Tag: balance

  • Trust us. We’re the Government

    Coverage of some of the structures of the Insolvency Service of Ireland has been rattling through my ears while I work the past few days. What I’ve heard gives rise to an unsettling feeling that the architects of the scheme have decided that the insolvent are a form of unter-mensch for whom some of the fundamental rights that EU citizens enjoy are either put on hold or entirely forgone.

    Data protection is a fundamental right in Europe, enshrined in Article 8 of the Charter of Fundamental Rights of the European Union, as well as in Article 16(1) of the Treaty on the Functioning of the European Union (TFEU). As a fundamental right, according to the EU Commission it “needs to be protected accordingly”.

    Some of what I have heard I can only hope is half-informed speculation, but I fear it may be grounded in reality.

    1. Publication of personal data including name, address, and date of birth on a public register of insolvents. This is problematic as it creates a risk of identity theft in my view. Also – what is the purpose for which this data is being published? How could the same objective be met without putting personal data privacy at risk of unauthorised access? How is this compatible with s2(d) of the Data Protection Acts, which requires appropriate measures to be taken to keep data safe and secure?
    2. Retention of data on the register after a scheme has been exited. It is rumoured that people listed on the register mentioned above would have their details retained indefinitely. Why? How is this compatible with the requirement under the Data Protection Acts (and the underlying Directive) to retain data no longer than is necessary for the purpose? How would it be compatible with the requirement under the proposed General Regulation for Data Protection to give citizens of the EU a “Right to be forgotten”? What is the function/purpose of retaining information once the agreed scheme has been completed?
    3. Section 186 of the legislation purports to exempt the Agency from Section 4 of the Data Protection Acts. This is the section that allows individuals to get copies of information held about them by Data Controllers. It is a right that is derived from Directive 95/46/EC. While there are grounds under Article 13 of the Directive for a member state to limit subject access requests where it impacts economic or financial interest of the State, I’m at a loss to see how a response to a Subject Access Request for a single person or class of people might impact our economic and financial interests as a State. The test is that the restriction must be necessary, not nice to have. Of course, if things are so precarious that a Subject Access Request will tip the economy into a death spiral, then perhaps the Irish people should be told this.

     

    There is a significant imbalance in rights and duties emerging here. Particularly when compared with the secrecy of NAMA and the closeness with which the privacy of significant contributors to the exuberance of the Boom times has been guarded by that Agency. There is also a suggestion that Data Protection rights are optional extras that can be mortgaged as part of entering the process.

    I really do hope I’m wrong about all of this and it is not the data black hole that it appears to be and that personal data privacy will continue to be respected as a fundamental right. After all, when you’ve lost everything else, things like that can be very important.

  • Why (with due respect) Ian Elliott is mistaken

    Ian Elliott is the chairman of the National Board for Safeguarding Children in the Catholic Church. It is an agency of the Catholic Church in Ireland and is not a State agency. It is tasked with ensuring that the Catholic Church in Ireland follows and implements its own child protection guidelines, particularly with reference to allegations of clerical sexual abuse of children.

    It is a difficult job. It is an important job. And it is a function and role that we should be thankful someone is filling.

    However Mr Elliott seems to be operating under the misapprehension that the Data Protection Acts are an impediment to the NBSCCC doing its job effectively. This is not the first time that this fig leaf has been trundled out. Similar issues raised their heads in 2011 when Bishops refused to cooperate with Mr Elliott on spurious Data Protection grounds that were dismissed by the Data Protection Commissioner. Given that the NBSCCC is in effect an agency of the Church it was a bit odd seeing the middle management of the Church trying to wheedle out of cooperating with it.

    In the present complaint about the Data Protection Acts Mr Elliott cites the example that the Gardaí are not able to pass information to his organisation without there being a risk of “imminent harm” to a child, which causes problems for the processes of safeguarding children. I believe Mr Elliott to be mistaken in his analysis of where the problem lies. Let’s look at this.

    An allegation that someone has committed a criminal offence is sensitive personal data. Information about an identified person contained in such an allegation is personal data. Therefore it can only be disclosed either with the consent of the Data Subject (and in this case the Data Subject is the individual about whom the allegation has been made) or where another exemption under Section 8 of the Data Protection Acts can be identified. The relevant condition that seems to be in dispute here is Section 8(d) which requires that the disclosure is

    Required urgently to prevent injury or other damage to the health of a person or serious loss of or damage to property.

