Small Print, Big Headache
Over the past few months I’ve been involved in a number of events related to Cloud Computing and have had countless conversations about the pros and cons of outsourcing, as well as having studied a number of business arrangements that boiled down to someone being a Data Processor for someone else, a Data Controller.
I have found that my message in each of these apparently disparate situations can now be boiled down to:
- It’s the Information, Stupid, and
- The Fine Print can frustrate your intent (or, less politely, feck you up), and
- If you can’t find who is responsible for the thing, then it is you who is responsible.
These mantras span the domains of Data Protection, Data Governance, and Information Quality, but for the purposes of this post I’ll be using examples from the Data Protection sphere.
On a Role?
In one situation I’ve looked at recently, a company providing event registration services emailed someone who’d registered for an event using their service. The email recipient had not, to their knowledge, signed up to receive emails from the company. When we looked into the Privacy Statement and Terms and Conditions, it became clear that the event registration service company was muddled about their role in the whole situation: they believed they were both a Data Controller and a Data Processor and, we assume by reason of declaring themselves a Data Controller, they felt they could email anyone whose details were on their databases.
Without wishing to prejudge any investigation that the Commissioner might make on this case (I believe a complaint has been filed) the reality of the situation is this:
- The provider of the event registration service acts as a Data Processor on behalf of event organisers, who are the Data Controllers for personal data submitted for each event.
- As Data Processors, they can only use personal data provided for event registration for the purposes permitted by the Event Organisers (the Data Controllers), unless they have fairly obtained consent from the Data Subjects to use personal data provided for registration to Event X run by Company Z to send direct marketing from the event registration service provider (and it should be clearly given consent, not consent by omission).
- Where they capture that consent and have that personal data under their control, then they become Data Controllers – but only where there has been fairly obtained consent. The use of that data in any other context would likely constitute an unauthorised disclosure (and would require the Data Controller to make a note of it to be compliant with the Code of Practice on Data Security Breaches).
The Contracts and Terms and Conditions that underpin processes to gather personal data on an “outsourced” basis need to be very clear as to who the Data Controller is and who the Processor is, what rights and responsibilities each has in respect of that data, and what disclosures of it are permitted. Any fuzziness is a recipe for disaster and an invitation to the “law of unexpected effects”.
Full disclosure – Castlebridge Associates had been trialling the service provided by this company, but in light of the muddled thinking here we are looking elsewhere.
Caveat Emptor
I have also recently come across a “User Agreement” that underpins the processing of personal data by a company who provide room reservation services in the hospitality industry. The company in question is based in Ireland, so the Data Protection Acts apply to them, and by reason of the function they perform they are Data Processors.
The Data Protection Commissioner made it very clear at a recent Cloud Consulting event that there is an immutable responsibility on Data Processors to ensure the security of personal data which they process on behalf of a Data Controller. So I was unpleasantly surprised to find a contractual condition in this service agreement which purported to absolve the service provider of any liability for loss or damage to data, regardless of whether the loss was foreseeable or the risk had been brought to the attention of the company.
Frankly this is utter hogwash: it is an attempt to transfer the burden of risk back to the Data Controller and the Data Subject and to remove any responsibility from the Data Processor. It may or may not be enforceable in law, as it flies in the face of Data Protection principles.
However, it does highlight the need to carefully read your terms and conditions so you can understand where the risk is. As things stand, a Data Controller agreeing to those terms is risking being in breach of the Data Protection Acts.
Completeness of Critical Information
When you are defining roles and responsibilities as part of a Governance process or in the terms of a Privacy Statement or Data Protection policy, a number of “Information Quality” issues arise:
- If you are defining a job role to be responsible for things, make sure someone is going to actually fill those shoes. A job title with no warm body to do the job is worthless.
- If you are taking a “boilerplate” set of Privacy policy statements (which I would actually advise against – your data and your processes are your unique source of value) then you had better make sure to fill in all the “customisable” bits, or else you will have a document that is as useful as a chocolate fireguard.
I have had the misfortune in the past few weeks to read a number of “Privacy Statements” which are required (amongst other things) to identify the organisation that is the “Data Controller”, and in which the Data Controller is identified as a legal entity called “[INSERT COMPANY NAME HERE]”. I have sought them on the Company Registration Office website to no avail.
Shifting Burdens
Outsourcing the processing of data, whether to the Cloud or elsewhere, does result in a certain level of burden being shifted. If you are running an event, for example, it is easy to sign up to a service which handles all your event registration and payment processing rather than having to build it yourself.
However, the contractual agreements which underpin the outsourcing of those burdens will often bring with them a burden of their own: making sure the document is actually complete and clearly reflects the nature of the agreement you are entering into. Otherwise they carry the risk of the other party to the agreement seeking to shift the burden for risks back on to you, even if you are not in a position to actually mitigate the risk.
The challenge has, in many respects, shifted away from technology issues back to the old reliables of defining and governing human interactions by way of contracts and written agreements. If you don’t pay attention to the small print you could be sowing the seeds of a big headache down the line.