Archive for the 'Data Protection' Category

Yet another Toyota recall

I wrote twice before on product recalls by Toyota and the apparent legislative oversight which meant that there was no legal provision allowing Toyota to obtain records of Toyota owners from the vehicle licensing authorities.

At the time I wrote those posts, the most recent legislation on the issue was the Finance Act 1993 (Section 60) Regulations 2005. Now that Toyota are undertaking another product recall, I discover the Finance Act 1993 (Section 60) Regulations 2009, which took effect on 25 September 2009 but which, oddly, were not available on the Irish Statute Book when I wrote my posts in 2010 and 2011.

At any rate, the 2009 Regulations revoke and replace the 2005 Regulations and designate specified manufacturers and distributors as being entitled to obtain vehicle licensing records, rather than the generalised category stated in the 1996 Regulations.

So, it appears that I was mistaken, but had no way of knowing it at the time.

New data protection rules on cookies & mandatory data breach reporting for electronic communications providers


From George Eastman House

Not those kind of cookies.

Last week, the Minister for Communications, Energy and Natural Resources signed a group of statutory instruments into law which transpose the EU telecommunications reform package.

Among those regulations are the European Communities (Electronic Communications Networks and Services)(Privacy and Electronic Communications) Regulations 2011.

The Regulations are lengthy but the Data Protection Commissioner already has a guidance note online outlining the changes introduced, the most significant being:

  • Compulsory notification of individuals and the Office of the Data Protection Commissioner in the case of data breaches
  • More stringent requirements for user consent for the placing of “cookies” on electronic devices
  • Stricter requirements for the sending of electronic marketing messages and the making of marketing phone calls

I previously wrote about mandatory reporting of data breaches in the context of general data protection law (rather than sector-specific rules).

Leo Moore (William Fry) points out that the new rules on cookies do not provide for a lead in time, as was the case in the UK. This will put pressure on operators subject to the rules to get their house in order quickly. He notes:

Website operators and other interested parties are keenly following how the Cookie Regulations will be interpreted and enforced in Ireland in light of the need to obtain website user consent each time a cookie is placed on a website user’s computer. Many such parties have concerns in relation to the practical implications of complying with such obligations.

For more, try following Ronan Lupton (ALTO), TJ McIntyre (UCD/DRI), Leo Moore (WF) & David Cullen (WF) on Twitter.

Privacy and the press

I wrote a short article for last week’s Sunday Business Post on the super-injunctions story and the conflict between freedom of speech and privacy. It appeared in the Computers and Business magazine and is available here.

It’s a difficult topic to tackle in a short article and some more thoughts on the issue are in my earlier rambling blogpost. However, Karlin Lillington dealt with the issue expertly in last Friday’s Irish Times by contrasting the UK super-injunctions saga with the Irish experience of data protection and retention laws.

PRIVACY HAS two definitions. There is the definition that applies if you are wealthy, or a celebrity, or a corporation or organisation, and you wish carefully to protect from the public eye your infidelities, personal peccadilloes, ethically questionable activities, illegal doings or other foibles that might damage your income, reputation or bottom line.

Then, there is the definition that applies if you are just an ordinary citizen and a bank, an insurance company, an electronics manufacturer, a telecommunications company, a law enforcement agency, a government department or other organisation holds or would like to view lots of potentially sensitive information about you.

If you are in the former, elite group, lucky you. You will find you are entitled to all sorts of perks and privileges when it comes to your special definition of privacy. Your national government may come up with laws specifically to protect your version of privacy.

Justice systems may invent special protections that mean not only is no one allowed to mention whatever it is you or your company is said to have done, but no one is even allowed to mention that such a legal protection is there in the first place.

Social media and internet companies may, despite public statements about valuing their users and freedom and democracy, relinquish information about the people who might have said something annoying about you, your company or your government, the better to enable the justice system to get these aggravating people off your back.

If you are in the second group, your privacy is too often a commodity.

The surprising reason given for the change to HSE policy on providing patient lists to clergy

This morning’s Irish Times reports on a change to a Health Service Executive policy I never knew existed. Until now, Irish hospitals provided members of the clergy with access to patient admission records. This practice, the article reports, “has been stopped by recent data protection legislation.”

I was surprised by the reference in the article to “recent data protection legislation” and “new legislation”. The main Irish legislation in this area is the Data Protection Act 1988. It was amended in 2003. There are a number of regulations affecting those Acts but the most recent relates only to the Director of Corporate Enforcement.

So, is the new legislation referred to the 8-year-old Act or the 23-year-old one?

