There are many variations on pithy sayings about assumptions and the risk they present. They are unanimous in their admonitions that to rely just on an assumption when engaged in planning or executing tasks invites failure and headaches. Necessity may be the Mother of Invention but Assumptions are the Mother of all screw ups (diligent readers will recognise that I’ve cleaned that up for easily shocked readers).

The risk of assumption is no less apparent than in the area of Governance, and Information Governance in particular. Patently stupid and damaging decisions are taken every day on the basis of assumptions about information and the controls, regulations, and procedures that need to be in place around its use. For example, organisations assume they can use the PPSN (Ireland’s Social Insurance Number) as a unique identifier for customers, despite the fact that the uses that a PPSN can be put to lawfully (and by whom) are clearly set out in the Social Welfare Acts.

Within organisations seeking to define and execute effective controls over information it is often the case that things are done with data because they always have been done that way and, as a result, people assume that that is the way things should be done. This can result in data being processed or shared without valid lawful reasons (or conversely data not being disclosed where it might lawfully be done because someone assumes it can’t). It can result in a meaning and purpose being associated with a data field or recorded fact because people have assumed that is the case, resulting in confusion and degradation of data quality.

Over the past week I’ve been reminded of one example of Assumption at work in the management of fundamental data and another of Assumption’s influence in fundamental Governance of government…

The Data Quality Assumption

When I teach my Data Protection Practitioner courses I often use the example of a Data Migration project I lead a number of years ago where data was being migrated from a billing system (actually 4 of them) into a Single Customer View. The core billing system had a field in it called “JUNK MAIL”. That field allowed two values, Yes or No. As part of the Migration planning I convened a workshop to confirm the business rules for the migration. I asked if “JUNK MAIL = Y” meant that people WANTED junk mail. 50% of the room said Yes. 50% said No. So I asked the question a different way. “Does ‘JUNKMAIL=N’” mean that they want Junk Mail. Unsurprisingly, the room was split 50/50 again.

It transpired that an assumption was being made about the meaning of the Junk Mail field (actually two assumptions) which meant that some staff believed that “JunkMail = Y” meant the customer wanted Junk Mail. Other staff assumed the opposite, that “Junk Mail=Y” meant that the customer wanted to OPT OUT of receiving junk mail.

The net result: Assumptions about the meaning of the data meant that we could not migrate that data because it could not be relied upon as accurate. The company had to engage in a communication process with customers to validate and verify the data so that the Junk Mail flag was correctly applied.

More recently I was intrigued by why the Irish Government saw fit to introduce a section in the Finance Bill (section 73) creating an offence of a Breach of Confidentiality in relation to Tax payer data. Surely this was duplicating key provisions of the Data Protection Acts and was potentially going to be a source of confusion. I did a bit of digging around though and found out the reason why this section is a valid and important bit of legislation because of the Assumption it makes real and tangible. In doing so I found myself being drawn back to my academic study of taxation law and my almost interminable arguments with my Tax Inspector father (now retired) about the logic, rationale and intricacies of the Irish Taxation system and the principles on which it operates.

Under Irish Law, FOI for Public bodies works hand in glove with Data Protection regulations to provide a balance between a respect for the Privacy of the individual and the need for openness and transparency in the conduct of the affairs of State. In some instances, FOI takes precedence over Data Protection as the need for transparency is often greater than the need for privacy. At all times best efforts are made to strike the best balance between the two goals.

A while ago, an Irish journalist made a request to the Irish Tax Authorities, the Revenue Commissioners, for information about the expenses paid to certain politicians. There seems to have been an assumption that Ireland compensated politicians for expenses on the same basis as the UK with a straight “Euro for Euro” or “Pound for Pound” rebate. This is not the case. In Ireland this is dealt with through the tax system through an often complex system of allowances and credits against other income, often involving information about other parties who are not the person claiming the allowance in question (for example their spouse if they are jointly assessed for tax purposes etc.)

The FOI legislation allows for a Public Body to refuse to release information where there is a clear Duty of Confidence. this duty has to be clearly established in law. It is not enough to assume that this duty of Confidence exists. The Revenue Commissioners sought to rely on the fact that there is a historical assumption of confidentiality of taxpayer information under their control over and above the general principles of the Data Protection Acts.

However this is not the case as, in the words of the Information Commissioner:

…it is well established that the constitutional right to privacy is not an unqualified one. For instance, in the case of Cogley v RTE [2005] 2ILRM 529, Dunne J. concluded that the constitutional right to privacy was not unqualified and must be balanced against other “competing and significant” rights or interests.

Accordingly, it seems to me that, by suggesting that the “high water mark of any constitutional rights” in respect of one’s tax affairs is in respect of any details whose disclosure is “not permitted by law for the time being in force”, if disclosure of details is permitted having regard to a thorough analysis of the cited provisions of the FOI Act, it cannot, in my view, be the case that disclosure is not permitted by law, or by the Constitution.

In short, despite the assumption that there was a Duty of Confidence for Tax Payer data, there was no provision in the law “for the time being in force” that actuallysaid that such a Duty existed. Therefore, there needed to be steps taken in the Finance Bill to ensure that such a duty was inserted to resolve the inconsistency between the assumed state of reality and what reality actually was.

In the absence of this essential housekeeping the appalling vista was that the personal details of any tax payer might be sought under FOI regulations and each case would need to be assessed and reviewed and a decision taken on what information could be provided on a case by case basis. The presumption that your tax affairs of a Self Employed person are between them, their accountant, and the Taxman would no longer hold.

S.73 of the Finance Bill addresses that assumption.

Organisations would be well advised to ensure that the Governance Policies, Procedures, and work practices that they have in place are built on validated and verified fact and not assumptions and historic tradition. This requires Sacred Cows to be taken out and prodded to see if they have substance. It requires employees and management alike to have the confidence and ability to recognise when the Emperor is running around butt-naked.

Daragh O Brien

Daragh O Brien

Daragh is the founder and Managing Director of Castlebridge. He brings over twenty years of experience in data strategy and regulatory operations to the table for clients. He lectures in the School of Law in UCD and in the Law Society of Ireland on Data Protection and Data Governance. He is a Fellow of the Irish Computer Society and holds CIPP/E and CIPM certifications from the IAPP and other data management qualifications.