Blog Post

Data Privacy Day (DPD), celebrated annually on Jan. 28, is an international effort centred on “Respecting Privacy, Safeguarding Data and Enabling Trust.” As data protection issues have moved into the sphere of broad consumer interest here in Ireland, one of the ways organisations, particularly state and semi-state bodies, have taken to engendering public trust in their data systems is through the oft quoted line “in consultation with the Data Protection Commissioner.”

As the current Data Commissioner, Helen Dixon, points out:

…public bodies will mention quite deliberately that ‘this was done in consultation with the Data Protection Commissioner’. I suppose what they are trying to do is to give confidence to data subjects (citizens) that they have gone through a rigorous process and an analysis and that they believe what they are proposing is lawful.

But as three hot-button topics on today’s theme of Data Privacy Day illustrate, the assurance of “consultation” is not the guarantee of data security and personal privacy consumers might hope for, nor should we be confident our data is being gathered lawfully when we see it:

1/ The Primary Online Database (POD)

The Department of Education is currently rolling out POD, in which they intend to store sensitive, private data on every individual primary school child, including their racial profile, psychological assessments, special needs, religion, and PPS number, until that child is at least 30 years old. Significant concerns have been raised about the need for this data, the use of this data, the ability of schools to safely store and securely transfer this data, and the length of data retention, and a campaign is now underway calling on the Minister for Education to scrap POD.

On January 8th, the Minister for Education reassured the public “that the Department had consulted with the Data Protection Commissioner.” The Data Commissioner, however, stated on the 26th of January “…there’s an inadequate explanation of why they need it and why they need to hold it for as long as they are holding it.”

2/ Eircode

The new national postcode system due to roll out next year has long been a contentious subject, with groups including DRI believing that uniquely identifying each individual household in Ireland creates significant privacy and data protection issues. On the 19th of November, Eircode’s Patricia Cronin told an Oireachtas Committee “On foot of our engagement with the Data Protection Commissioner, we have also undertaken a privacy impact assessment… to determine if there is a potential impact on anyone’s privacy.”

While this sounds very reassuring, the Office of the Data Protection Commissioner has repeatedly raised concerns about Eircode, and the Data Commissioner herself was most recently quoted as saying that it is “difficult to say as yet what kind of harms, if any, may derive from the use of a unique code to identify each individual home in the state.“

3/ Irish Water

In September, Irish Water began registration for water charges, including requiring the PPS numbers of the account holder and any children in the household. Speaking in July, Irish Water’s Elizabeth Arnett said, “As you can imagine a utility like ours will hold a lot of data from our customers. So we have an ongoing engagement with the Data Protection Commissioner.”

Following enormous public outcry, a change in legislation and intervention by the government, Irish Water was forced to announce at the end of November that it would no longer ask for PPS numbers, and that all PPS numbers held by them would be scrubbed— thought this statement, too, contains the ominous phrase “in consultation with the Office of the Data Protection Commissioner.”

In the most recent Annual Report of the Data Protection Commissioner, former commissioner Billy Hawkes had this to say about the commitment of Irish State agencies to the safeguarding of the data they hold on us:

Our audits of State organisations have, in too many cases, shown scant regard by senior management to their duty to safeguard the personal data entrusted to them – a duty that is all the greater because of the legal obligation to provide such personal data to the State… Failure to treat personal data with respect can only lessen the trust that should exist between the individual and the State.

It’s not a reassuring quote, any more than the statement “in consultation with the Data Protection Commissioner” has been shown to be. Digital Privacy Day is a timely reminder that vigilance in what data we give and to whom, how they use that data and for how long, is rarely misplaced.