I will opt for a charity that doesn’t use them.

Correction from Irish Examiner re: Vatican Closure

After some toing and froing and an email trail that included quotes from the Chairman of TCH (the parent company of the Irish Examiner) at #mediv2012 I finally got clarification from the editor of the Irish Examiner of their Vatican Embassy story (soon to be corrected on-line), which I first blogged about on the 19th of January.

At my suggestion, Dolan O’Hagan (the editor) provided the text of the clarification (which ran in the print edition two weeks ago but never made it online until today) for me to post here to close the loop so to speak. I’ve made the font bigger for the quote so that the text can be more clearly seen.

In an article published on January 16 headlined "Public decries closure of embassy to the Vatican" it was stated in the opening paragraph that the embassy closure "was met with overwhelming opposition from the public with over 93% criticising the move".
The Irish Examiner would like to clarify that it was, in fact, 93% of those who had written to the Dept of Foreign Affairs in the immediate aftermath of the announcement who had voiced opposition to the move – a fact reflected later in the story but not in the opening paragraph due to a copy review error.

While I differ slightly on the claim that the latter part of the story reflected accurately the level of actual uproar about the Vatican closure (I feel that the section in question required some close reading to understand the actual sample size involved which the 93% referred to), I welcome the statement from the Irish Examiner that does go a substantial way to clarifying the issue. I look forward to seeing the promised amendments and clarifications in the on-line edition soon, and once that happens I’ll be gladly closing my complaint with the Press Ombudsman.

Of course, there is an important lesson for anyone producing information that is distributed through multiple outlets – an error may need to be corrected in a timely fashion in multiple locations. As such you will need to know when and where that information was disseminated and what control you have over getting the facts corrected.

(Indeed, under the Data Protection Acts if a Data Controller is informed of an inaccuracy in personal data they have to inform anyone they shared that data with in the previous 12 months who in turn must notify anyone they shared it with etc. Frankly it’s turtles all the way down until the data universe is as correct as it can be made).

Now my hope is that, with the correction on the part of the Irish Examiner, the other publications which picked up the 93% rallying cry will in turn correct their copy so that it reflects the reality of the situation, not hyperbole caused by an error in review.

SOPA, Irish political debate, and keyboard warriors

I work in a knowledge-driven sector (consulting and training). I have written two publications that have ISBN numbers, which makes them books I suppose. They were each over 100 A4 pages long. I’ve written hundreds of blog posts and articles over the years and have a large external hard drive filled with every presentation I’ve given in my topic area (Information Quality, Data Protection, Data Governance) over the past number of years.

In my professional capacity I am a member of a number of professional associations and have a number of professional certifications, all of which have an ethics element which, amongst other things, requires me to respect copyright and to give credit to the works of others when I am using them.

As a presenter I’ve experienced flying in economy class to far flung places to see the person in front of me on the agenda ripping off the presentation I was just about to give because he’d come into possession of an earlier version of my slides from a previous event (in that case I just changed my presentation and explained to the audience why while the guy sat in the front row looking for an emergency exit – perhaps repeatedly saying how much I agreed with his points might have been laying it on too thick).

But the SI that is about to be signed into law is just nuts, aimed solely in my opinion at propping up a dying business model in which KPIs that were perfectly valid 10 years ago are falling, and rather than pull the levers and turn the knobs in their own business model and evolve, an industry lobby is seeking to pull levers and turn knobs in society as a whole and create a time machine that puts the smoke of 20 years of technology evolution back in the bottle.

I teach and consult on-site with clients. I have also been published in dead-tree formats. e-learning and on-line tutorials and coaching, blogs, internet based publications, e-books all challenge that business model. So is my response to lobby hard for legislation and burn cash in litigation to reverse the universe? No. I’m not a moron. I embrace the opportunities for new business models that the Web provides. I look to build a Platform Business (to borrow from my friend Phil Simon) and I seek to develop new ways to distribute and monetise my services and my knowledge. (So expect to see some things developing from my business over the next few months)

That the Irish Music Industry has strong-armed the Government into rushing bad law in, in a bad way, is irksome in the extreme. That a mortally wounded industry has been able to bully (and yes, I do feel that the approach taken amounts to bullying) a Government into bringing in legislation of a kind that a vibrant and growing industry sector (that would be the Interwebs and Cloud) had lobbied and campaigned against successfully in the US only a few weeks ago galls me. That it is happening when the legal position in Europe has evolved and the clear message from TWO EU Commissioners (including the Vice-President of the Commission) is that Internet Blocking is not an option in Europe (ergo the Commission would be unlikely to penalise Ireland for not having it in place) just sickens me.

But what really sticks in my craw is the pantomime of a Dail debate that we saw last night which makes a mockery of parliamentary democracy in this country. A debate where a perfectly workable alternative piece of legislation that achieves largely the same objectives while balancing the needs and interests of the ISPs (who were NOT consulted or engaged with when the original SI was being prepared) was basically ignored.

The debate highlighted how out of touch with their electorate the Government is. Dismissing people who WRITE to you as “keyboard warriors” is insulting and disingenuous to say the least. I am a keyboard warrior and proud of it. I use my keyboard to effect change in organisations, educate and inform. It is my TOOL. Just as my grandfathers’ tools were pens and typewriters (for one) and trowels and plaster (for the other). My keyboard (and my website) is my own personal printing press with a scope, scale, and reach that Gutenberg could never have imagined.

Bad law, introduced badly, by people who don’t grasp the basics of what they are seeking to regulate and control, with an arrogant dismissiveness of comment and debate from the political class (with notable exceptions) has the makings of a total trainwreck.

As an aside, when I first raised concerns last year about the Fine Gael website I was dismissed as being “only a blogger”. This keyboard warrior was right, so the track record of arrogant dismissiveness from Government parties has not been good on internet-related things.

So I contacted my Government party TDs by phone this morning to express my dissatisfaction. If my keyboard won’t be listened to then I’d better start using my voice.

While we’re all fired up about protecting rights..

Hey you #stopsopaireland people, I’ve got a favour to ask. It’s not a big one. It will take you 30 seconds to do but it may help to make your life a little better.

The 30 seconds kicks in as soon as you’ve finished reading this post.

The discussion around #stopsopaireland has focussed on the impact that internet blocking would have on fundamental rights of freedom of expression, and the EU legislative and policy frameworks and case law that exist to support that right and ensure it is protected in a balanced way.

There is another right that is important. The right to Privacy. In particular the right to Personal Data Privacy which is set out in Article 16 of the Lisbon Treaty. It is this Article that provides the basis for the EU’s Data Protection regime, changes to which were announced on Wednesday. Those changes will take a number of years to come into effect, assuming they are not bastardised and watered down beyond all recognition by national parliaments or the European Parliament responding to lobby groups.

But a functioning Data Protection framework is in existence today and it is policed in Ireland by the Data Protection Commissioner. Already this year they have engaged with the Dept of the Environment regarding the Household Charge database and with Dublin City Council regarding the transfer of personal data from Dublin City Council to a private company. And let’s not forget their audit of Facebook last year. And that’s just the high profile stuff that gets in the media. In my professional context I’m aware of the significant number of complaints they help people with each year as they strive to promote compliance with the Data Protection Acts in an increasingly complex information management environment and a financial culture where organisations and governments are trying to do more with less and often cutting the wrong corners in the process.

The Office of the Data Protection Commissioner serves the individual citizen, helping them with advice regarding their rights and acting to investigate and prosecute breaches of those rights. They also serve the Organisation (be that a Government department, a large multi-national, a local football team, or a student company selling jumpers on-line) providing education and advice (when asked) as to what steps should be taken to ensure the right balance is struck between the goals of the organisation and the rights of the individual. They don’t deal with just one sector of the economy. Anywhere personal data is being processed they have a role to play.

Saturday 28th January is World Data Privacy Day. It is one day in the year where Data Privacy is celebrated. Companies and regulators around the world have planned activities and events to celebrate the day (see here and here), but in Ireland it seems to be just another Saturday. Some of you might say that the Data Protection Commissioner should have led the charge on this but, to be frank, they are under-resourced in terms of numbers and budget and need to prioritise their efforts and energies to dealing with the actual and alleged breaches of people’s rights that come through their inbox every day.

So, to celebrate World Data Privacy Day 2012 I’m asking you to write an email to your TD, Minister, or other elected official asking them to comment, tweet, or in some other way make public

  1. Their support for the principles set out in the Data Protection Acts and the proposed revised EU Regulation on Data Protection
  2. Their commitment to ensuring the Office of the Data Protection Commissioner is properly funded and resourced to allow it to execute its duties under the Acts and the Lisbon Treaty in an effective and truly independent manner.
  3. What one thing they will do by January 2013 to improve their personal knowledge of the Data Protection regulations.

I’ve even put sample text below so you can just cut and paste it. You can use the great contact form at Contact.ie to bulk contact your elected representatives (while you are there, why not donate to support the site), or you can make the message personal and send it yourself from your own computer/phone/device/smoke ring maker. Heck, if you want to phone them or tweet them directly about this, fire ahead.

+++ email text

Dear Sir/Madam

I write to you on the occasion of World Data Privacy Day, which is being celebrated globally on Saturday the 28th of January (mark your diary, it’s the same day next year).

Personal rights, particularly personal rights in relation to information and personal data, have been in the media a lot this past month. Much of the coverage could have been avoided had proper attention been paid to the requirements and obligations under the Data Protection Acts 1988 and 2003, which apply equally across a wide range of industry sectors, including Government.

To celebrate World Privacy Day I would ask you to consider issuing a statement either by traditional press release, a blog post, or a tweet, that will tell your electorate where you stand on the following questions:

  1. Do you support the principles set out in the Data Protection Acts and in the proposed revised Regulation on Data Protection announced this past week by Vice President of the European Commission Viviane Reding?
  2. Are you committed to ensuring the Office of the Data Protection Commissioner is properly funded and resourced to allow it to execute its duties under the Acts and the Lisbon Treaty in an effective and truly independent manner, as is required under EU Directive and the Lisbon Treaty?
  3. What one thing will you do by this time next year to improve your personal knowledge of the Data Protection regulations?

Of these three questions, the second is one I feel is important. Personal data is the currency of the new economy and it is a valuable commodity. The Regulator for the Personal Data Industry is the Data Protection Commissioner. One of the key lessons of the Financial crisis is that for a Regulator to be effective they must be correctly resourced and independent of Government or industry influences.

I appreciate your time on this and look forward to seeing your press release, blog post, or tweet expressing your support for #DataPrivacyDay, the principles of Data Protection, and the office and role of the Data Protection Commissioner.

====ends===

If you get responses please post a comment below so I can see what uptake (if any) there has been from our political classes.
New rules, Old roots, Old attitudes

So, today the European Commission is announcing new rules for Data Protection and Privacy in the EU (and the EEA countries and those countries seeking accession to the EU). There is hype and hoopla about the rules and what they mean, particularly for organisations conducting business on-line, companies based outside the EU selling into the EU, standardisation of penalties, and realignment and consolidation of the Regulatory and Enforcement regime.

Oh yeah, and it is being done by Regulation which means the rules will be the same across the EU.

But at its heart the fundamental principles remain the same. Organisations who seek to process personal data of individuals need to make sure that the ‘deal’ is fair. After all, to paraphrase Commissioner Reding’s comments at the DLD conference in Munich earlier this week:

Personal information is the currency of the Information Age

And as with all markets where items of value are traded, checks and balances need to be in place to ensure the asset is valued appropriately and treated with care. Hence the focus in the new Regulation on concepts such as Privacy by Design, ensuring appropriate training of staff, specific requirements re: organisational governance and internal controls and clarity of documentation about the meaning, purpose, and methods of use of personal data. There is an economic trade off required to obtain the thing that is of value. That trade off is good management of Personal Data through the life cycle of the Information Asset.

As a Data Governance and Information Quality guy I’m glad to see that the legislators in my third area of passion have finally caught up with the need to ensure organisations have defined Quality Systems with defined decision rights and accountabilities over Information as an Asset.

So, while many of the rules are new, their roots are old. My reading of the version of the Regulation that was leaked just before Christmas revealed a Regulation with one foot in the camp of Fundamental Human Rights (and the trade offs that need to be made there for economic activity to take place) and the other firmly in the camp of Quality Management practices and principles, with a clear focus on creating a Constancy of Purpose in management towards the goal of striking a sensible balance and ensuring a fair deal in the processing of personal data.

And that is where the problem begins.

There is a window now for national governments and the European Parliament to make contributions to the Regulation. Many in national government and the EP will make sensible contributions that will evolve the framework and make it easier to implement in practice.

However, in a month where one Government Minister acted in blissful ignorance of the Data Protection Acts one week, another flew a policy kite that would require an illegal extension in scope of the database being built by the first Minister, and where the unelected officials of the largest City Council in the country appear to be unable to point to the legitimate grounds on which they transferred the personal data of over 100,000 residents to a private company, I hold out little hope of sensible debate and dialogue from the Irish body politic.

In a month where we greeted the year (for the second year in a row) with a story about poor planning of projects involving personal data (both under the stewardship of the same person) I hold out little hope of sensible engagement from the Irish body politic.

And in a month where, after the reversal of a bad law to control copyright on the Internet (SOPA) when leading websites across the world “went dark”, we find a Junior Minister of the Government, in the Department that is in charge of attracting and retaining exactly those companies who opposed the US law, seeking to implement a similar law by Statutory Instrument with no debate or discussion, even after the legal position and EU policy position has changed in relation to Internet blocking, and where only the opinions of the dying industry this law would protect seem to have been sought in advance, I hold out little hope for the Irish Body Politic not to make an arse of this.

And as for the Irish media… with a few notable exceptions the absence of attention to Data Protection issues (except where it involves embarrassing a Government Minister and the copy can be lifted from this blog) is staggering. So yet again I hold out little hope of sensible engagement.

Adapting to the new Data Protection landscape will require individuals to change their mindset. But I fear that the entrenched attitudes in the body politic and the traditional media may be such that Ireland (the little nation that faced trade sanctions in 2003 for not implementing Directive 95/46/EC by 1998 as we were required to) will fail to step up to the plate and drive the change in thinking and attitude necessary to achieve sustainable and sustained change in Data Protection practices in Ireland.

W. Edwards Deming wrote in his famous 14 Points for Transformation that it was essential for the transition that organisations “Institute Leadership”. I see precious little leadership in this area from our politicians and only dazzling pin-pricks of illumination from the mainstream media. So I must keep my hope guarded in the face of the likely knee jerk reactions against the changes and the almost inevitable white noise of ignorance until the Regulation passes into law with a direct effect sometime in 2014.

Prove me wrong. Please.

Lies, damned lies, and statistics

On Monday the 16th January 2012 the Irish Examiner ran a story that purported to have found that 93% of the Irish public “decried” the decision of the Minister for Foreign Affairs to close Ireland’s embassy in the Vatican City State. The article detailed how they had undertaken a review of correspondence released under the Freedom Of Information Act which showed that 93% of people in Ireland were against the closure. To cap it off, the article was picked up in the Editorial as well.

Except that that isn’t what they had uncovered. The setting out of the statistics they had found in the sensationalised way they presented them was a gross distortion of the facts. A distortion that would, to paraphrase Winston Churchill, “be halfway around the world before the truth had its boots on”.

Demotivational poster about data

What they had uncovered is that of the 102 people who wrote in to the Minister for Foreign Affairs about the issue, 93% of them expressed a negative opinion about the closure. The population of Ireland is approximately 4.5 million people. 95 people is closer to 0.000021%. I may not have the academic qualifications in Mathematical physics that my famous comedian namesake has, but I know that 95 people (that’s 93% of 102) is slightly less than 93% of the Irish public.

Or, to put it another way, significantly and substantially below the statistical margin for error usually applied in political opinion research by professional research companies.

Or to put it another way, over 99% of the population cared so little about the closure of the Vatican Embassy that they couldn’t be bothered expressing an opinion to the Minister.

Of course, the fact is that there were letters written about this issue. And the people who wrote them were expressing their opinion. And 93% of them were against the closure. In fact, in defending themselves on Twitter against an onslaught of people who spotted the primary school maths level of error in the misuse of statistics in the article, the Irish Examiner twitter account repeatedly states that (and I’m paraphrasing the actual tweets here slightly) “for clarification we did point out that the analysis was based on the letters and emails”. But it is inaccurate and incorrect to conflate the 93% of negative comment in those letters to the entire population, as the sample size is not statistically valid or representative, being

  1. Too small (for a statistically valid sample of the Irish public you would need between 384 and 666 people selected RANDOMLY, not from a biased population; that’s why RED C and others use sample sizes of around 1,000 people at least for phone surveys etc.)
  2. Inherently biased. “93% of cranky people were very cranky” is not a headline. The population set is skewed towards one end of the distribution curve of opinion you would likely find in the wider population.

Then today we see a story in the Examiner about how Lucinda Creighton, a Junior Minister in the Dept of Foreign Affairs, is backing a campaign to reopen the embassy because

there’s a very strong, and important and sizeable amount of people who are disappointed with the decision and want to see it overturned and who clearly aren’t happy

What? Like 93% of the Public Lucinda? Where is your data to show the size, strength, and importance of this group? Have you done a study? What was the sample size?

As a benchmark reference for what is needed for an Opinion Poll to validly represent the opinions of the Irish Public, here’s what a reputable polling company says on their website:

For all national population opinion polls RED C interview a random sample of 1,000+ adults aged 18+ by telephone. This sample size is the recognised sample required by polling organisations for ensuring accuracy on political voting intention surveys. The accuracy level is estimated to be approximately plus or minus 3 per cent on any given result at 95% confidence levels.

Anything less than that is not statistically valid data and can’t be held out as representing the opinion of the entire public.
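To show where the 384, 666 and 1,000+ sample sizes and the “plus or minus 3 per cent at 95% confidence” figure come from, here is an added Python example (my own, not from the post or from RED C): the standard normal-approximation margin of error for a proportion, with the worst case p = 0.5 assumed, and with the self-selected letters case reported as “not applicable” rather than computed.

```python
# Added example (not from the original post): the normal-approximation
# margin of error behind the sample sizes quoted in the post (384, 666,
# RED C's 1,000+ at +/-3%, 95% confidence), and why the formula cannot be
# applied to the 102 self-selected letters at all.
from math import ceil, sqrt
from statistics import NormalDist


def z_for_confidence(confidence: float) -> float:
    """Two-sided z-score for the given confidence level (0.95 -> ~1.96)."""
    return NormalDist().inv_cdf(1 - (1 - confidence) / 2)


def margin_of_error(n: int, p: float = 0.5, confidence: float = 0.95) -> float:
    """Half-width of the confidence interval for a proportion p estimated
    from a simple random sample of n people. p = 0.5 is the worst case
    (widest interval), which is what pollsters quote."""
    return z_for_confidence(confidence) * sqrt(p * (1 - p) / n)


def required_sample_size(margin: float, p: float = 0.5,
                         confidence: float = 0.95) -> int:
    """Smallest simple random sample whose margin of error is <= margin."""
    z = z_for_confidence(confidence)
    return ceil(z * z * p * (1 - p) / (margin * margin))


def assess_sample(n: int, random_sample: bool, p: float = 0.5) -> dict:
    """Return a margin of error only when the sampling assumption holds.

    A self-selected set of letters to a Minister (the Examiner's 102) is
    not a random sample, so no margin of error can be quoted for it: the
    headline figure says nothing about the wider population.
    """
    if not random_sample:
        return {"n": n, "valid": False, "margin": None,
                "reason": "self-selected sample: formula does not apply"}
    return {"n": n, "valid": True, "margin": margin_of_error(n, p),
            "reason": "simple random sample"}


def share_of_population(count: int, population: int) -> float:
    """The count as a percentage of the population (e.g. 95 of ~4.5 million)."""
    return 100.0 * count / population


if __name__ == "__main__":
    for n in (384, 666, 1000):  # sample sizes quoted in the post
        print(f"n={n:4d}: +/-{margin_of_error(n) * 100:.1f}% at 95% confidence")
    print("random sample needed for +/-3%:", required_sample_size(0.03))
    print(assess_sample(102, random_sample=False))
    print(f"95 of 4.5m people = {share_of_population(95, 4_500_000):.4f}%")
```

Running it shows that 1,000 random respondents give roughly ±3.1%, 384 give ±5% and 666 give ±3.8%, while for the 102 letters no figure can honestly be quoted.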

As an Information Quality Certified Professional and an active member of the Information Quality Profession on an International level for nearly a decade I am ethically bound to cry “BULLSHIT!!” on inaccuracies and errors in information and in how it is presented. The comments from Ms Creighton are a good example of why that is important in the Information Quality and wider Information Management profession. If bullshit analysis, or analysis based on flawed or inherently poor quality data, is relied upon to make strategic decisions then we invariably wind up with bullshit decisions and flawed actions.

And that affects everything from conversation with family, chats in the pub, business investment decisions, political decision making, through to social policy. Data, Information, and Statistics are COOL and are powerful. They should be treated with respect. People publishing them should take time to understand them so that their readers won’t be misled. And care should be taken in compiling them so that bias does not skew the results.

So, having had no joy or actual engagement from the Irish Examiner on the issue, I forwarded my complaint to the Press Ombudsman yesterday pointing out that the article would seem, based on the disconnect between the headline, the leading paragraph, and the general thrust of it, to be in breach of the Code of Practice of the Press Council of Ireland.

I just hope they can tell the difference between lies, damned lies, and fudged statistics. (This Yes Minister clip about Opinion Polls shows how even validly sampled ones can be biased by question format and structure in the survey design).

Household Charge Data Protection: Part 4 – The Circle of Trust

Phil Hogan has stated on RTE news that the problems with the Privacy Statement have been fixed.

They haven’t (and for record purposes I’ve taken a PDF copy of the current Privacy Statement to track future evolutions). The problem with not complying with Google’s Terms and Conditions has been fixed. The problems with:

  • Lack of clarity re: the Data Controller has not been addressed. While it is tempting to say that the Controller is Government, in practice there needs to be a single entity who is driving and directing the gathering and collation of the data. Who is the ‘controlling mind’? While this may be set out in legislation somewhere it is a requirement of the Data Protection Acts that it be brought into the light and made clear to people who they are providing their data to. Suggested wording might be:

The Data Controller for the Household Charge is the Department of the Environment. The Department makes use of a number of Data Processors to help administer the charge, provide IT facilities and services to support this website, and to securely process payments made. These Data Processors include: The Local Government Management Agency (LGMA), the various Local Authorities, and Realex Payments.

Under the legislation, the Department has delegated to Local Authorities the responsibility for the day-to-day administration and operation of the Household Charge such as issuing Certificates of Discharge etc and in that context Local Authorities will have access to your personal data for those administrative and customer service purposes.

The LGMA is a shared services organisation providing administrative and back-office support to Local Authorities. In that context they will have access to and will process your personal data in order to provide support for website issues, to assist the Department and Local Authorities in the administration of the Household Charge through the analysis of data, production of reports, and provision of on-line customer support for this website.

That took me all of 30 seconds to draft. It should be at the beginning of the Privacy Statement.

  • Lack of clarity around the purposes to which the data will be put. While the Privacy Statement as it stands is fairly specific (stating payment processing, issuing reminders of future liability, issuing receipts etc.), the media statements about potential future uses of the data and the data which is actually being obtained (see Elaine Edwards’ article in the Irish Times today [scroll to bottom], which points out that the process asks for the type of water supply you have and type of property etc.) suggest either that there are other future purposes that have not been disclosed, or that data is being captured which is not relevant or is excessive to the stated purposes. Suggested wording might be:

The primary purpose for which we are processing your information is to enable you to pay the Household Charge and to enable us to administer the Household Charge, as required under the relevant legislation, through the issuing of receipts, waiver notices, certificates of discharge, and the issuing of reminders for payment and notifications of liability in the future.

We are also capturing data about you and your property in order to establish a higher quality database of Residential Properties in the State for the purposes of supporting the efficient, fair, and cost-effective roll out of future property or service related charges and to provide a key information resource to the Department and Local Authorities about the nature and make-up of the residential properties in the State to support the planning and delivery of services and facilities in the future in a more cost-effective manner.

  • Lack of clarity regarding the periods for which data will be retained still persists. While the purposes of the retention are required in the legislation, the retention of data indefinitely is not allowed under the Data Protection Acts. How long does data need to be retained to issue a Certificate of Discharge? Is the personal data being retained as a standing database of property owners? (Again, that would be a purpose that would have to be stated.) Suggested wording might be:

In order to support the administration of the Household Charge and to permit the discharge of obligations under the legislation by Local Authorities and/or the Department, your personal data will be retained for the period of time you are the owner of a Residential property in the State. This will enable us to locate your records and issue receipts, Certificates of Discharge, reminder notifications, settlement of arrears on sale of property etc. without having to require you to re-register for the Household Charge every year.

Data relating to persons who cease to be the owners of Residential properties in the State who have no outstanding liability will be retained for two years from the date of sale to allow for the re-issuing of Certificates of Discharge etc. in that period.

Data relating to persons who cease to be owners of Residential properties with arrears will be retained for six years to allow us to pursue outstanding amounts and for two years from the date of final discharge or settlement of any outstanding arrears.

Again, this is just a brain dump of what might be in a more ‘fit-for-purpose’ Privacy Statement, but it highlights the need to have thought through the key purposes for which data will be used so you can figure out how long you need to hold it for. So long as there is a lawful purpose for the retention and that is flagged to the Data Subject the ‘deal’ between Controller and Subject is fair and balanced.

  • Disclosure to third parties. The Privacy Statement is silent on this. The media, and the Data Protection Commissioner, have rightly focussed on the proposals to suck data from Utility companies, but the disclosure of data is as important. The Privacy Statement needs to be clear about who data might be disclosed to by the Controller and the basis for that disclosure. Suggested wording might be:

Data provided as part of the Household Charge registration process may be disclosed to the Department of Social Protection or the Revenue Commissioners in order to support the administration of the Social Welfare system and the fair collection of other tax revenues. Such disclosures will be on the basis of specific requests arising from an investigation or as a result of legislative requirements currently in existence or which emerge in the future. All such disclosures of data will be undertaken in compliance with the Data Protection Acts and the minimum data necessary to achieve the purpose of the request will be disclosed. Where we believe there to be evidence of criminal activity or fraud, data may be disclosed to the investigating authorities to support the detection and prosecution of any offences.

Again, this is just a brain dump. But it again illustrates that by stopping and thinking BEFORE you rush to obtain data you can improve transparency and identify the controls and governance you would likely need to have in place before you start.

  • The Data Protection Acts suggest that a Fair Processing Notice/Privacy Statement include any other information that the Data Controller considers will make the processing more fair. The obtaining of data from third parties should, in my view, be bumped into the Privacy Statement as well in this context to make it CLEAR to people that this is a potential power and the basis on which it would be used. At the risk of pre-empting the protocols that the Department and the Data Protection Commissioner are agreeing, one possible wording for such a section might be:

In order to investigate cases of non-payment of the Household Charge the Department or a Local Authority may, on a case by case basis, make a request to a Utility Company or other provider of services as specified by the Minister in the legislation for information about services provided to an address. This information will be sought for the purposes of identifying if the property is inhabited. Information which may be sought in this context would include the name of the account holder with the Utility company/service provider.

I was disheartened yesterday to hear the Minister constantly fall back on the mantra that the information provided on the site would be secure. That is not the point I’ve been making, and that is not where the Data Protection Commissioner’s concerns lie.

Security of Information (no offence to my friends in the InfoSec world) is just one of 8 Principles that need to be complied with under the Acts, the Directive, and under our Lisbon Treaty obligations (Personal Data Privacy is a fundamental right of EU citizens).

The other 7 require Data Controllers to stop and think about what they are doing, what information they need to do that, how long they will need to keep that information for, who might need to look at that information, and a whole host of other factors over and above whether the site uses SSL and whether the data is encrypted on the server and other technical and practical security concerns.

It is even more disheartening when I see evidence of good work to try and ensure good security was designed in being undermined by a lack of focus on ensuring the other aspects required to balance the right to Privacy against the legitimate interests of the State were equally planned for and designed in.

This approach of “Privacy by Design” is what builds and sustains a Circle of Trust between the Data Controller and the individual.

In the case of the Household Charge that circle has been broken and will be difficult to restore.

If I was Taoiseach Kenny I’d be commenting on Minister Hogan’s Report Card: “Must try harder”.


It was 12 months ago today…

[Note: This post was drafted before Christmas and before the kerfuffle this week about the Household Charge]

It’s been a busy 12 months. Data Protection and Information Quality challenges are increasingly being faced up to by Irish businesses. A new Data Protection Regulation (yes, Regulation, not Directive) is in the offing which will change the landscape still further and lead to even more convergence of the fields of Information Quality, Information Governance, and Data Protection.

Looking back on the past 12 months I must say thank you to the “good eggs” who helped along the way and remember back to the first issue that captured the media headlines in 2011, just before the general election.

That’s when Fine Gael, in a mad dash to embrace social media in their campaigning, ignored the Data Protection Acts, prompting this post from me. That post was followed by a number of others (here, here and here). The story also ran in the media for a number of weeks, helped by the fact that the website (which was already a Data Protection disaster area) was hacked because it was not secured very well.

12 months on and we have seen Facebook politely nudged in the direction of improved compliance. But our political classes continue to ignore the Data Protection legislation in policy proposals and in local campaigning.

  • Want to integrate data and collate data from multiple sources for the purposes of tax collection? Then you need to do it in a way that balances risk to privacy and ensures security of the data.
  • Want to send Christmas emails to your constituents? Then make damned sure you have consent for that, because it is not an exempted activity under the Acts (it is not part of running for political office and it is not part of the operation of their elected office; it’s marketing).

The new EU Regulation will impose a reworking of old rules on all data controllers and processors. I expect we’ll hear griping and complaining about the changes and fluster from back bench TDs. But the core rules are 24 years old this year. Anyone who hasn’t gotten their head around them at this stage needs to consider how lucky they’ve been to date that they haven’t been hit with investigations or fines.

Will 2012 be the Year of Privacy? All the pundits think it will be. I expect to see Data Protection concerns being more prevalent in the media. I just hope our political classes are on the right side of the discussion and not bumbling into breaches as they have done before.


Household Charge – A Data Protection Kerfuffle (Part 3)

So, in the interests of trying to figure out what the purpose is for requesting the PPSN from persons registering for the Household Charge, I took a look at the PDF forms that are available from the HouseholdCharge.ie website.

Form HC12N sheds a little bit of light on this, as Note A on the form tells us that

PPSN (also known as RSI number) is unique to each individual and is used to distinguish between individuals with similar names or addresses.

So it is being used as a matching key, a unique identifier for citizens accessing public services. Which is what it is designed to be used for, under strict controls. The controls set out in the Social Welfare Consolidation Act 2005 require the PPSN to be used by Register Users for specific purposes. The details for the Department of the Environment’s use of the PPSN can be found on the Department of Social Protection website.

Deduping data is one of the uses. But not for a Household Charge. For other schemes. Specifically New House and Thatching grants and the Rental Accommodation Scheme. All of which require transfers of data around the Dept of Environment and the Dept of Social Protection, the Revenue Commissioners and Local Authorities. All of which is similar to what might need to happen to effectively administer a household tax.

But such a scheme isn’t actually listed as a use. It isn’t even noted as a planned future use. Therefore, the published records indicate that this might not be a lawful purpose (there is a caveat around the information on the DSP website regarding its completeness). And I note with dismay that the record for the Dept of the Environment was last updated in 2008. That’s a whole Government ago.

Open Data is a big buzz word in Government circles around the world. But Open Data starts with Openness ABOUT Data and being transparent enough about what will be done with data that citizens can trust. There are doubtless good reasons and valid purposes for the gathering of data. Government must ensure appropriate governance so that the information citizens can refer to about how their data is used can be reliably accessed and relied upon.

Mushroom Management styles are contrary to the spirit and intent of the Data Protection regulations.

The Household Charge Data Protection Kerfuffle (Part 2)

I don’t normally blog twice in a day, but I also don’t like to write 40000 word blog posts.

So here is part 2 of the post I wrote earlier (with thanks to @brianhonan for pointing out some stuff on the twitterbox).

Data Retention

The Privacy Statement for HouseholdCharge.ie states that

The Local Government (Household Charge) Act 2011 provides for the issuing of receipts and certificates of discharge, waiver and exemption on request. To enable a local authority meet these statutory requirements your data will be securely retained in the system.

Great. That tells me the statutory basis for some of this processing. But it doesn’t tell me how long the data is actually going to be retained for. As VAT isn’t payable/chargeable on a tax, the retention period that applies under the VAT Acts wouldn’t apply, and in the context of Income Tax, Revenue require me to hold data, not the other way around (but they do hold data, and hold it quite securely).

I would assume a receipt would issue as a matter of course (at which point there is no need to retain data), as would certificates of discharge (I assume). I’m not sure about the waivers and exemptions… I would have assumed that that was a separate process whereby you would register your grounds for waiver or exemption and be excluded. (Unless of course data has been disclosed to the LGMA by another department, e.g. DSP, either in bulk or on a record-by-record basis, that would allow them to perform look-ups to verify eligibility for waivers or exemptions.)

So, I’m hard pushed to find a reason for retention longer than 12 months (and I’m basing that on the need to have the data to send a reminder in 11 months’ time). But the waivers and exemptions bit might give a reason for asking for the PPSN, but not from everyone, just from those applying for a waiver or an exemption; anything else is still excessive processing for the purposes stated.

Rolling up the Tinfoil Hat

One element of comfort I find in the opacity of the Privacy Statement is that, for all the elements it is missing that would add transparency, those that it has place some constraints on current and future uses.

In my last post I pointed out that the only two purposes they state that data is being processed for are processing payments and sending reminders. When we look at the Retention Period bit we find a few more (issuing receipts, Waivers and Exemptions).

Which means there is a discrete set of stated specific purposes for which this data can be used. And no more.

Therefore, to roll up the tin foil hat a little, fears that the Government might be building a property register on the sly can be allayed by the fact that any such use would not be lawful, as it has not been spelled out as a purpose for the data you are providing.