The DOBlog

Tag: Data Protection

  • Stand up for Digital Rights, Ireland.

    In the Western world our rights are under attack. In the UK for example the policy of the Tory party is to abolish the Human Rights Act (http://www.bbc.co.uk/news/uk-politics-21726612). In the fast changing world of data and information private companies and governments alike go to great lengths to peer inside our digital lives in a manner often disproportionate to or ineffective for the stated purposes of ‘national security’ or copyright enforcement. The revelations over the summer from Edward Snowden, and a variety of other stories relating to the use, misuse, and abuse of our private personal data by companies and governments alike have resulted in Dictionary.com making “Privacy” its Word of the Year for 2013 (http://blog.dictionary.com/privacy/)

    Last year saw the Irish Government, in its presidency of the European Union, preside over a significant watering down of rights and protections for individual data privacy in the proposed EU Data Protection Regulation. This regulation was subject to 4000 proposed amendments and one of the most intrusive lobbying campaigns by organisations seeking to reduce the protections over personal data privacy afforded to EU citizens. But last year also saw Digital Rights Ireland punch significantly above it’s weight on the European stage, with their appeal to the ECJ on the retention of telephone, sms, and internet usage data by telecoms companies on behalf of governments – precisely the same information that was at the centre of Snowden’s PRISM disclosures.

    Digital Rights Ireland plays a valuable role in the evolution of our personal digital rights, particularly as we struggle to define where we must draw the line between an Information Economy, where the users of services are the means of production, and an Information Society, where powerful tools for communication and interaction allow us to engage, but to wear a mask or withdraw to our personal fortresses of solitude where we can define and redevelop our sense of self as people. Not as products.

    However, DRI had one set back in 2013 which puts their ability to stand up for our rights, your rights, in an Information Society. They were on the losing side in litigation about copyright issues. Their role in the case – to be a counterpoint voice for the people and to bring additional information and perspective to the Court. The impact: the music industry looked for costs of the guts of €30,000 against DRI for one day in Court. This was reduced to €13,000 on appeal to the Taxing Master. No other party to the case is seeking costs against DRI.

    The risk now is that DRI might be liquidated by the music industry representatives. For standing up and suggesting alternative solutions might be needed, for pointing out how web filtering is easily circumvented, and basically being a devil’s advocate on the side of the individuals who make up our society.

    Money must be found. DRI runs on a shoestring, favours, and jellybabies. There is no salary for its directors,  no top ups, no big dinners or extravagant radio adverts. Just people who care and give up time from their day jobs to provide a voice for Digital Rights. That voice will fall silent if they cannot raise the €13,000 needed as soon as possible.

    It is time to stand up for Digital Rights, Ireland. Rather than buying a data slurping tablet in the sales, or downloading another privacy invading smartphone app\tracking device, go to www.digitalrights.ie and check out what they do for you. Then go here (http://www.digitalrights.ie/support-us-in-2014/) to learn more about their problem. Then go here http://www.digitalrights.ie/support/ to donate, either a once off payment or a recurring donation.

    And if you don’t, you risk waking up one day as a just another unit of production in an Orwellian dystopia.

  • Wrong thinking about Devices

    I’m addicted to the think. Every day, when not thoroughly occupied with the challenges of a client strategy or issue, I find myself drawn to hard thinking. Sometimes I even get people plying me with think.

    Like this past few weeks. Lots of think.

    One thing I’ve been asked to think about is the whole area of Bring Your Own Device, colloquially known as “BYOD”. I understand that this emerged as a term because people hoped that enterprise technology management would be a lot like a college house party. You’d bring a bottle and go home with two bottles of something better than you went with. Which in tech terms might be going with an Android JellyBean device and coming home with an iPhone and a Windows 8 slate.

    But everyone is wrong. The focus is wrong. Because we have in effect focussed on the size, colour, shape, and label of the bottles in our BYOD/BYOB thinking. In doing so we’ve missed the importance of what is in those bottles. Which is important if you find out that you’ve arrived home from your party with two bottles of water when you had been expecting vodka.

    From a process and governance perspective what we are actually dealing with is a classically simple issue that has just been obscured because:

    1. In the old days the company gave you your bottle and you where damn glad to have one (i.e. they provided the technology you used to do things)
    2. We entered the hooplah hype cycle at the time when everyone was jumping up and down like 5 year olds on Christmas morning when they find Santa has left them a bike. – “YAY!!!! TOYS!!!!!

    What we are actually dealing with is a problem not of how to allow people to use their devices but rather a problem of how to give people access to resources in a secure and controlled manner when we don’t own the bottles any more. This requires organisations to do some thinking. What can be done to ensure that people are given access to resources in the right way?