The truth is, one might reasonably speculate, that the consequences of long-standing legislative requirements have recently been considered by the HSE and it changed its policy accordingly. [I have since found that the Offaly Independent reported on this story last Friday, without any indication that the legislative requirement which led to the policy change was new or recent.]

Information on an individual’s health is sensitive personal data for the purposes of the Acts and is the category of personal information that is subject to the strongest protections.

The Data Protection Commissioner has published a guidance note on the application of the Acts to the health sector. That note begins with the following, non-legislative point:

The confidentiality of patient records forms part of the ancient Hippocratic oath, and is central to the ethical tradition of medicine and health care.

It goes on to say that

Given the immense sensitivity of health-related information, it is imperative that professionals in this sector be clear about their use of personal data.

This recent, very much belated, change of policy by the HSE suggests that the organisation may have some distance to travel in this regard.

Irish data retention law now in force

There has been so much political uncertainty in recent weeks that one wonders what business of Government has gone on unnoticed. One such item of business, I discovered from the A&L Goodbody legislative FAQ referred to earlier, was the passing by the Oireachtas of the Communications (Retention of Data) Act 2011.

This controversial piece of legislation is not available, as yet, in its final form as none of the Department of Justice, the Houses of the Oireachtas or the Irish Statute Book have published it.

The President signed the Act into law on 26 January 2011 but, as far as I am aware, this has not been reported on anywhere. The commencement date is not known but the latest draft available does not contain a commencement clause so, if one was not inserted before it was passed by the Oireachtas, it is now in effect.

[Update: I wasn't correct in stating that the introduction of the Act hasn't been reported on. I had missed Eoin O'Dell's reference to its passing on his blog and Karlin Lillington's coverage in the Irish Times. She also covered the Seanad debates on twitter. However, it is still noteworthy that this news has been confined to analysis pieces and has not been headline news, by contrast with other rushed legislation recently signed by the President.]

According to the Internet Service Providers Association of Ireland:

ISPs providing Internet services to the public are now obliged to retain certain data, as set out in the Act, identifying the occurrence of a communication (but not about the content of the communication itself). This must be done for every user, whether they are a private or business customer. In the case of Internet communications the ISP must keep the data for a period of one year … [The] ISPAI regrets [the passing of the Act] despite the trojan efforts of non-government Senators who argued the amendments (which were defeated) aimed at giving greater clarity to the legislation and particularly to minimise its potential to put Ireland at a cost disadvantage to our EU neighbours for Internet based business.

Digital Rights Ireland summarised the effect of the legislation when it was first put before the Oireachtas as follows:

In essence, the Bill requires telecommunications companies, internet service providers, and the like, to retain data about communications (though not the content of the communications); phone and mobile traffic data have to be retained for 2 years; internet communications have to be retained for one year … This will impose significant costs on those obliged to retain and secure the data, and those costs will be passed on to their already hard-pressed customers. And it is likely to drive international telecommunications and internet companies to European states which have introduced far less demanding regimes.

The Irish Council for Civil Liberties made submissions to the Department of Justice about the legislation. Digital Rights Ireland took a constitutional challenge against the legislation and that challenge is en route to the European Court of Justice (the Act implements the EU data retention directive).

Privacy & Human Rights in Europe

Privacy International have published their latest study reviewing privacy and human rights in Europe.

I contributed to the Irish chapter of the report, along with TJ McIntyre and Colin Irwin. It gives a good overview of current Irish law on privacy and data protection.

The report concludes that, while Europe is the world leader in privacy rights, there remains much work to be done in the field.

The Directive on Data Protection has been implemented across EU member states and beyond, but inconsistencies remain. Surveillance harmonisation that was once threatened is now in disarray. Yet there are so many loopholes and exemptions that it is increasingly challenging to get a full understanding of the privacy situations in European countries. The cloak of ‘national security’ enshrouds many practices, minimises authorisation safeguards and prevents oversight.

The report includes a report card in its key findings, the highlights of which for Ireland include criticisms that Ministerial warrants can override privacy law protections and that powers allowing for interception of VoIP calls are ambiguous.

For more on international privacy law, Morrison Foerster have a very useful library which acts as an online sourcebook.

Another recall: on what legal authority will Toyota get access to owner details?

Toyota announced another recall today.

I wrote about car recalls last year. Car manufacturers don’t have ownership details of all cars sold and, in the event that a safety issue arises, need to get that data from vehicle licensing authorities.

