<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rss xmlns:geo="http://www.w3.org/2003/01/geo/wgs84_pos#" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:media="http://search.yahoo.com/mrss/" xmlns:yt="http://gdata.youtube.com/schemas/2007" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0">
   <channel>
      <title>ICS_Blogs_Network</title>
      <description>Pipes Output</description>
      <link>http://pipes.yahoo.com/pipes/pipe.info?_id=18aced212005da2d60fbcb0305d77e09</link>
      <atom:link rel="next" href="http://pipes.yahoo.com/pipes/pipe.run?_id=18aced212005da2d60fbcb0305d77e09&amp;_render=rss&amp;page=2" />
      <pubDate>Sun, 26 Feb 2012 07:32:50 +0000</pubDate>
      <generator>http://pipes.yahoo.com/pipes/</generator>
      <atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/rss+xml" href="http://feeds.feedburner.com/Ics_blogs_network" /><feedburner:info xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" uri="ics_blogs_network" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><item>
         <title>DP Commissioner’s Facebook audit</title>
         <link>http://blogs.ics.ie/dp/2011/12/23/dp-commissioners-facebook-audit/</link>
         <description>The report issued by the DP Commissioner’s office earlier this week, following their audit of privacy policies and practices in Facebook, was something of a damp squib. Many clients with whom I have spoken over the past few weeks, particularly those who acquire and hold client data via their online ‘presence’, were eagerly awaiting the [...]</description>
         <guid isPermaLink="false">http://blogs.ics.ie/dp/?p=287</guid>
         <pubDate>Fri, 23 Dec 2011 11:56:18 +0000</pubDate>
         <content:encoded><![CDATA[<p>The report issued by the DP Commissioner’s office earlier this week, following their audit of privacy policies and practices in Facebook, was something of a damp squib.</p>
<p>Many clients with whom I have spoken over the past few weeks, particularly those who acquire and hold client data via their online ‘presence’, were eagerly awaiting the findings. Facebook has muscled its way to the top of this very new social media industry and, in a variation of the old saying, ‘when Facebook sneezes, everyone catches a cold’. The implications for all internet service providers would rest on the outcome of the Commissioner’s findings.</p>
<p>So what did we learn? For starters, we now know that the process is very much ‘under way and ongoing’, rather than finished. The engagement has been positive, constructive, and has already led to changes and modifications of their procedures by Facebook staff.</p>
<p>A further report is now expected in July 2012, by which time the Commissioner expects to see evidence that many of the 40-odd recommendations arising from this initial report have been actioned and resolved. They will, Facebook say, take advantage of the Audit to ‘strengthen (their) existing practices’.</p>
<p>Bear in mind that the dubious privilege of conducting this audit fell to the Irish Commissioner, because the data management decisions and strategies being developed at Facebook Ireland set the policy for the social media provider in nearly every country in the world, aside from the US and Canada. A ‘hospital pass’ from his fellow Commissioner in Austria, since that was where the original set of 22 complaints regarding Facebook’s privacy policies was raised.</p>
<p>So watch this space for more definitive guidelines on how on-line interaction and social media can be managed in a manner that protects privacy while evolving as a leading-edge, new technology.</p>
<p>The Facebook story pitches up a classical dilemma for the techno-entrepreneur – how to design, develop and deploy new functionality while remaining in compliance with legislation that was drafted 15 or 20 years previously. The most recent instalment of DP legislation, at European level, was in 1995, when ‘clouds’ were grey and threatening or white and fluffy, and when a ‘hard drive’ was the Friday evening rush-hour commute through Monasterevin. An ‘external hard drive’ was to complete the same journey, on the back of a motorbike, in the rain (OK, I should acknowledge the influence of the good people at the Laughter Lounge here).</p>
<p>I believe that this story is less about Facebook being asked to comply with existing DP legislation. I am reminded almost daily that the real issue here is not about intrusion on our privacy – it is about the gradual but steady reduction of our expectation of privacy.  New applications, default settings and time-efficient, convenient processes are geared towards the erosion, bit by bit, of our resistance to our data being visible and accessible to others. </p>