    Some thoughts spring to mind:

    1. Define standards for the bottle (the device) you will let people bring to the barrel to be filled with yummy data/booze. Provide data in 1 litre chunks, or require 32GB capacity and perhaps limit the OS versions you’ll allow
    2. Put a bottle in their pocket: Implement a standard workspace that sits on the device that you can control the parameters of.
    3. Sell them the bottles (i.e stick with only allowing approved company issue devices).

    Of course, the world is a complicated place so when people start using their own device for work purposes it means there is a risk that the red wine you are giving them for work will be mixed with the white wine of their private personal world. That means the practice of giving them a bottle that is marked “WORK” would be sensible.

    By reframing the thinking away from the fact that they are bringing a device to the party but instead looking at how access to data, applications, and other resources will be provided to n variants of platform the organisation can begin to think strategically without getting bogged down in detail.

    It also gives a great branding opportunity for the strategy. This is a strategy for GIVING ACCESS TO OUR RESOURCES. Abbreviated it is a GATOR Strategy.

    So, does your organisation have a GATOR strategy yet? If not, you should really get one. And make it snappy.

  • Striking a balance in Data Protection Sanctions

    It was reported yesterday that the Irish Government has issued a “discussion paper” on the proposed administrative sanctions under the new Data Protection Regulation.

    EDRI has criticised the proposals with reference to the “warning/dialogue/enforcement” approach taken by the Irish DPC. Billy Hawkes has, in the past, been at pains to clarify that the Irish DPC uses dialogue to encourage compliance and also seeks to encourage organisations to raise questions and issues with the DPC to avoid breaches. There is a belief that the “brand impact” of even being spoken to by the DPC about an issue can prompt “road to Damascus” conversions in organisations.

    That is all well and good, but my experience working with organisations is that this can result in management playing a game of “mental discounting” (I’ve written about this before in response to the original draft DP Regulation). If there is a perception that the probability of an actual penalty is low, there is little leverage in appealing to intrinsic motivation of a business manager when his extrinsic drivers for behaviour are pushing the decision towards a “suck it and see” approach.

    Having re-read the discussion paper and EDRI’s response to it I can’t help feel that EDRI may be over-stating the “ask” that is being made here a small bit. They cite it as the “destruction of the right to privacy”, citing the Irish DPC’s own experiences with the Garda Pulse system which has been plagued by reports of breaches in Data Protection since its introduction, despite the Gardaí having a statutory Code of Practice for Data Protection. In 2010 the DPC reported that that Code of Practice was not being implemented in the Gardaí.

    However, this says as much to to me about the attitude to Data Protection in some (but not all) parts of the Irish Public Service then it does about the merits of the Data Protection Commissioner’s approach to encouraging compliance or the specifics of anything that might be discussed on foot of this discussion paper. Furthermore it raises questions for me about the capability and resources that the Data Protection Commissioner has to execute their function effectively in Ireland, and even suggests that there may be informal barriers to the effective operation of their function in the public sector which need to be urgently considered (given that the Office of the DPC is supposed to be independent).

    Given the extent of the negative findings in the interim report on the 2012 audit of the PULSE system I personally would hope that there would be some level of penalty for the Garda Siochana for failing to follow their own code of practice. But that is a different issue to what the Discussion paper actually raises.

    What is being discussed (and what would I like them to consider?)

    The Discussion Paper that was circulated invites Ministers at an Informal Council meeting to consider (amongst other things):

    1. If wider provision should be made for warnings or reprimands, making fines optional or at least conditional upon a prior warning or reprimand;
    2. if supervisory authorities should be permitted to take other mitigating factors, such as adherence to an approved code of conduct or a privacy seal or mark, in to account when determining sanctions.

    It flags the fact that the Regulation, as drafted, allows for no discretion in terms of the levying of a penalty. What is proposed here in the discussion is a discussion of whether warnings or the making of fines optional would be the mechanism to go to rather than scaring the bejesus out of people with massive fines. This in itself doesn’t kill the right to Privacy, but it does potentially create the environment where the fundamental Right to Privacy will die, starved of any oxygen of effective enforcement.

    Bluntly – when faced with a toothless framework of warnings and vague threats, businesses and public sector bodies will (and currently do) play a game of mental discounting where the bottom line impact (in terms of making money or achieving a particular goal) outweigh the other needs and requirements of society. So an organisation may choose to obtain information unfairly or process it for an undisclosed secondary purpose because it will hit its target in this quarter and the potential monetary impact won’t emerge for many more months or years, after an iterative cycle of warnings. The big penalty will be seen as something “far away” that can be worried about later. After everyone’s got their bonuses or their promotions etc.