From the US National Archives

Access to this data would normally be prohibited under the Data Protection Acts 1988 and 2003 but was previously facilitated by a set of regulations published by the Department of Finance. The Data Protection Commissioner criticised the unqualified access provided under those regulations and sought their review. I don’t know whether the Commissioner’s comments influenced the Department of Finance, but in 2005 a new set of regulations were published which removed the reference to car manufacturers.

Therefore, in so far as I can tell, the law no longer provides for the provision of car registration data by vehicle registration authorities to car manufacturers. Unless Toyota is otherwise entitled to that data (and I have argued that they are not), the disclosure by the vehicle registration authorities is contrary to the Data Protection Acts.

The new Revenue data protection regime in the Finance Bill 2011

The Finance Bill 2011 seems to have become the key to Ireland’s salvation and our parliamentarians fear allowing democracy to run its course without first passing it.

When the Green Party withdrew from Government yesterday, Eamon Ryan suggested that a scaled-down bill could be passed quickly and that the balance of the provisions could be enacted by the next government. This seems a strange proposition and one might wonder why the next government couldn’t just do the whole job.

Nevertheless, the opposition have taken up that argument with Leo Varadkar memorably suggesting this morning that a “bikini bill” be passed: one which covers the bare essentials. Minister for Finance Brian Lenihan has difficulties with this, as some of the new provisions in the published bill address anti-avoidance measures and their publication has advertised opportunities to exploit tax loopholes. If they are not closed quickly, he argues, further taxes will be lost.

The list of items in the Bill published by the Department of Finance helpfully categorises them as measures which were announced in Budget 2011 and those which are new in the Bill. These type of provisions are often housekeeping and do not address strictly budgetary matters. One which caught my eye is that concerning taxpayer confidentiality.

Section 73 of the Bill would insert a new section 851A to the Taxes Consolidation Act 1997 to provide that taxpayer information held by the Revenue Commissioners is confidential and may only be disclosed in certain circumstances. The Department explains that this

addresses the current lack of a specific tax-related provision governing the confidentiality of taxpayer information provided to Revenue.

An offence of knowingly providing confidential information is included and can be punished by a fine of up to €10,000.

This section is surprising in light of the fact that the data security breach aspects of the Data Protection Acts 1988 and 2003 are currently under review. Indeed, the statement that it “addresses the current lack of a specific tax-related provision governing … confidentiality” suggests that the extensive provisions of the Data Protection Acts are insufficient. The proposition that these insufficiencies could be remedied by a single section in the Taxes Consolidation Act 1997 is implausible.

In 2009, the Data Protection Commissioner undertook a detailed audit of the Revenue Commissioners and the results were generally positive.

The Inspection Team considered that there exists a very high organisational awareness of data protection principles in Revenue. In particular, the presence of a dedicated Data Protection Unit, with designated contact points in the event of any issues arising was considered by the Team to be a very appropriate structure for a public sector entity in possession of high volumes of personal data. There is very clear evidence that a detailed approach has been taken by Revenue to identifying and setting out, via policy documents etc, its responsibilities under data protection legislation. This thorough approach is to be welcomed.

The Commissioner made a number of compliance recommendations and recommended that Revenue undertake a privacy impact assessment of any proposal to extend its investigative powers. Given that the report was overwhelmingly positive, it is unclear where the impetus for section 73 lies (though TJ McIntyre speculates that it may have something to do with recent alleged wrongdoing by Revenue officials, uncovered by internal audits).

There are a number of aspects of the Data Protection Acts that could benefit from reform; not least the fact that the Acts do not provide for a straightforward offence of breaching data security, as is now proposed for Revenue data. Rather, it is an offence:

  • to ignore a notice issued by the Data Protection Commissioner in respect of personal data;
  • for a data processor to disclose personal data without the authority of the relevant data controller;
  • to gain access to personal data held by a data controller and to disclose it to another person.

This last offence does not apply to an employee of the data controller and so section 73 would seem to catch Revenue employees where the Data Protection Acts would not. However, the penalties in the Data Protection Acts reach a maximum of €100,000, in contrast with the €10,000 maximum fine envisaged in the Finance Bill. In the UK, the maximum fine is £500,000.

The Data Protection Acts are lacking in enforcement teeth to deal with willful data security breaches. Instead, they provide for a system of co-operation and escalated engagement with data controllers. Nevertheless, the decision of the Department of Finance to go it alone on this issue is disappointing and section 73 of the Finance Bill once again fragments Irish law on a particular area rather than seeking to improve the general law that applies to everyone.

If citizens deserve to have such a protection in place in respect of Revenue data, why not health or employment data?