    In effect he is stating that the Gardaí (or possibly the Attorney General who would likely have advised the Gardaí) are taking the view that there is no imminent harm and therefore there are no lawful grounds for onward disclosure. That does not mean that the Gardaí are not retaining the data and processing it themselves. Such processing however would fall under the protection of Section 62 of the Garda Síochána Act 2005, which places certain restrictions on the disclosure of data by members of An Garda Síochána, particularly related to investigations or other operational information. Breaches of this section of the Garda Síochána Act carry potentially significant penalties (and, as they are a criminal conviction, could be at best career limiting for members of the force).

    As the NBSCCC is not a State body that investigates criminal offences Section 8(b) does not apply to them. As child safety in the Church is not a matter of National Security Section 8(a) does not apply. As there is no legal advice being sought (the Gardaí are not asking the NBSCCC for a legal opinion) and there are no legal proceedings Section 8(f) doesn’t apply. And given that the subject of an allegation is unlikely to have consented to their data being disclosed, the Consent exemption cannot be relied on.

    Which leaves us with Section 8(e). Section 8(e) is what I believe Mr Elliott was actually alluding to (but I may be mistaken). Section 8(e) allows for the disclosure of information where it is

    Required by or under any enactment or by rule of law or order of a court

    So the Data Protection Acts contain a provision which would enable the sharing of data by the Gardaí with the NBSCCC in any or all circumstances Mr Elliott might wish. He just needs legislation to allow it. This could be either primary legislation or a Statutory Instrument. Primary legislation would have the added benefit of giving some scope to making the role of the NBSCCC more formal. Any form of legislation would potentially provide a framework for properly balanced sharing of information from other State Agencies.

    The legislation would, of course, have to include some outlining of the protocols and security controls and limitations on processing that would be applied to the data but that is simply good practice.

    But (and here is the important bit) the Data Protection Acts would not need to be touched. The Junior Minister with responsibility for Children would simply need to legislate for some thought-through Child Protection rules that would enable balanced and appropriate sharing of information.

    The risk in touching the Data Protection Acts is that you could create a situation where the Risk Committee of any employer could potentially seek disclosure from the Gardaí of any reports of specific criminal offences or reports of possible offences committed by current or prospective employees (unless you write the NBSCCC specifically into the legislation, which is derived from an EU Directive that is about to be replaced with a Regulation so… eh… not really possible). That is a dangerously broad and clumsy tool to apply. The law of unintended consequences is still on the metaphorical statute books after all.

    Mr Elliott, I politely submit that your analysis – or perhaps the media’s one-sided interpretation and reporting of it – is flawed. Leave the Data Protection Acts alone. Government – legislate for a clear exemption under Section 8(e) and solve the problem the right way.

    Of course if the Data Protection Acts are going to be opened up the logical thing to do – given the impending Data Protection Regulation – would be to legislate on the basis of the principles in the Regulation. Beating the rush so to speak and definitely putting a stamp on the Irish EU Presidency. And I’ve a shopping list of other things…

  • Newspaper Licensing Ireland–a return

    The last post was a little long and analytical. Having reread the great post on McGarrSolicitors.ie I thought I’d reframe my Data Protection take on this in terms that might be more familiar.

    Personal Data is being processed via your website without an appropriate Privacy Statement and without any communication of the purposes for that processing. Furthermore, the failure to have such a privacy statement on your site which references the use of Google Analytics is a breach of Section 8 of the terms and conditions that apply to Google Analytics. Failure to obtain consent for the use of the cookies written by Google for the purposes of Google Analytics is a breach of SI336.

    You are breaking the law; you risk exposing your company to investigation and prosecution, with financial penalties and brand damage ensuing. Processing personal data without it being obtained fairly for a lawful purpose, and writing 3rd party cookies without consent is illegal and breaches a fundamental Human Right in the European Union.

    What do you think?

    I may be over egging it a little. I need a cup of tea now and a good sit down.