    If strict statutory liability is the model that is being proposed, and the discussion is to look at watering it down to a stern talking to as a matter of formal policy in the Regulation, I must despair of the wingnuts in my government who even thought that would be a good idea to even suggest this. But I do agree that tying the hands of the Regulators to the big ticket monetary penalties might not work in their interests or in the interests of encouraging compliance with the legislation.

    What is needed is a middle ground. A mechanism whereby organisations can make errors of judgement and be warned, but that the warning will have some sanction with it. The sanction needs to be non-negotiable. But it needs to be transparent and obvious that this is what will happen if you ignore DP rules. It needs to be easily enforced and managed. There should be a right of appeal, but appealing the non-negotiable fixed-penalty should carry with it the risk of greater penalties. And the ability of an organisation to benefit from iterative small penalties should be removed if they are a recidivist offender.

    There is a system that operates like this in most EU countries – it is the Penalty Points system for motoring offences. Hopefully the discussion will move to looking at how a similar system might be implemented for Data Protection offences. The penalties could be tiered (e.g. no cookies notification – €150 fine and 2 points on first offence, €500 and 4 points on second, failure to document processing €500 fine on first offence and 6 points). The points could be cumulative, with the “optionality” of higher sanctions being removed if you were, for example, an organisation with 100 points against you (congratulations, you’ve failed to up your game and now you are being prosecuted for the full tariff). Organisations bidding for public sector contracts could be required to have a “Data Protection Points” score below a certain level.

    This system could be devised in a way that would take account of mitigating factors. If a code of practice was entered in to, and was successfully audited against by an appropriate body, then points could be removed from the “scorecard” at the end of a 12 month period. If there were mitigating factors, a lower level category of offence might actually apply (I’ll admit I’m not sure how that might work in practice and need to think it through myself a little). Perhaps self-notification to the DPC, engagement in codes of practice, mitigating factors or actions etc. would carry a “bonus points” element which could be used to off-set the points total being carried by a Data Controller (e.g. “adopted code of practice and passed audit: minus 3 points, introduced training and has demonstrated improved staff knowledge: minus 3 points).

    Certain categories of breach might be exempt from mitigation, and certain categories of offence, just like with motoring offences, might be a permanent black mark on the organisation’s Data Protection record (e.g.: Failure to engage with DPC in an investigation, failing to take actions on foot of an audit/investigation).

    The scheme could be administered at an EU level by the EDPB, with the points accumulated by organisations operating in multiple member states either being cumulative or averaged based on a standardised list of key offences. Member States could be free to add additional offences to this list locally, within the spirit and intent of the Regulation.

    That would be an innovative idea, based on a model that has been proven to have an influence on compliance behaviour in motoring. And it would provide a transparent mechanism that would ensure that warnings could be given, advice could be sought, and positive engagement could be entered into by Micro Enterprises, SMEs, and large corporates. It would provide a relatively low impact mechanism for levying and collecting penalties from organisations who are in breach (penalties could potentially be collected as part of annual tax returns as a debt owed to the State), and it could be used to reward organisations who are taking positive actions (“bonus points”).

    Finally, it would give the basis of a transparent scorecard for organisations seeking to evaluate data processors or other service providers (in the same way as Insurance providers use penalty points data for motoring to assess driver risk), and it would give a clear escalation path to the full sanctions in the Regulation (e.g. 100 points and you go straight to full penalties).

    What it does not give is a death spiral of warnings that don’t amount to penalty and as a result give a platform for organisations to ignore the Right to Privacy. It is an evolution of the conciliatory approach to encouraging compliance but one that is given teeth in a manner that can be transparent, easily explained, and standardised across the EU27.

    I’ve written about this in 2010 and 2012. Maybe the time is right for it to be discussed?

  • Support your Local Sheriff–why the DPC needs us to help them help us.

    Problem Statement

    The Irish Government is tripping over itself to win FDI from the new ‘Big Data’ enterprises. Whether it is promoting Ireland as a perfect location for Data Centres (it is, apparently we’re in a temperate Goldilocks zone) or chasing flagship investments in European headquarters for companies such as LinkedIn, Facebook, Zynga Games, Twitter, not to mention the pursuit of “home grown” ‘Big Data’ firms or the development of long term residents like Apple or Amazon from ‘box packers’ or call centres to foot prints of ‘Big Data’ behemoths, the Government can’t help itself.