<p>Our new ‘smart’ phone is set to assume that we want to share our GPS location with others in our contacts list; our e-mail provider provides us with pre-set facilities to contact those with whom we are regularly in touch; our social networks assume that the friends of our friends are our friends too, and share our information accordingly. And many of those applications are built to assume that, if we express an interest in (or ‘like’) a product, a service or an opinion, that this preference should be passed on to the manufacturers or service providers, so that they can contact us directly and tell us, and sell us, more.</p>
<p>This will be a slow but persistent process – a cultural mind-set will not change overnight. But I recognise that erosion in the conversations I have with my own children and their friends – the easy access to social and personal information about friends and ‘frenemies’ is a given, no longer a novelty.</p>
<p>In my view, the challenge for the DP Commissioner, in working with Facebook and others in this industry, will not be to rein them in and impose compliant structures. It will be to challenge the assumptions and executive mind-set which is defining the (almost) global policy of these organisations. I am neither hopeful nor optimistic about the outcome, but we at the ICS will continue to fight the good fight!<br />
Have a peaceful and restful Christmas, use the .bcc field for your Christmas greetings, and challenge every and all attempts to collect your personal data. And check our web-site (<a rel="nofollow" target="_blank" href="http://www.ics.ie">www.ics.ie</a>) for information on our upcoming course and DP events.</p>]]></content:encoded>
      </item>
      <item>
         <title>My personal thoughts on the Facebook Audit</title>
         <link>http://blogs.ics.ie/dp/2011/12/22/my-personal-thoughts-on-the-facebook-audit/</link>
         <description>Over on my personal blog I’ve written a short piece about my thoughts re: the Facebook Audit by the DPC. All in all I welcome the findings (and at 40 or so discrete findings it is not a clean bill of health by any stretch of the imagination regardless of spin and positioning) but feel [...]</description>
         <guid isPermaLink="false">http://blogs.ics.ie/dp/2011/12/22/my-personal-thoughts-on-the-facebook-audit/</guid>
         <pubDate>Thu, 22 Dec 2011 15:54:55 +0000</pubDate>
         <content:encoded><![CDATA[<p>Over on my personal blog I’ve <a rel="nofollow" target="_blank" href="http://obriend.info/2011/12/22/facing-up-to-facebook/">written a short piece about my thoughts re: the Facebook Audit by the DPC</a>.</p>
<p>All in all I welcome the findings (and at 40 or so discrete findings it is not a clean bill of health by any stretch of the imagination regardless of spin and positioning) but feel that, given the breadth of potential scope for any audit and the limited resources and time available to the DPC’s office, it was inevitable that some issues could be missed.</p>
<p>I am personally dismayed that the DPC did not prosecute some or all of the offences that they identified, particularly those in relation to breaches of the ePrivacy directives (where clear penalties and court precedents exist). A high profile prosecution would have made it a lot easier dealing with clients and prospective clients as it would have focussed the attention on issues.</p>
<p>Also a number of unasked questions remain unanswered. For example, what is the position of Apps which process data outside the EEA? Does Facebook as a Data Controller not need to ensure that these apps (processors) are undertaking their activities in “safe countries” or under terms consistent with the Model Contracts approved by the European Commission?</p>
<p>I’d like to think that this is part of a long term strategy by the DPC to develop a “poster child” for compliance (“hey, look… if Facebook can do it so can you”), whittling down issues and changing the Facebook mindset over time. </p>
<p>But I am fearful that proper regulation and enforcement of Data Protection rules may be seen by the Irish Government as a barrier to enticing foreign investment in the data storage and services sectors and as such the independence of the DPC’s office may be threatened and its ability to effectively carry out its duties may be weakened.</p>
<p>The Office of the Data Protection Commissioner does a sterling job with a small cohort of staff, a massive remit and scope of responsibility, and a budget that, in their 2010 Annual report, was less than €1.5 million. My instinct is that they opted not to blow that budget on prosecutions and instead elected to work the network of International authorities (Canada’s OPC, various German Authorities, the FTC) to keep the pressure on to drive change rather than levy penalties.</p>
<p>After all, any visit to Courts with a prosecution is a roll of the dice as to whether the judge accepts the full weight of the offences and agrees the penalties requested. The DPC could have spent quite a lot to achieve, in effect, the same result.</p>
