So, I appear to have caused some consternation with my post over the weekend. To help clarify things, I’ve put together an alternative reality version of the Irish Water Data Protection Notice based on information that has been included in recent media coverage and which is fragmented across a number of documents produced by Irish Water. This is effectively free consultancy for Irish Water and is an incomplete first pass that is intended to illustrate the benefits of layout and structure of Data Protection Notices to improve clarity and communication of purposes for processing of data.
However, the content of this post is (c) 2014 Daragh O Brien and cannot be reused for commercial purposes other than news reporting without prior written permission.
+++++++
Who we are
Irish Water is the new national water utility, which is responsible for providing and managing public water services throughout Ireland. Irish Water is a State-owned company, established under the Water Services Acts 2007–2013.
Irish Water replaces the previous system of 31 Local Authority Water Services departments.
Registered Office
Our registered office is:
Colvill House,
24-26 Talbot Street,
Dublin 1.
Address for Data Protection Queries
Data Protection queries, such as Subject Access requests or requests for data correction, should be sent to:
Data Protection Officer
P.O. Box 860,
South City Delivery Office,
Cork City,
Cork.
You can email queries to us care of dataprotection[AT]water[dot]ie ==>(This email address doesn’t currently exist)
What Data are we processing?
We process a range of data about customers of public water services (Customers) and other users of private water services (Non-Customers).
Data about your property and water services
If your property is connected either a Public water main supply or Public Sewer you are a customer of Irish Water. We will ask you to confirm what kind of water or sewage system you are connected to in order to identify if you are a customer of Irish Water or not.
If you are a customer, we will confirm if you are receiving a bill for a water service from your Local Authority and if the property is used as a private residence or not, and if you are a property owner or a tenant.
We will also seek information about the number of people residing in your property.
Personal Data
The personal data we process about you includes:
Names of account holders,
PPSN numbers for account holders and any resident children (17 years or under)
Customer property address
Customer preferred billing address (if different from property address)
Home land line telephone number
Mobile telephone number
email address
Billing language preference
We will also record calls between Irish Water customer service staff and customers for purposes including quality assurance and training.
Sensitive Personal Data
Irish Water processes sensitive personal data about customers who indicate they wish to avail of special and/or priority services.
This information may include data relating to physical or mental health. In these circumstances we may also process personal data relating to a nominated carer or other person who will deal with correspondence on your behalf.
Personal Financial Data
We will process bank account details for the purposes of establishing recurring direct debits for the payment of Water Services bills.
Other than data you provide to us, what other data do we process about you?
Under Section 26 of the Water Services Act 2013, Irish Water is empowered to seek data from a number of different bodies. As of September 2014, these bodies include:
The Revenue Commissioners
The Residential Property Tenancies Board
The Property Services Regulatory Authority
Local Authorities
The Local Government Management Agency
Electricity Service providers
The Department of Social Protection
Gas service providers
Other bodies or data providers may be specified by the Minister after consultation with the Data Protection Commissioner.
Irish Water may make use of data from 3rd party data service providers for some of the purposes set out below.
Why are we processing it?
Irish Water has a number of specific purposes for processing your personal and sensitive personal data, and for seeking data about you from other sources.
Confirming if you are a Customer of Irish Water
We will process information about your household, its water supply and sewage services, and other related household data to confirm if you are a customer of Irish Water.
Confirming eligibility for allowances
To apply for the Household Water Services Allowance we process your PPS Number to verify your identity and your entitlement.
To apply for the Children’s Water Services Allowance, we process the PPS Numbers of resident children (under the age of 17) to verify the age and identity of the children.
This is a control check process that ensures correct and appropriate allowances are claimed to help ensure accurate application of credits to customer water service bills. For more information on our processing of PPSN please see the relevant section below.
[note: This is the purpose for which PPS Numbers is being obtained. It is good to note that Irish Water are not asking for PPSN for non customers, however that assumes that people won't fill it in in error. I assume Irish Water have a process to purge PPSN details they don't require?]
To generate and distribute customer water service bills and collect monies owed
We will use the name of the registered account holder and the property address, or the alternative billing address, for the purposes of sending Water Service bills to customers.
This data will also be used to support our credit control processes. In the event of non-payment of bills, your data may be passed to debt collection agencies for the purposes of debt recovery, up to and including legal proceedings for non-payment.
Data about language preferences will be used to ensure you receive a bill in the language you select. Sensitive personal data will be processed to allow us to issue braille bills or to arrange for “talking bill” services to be provided to visually impaired customers.
Where a customer availing of special services or priority services has indicated that a carer or other person should receive correspondence on their behalf we will process that person’s data as required.
For Fraud Detection and Prevention and Credit Scoring
Irish Water will use data obtained from various bodies as outlined above to allow us to operate prudent fraud detection and prevention controls.
We may also use data from data services providers for the purposes of customer credit scoring as part of our prudent management of risk.
Marketing
Subject to specific consents, Irish Water may use contact data provided by customers for the purposes of marketing products and services to customers related to their Water Service. This will be subject to specific consents which will be obtained.
For non-customers, Irish Water may use contact data provided to send information about water service availability and to market relevant products and services. Again, this will be subject to specific consents.
Call Recordings
Calls between Irish Water Customer Service staff and customers will be recorded for quality assurance and training purposes, and to confirm details of the conversation if required.