    And why would it. These organisations bring needed jobs, needed credibility to the Irish Economy, and much needed positive headlines for beleaguered politicians.

    Of course there is a catch. A small problem. Actually two small problems.Well actually one problem but one that is so small but so significant that it is worth mentioning twice:

    Our Data Protection Commissioner is chronically understaffed and, in my view, may lack skills and experience necessary to engage with and properly enforce EU Data Protection regulations.

    If the Government is viewing “Data” and its related services as the “New Finance” they are showing precious little evidence of having learned from the failures of the past and I increasingly believe we are facing a scenario where either

    1. A major Data Protection scandal sweeps across big name players in Ireland and the DPC is wholly overwhelmed and cannot respond appropriately.
    2. Once new EU Data Protection Regulations are in place, we find ourselves in the eye of a major Data Protection issue and the Irish DPC finds himself with no option but to cede responsibility for the investigation and enforcement to another EU Data Protection Authority under the enhanced co-operation protocols in the revised Data Protection Directive.

    (more…)

  • Household Charge–A Data Protection kerfuffle in the making?

    It’s time for my annual “roll a data protection hand grenade under something” blog post. Every year I try to be topical. And I try to apply a similar approach to spotting risks and getting them on the table for discussion as I do when conducting Privacy Impact Assessments or Compliance reviews. Only I’m less formal here.

    This year my interest has been piqued by the new Household Charge which the government has introduced. Citizens are required to register for this tax at a specific website which is ostensibly (from the logo header) under the control of the Department of Environment Community and Local Government.

    But a number of things about this whole process wrankle with me from a Data Protection point of view. Let me be clear – I am not opposed per se to a property tax. I think however it should be fair and should reflect not just the value of property but the ability of the individual to pay. After all, in Ireland we have a generation of people living in properties that are worth a lot less than they were when purchased with people struggling to pay mortgages – increased charges are yet another burden that should be levied carefully.

    The website

    Cookies

    Looking at the website the first step is to check for compliance with SI336 (ePrivacy Directive) which requires that cookies can only be used with consent unless the cookies are necessary for the delivery of the information age service that the individual is seeking to avail of. Using the “View Cookies” add on in Firefox it is possible to see a listing of the cookies that a website is writing to your device.

    On the home page a set of cookies starting with “_utm” are being written. These are tracking cookies written by Google Analytics, the popular analytics tool used by millions of websites the world over.

    No mention is made in the Privacy Statement that accompanies the website about their use of Google Analytics [Update: The privacy statement was updated this afternoon to include the text referenced below… well done to who ever acted on that to fix it]. This is a breach of the Terms of Use of Google Analytics, which clearly states:

    8. PRIVACY

    8.1 You will not associate (or permit any third party to associate) any data gathered from Your Website(s) (or such third parties’ website(s)) with any personally identifying information from any source as part of Your use (or such third parties’ use) of the Service. You will comply with all applicable data protection and privacy laws relating to Your use of the Service and the collection of information from visitors to Your websites. You will have in place in a prominent position on your Website (and will comply with) an appropriate privacy policy. You will also use reasonable endeavours to bring to the attention of website users a statement which in all material respects is as follows:

    “This website uses Google Analytics, a web analytics service provided by Google, Inc. (“Google”).  Google Analytics uses “cookies”, which are text files placed on your computer, to help the website analyze how users use the site. The information generated by the cookie about your use of the website (including your IP address) will be transmitted to and stored by Google on servers in the United States . Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity for website operators and providing other services relating to website activity and internet usage.  Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google’s behalf. Google will not associate your IP address with any other data held by Google.  You may refuse the use of cookies by selecting the appropriate settings on your browser, however please note that if you do this you may not be able to use the full functionality of this website.  By using this website, you consent to the processing of data about you by Google in the manner and for the purposes set out above.”

    The emphasis in bold is mine. What Google requires is for people using GA to put in place a Privacy Statement but that that Privacy statement needs to clearly detail the use of Google Analytics, the fact of data transfer to the US, the purposes to which the data will be used etc.

    The Privacy Statement on HouseholdCharges.ie does not do this.

    Because the Privacy Statement on HouseholdCharges.ie doesn’t do this I would argue that, even on the first visit to the site, before you type anything, the site is operating in breach of SI336 as there is no means by which a user would be able to find information about the cookies that are being written and provide consent other than by blocking cookies entirely using their browser.

    This is despite the admittedly very clever use of URL redirection as an alternative path for people to navigate the site if they have turned cookies off in their browsers. But the wording around this in the Privacy statement ignores that the site actually writes third party persistent cookies from Google, and Google requires them to tell you that (as well as SI336).