  • Update: It was reported today (25/01/11) that a Donegal civil servant allegedly accessed personal data at the Department of Social Protection in Letterkenny and passed that data to a private investigator who subsequently sold it to insurance companies. This is precisely the type of data security breach that section 73 is aimed at, but section 73 will be limited to the Revenue Commissioners and so will not cover the Department of Social Protection. As I asked yesterday, if a protection like section 73 is necessary for Revenue data, why not for other data?

TJ McIntyre looks at some other IT law aspects of the Finance Bill here and here. From a practical perspective, it is also noteworthy that the Bill (section 75) proposes to allow payment of taxes by credit card. While this may facilitate the Revenue Commissioners, it would not appear to be a prudent move for indebted taxpayers who might avail of the facility.

If you didn’t friend the Department of Social Protection, one of your “friends” snitched

The stories about the Department of Social Protection’s use of Facebook to detect fraud raised more questions than they answered. So, I requested details from the Department of its use of social networking.

Someone talked!

Here’s the relevant part of the response:

Social networking sites, such as Facebook, are not a systematic part of the Department’s on-going targeted fraud and error control activities.

Circumstances, however, may give rise to a member of staff examining publicly available information on the internet, for example following receipt of a report from a member of the public making reference to relevant information on social networking sites.

Information from such sources is not used as evidence to terminate a claim in payment but may result in a review of entitlement by the Department.

On a point of information, at the end of August 2010 (latest figures available)

  • over 7,200 anonymous reports were made to the Department’s Central Control Division. (Reports are also made directly to scheme areas and public offices which are not included in that figure).
  • 500,000 reviews approx. were completed by the Department. Investigations which refer to social networking sites would be negligible in an overall context.

As only information which is publicly available on social networking sites is accessed in such investigations, the cooperation of the operators of such sites is not needed. The Department has not accessed, or sought to access, information on social networking sites which is not available to the public at large.

The above doesn’t necessarily get the Department around the requirements of the Data Protection Acts and it is not clear what the Department does with data submitted to it by members of the public which is not publicly available online.

Did you friend the Department of Social Protection?

Over on the Irish Computer Society’s data protection blog yesterday, Daragh O’Brien wrote about the news that the Department of Social Protection is monitoring Facebook when investigating suspected welfare fraud.

Daragh discusses the data protection principle of fair obtaining in this context. He notes section 8(b) of the Data Protection Acts 1988 and 2003, which suspends the restrictions in the Acts for the purposes of the investigation or prosecution of offences and in the case of collecting or assessing monies due to the State. However, the section 8(b) exemption only applies where processing of personal data (which would include getting it from Facebook) is required for the purposes of investigation, etc. The provision is, as yet, untested, but the wording certainly suggests that it is not open to the Department to process personal data obtained from Facebook merely as an aid to investigation.

© Brian Solis

After all, this guy doesn't believe in privacy.

This morning, the Irish Independent followed up on the story with surprising statements from Facebook itself, primarily that:

“Facebook protects people’s right to privacy but in the same way officials investigating a case can access post office details or phone records, accessing Facebook profiles would be the same kind of thing,” a spokesman said.

It comes as a surprise to me* that the Department could access post office details (and: what are those details?) and phone records without a court order or the consent of the data subject, but Facebook apparently believes this is the done thing. It’s an important point because Facebook’s privacy policy purports to allow the company to hand over your information.

We may disclose information pursuant to subpoenas, court orders, or other requests (including criminal and civil matters) if we have a good faith belief that the response is required by law. This may include respecting requests from jurisdictions outside of the United States where we have a good faith belief that the response is required by law under the local laws in that jurisdiction, apply to users from that jurisdiction, and are consistent with generally accepted international standards.

It is not known from the news reports whether Facebook has facilitated the Department of Social Protection or handed over information or access to profiles to the Department. If not, it is difficult to see how the Department has accessed any meaningful information from the site, unless it has taken advantage of data which has inadvertently been made public or, alternatively, if the Department has obtained the data by deception.

From the comments made by Facebook to the Irish media, it appears that Facebook has an off-hand attitude to the specifics of Irish law on this point and its privacy policy suggests that the company will err on the side of caution in assisting a State agency. It won’t surprise many that Facebook might not rush to defend your privacy.

The incident is certainly worthy of investigation by the Data Protection Commissioner.

* I’m not an expert on the Social Welfare Acts and they are labyrinthine, but anyone with more knowledge on the powers of the Department in this area might comment below. I understand certain information can be shared by some State agencies for the purposes of making a decision on whether to provide social welfare or grants, but I don’t believe that extends to investigations by the Department.
