Tag: information as an asset

This was first posted on the Irish Computer Society Data Protection Blog. I am republishing it here as it is my original work and I am putting all my Data Protection musings in one place.

So, the revised e-Privacy Directive has been given legal effect as of 1st July (only a little over a month late). The Data Protection Commissioner has issued revised guidance on the processing of personal data in the context of electronic communications. Some of what is contained in this legislation is new. However, even the new stuff is merely an incremental evolution of the underlying principles of Data Protection to address the privacy concerns presented by new technologies, the maturing of existing technologies, and the emergence of new ways of processing personal data.

The key to ensuring compliance with these revised rules is to ensure that you have a solid understanding of the underlying principles of Data Protection and the role of information in your organisation (it’s meaning and purpose) so that you can better understand how the actions of your staff and the systems you use to interact with your customers might affect your ability to work within the regulations.

An earlier post discussed the likely impact on Cookies from the regulations. In short, you need to understand when, where, how, and why your websites and mobile device apps are writing data to your customer’s “subscriber equipment” [aka the device that is at the end of the telecommunications service connection, be that a physical phone line, wifi, 3G, GPRS, HSPDA etc.]. Once you know that information you can figure out what data storage requires consent and what data storage is essential to the delivery of the information age service.

Another interesting and subtle change is that the Commissioner has removed the ‘grey area’ around collecting email addresses in business networking or similar activities. Before there was an assumption of “one bite free” where you could contact people once but give them the option to opt out of future contact. This is now very categorically an opt-in thing where you are sending emails to an identifiable natural person, particularly where that person is not party to a customer relationship.

You can still avail of the “free bite of the apple” when dealing with non-individually identifiable business entities, and with individuals in organisationswho might reasonably be interested in the product, service, or subject matter of the message.

A worked example might help explain this better.

• Frank is a sales man for BloggoTech. At a trade fair he meets Jerry, who is a purchasing manager from ClientCo, who BloggoTech have an existing relationship with.
• Frank also meets Mary, a marketing manager from ProspectCo. Neither Mary nor ProspectCo are clients of Bloggotech.
• Jerry gives Frank an email address to contact him at: Jerry.Client@ClientCo.ie
• Frank also has ClientCo’s general contact email address: info@clientco.ie
• Mary gives Frank her business card with email, phone, SMS etc.
• The business card also has “info@prospectco.com” as a general contact email address.

Frank can contact Jerry by any contact point he has for him (subject to Jerry making his preferences known) because ClientCo are an existing client who have purchased within the last 12 months. As soon as Jerry asks Frank to stop contact him by whatever contact mechanisms or for whatever purposes, Frank must do so.

Mary, however, poses a problem in light of the revised guidance. If Frank has not gotten her permission to do a follow up contact with her then the only email address he can use is the “info@prospectco.com” email, unless he is communicating with Mary about something that he knows will be of interest to her. Of course, he has the option of sending a fax for her attention (which the company can opt out of), or posting her materials by snail mail (which she can opt out of).

This relates to the fundamental principle that personal data must be obtained fairly, for a specified and lawful purpose.

Many people might protest that requiring people at conferences to get consent before doing a follow up contact is unduly burdensome but it is actually quite simple. When handing over your business cards, simply ask “Is it OK if I drop you an email later in the week with some information about [insert subject matter here] and a link to our newsletter sign up?”. This simple conversation point clarifies that you will be contact the person, and clarifies the context in which you will be communicating with them.

There.. consent obtained.

The real challenge is presented to event organisers who might share lists of delegates at an event with other attendees. Care must be taken to remove any means of electronic contact. But most large data management events I attend provide heavily redacted delegate lists that identify the person and the company, and perhaps their country, but not enough that you could contact them directly from it. So, event organisers need to start thinking about contact information as valuable data which should not be shared.

I’ve had experience with a business networking event sharing my details willy-nilly in an attachment sent to the other 100+ people who had registered for the event (which would be a notifiable disclosure under the Data Breach Code of Practice). The problem could have been prevented by simply having an opt-in box telling me that my details could be shared if I wanted them to be.

In short… designing privacy into the process, not inspecting breaches out.

Companies exhibiting at events need to up their game away from the “business card fishbowl” with a spurious raffle to collate contact details. Again, a little thought can help design a safer and more compliant process (a tick box for consent to further contact for purposes not related to the raffle for example, or clarification that anyone entering the raffle will receive one marketing email). After all, if the guidance from the DPC is that the communication needs to be relevant to the interests of the Data Subject, I might only want to receive communications from the company about the iPad I’ve won.