    Privacy Statement – Fit for Use?

    Another concern I would have is with the loose wording and phrasing in the Privacy statement. The Data Protection Commissioner’s Audit report on Facebook cautioned strongly against the use of open-ended consents and non-specific specific purposes. Yet here we see clear examples of this within this Privacy Statement.

    Well, actually we don’t. There is no statement about the purposes for which the data is actually being processed. And that’s just the beginning of it.

    IP or Not to IP, that is the question.

    The Privacy statement proclaims that for “general web browsing” they may capture the “logical address” of the server you connect to the site from. Unless I am horridly mistaken that is the IP address. And that would be the IP address assigned to your broadband connection. Which is Personal Data, as eircom have recently found out. And there is no ‘may’ about it. The data is captured by Google Analytics (see above) and any other stats tools the Department might have.

    So. Personal data is being processed even if you are just browsing. Privacy statement is misleading in this regard and should be clarified.

    Who’s the Daddy.. I mean Data Controller?

    Frankly this thing is a mess. There is a horrendous lack of clarity about who is http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2010/wp169_en.pdfactually governing the processing of the data. Is it the Department (as it appears from the top right hand corner of the website)? Is it the LGMA (the collective IT department for most Local Authorities)? Is it the Local Authorities (as was set out in the legislation)?

    Or to put it another way… who would the Data Protection Commissioner expect to get a call from if there was a security breach relating to this data?

    If the Department is defining the format and structure and purpose of the data, they are the Data Controller as per the Article 29 Working Group Opinion1/2010.

    Local Authorities collecting revenues on behalf of the Department would be Data Processors. The LGMA, as an entity acting to provide support services to Local Authorities would be a Data Processor (albeit further down the chain of processors).

    What contractual or similar arrangements are in place governing this processing? Is there a clear governance structure established to ensure that breaches or problems are identified and dealt with in a timely manner?

    What I’d have expected to see would be something along these lines:

    This Household Charge is being administered by the Department of the Environment (the Data Controller). It is being collected on behalf of the Department by Local Authorities (Data Processors). As part of the support functions they provide to Local Authorities the Local Government Management Agency is providing hosting and technical support services for this collection facility, also as a Data Processor. REALEX payments are providing a secure payment processing facility that is certified to ISO27001 and meets the PCI-DSS security standards for credit card security.

    Funds will be dispersed from the Department to each Local Authority as part of their budgetary allocations during the year.

    It’s a bit clearer who is doing what. But the question is whether that actually matches what the enabling legislation for this charge actually said.

    Don’t tell me the what, show me the why?

    The Privacy Statement tells me that

    Data collected on this site is gathered for the purpose of processing household charge payment transactions. This data may be reused in future years for notifications regarding liability for household charge properties.

    So the purposes for which the data is being processed are:

    1. Processing a payment for the charge this year.
    2. Sending a bill to me for the charge next year.

    No other purpose (statistical, strategic, or operational) is put forward for the processing of the information which is requested by the site.

    What information is required to send me a bill?

    • My name
    • My postal address
    • My email address (should be optional if I don’t want to rely on electronic billing)

    Which begs the question: Why is my PPSN number being requested given the particularly protected status of the PPSN in Irish law, a position I know from a  client engagement last year that the DPC takes VERY seriously indeed.

    Quite apart from the limited scope that exists under Irish law to actually ask for and process a PPSN (which affects the “lawful purpose” of processing, the simple question under the Data Protection rules is whether, given that it is not necessary to have my PPSN to process a payment and send me a bill next year, why is this information being asked for.

    If there is a secondary purpose (such as the development of a Property register which can be used as the basis of a valuation system in subsequent years) this should be stated as a specific secondary purpose in the Privacy statement.

    If Facebook is not permitted to be sneaky with Scope Creep in their Privacy Statements, the Government should be be either.

    I’ll post more on this as I get time to poke around a bit more.

  • Setting tone from the Top

    In the rush to adopt new technologies and new ways of working, particularly When an organisation embarks on a change to systems and processes it is often very easy to get caught up in the whirlwind of enthusiasm for the new technology and the promised benefits of new ways of working.

    Nearly 2 years ago I wrote a post on this blog about the adoption of US style internet campaigning and the use of Web2.0 in Irish politics from an information quality perspective. The scorecard wasn’t good from a data quality perspective. The strategy seemed to be “If Obama can get elected using this Internet thingy, then we need to copy what he did”. No attention seemed to have been paid to the simple fact that a “cut and paste” adoption of a pre-canned solution from elsewhere would not necessarily work.