<p>However, I await with interest the findings of the rematch in July 2012. Will Facebook win gold for privacy then? Or will we see the true stamina of the Data Protection Commissioner in a legal tussle? All we can hope for is either an Olympic performance from the “New Facebook” or a Herculean stand by the DPC in defence of individual privacy. </p>]]></content:encoded>
      </item>
      <item>
         <title>The EU Data Protection Regulation</title>
         <link>http://blogs.ics.ie/dp/2011/12/22/the-eu-data-protection-regulation/</link>
         <description>Earlier this month we saw the leaking of a late draft of the forthcoming EU Data Protection Regulation. Yes. That’s right. Regulation. In other words direct effect, standardised legal framework across Europe, less wriggle room at local level, and no waffling and stalling by national parliaments as they butcher a Directive into national law. The [...]</description>
         <guid isPermaLink="false">http://blogs.ics.ie/dp/2011/12/22/the-eu-data-protection-regulation/</guid>
         <pubDate>Thu, 22 Dec 2011 15:34:58 +0000</pubDate>
         <content:encoded><![CDATA[<p>Earlier this month we saw the leaking of a late draft of the forthcoming EU Data Protection Regulation.&nbsp; Yes. That’s right. Regulation. In other words direct effect, standardised legal framework across Europe, less wriggle room at local level, and no waffling and stalling by national parliaments as they butcher a Directive into national law.</p>
<p>The full final text is expected in January, with a 2 year implementation window being mooted.</p>
<p>Among the criticisms I’ve seen levelled at the Regulation is that it is “longer than the Directive it will replace”. Yes. It is. But that’s because it has had to do more than just replace the existing Directive; it has had to:</p>
<ul>
<li><font size="3">Update the Directive with new concepts such as the “Right to be Forgotten” and increased duties of transparency</font></li>
<li><font size="3">Introduce new penalty structures (which were previously the preserve of the national enabling legislation that transposed the Directive) such as the 5% of Global turnover penalty for breaches of the legislation.</font></li>
<li><font size="3">Define new governance structures for Data Protection in Europe at the EU level and between countries.</font></li>
<li><font size="3">Impose sanctions on Data Processors who act beyond the terms of their processor agreement (currently the only sanction is for the Controller to sue in Contract law, assuming a contract exists).</font></li>
<li><font size="3">Adapt the existing regulations and governance models to things like Social Networking, Cloud computing and mobile devices.</font></li>
<li><font size="3">Figure out how to deal with extra-EU entities selling into the Internal Market (easy.. they will have to comply with our rules now).</font></li>
</ul>
<p>Buried among the new changes, one aspect that jumped out at me was the introduction of lower value “administrative” financial penalties for smaller incidents of breaches of the legislation. I for one hope that that proposal makes it into the final draft of the Regulation as it would provide a tiered approach to penalties and put something tangible between the “softly softly encourage compliance” and “hit Controller with full prosecution”.</p>
<p>Another reason why I’d be interested to see this make it into the final Regulation <a rel="nofollow" target="_blank" href="http://blogs.ics.ie/dp/2010/08/25/john-gormley-commercial-motor-tax-and-data-protection-penalties/">can be found in this post here (in which I argue in favour of just this form of small scale fines based system)</a>.</p>
<p>(Yes folks, you read it on this blog first).</p>]]></content:encoded>
         <category>Uncategorized</category>
      </item>
      <item>
         <title>Facebook Like Button is disliked (in DP terms)</title>
         <link>http://blogs.ics.ie/dp/2011/08/26/facebook-like-button-is-disliked-in-dp-terms/</link>
         <description>Over the past few days there has been renewed focus on how Facebook (and by extension Google and Google Plus) track the browsing habits and activities of both registered and non-registered users using, in Facebook’s case, the “Like” button. Basically, whether you are registered on Facebook or not, clicking on the “Like” button on a [...]</description>
         <guid isPermaLink="false">http://blogs.ics.ie/dp/2011/08/26/facebook-like-button-is-disliked-in-dp-terms/</guid>
         <pubDate>Fri, 26 Aug 2011 08:53:57 +0000</pubDate>
         <content:encoded><![CDATA[<p>Over the past few days there has been renewed focus on how Facebook (and by extension Google and Google Plus) track the browsing habits and activities of both registered and non-registered users using, in Facebook’s case, the “Like” button.</p>
