You are hereHome › Irish Water - a Case Study in Data Governance and Data Protection
Irish Water - a Case Study in Data Governance and Data Protection
Normally I keep my hobby horse rants for my personal blog. However, Irish Water's continuing issues with Data Protection are a case study in how not to go about implementing processes, controls, and governance for personal data.
A number of issues arise that I've documented over on my personal blog. However, over the weekend and today further issues have cropped up that require some discussion.
Doe Irish Water know what information is mandatory for its purposes?
Irish Water exists to operate and service a public water network, deliver supply, record usage, and generate bills accordingly.
On Twitter, user @psneeze commented that their website form didn't display any indication of what data was mandatory
— Jim Daly (@psneeze) September 22, 2014
He then goes on to put up a screen grab of the "Contact Form" from the Irish Water website.
— Jim Daly (@psneeze) September 22, 2014
If this form is a genuine screenshot (and I have no reason to doubt the tweeter), then I'd have to say that it is very unclear what the data is to be used for. In keeping with the de minimis requirements under the Data Protection Acts, I'd have expected Irish Water to have obtained only the information that was necessary to contact a customer. Phone and/or email address would suffice. Address information might be useful as part of a follow up, but a county/local authority level breakdown would likely be sufficient for the purpose of classifying and streaming any follow up contacts to appropriate staff. Address information could be obtained when necessary by the complicated process of asking for it then.
Because there is no flag indicating what fields are mandatory (i.e. minimum necessary to allow effective contact processes), human nature is that people will fill in all the fields. Leaving Irish Water with potentially a large amount of contact data that it has no purpose for. I assume they have a means of identifying that data and purging it?
Privacy by Design, Privacy Engineering, and Data Governance
The idea of processing the minimum necessary data to achieve a process objective is a key component of the disciplines of Privacy by Design and Privacy Engineering. Privacy by Design will be a core component of the forthcoming EU Data Protection Regulation. A key component of these disciplines is effective Data Governance structures to ensure that decisions about the use and processing of data are made in accordance with agreed upon models. I'm currently working on a book chapter about Data Governance and Regulatory compliance in the context of Agile systems projects. This is an excellent example that I'll be co-opting for use as it appears that the form was designed for pretty first, and function second, which puts data and data compliance way down the pecking order.
Privacy by Design requires it to be FIRST
I love marketing permissions. I love the fun that can be had designing the data model to under pin them and the communication with customers to explain what they've signed up for. I love keeping up to date with the guidance from the Data Protection Commissioner's office on how they are interpreting the relevant legislation now (which does evolve as they encounter new situations, so it's not a 'tickbox' thing, pardon the pun).
Irish Water purports to have a compliant marketing permissions system based on opt-out consent. In other words, you're in the pot to be marketed to unless you have opted out. That is fine for postal marketing and, to a limited extent, land-line calls. But email, SMS, and calls to mobiles require opt-in by and large. Also, even where opt-in is being relied on, care has to be taken to ensure that the consent is informed and freely given. It is also not permitted to apply a "pre-ticked" consent form, and organisations have to be clear about where they got a person's data from when they are contacting them.
Irish Water is a monoply. There is no competitor. The choice, for the majority of the population, is to pay bills to Irish Water or not have water. In a market like that, consumption is a given so it is not necessary to market the core product.
Apparently Irish Water are proposing to provide data to third parties to market services related to water. I would hope they have paid attention to this DPC prosecution around the provision of marketing information to third parties or the sending of promotional emails on behalf of third parties. I have advised organisations on this kind of practice and it can get very messy very quickly. Also, the Data Protection Commissioner recently updated their guidance on Direct Marketing to include the following statement:
"Similarly, selected third parties with whom you share your marketing lists may only market an individual where you have obtained the explicit consent by the individual for marketing by each specific third party.
The upshot of this is that, in order for Irish Water to share their marketing lists with third parties, they need to SPECIFY at the time the data is being obtained or processed who those third parties are. The days of vague wording about "offers that might be of relevance to you" are gone it would seem. And if they are specifying, they need to give at the very minimum an option to opt-out for postal and an opt-in for other forms of marketing.
"But if someone is an existing customer you have a 'soft opt-in' for calls and emails and stuff, don't you?" I often hear. No, outside of commercial contact details, you don't is my usual response.
- Landline phones can be called without an opt-in consent under Section 13(5) of SI336 - Data Controllers have to give an opportunity to withdraw consent and clash against the National Directory Database to exclude people with a blanket opt-out.