Maintenance and Construction Activity
Irish Water may process your personal data for the purposes of conducting visits to premises, arranging for required works to be carried out at premises, and other construction and maintenance activities necessary to ensure the delivery of a public water service.
Health and Safety and Risk Assessment
Irish Water may process your personal and sensitive personal data for the purposes of ensuring compliance with Health and Safety obligations, ensuring appropriate water supplies for people with certain medical conditions, and the conducting of risk assessments associated with the management of the public water supply.
Your PPSN – what we will do with it
Irish Water is entitled to request your PPS Number and the PPS Numbers of under Schedule 5 of the Social Welfare Consolidation Act 2005. PPS Numbers provided will be stored securely by Irish Water.
Your PPS Number will only be used to determine if you are entitled to water services allowances. PPS Numbers will be verified with the Department of Social Protection and a simple confirmation of entitlements will be received from them. No other data will be exchanged or processed for this purpose.
PPS Numbers will be retained by Irish Water for [NEEDS A RETENTION PERIOD AND PURPOSE POST VALIDATION OF DATA AT APPLICATION]
Only customers of Irish Water are required to provide us with their PPSN. Users of private water services should not submit this data to us as we do not have a purpose for processing it.
[note: I've flagged this already, but an exception handling process to ensure ppsn is not processed for non-customers by mistake would be a good control here.]
Sharing Data/Disclosure of Data
Irish Water may share data with companies who provide services to Irish Water for the purpose of carrying out our business functions as outlined above. Companies providing data processing services to Irish Water do so under a formal contract and are required to process data only for the purposes specified by Irish Water and must ensure they have appropriate organisational and technical measures to prevent unauthorised access to, alteration of, or disclosure of your data.
Irish Water may disclose or transfer data to a third party in the event of the business being purchased in part or entirely by that third party.
Irish Water may also disclose data if required to do so in order to comply with a legal obligation, or to protect the rights, property, or safety of Irish Water, its customers, or other relevant third parties, or if required to do so on foot of a search warrant, court order, or where required under a Statutory duty.
Irish Water may share data with third parties for the purposes of fraud detection and prevention and as part of credit risk reduction.
Transfer of Data Outside the European Economic Area
Personal Data held by Irish Water may be transferred to or accessed from countries outside the European Economic Area. The reasons for data to be transferred may include, but are not limited to:
Outsource Customer Support services
IT Technical support services
Software development and support
Data hosting and back up services
Fraud Detection, Prevention, and Credit risk management
Transfers to countries outside the European Economic Area will be carried out subject to specific contract terms and other relevant controls, such as transfer to appropriate countries on the European Commission Safe Countries List or alternative appropriate mechanism under the Data Protection Acts.
[note: The original Irish Water Data Protection notice forces consent to this EEA transfer provision. The Data Protection Commissioner is clear that relying on consent in this case requires the consent to be unambiguous and freely given. In the original form, the consent was not unambiguous as it didn't specify any purpose or what data. Also, given that Irish Water is a monopoly and we have no option but to fill out the registration form, the consent being sought was not freely given].
Data Retention
Irish Water has a defined Data Retention Policy.
[note: I assume they have a defined retention policy. What I would suggest here is that for each key purpose a time period be established]
Exercising your Data Protection Rights
Under the Data Protection Acts you have the right to:
Request a copy of personal data held about you by Irish Water (Subject Access Request)
Request Irish Water correct or delete incorrect or inaccurate data about you
Request Irish Water cease processing your data for specific purposes, such as Direct Marketing
Subject Access Requests
To request a copy of your data you should send a request in writing to:
Data Protection Officer
PO Box 860
South Delivery Office
Cork City
Cork
Irish Water may request additional proof of identity from applicants for the purposes of verification to ensure data is disclosed only to the relevant individual.
Irish Water may charge a fee of up to €6.35 for Subject Access requests.
Change Direct Marketing Preferences
To change your Direct Marketing preferences you should send your request to:
FREEPOST,
Irish Water,
Data Protection Opt-out,
PO Box 860,
South City Delivery Office,
Cork City
Alternatively you can phone Irish Water on 1890 278 278 to update your marketing communications preferences.
Other Requests
Other requests should be sent to:
Data Protection Officer
PO Box 860
South Delivery Office
Cork City
Cork
Marketing Consents & Permissions
email: I would like to receive marketing communications by email (YES/NO) [this is an opt-in consent]
SMS: I would like to receive marketing communications by Text message (YES/NO) [this is an opt-in consent]
Mobile Call: I would like to receive marketing calls on my mobile phone (YES/NO) [needs to default to NO as this is an opt-in consent]
Landline: I would like to receive marketing calls on my land line phone (YES/NO) [this can be an opt-opt consent]
Postal Mail: I would like to receive marketing material by post (YES/NO) [this can be an opt-out consent]
[note: The Article 29 Working group and the DPC have indicated that preticked boxes on web forms are not valid consent as the consent is not freely given. Including them here is possibly not ideal given that the form isn't online.
The application form contains only one single Opt-out tick box for both electronic and postal marketing. This does not meet the requirements of SI336. As I haven't received my pack yet I can't comment on the on-line application process and whether it has better compliance with the ePrivacy regulations requirements (SI336)
Also it is important to note that the application form for Irish Water does not capture any electronic contact data for non-customers, therefore non-customers will be marketable to only via postal mail at this point on an opt-out basis]