    2 years on I would have thought that some lessons might have been learned. So when Fine Gael announced they’d “stood down” their finegael.ie website in favour of a more interactive presence in the run up to the election I thought I’d take a quick look. While the Information Quality issues with the form were not too bad, the structure and operation of the site raise a number of concerns from a Data Protection perspective.

    Bluntly – when a US election solution provider rolls up in Europe they will find that they literally ain’t in Kansas anymore, particularly with regards to what you must and must not do with regards to the capture and processing of personal data. Political parties buying these services need to be aware that they are Data Controllers and that the solution providers are Data Processors in the context of the Data Protection Acts 1988 and 2003.

    Failure to set the “tone at the top” and cascade it through the organisation means that often the important questions are not asked (or the answers are ignored).

    Ultimately, in a Data Protection context, you are dealing with issues that can impact on your brand. If you are positioning yourself as being a political party that will “get tough” with vested interests through more effective regulation and enforcement you can’t really start the ball rolling by flouting basic principles of Data Protection law.

    Indeed, back as far as 2004 the Data Protection Commissioner wrote:

    It is important that public representatives and candidates for elective office realise the importance of their obligations under the Acts and that, in so far as responding to legitimate investigations from statutory office holders is concerned, in no sense should they consider themselves above the Law

    In 2009’s annual report the Commissioner also wrote that:

    Rapidly changing technology can be both a threat to this right and the means of protecting it. Building data protection safeguards into new technologies and applications of these technologies remains the best approach. This is as much true of data processing in the “cloud” as it is of a routine development of an IT application in an organisation.

    So… the issues? (more…)

  • Bruce Schneier on Privacy

    Via the Twitters I came across this absolutely brilliant video of Bruce Schneier talking about data privacy (that’s the American for Data Protection). Bruce makes some great points.

    One of the key points that overlaps between Data Protection and Information Quality is where he tells us that

    Data is the pollution problem of the Information Age.  It stays around, it has to dealt with and its secondary uses are what concerns us. Just as… … we look back at the the beginning of the previous century and sort of marvel at how the titans of industry in the rush to build the industrial age would ignore pollution, I think… … we will be judged by our grandchildren and great-grandchildren by how well we dealt with data, with individuals and their relationships to their data, in the information society.

    This echoes the Peter Drucker comment that I reference constantly in talks and with clients of my company where Drucker said that

    So far, for 50 years, the information revolution has centered on data—their collection, storage, transmission, analysis, and presentation. It has centered on the “T” in IT.  The next information revolution asks, what is the MEANING of information, and what is its PURPOSE?

    Bruce raises a number of other great points, such as how as a species we haven’t adapted to what is technically possible and the complexity of control is the challenge for the individual, with younger people having to make increasingly complex and informed decisions about their privacy and what data they put where and why (back to meaning and purpose).

    I really like his points on the legal economics of Information and Data. In college I really enjoyed my “Economics of Law” courses and I tend to look at legalistic problems through an economic prism (after all, the law is just another balancing mechanism for human conduct). I like them so much I’m going to park my thoughts on them for another post.

    But, to return to Bruce’s point that Data is the pollution problem of the Information age, I believe that that statement is horribly true whether we consider data privacy/protection or Information Quality. How much of the crud data that clutters up organisations and sucks resources away from the bottom line is essentially the toxic slag of inefficient and “environmentally unfriendly” processes and business models? How much of that toxic waste is being buried and ignored rather than cleaned up or disposed of with care?

    Is Information Quality Management a “Green” industry flying under a different flag?

  • The Who/What/How and Why

    Data protection and Information Quality are linked in a number of ways. At one level, the EU Directive on Data Protection (95/46/EC) describes the underlying fundamental principles of Data Protection as “Principles for Data Quality”.
    While that is great pub quiz content, it helps to be able to make some more pragmatic and practical links as well.
    On a project a while ago, I was asked to help a client ensure that certain business processes they were putting in place with a partner organisation were data protection compliant. They’d been asked to do this by the partner organisation’s lawyers.
    I leaped into action, assuming that this would be an easy few days of billable. After all, all I needed to know was what data the partner organisation needed when and why to document some recommendations for my client on how to build a transparent and compliant set of policies and procedures for data protection.