The new rules are built on old principles. If you understand the principles and take them to heart you can begin to develop strategies for using the new rules to your advantage.

First published on the Irish Computer Society Data Protection Blog. Republished here as it is my original work and I’m putting all my Data Protection musings in one place.

So, this day next week (26th May) will see the introduction into Irish Law of Directive 2009/136/EC. It’s a tweak to the existing electronic privacy regulations. The ones that relate to spamming by fax, email and SMS and carry penalties of up to €5000 per breach.

[update: Well the deadline came and went without the Irish Government enacting the legislation. We await further developments]

[Update 2: Legislation in effect from 1st July 2011. See Data Protection Commissioner website for Guidance Note]

These new regulations relate to Cookies, those little text files which are written to your computer by websites. Of course, it’s not just text files. Flash also has a version of ‘cookies’ to help track your interactions with flash movies or activites (so if you go away you can restart where you left off rather than having to go back to the beginning – for example in an e-learning package). The intention of the Directive is (amongst other things) to improve the personal privacy of internet users by controlling the use of cookies.

While the intent of the Directive (to come into effect in a Statutory Instrument next Thursday) is relatively straightforward, the practicalities of implementing it may be challenging for organisations. Added to that there is a level of unawareness about the issue in Ireland, particularly on the business side of organisations. This will actually be the biggest challenge to Compliance.

Organisations now need to step back and stop thinking of cookies and web development as a techie issue. Cookies are a data asset of the organisation which you use to achieve certain goals and purposes. The key key issues that need to be considered are:

• What are your processes and their objectives?
• How do cookies help you achieve those goals?
• What information do you need to be writing to cookies to achieve your goals?
• What things/services that people want to use on your site won’t work without cookies?

The Regulations set out two sets of conditions where the use of the cookies is permitted. Either:

1. You have gotten informed consent from the Data Subject by way of providing prominent and accessible information about your use of cookies and providing some means of recording the consent to those purposes (fyi: this cannot be a ‘passive’ process) OR
2. Being able to identify that the use of the Cookies is strictly necessary for the delivery of services explicitly requested by the subscriber

Being a little bit blunt about this, the first condition is only slightly more onerous than the existing requirements on websites who process personal data about individuals who have to provide a coherent statement of what they are going to use the personal data for (most don’t in my experience – the standards of some that I have looked at over the past few years often leaves a lot to be desired and is indicative of a ‘tick the box’ approach to Compliance).

The second condition however gives a conditional pass, similar to the Lawful Processing condition of ‘Necessary to complete a contract’ under section 2 of the Data Protection Acts 1988 and 2003. Basically if you can demonstrate that the thing that the customer wants to do (and has asked to do) can’t be done without having a cookie to temporarily store some data on the subscribers ‘terminal equipment’.

So. How do you do that? And how do you identify which of the cookies your site and processes are writing fall into the camp of needing to be flagged and consented to and which ones fall into the ‘doable because we can’t deliver without it’?

By stepping back and looking at the MEANING and PURPOSE of the information you are writing to the devices of people who are visiting your site you can start to make informed business driven choices about what needs to be changed and why in terms of how your websites work. This means having to look at the process flow and information flow underpinning your website and informing yourself about what is being done where, why, how, and by whom.

I can’t upload graphics to this blog, but over the next few weeks I’ll post some articles over on my company website that will examine some of the approaches to doing that kind of analysis as part of an Information Governance framework that will support Data Protection goals. However, it is important to note that this is not a job (just) for techies because you need to be very clear on the “Just because you can doesn’t mean you should” aspects of Data Protection. This must be lead by the Business leadership of the organisation because, ultimately, they are the people who will have to explain to the Data Protection Commissioner, the Courts, and Joe Duffy what the cookies on the website were doing.

When you write a cookie to someone’s device (pc, phone etc.) you are essentially renting space from them to store information about them or their behaviour or what their interactions might be. Individuals can limit your ability to rent that space using browser settings to block cookies, but at the current state of the art these are somewhat crude tools and, in the case of Flash, are not actually a complete set of tools (you need to do different things to block Flash Cookies).

The forthcoming regulations seek to introduce a rebalancing of the rights and duties relating to the information stored by and represented in cookies in line with the spirit and practice of Data Protection law and Privacy rights. It will take time for that balance to settle, but those who take the time now to understand the meaning and purpose of cookies they are using and their role in the processes running on their websites will be in a much stronger position to meet future Compliance standards under these regulations.