<p>Basically, whether you are registered on Facebook or not, clicking on the “Like” button on a site that has integrated Facebook’s Like Button creates a record that you have expressed a preference about that link. If you are a registered Facebook user, that is associated with your profile and forms part of the personally identifiable data Facebook holds about you. However, even if you are not registered on Facebook, your IP address is logged.</p>
<p>This data is then passed to servers outside the EU for processing and storage as part of Facebook’s database of user activity which is used as part of their media and advertising business.</p>
<p>The Data Protection Commissioner in the German province of Schleswig-Holstein has <a rel="nofollow" target="_blank" href="http://mashable.com/2011/08/19/germany-like-button/">ruled that this is illegal under EU Law</a> (specifically Directive 95/46/EC). However, under Facebook’s Privacy Policies the actual regulatory authority responsible for Facebook’s activities <strong>globally</strong> outside of the United States and Canada is the Irish Data Protection Commissioner, who has noted the German decision.</p>
<p>A complaint is to be lodged by an Austrian Privacy lobby group about Facebook to the Irish DPC, according to <a rel="nofollow" target="_blank" href="http://www.thejournal.ie/irish-data-chief-set-to-test-legality-of-facebook-like-button-209273-Aug2011/">TheJournal.ie</a>.</p>
<p>Many of the comments on the Journal.ie article are between people trying to explain how Facebook’s Like button actually works and the implications for personal privacy.</p>
<p>Perhaps this video produced by m’learned colleague Mr Hugh Jones for a competition run by the Irish Data Protection Commissioner and sponsored (ironically imho) by Google a few years ago might put things in context. The video is concerned with CCTV primarily, but switch the CCTV emphasis to tracking of what you are doing on-line and you’ll get the message.</p>
<p>(we can&#8217;t embed the video but the link is below)</p>
<p><a rel="nofollow" target="_blank" href="http://www.youtube.com/watch?v=EbHzi8RQD8A">Who&#8217;s watching You?</a></p>]]></content:encoded>
      </item>
      <item>
         <title>It’s Data and Contracts all the Way Down!</title>
         <link>http://blogs.ics.ie/dp/2011/08/09/its-data-and-contracts-all-the-way-down/</link>
         <description>The Tallaght Hospital story is a salutary tale of what can go wrong when engaging third parties to perform any service for your organisation. Left to their own devices and absent any control or governance framework that can verify that what is to be done has been done (in its entirety) and has been done [...]</description>
         <guid isPermaLink="false">http://blogs.ics.ie/dp/?p=273</guid>
         <pubDate>Tue, 09 Aug 2011 21:07:31 +0000</pubDate>
         <content:encoded><![CDATA[<p>The Tallaght Hospital story is a salutary tale of what can go wrong when engaging third parties to perform any service for your organisation. </p>
<p>Left to their own devices and absent any control or governance framework that can verify that what is to be done has been done (in its entirety) and has been done in keeping with the requisite standards under the agreement, outsourcers may deviate from task, get creative, or just get downright sloppy and careless.</p>
<p>When the outsourcing relationship consists of a chain of parties (an Irish entity, a UK entity, entities in 3rd countries) then things become even more complicated.</p>
<p>The Data Protection Acts require that Data Controllers put in place a contract in writing with Data Processors. This contract should, at a minimum, include specifications as to the security standards and protocols that should be in place. Ideally it should also grant the Data Controller a right of audit and inspection of those standards.</p>
<p>Things get really interesting when you bring multiple processors into the mix because the Data Controller continues to carry responsibility through the chain of contracts (or absence of contractual chain). </p>
<p>The Data Controller has to be able to look through the layers of contract and see the Data Processor at the end and be sure that they are acting in a manner that is consistent with the requirement of the parent agreement between them and Processor 1.</p>
<p>And if the data is moving around jurisdictions (such as out of the EEA) this becomes even more critical.</p>
<p>So. When you are engaging a chain of data processors to do things on your behalf, it is important to remember that it is <a rel="nofollow" target="_blank" href="http://en.wikipedia.org/wiki/Turtles_all_the_way_down">turtles all the way down</a>. And if not turtles then at least Processors, contracts, and data.</p>]]></content:encoded>
      </item>
      <item>
         <title>Taking control of our privacy?</title>