    Unfortunately the partner organisation seemed to lack an understanding of the what’s, why’s, when’s, and how’s of their data. This was perplexing as, nice and all as a blank canvas is, sometimes you need to have a sense of the landscape to draw your conclusions against.
    The engagement I had from the partner organisation was focussed on their need to be able to take certain steps if certain circumstances came to pass. While the focus on the goal was commendable, it served to generate tunnel vision on the part of the partner that put a significantly valuable project at risk.
    Goals and objectives (why) are all well and good. But Knowledge Workers need to be able to link these to processes (how) and information needs (what). Deming famously said that if you can’t describe what you are doing as a process then you don’t know what you are doing. I’d go further and say that if you can’t identify the data and information you need to do what you are doing then you can’t be doing it- at least not without massively increased costs and risks (particularly of non-compliance with regulations).
    In the end I made some assumptions about the what’s and how’s of the partner organisation’s processes in order to meet the goal that they had focussed on so narrowly.
    That enabled me to map out an approach to data protection compliance based on a “minimum necessary” principle. And that got my client and their partner over the hump.
    But, from an information quality perspective, not being able to answer the why/why/how questions means you can’t set meaningful measures of “fitness for purpose”. If you don’t know what facts are needed you don’t know if information is missing. if you don’t know what use data will be put to you can’t possibly tell if it is accurate enough.

    So, both Data Protection and Information Quality require people to know the what/why/how questions about their information to allow any meaningful outcome to ensue. If you can’t answer those questions you simply cannot be doing business.
    To paraphrase Deming – we need to work on our processes, not their outcome.

  • John Gormley, Commercial motor tax, and Data Protection Penalties

    This post was originally published in August 2010 on the Irish Computer Society’s Data Protection blog. It has been republished here as it is my original work and I’m trying to get all my Data Protection musings in one place. Some links have been updated to point to different targets here and on my company’s website.

    I listened with interest this morning to the media coverage of how John Gormley was introducing a new tax on commercial vehicles. My interest was twofold. My wife used to work in the Motor Tax section of a local authority. She left there nearly 4 years ago. Even then drivers of light commercial vehicles had to sign a declaration that the vehicle was for commercial purposes and not for private use. Back then, she used to have private motorists trying to register their large 4x4s as commercial to avoid the higher rates of motor tax on private vehicles. And I’ve recently written about how penalties for breaches of legislation are the third lever the government has to help balance the books.

    So, the existence of a declaration form isn’t really anything new it seems. What is new is that the Minister is asking people to take it seriously and some penalty is now attached to making a false declaration. It may well be that the specifics of enforcement will be difficult, and it is likely that a blanket ban on “mixed use” will ever be 100% effective. But it does show that the Government are seeking to maximise the income they can generate from existing processes by increasing the enforcement and the penalties associated.  This is precisely the point I made in my last post on this blog when I wrote about how the introduction of penalties for breaches of the Data Protection Acts was probably inevitable, regardless of when the new Directive comes into being, simply by reason of the State needing to open as many sources of revenue as possible.

    Of course this “change” in the Motor Tax regime is, to an extent, unfair as commercial vehicle owners have gotten used to being able to drop the kids to school and use their vehicles on weekends for leisure purposes etc, enjoying all the benefits of private vehicle use on a fraction of the tax. The media response (particularly from the AA) has been to suggest that the Minister will drive people to buy second cars or is imposing a burden on small businesses. And that is unfair. Personally, I think a change to the motor tax regime where a “mixed use” category would be introduced might have merit.

    However, thinking back to my last post on this blog, would there be as much of an outcry if penalties for breaches of the Data Protection Acts were introduced? Bear in mind that the Commissioner operates on a conciliatory basis, seeking to promote Compliance, not punish non Compliance. Also bear in mind that breaches of the Data Protection Acts occur when Data Controllers fail to respect the Duty of Care that they owe to individuals to hold their personal data on trust and to respect their privacy.  I would suspect that, when penalties are introduced (I say “when” because it will happen either through domestic legislation or further alignment of EU frameworks through a revised Directive) they will be applied only where a Data Controller has failed to act, or acted with willful neglect of their duties under the legislation.

    Where currently the Commissioner can dangle the carrot of constructive engagement and guidance, in the future that will be supplemented by the big stick of fines or other penalties.

    I suspect that penalties that might be levied for breaches such as (for example) operating CCTV without adequate Fair Processing Notices would be quite small (at least initially), perhaps just enough to get the Data Controller to engage with the DPC. But persistent offending might lead to higher penalties

    In short – only the worst offenders will likely be penalised.

    So, the morning talk-radio interview might go:

    Data Controller: “These new penalties are a burden on us”

    Interviewer: “But they are just penalties for stuff you are supposed to be doing anyway to protect people’s privacy etc.”

    Data Controller: “But it’s a big cost to our business if we get a fine every time we do this”.

