It's time for my annual "roll a data protection hand grenade under something" blog post. Every year I try to be topical. And I try to apply a similar approach to spotting risks and getting them on the table for discussion as I do when conducting Privacy Impact Assessments or Compliance reviews. Only I'm less formal here.
This year my interest has been piqued by the new Household Charge which the government has introduced. Citizens are required to register for this tax at a specific website which is ostensibly (from the logo header) under the control of the Department of the Environment, Community and Local Government.
But a number of things about this whole process rankle with me from a Data Protection point of view. Let me be clear: I am not opposed per se to a property tax. I think, however, that it should be fair and should reflect not just the value of the property but the ability of the individual to pay. After all, in Ireland we have a generation of people living in properties that are worth a lot less than they were when purchased, with people struggling to pay mortgages; increased charges are yet another burden that should be levied carefully.
Looking at the website, the first step is to check for compliance with SI 336 of 2011 (the Irish transposition of the ePrivacy Directive), which requires that cookies can only be used with consent unless the cookies are strictly necessary for the delivery of the information society service that the individual is seeking to avail of. Using the "View Cookies" add-on in Firefox it is possible to see a listing of the cookies that a website is writing to your device.
On the home page a set of cookies whose names start with "__utm" are being written. These are tracking cookies written by Google Analytics, the popular analytics tool used by millions of websites the world over.
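The "View Cookies" listing is a manual version of the check below. As an added example (not code from the original post, and with nothing captured from the site under discussion), the script classifies the cookies a site sets on a first visit into session versus persistent and necessary versus tracking, which is the distinction SI 336 turns on. The Set-Cookie lines, the site host www.example.ie, the fixed "now" and the list of cookie names treated as necessary are all constructed assumptions.

```python
# Added example: classify cookies from Set-Cookie headers for a consent audit.
# Nothing here is from the original post or from householdcharge.ie; the
# sample headers below are constructed for illustration.
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import List, Optional

SITE_HOST = "www.example.ie"  # assumption: host of the site under review

# Classic Google Analytics (ga.js) cookies all carry the "__utm" prefix:
# __utma (visitor id, ~2 years), __utmb/__utmc (session), __utmz (campaign).
GA_PREFIX = "__utm"

# Assumption: cookie names this site needs to deliver the requested service.
NECESSARY_NAMES = {"ASP.NET_SessionId"}

# Fixed reference time so lifetime arithmetic is reproducible (constructed).
NOW = datetime(2012, 1, 10, 12, 0, tzinfo=timezone.utc)


@dataclass
class CookieReport:
    name: str
    domain: str
    persistent: bool
    lifetime_days: Optional[int]  # None for session cookies
    third_party: bool
    category: str                 # "necessary", "analytics" or "unknown"
    needs_consent: bool


def parse_set_cookie(header: str, site_host: str = SITE_HOST) -> CookieReport:
    """Parse one Set-Cookie header value (RFC 6265 style) into a report."""
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()

    # No Domain attribute means a host-only cookie for the site itself.
    domain = attrs.get("domain", site_host).lstrip(".").lower()
    first_party = site_host == domain or site_host.endswith("." + domain)

    # Max-Age takes precedence over Expires; either one makes it persistent.
    lifetime = None
    if "max-age" in attrs:
        lifetime = int(attrs["max-age"]) // 86400
    elif "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        lifetime = (expires - NOW).days
    persistent = lifetime is not None

    if name in NECESSARY_NAMES:
        category, needs_consent = "necessary", False
    elif name.startswith(GA_PREFIX):
        category, needs_consent = "analytics", True
    else:
        category, needs_consent = "unknown", True  # default: consent required

    return CookieReport(name, domain, persistent, lifetime,
                        not first_party, category, needs_consent)


def audit(headers: List[str]) -> List[CookieReport]:
    return [parse_set_cookie(h) for h in headers]


def consent_required(headers: List[str]) -> List[str]:
    """Names of cookies that may not be written before the visitor consents."""
    return [r.name for r in audit(headers) if r.needs_consent]


# Constructed sample of what a first-visit "View Cookies" listing might show.
SAMPLE_SET_COOKIE = [
    "ASP.NET_SessionId=abc123; path=/; HttpOnly",
    "__utma=1.123.456.789.1; expires=Fri, 10 Jan 2014 12:00:00 GMT; path=/; domain=.example.ie",
    "__utmb=1.1.10.1326200000; expires=Tue, 10 Jan 2012 12:30:00 GMT; path=/; domain=.example.ie",
    "__utmc=1; path=/; domain=.example.ie",
    "__utmz=1.1326200000.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); "
    "expires=Tue, 10 Jul 2012 12:00:00 GMT; path=/; domain=.example.ie",
    "tracker=xyz; Max-Age=31536000; path=/; domain=.tracker.example",
]

if __name__ == "__main__":
    for r in audit(SAMPLE_SET_COOKIE):
        print(f"{r.name:18} {r.category:9} persistent={r.persistent!s:5} "
              f"days={r.lifetime_days!s:4} third_party={r.third_party} "
              f"consent={r.needs_consent}")
```

Note the caveat the domain column makes visible: the `__utm*` cookies are set on the site's own domain by Google's script, so a check that only looks for foreign Domain attributes would report them as first-party and miss them entirely. Name-based detection of known analytics cookies is needed alongside the domain test, and the default for anything unrecognised should be "consent required", not "fine".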
The emphasis in bold is mine. What Google requires is that anyone using GA puts a Privacy Statement in place, and that the Privacy Statement clearly details the use of Google Analytics, the fact that data is transferred to the US, the purposes for which the data will be used, and so on.
The Privacy Statement on HouseholdCharges.ie does not do this.
Because the Privacy Statement on HouseholdCharges.ie doesn't do this, I would argue that, even on the first visit to the site, before you type anything, the site is operating in breach of SI 336, as there is no means by which a user could find out about the cookies being written and give consent, other than by blocking cookies entirely in their browser.
This is despite the admittedly very clever use of URL redirection as an alternative path for people to navigate the site if they have turned cookies off in their browsers. But the wording around this in the Privacy statement ignores that the site actually writes third party persistent cookies from Google, and Google requires them to tell you that (as well as SI336).
Privacy Statement: Fit for Use?
Another concern I would have is with the loose wording and phrasing in the Privacy Statement. The Data Protection Commissioner's Audit report on Facebook cautioned strongly against the use of open-ended consents and non-specific purposes. Yet here we see clear examples of this within this Privacy Statement.
Well, actually we don't. There is no statement about the purposes for which the data is actually being processed. And that's just the beginning of it.
IP or Not to IP, that is the question.
The Privacy Statement proclaims that for "general web browsing" they may capture the "logical address" of the server you connect to the site from. Unless I am horribly mistaken, that is the IP address. And that would be the IP address assigned to your broadband connection. Which is Personal Data, as eircom have recently found out. And there is no "may" about it. The data is captured by Google Analytics (see above) and by any other stats tools the Department might have.
So: personal data is being processed even if you are just browsing. The Privacy Statement is misleading in this regard and should be clarified.
Who's the Daddy.. I mean Data Controller?
Frankly this thing is a mess. There is a horrendous lack of clarity about who is actually governing the processing of the data. Is it the Department (as it appears from the top right hand corner of the website)? Is it the LGMA (the collective IT department for most Local Authorities)? Is it the Local Authorities (as was set out in the legislation)?
Or to put it another way... who would the Data Protection Commissioner expect to get a call from if there was a security breach relating to this data?
If the Department is defining the format, structure and purpose of the data, it is the Data Controller as per the Article 29 Working Party's Opinion 1/2010 on the concepts of "controller" and "processor" (http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2010/wp169_en.pdf).
Local Authorities collecting revenues on behalf of the Department would be Data Processors. The LGMA, as an entity acting to provide support services to Local Authorities would be a Data Processor (albeit further down the chain of processors).
What contractual or similar arrangements are in place governing this processing? Is there a clear governance structure established to ensure that breaches or problems are identified and dealt with in a timely manner?
What I'd have expected to see would be something along these lines:
This Household Charge is being administered by the Department of the Environment (the Data Controller). It is being collected on behalf of the Department by Local Authorities (Data Processors). As part of the support functions they provide to Local Authorities, the Local Government Management Agency is providing hosting and technical support services for this collection facility, also as a Data Processor. Realex Payments is providing a secure payment processing facility that is certified to ISO 27001 and meets the PCI DSS security standard for credit card data.
Funds will be disbursed from the Department to each Local Authority as part of their budgetary allocations during the year.
It's a bit clearer who is doing what. But the question is whether that actually matches what the enabling legislation for this charge actually said.
Donâ€™t tell me the what, show me the why?
The Privacy Statement tells me that
Data collected on this site is gathered for the purpose of processing household charge payment transactions. This data may be reused in future years for notifications regarding liability for household charge properties.
So the purposes for which the data is being processed are:
- Processing a payment for the charge this year.
- Sending a bill to me for the charge next year.
No other purpose (statistical, strategic, or operational) is put forward for the processing of the information which is requested by the site.
What information is required to send me a bill?
- My name
- My postal address
- My email address (should be optional if I don't want to rely on electronic billing)
Which begs the question: why is my PPSN being requested, given the particularly protected status of the PPSN in Irish law, a position I know from a client engagement last year that the DPC takes VERY seriously indeed?
Quite apart from the limited scope that exists under Irish law to actually ask for and process a PPSN (which goes to the "lawful purpose" of the processing), the simple question under the Data Protection rules is this: given that it is not necessary to have my PPSN to process a payment and send me a bill next year, why is this information being asked for?
If there is a secondary purpose (such as the development of a Property register which can be used as the basis of a valuation system in subsequent years) this should be stated as a specific secondary purpose in the Privacy statement.
If Facebook is not permitted to be sneaky with scope creep in its Privacy Statements, the Government should not be either.
I'll post more on this as I get time to poke around a bit more.