- Sending an SMS marketing message (which is lumped in with email in the definitions in SI336) requires opt-in consent under Section13(7) of SI336. You need to have obtained freely given, informed, unabmiguous consent - there is a loophole here we will come to shortly.
- Calls to mobile numbers require prior opt-in consent under Section 13(6) of SI336. This is OPPOSITE of the position for landlines (despite what might appear from the DPC's summary table in their guidance). Either you have consent for the call or you have confirmed consent with the NDD. There are not that many mobile numbers opted in for marketing calls on the NDD.
- Email marketing requires opt-in consent under Section 13(4) of SI336 - there is a small loophole though.
- Postal marketing is opt-out at the moment under Section 2 of the Data Protection Acts and is not covered by SI336.
The "soft opt-in" loophole arises solely in the context of SMS and email where there is a prior commercial relationship (Section 13(11)), and under conditions that include the following:
- The products are the organisation's own products or services.
- The products or services offered are of a similar kind to those originally purchased
- The customer is given a chance to opt-out of this marketing FOR FREE
- The sale of the product or service occured within the last 12 months, or the data has been used for marketing in the last 12 months and not opt-ed out of
Irish Water apparently will be selling products or services from other organsiations that are of a different kind to that being provided by Irish Water. Therefore the "soft opt-in" for electronic marketing should not apply here.
A Small Update after Irish Water on Primetime 2014-09-23
Irish Water's Head of Commnications was on RTE on the 23rd September. Among the points of explanation she brought out was a statement that Irish Water's marketing on behalf of third parties would be in the form of bill inserts with information about products or services related to water conservation. Bill inserts are a form of postal direct marketing. It's direct marketing because the marketing material is sent to an identified individual rather than to "the householder".
As postal direct marketing, the bill inserts would be subject to an opt-out. From what was said on Prime Time, it would seem that these bill inserts would be from third parties and not Irish Water (as a monopoly provider of a utility service they have no real related products to sell per se).
However, if Irish Water's marketing strategy is to promote "water related products and services" by way of bill inserts and postal direct marketing, it does beg the question why they require email addresses, mobile numbers etc. Which brings us back to my earlier query about what is the minimum data necessary for Irish Water to achieve the purpose of measuring use, calculating bills, delivering and collecting on bills, and maintaining the water services network.
</end of update>
It would appear that Irish Water has a problem with their consent processes. Apparently, when people called the phone number Irish Water provided for as an option for their opt-out, they were told that it could not be done.
This indicates one of three things to me from a Data Governance perspective:
- Either staff are not trained properly in the systems and processes. This raises a concern around the appropriateness of "organsiational and technical" capabilites to protect personal data.
- The processes and systems in the call centre have not been designed to correctly support the standard Data Protection compliance workflow that has been promoted in the Data Protection notice.
- There is a reliance on the hard copy forms or letters to process opt-out requests (or opt-in requests).
With millions spent on consultants I'm bemused that a basic element of call centre/contact centre/CRM functionality has not been designed in. Again, this links back to the concepts of Privacy by Design and Privacy engineering. It also brings us back to the topic of information quality - is the "information product specification" in Irish Water fit for purpose?
Was the requirement to be able to do all this descoped to save time/money? The old project management joke is you can have it cheap, fast, or good, but not all three. Given the lack of quality, I'd have to wonder.
Finally, in the consent process there is a small but significant breach of SI336. The number people call is a 1890 number. This is a LoCall number. Not a freephone number. Therefore, if you don't want to rely on the postman, you do not have a mechanism to provide or withdraw consent that is "without charge" as required under the legislation.
What to do?
This is where I would rant on on my personal blog. Here I will be circumspect.
If I was asked to advise Irish Water, I'd suggest they come to the IGQIE2014 conference in The Marker Hotel in November. There they can learn about Privacy by Design, Data Governance, and other important stuff
I'd also suggest that people take a look at the submission we made with Digital Rights Ireland to the DPER consultation on the Data Governance and Sharing Bill. It is relevant in this context.
I'd also suggest:
- Review of process maps and data flow diagrams to confirm the purpose of critical data
- Review data model to confirm it can support opt-in and opt-out consenting for multiple purposes/multiple 3rd parties
- Invest in a proper Permissions Management portal for customer data that allows for transparency.
- Stop ignoring the customer and start communicating, building trust, and designing in compliance.
The customer is the ultimate arbiter of quality in the context of Data Privacy. If they are surprised by what you are doing with their data, then you are doing it wrong.