  • Newspaper Licensing Ireland– some thoughts

    This post is about the website of Newspaper Licensing Ireland, who have recently written to a non-profit organisation whose aims I wholeheartedly support, seeking license fees for linking to newspaper content published on the internet by the newspaper publishers. McGarr Solicitors, who are acting for Women’s Aid, have published a detailed analysis of the situation and the questions raised on their website, which I link to in the confidence that the McGarrs won’t come looking for a pound of flesh in return. Sticky buns perhaps, but nothing worse.

    I will ignore the fact that this action seems to be in ignorance of the way the Internet works, particularly with regard to search engine optimisation and page ranking where relevance and significance of content, and hence its positioning in Google searches and the value of the real-estate for on-line advertising purposes. I’ll ignore how the use of links simply tells people to “look over here – I found this interesting, so you might too”. I’ll ignore the fact that links are effectively the footnotes on the Interweb that tell people where your source was for a thing.

    (But if you do want to actually understand this aspect, the Wikipedia entry on Search Engine Optimisation has a reference to the Google PageRank algorithm and how it works (at a high level). And Dr. Cathal Gurrin in Dublin City University did his Doctoral thesis on the topic. And I’m sure someone somewhere has done an economic analysis of link density [the number of inbound links to a site] but I can’t be bothered to look for it tonight.)

    What I will talk about here is the fact that I went to the Newspaper Licensing Ireland site (which I won’t link to… just in case) to see what the potential cost to an SME with 0-10 employees would be. I still don’t know the answer.

    I’d expected a form that would take certain inputs and churn them around to spit out a ball park figure. I’d expected to see something that would relate the license cost to, for example, the average hits or distinct site visits on the SME company site per month (to make the cost meaningful as those stats are the foot fall of the Web).

    What I didn’t expect was to be asked for a contact name and the name of the company on that form. Company name I’m not too concerned about. But the contact name…

    …that’s personal data. Therefore under s2 of the Data Protection Acts it must be obtained for a specified and lawful purpose and must be fairly obtained. So I went looking for a Privacy Statement (there was none). So I turned on my cookie checkers to see what was being written by the site to my device wot is connected to a public communications network (and therefore would be a cookie within the meaning of SI336 and as such would require consent unless necessary for the service I’m trying to avail of).

    My tools revealed that NLI are using Google Analytics on their site, in a manner which is in breach of the Terms and Conditions of use for Google Analytics, which state very clearly in Section 8:

    8. PRIVACY

    8.1 You will not associate (or permit any third party to associate) any data gathered from Your Website(s) (or such third parties’ website(s)) with any personally identifying information from any source as part of Your use (or such third parties’ use) of the Service. You will comply with all applicable data protection and privacy laws relating to Your use of the Service and the collection of information from visitors to Your websites. You will have in place in a prominent position on your Website (and will comply with) an appropriate privacy policy. You will also use reasonable endeavours to bring to the attention of website users a statement which in all material respects is as follows:

    “This website uses Google Analytics, a web analytics service provided by Google, Inc. (“Google”). Google Analytics uses “cookies”, which are text files placed on your computer, to help the website analyze how users use the site. The information generated by the cookie about your use of the website (including your IP address) will be transmitted to and stored by Google on servers in the United States. Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity for website operators and providing other services relating to website activity and internet usage. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google’s behalf. Google will not associate your IP address with any other data held by Google. You may refuse the use of cookies by selecting the appropriate settings on your browser, however please note that if you do this you may not be able to use the full functionality of this website. By using this website, you consent to the processing of data about you by Google in the manner and for the purposes set out above.”

    The emphasis in bold is mine. What Google requires is for people using GA to put in place a Privacy Statement, and that Privacy Statement needs to clearly detail the use of Google Analytics, the fact of data transfer to the US, the purposes for which the data will be used, etc.

    NLI have no such Privacy statement, and no such text, so no mechanism to confirm my consent to the cookies that are being written by Google Analytics.

    So, the site is operating in breach of SI336 and Google’s terms and conditions, and is effectively breaching contractual conditions governing the use of Google’s services and the fundamental right to Personal Data Privacy as enshrined in Article 16 of the Lisbon Treaty.

    All of which I’d never have considered looking at at all if they weren’t sending threatening letters to a charity that exists to help and protect women experiencing domestic violence.