         <link>http://blogs.ics.ie/dp/2011/08/04/taking-control-of-our-privacy/</link>
         <description>The recent headlines in relation to phone hacking serve as a timely reminder that while a lot of privacy obligations rest with the organisations which process our data, we are individually responsible for upholding our privacy rights. In the introduction to his report into Privacy and the Media in 1990, Sir David Calcutt QC defined [...]</description>
         <guid isPermaLink="false">http://blogs.ics.ie/dp/?p=263</guid>
         <pubDate>Thu, 04 Aug 2011 13:52:44 +0000</pubDate>
         <content:encoded><![CDATA[<p>The recent headlines in relation to phone hacking serve as a timely reminder that while a lot of privacy obligations rest with the organisations which process our data, we are individually responsible for upholding our privacy rights. </p>
<p>In the introduction to his report into Privacy and the Media in 1990, Sir David Calcutt QC defined privacy as: </p>
<p><em>“&#8230;the right of the individual to be protected against intrusion into his or her personal life or affairs … by direct physical means or by publication of information</em>”.</p>
<p>In light of those recent headlines, it is clear that Calcutt’s definition was as accurate as his report was ineffective. Every day we are getting further details about the extent of this intrusion – the seemingly endless lengths to which some individuals would go in order to ‘get the story’.</p>
<p>One interesting thing about this story is the fact that we, the general public, knew it was happening as far back as 2005, when newspaper employees were imprisoned for the role they played in accessing the mobile phone messages of staff working for the British royal family. A number of further stories followed based on information gleaned from the messaging services of actors, actresses and ‘B-List’ celebrities. In fact, we did not stamp our collective foot in indignation until the news broke that these same ‘investigators’ had accessed the phone messages of a young kidnap victim, giving her distraught parents the (ultimately mistaken) hope that she was still alive.</p>
<p>Very often, we read these stories, shake our heads, and turn the page. Privacy breaches are what happen to other people, mostly those whose lives are lived in the full glare of the media – the stars, the millionaires, the ‘red carpet’ set. Which probably explains why so few of us have taken the very simple steps to prevent a similar breach of our own privacy. Because Calcutt’s definition applies to us all – we have our own lives and personal affairs, equally deserving of protection from intrusion.</p>
<p>Many people are still unaware that their mobile phones are delivered with a built-in feature which was initially designed by the mobile service providers to allow users to access their mobile phone voice messages from a different phone. Simply placing a “5” before the mobile number, e.g. for the voice-mail of 087 1234567, dial 087 5123 4567, and follow the usual prompts to listen to your messages.  For ease of access, almost all mobile phones are configured with a factory default setting of “0000”. The vast majority of mobile phone users have never changed these default settings.</p>
<p>Setting aside the exposure of journalistic deviousness, at the core of the phone hacking story is a lesson in human inertia – the physical inability to convert good intentions into simple, straightforward actions. In this case, to change the basic security setting on your mobile phone from the factory setting (“0000”) to a more secure pin number of your choice.</p>
<p>By failing to do this, anyone with your mobile number can, in principle, access your voice-mail. Not that we are encouraging people to do so, of course. That would be a breach of your privacy. </p>
<p>As the owner of the mobile phone, all you need to do is access the phone’s voice-mail (usually by dialling “171”), go to the main menu and follow the prompts to change the default pin number to a code that only you will know.</p>
<p>Consider a list of the many, many people who have your mobile number, just as you have the numbers of many others. Friends, work colleagues, business contacts, competitors, service providers. </p>
<p>Now make a list of the last 10 messages which people left on your phone – words of kindness, affection, criticism and complaint;  appointments, cancellations, sales orders, meeting times and places. Job offers, perhaps, or juicy gossip!</p>
<p>Now combine the two lists – how many of the people on List #1 would you like to have unfettered access to the messages on List #2?</p>
<p>Lastly, consider this – human nature tells us that, as they read this note, most people are wondering about two things:</p>
<p>1. Whether they have changed the default pin number on their voice-mail, and<br />
2. Whether you have changed yours.</p>