    Interviewer: “But you shouldn’t be doing it, and the fine is only imposed after the Commissioner tries to get you to correct your behaviour”

    Data Controller: “That’s not the point”

    Interviewer: “That is the point. If you want to avoid the penalty, stop playing fast and loose with people’s personal data”.

    And that’s the point…  while it may be unfair and burdensome in the land of soundbites to expect a small business owner to buy and run a second car or face a penalty for misusing a commercial vehicle, penalties under the Data Protection Acts would be avoidable simply by complying with the legislation.

    So long as you know the rules of the game, work on being compliant, and respect the Duty of Care you owe to your Data Subjects (all things a Data Controller should be doing anyway) there is no additional burden. As such, any increase in penalties would likely be easier to defend than an increase in taxes or restrictions on how a vehicle is used.

    It would also be easier to enforce.

    So, the call to action from this article? I am suggesting that anyone processing personal data in the course of their commercial activities should start getting their house in order now ahead of any changes which might bring in penalties. Ensure your staff are properly trained in the principles of Data Protection. Start working now to make it part of “how things get done” in your organisation, not “another bloody thing to do”.

  • Putting Teeth In the Tiger

    This post was originally published in August 2010 on the Irish Computer Society’s Data Protection Blog. I’ve copied it to here as it is my work and I want to put all my Data Protection musings in one place. Please feel free to go and look at it on the ICS site as well.

    The Information Commissioner’s office in the UK has recently flagged their lack of powers to the European Commission. This is slightly amusing for those of us working under the Irish data protection regime, who look at the powers that the UK ICO have to levy penalties for breaches of the UK Data Protection Act, compared to the relatively limited powers of the Irish Data Protection Commissioner to issue Enforcement or Prohibition Notices and only to take prosecutions for breaches of the e-privacy regulations.

    Of course, the Irish Commissioner does have the power since the 2003 Act to conduct audits and investigations on their own account (i.e. not on foot of an actual complaint). The UK ICO has limited powers by comparison. Likewise, they lack an equivalent Data Breach provisions that the Irish Data Protection  Commissioner introduced last month (but there are plans to do so in the UK soon).

    There is a new draft Data Protection Directive in the pipeline (albeit stalled at the request of the French to allow sufficient time for effective consultation). Just as Directive 95/46/EC (the root of Ireland’s 2003 Data Protection Amendment Act) was introduced to address divergences in the implementation of the previous Convention on Data Privacy (Convention 108), it is likely that this revised directive will seek to address some of the remaining areas of divergence in national laws which implement Directive 95/45/EC.  One area which is likely to be addressed will be the nature and type of penalties which will be applicable to various categories of breach.

    The drafting of the revised Directive has been delayed. Even when the Directive comes into being, the Irish Government’s track record in implementing Data Protection regulations in a timely manner has been less than impressive. So it may well be that, from point of view of EU mandated changes, we could be in for a long wait.

    However there is a significant elephant in the room. The State needs to balance the books. The two traditional levers which can be pulled by the State are either Taxation or reductions in spending. Both of these levers are politically difficult to pull. Increasing taxes creates resistance and revolution  (increases in taxation historically trigger revolutions – particularly taxes on property or on the middle classes). Cutting spending likewise creates resistance and exacerbates social disadvantage (in many cases undoing valuable work previously done using tax euros).

    Both of these are the items on the current agenda.

    Of course, there is a third lever which can be used to generate revenue for the State and which can (at least in the short to medium term) bring about a change in behaviour. That third lever is the levying of fines and penalties. While this lever may not contribute as quickly or substantially to balancing the books, it would be remiss of the government to overlook any potential source of revenue at this time. And as this revenue is being generated on foot of behaviour which is illegal, under legislation which has been in existence for a number of years, and (unlike a tax) it can be avoided by simply taking the necessary steps to comply with the legislation.

    The introduction of such penalties would require a minor amendment to the existing legislation.

    So, given that there are indications emerging which suggest upcoming changes to standardise the types of penalty which will apply to breaches of the Data Protection regulations across the EU27 States, and that the State has an increasingly urgent need to generate revenue, I would not be surprised if we were to see some changes in the Data Protection legislation in Ireland sooner rather than later which would introduce some penalties which will put some additional teeth in the Data Protection Commissioner’s enforcement powers.

    But this is only a worry for anyone who isn’t complying with the Data Protection Acts. The prudent course of action for anyone processing personal data would be to make sure that they get their house in order ahead of any potential changes, either emerging from Europe or from the Government’s need to claw in as much income as possible.