<p>By my reckoning, you have approximately 3 minutes from the time you read this sentence to change your default settings, before curiosity gets the better of them! So off you go and make those changes – you can thank me later!</p>
<p>This public service message was brought to you by the Irish Computer Society, which provides training and advice on all aspects of Privacy and Data Protection. Our public course dates are posted on our web-site at www.ics.ie, or call 087 241 6892 for details (or to leave a voice-mail!)</p>]]></content:encoded>
         <category>Privacy Rights</category>
      </item>
      <item>
         <title>Clarification from Data Protection Commissioner re voice mail</title>
         <link>http://blogs.ics.ie/dp/2011/07/18/clarification-from-data-protection-commissioner-re-voice-mail/</link>
         <description>The Data Protection Commissioner has issued a clarification of their position in relation to remote access to Voice mail and mobile phone operators… To clarify our communication to the mobile operators we suggested that the remote access feature be offered on an opt-in basis.  We did not seek removal of the service as we are [...]</description>
         <guid isPermaLink="false">http://blogs.ics.ie/dp/?p=258</guid>
         <pubDate>Mon, 18 Jul 2011 16:23:04 +0000</pubDate>
         <content:encoded><![CDATA[<p>The Data Protection Commissioner has issued a clarification of their position in relation to remote access to Voice mail and mobile phone operators&#8230;</p>
<blockquote><p>To clarify our communication to the mobile operators we suggested that the remote access feature be offered on an opt-in basis.  We did not seek removal of the service as we are aware of many reasonable uses.  The key outcome sought is that the operators, if they have not already done so, need to do something to address the security risk inherent.  Making remote access to voicemail an opt-in option seems to us to be a sensible starting point, since we believe relatively few people use it.  However, there are other solutions which we have already discussed with the mobile operators and which they are bringing to the table which will likely achieve the same objective</p></blockquote>
<p>In short, the nuclear option is off the table (at least for now), with operators being required to take actions to address the security risk.</p>
<p>This of course does not lessen the need for individuals who may in the future opt-in to have remote access to their voicemail to take precautions to ensure the security of their personal information. Relying on a default pass code is not clever. It is akin to leaving your car unlocked with valuables on the seat.</p>
<p>Ultimately, there are limits to what operators can do to reduce the risks inherent in remote access and the individual will need to take some responsibility for their own security. Otherwise who knows&#8230; in the future the DPC may need to take actions to secure your data for you by shutting down remote access.</p>]]></content:encoded>
         <category>Uncategorized</category>
      </item>
      <item>
         <title>Hanging up on Voice Mail access</title>
         <link>http://blogs.ics.ie/dp/2011/07/18/hanging-up-on-voice-mail-access/</link>
         <description>Over the weekend, the Data Protection Commissioner announced that they were considering asking mobile phone companies to suspend the ability of mobile phone subscribers to access their voicemail remotely by dialling in to it from other phones. [clarification: the DPC has issued a clarification to this which we have detailed in this subsequent post] This [...]</description>
         <guid isPermaLink="false">http://blogs.ics.ie/dp/?p=256</guid>
         <pubDate>Mon, 18 Jul 2011 10:12:38 +0000</pubDate>
         <content:encoded><![CDATA[<p>Over the weekend, the Data Protection Commissioner announced that they were <a rel="nofollow" target="_blank" href="http://www.irishtimes.com/newspaper/frontpage/2011/0716/1224300822727.html">considering asking mobile phone companies to suspend the ability of mobile phone subscribers to access their voicemail remotely</a> by dialling in to it from other phones.</p>
<p><strong>[clarification: the DPC has issued a clarification to this which we have detailed in <a rel="nofollow" target="_blank" href="http://blogs.ics.ie/dp/?p=258">this subsequent post</a>]</strong></p>
<p>This is in response to the News of the World scandals which have highlighted the risks associated with remote access to voice mail and the requirements under Regulation 4(4) of the new Electronic Privacy regulations which came into effect on the 1st of July. Regulation 4(4) requires telecommunications service providers to notify their users as to any risks to security in the network and the steps to be taken to mitigate those risks, along with details of any costs associated with those steps.</p>
<p>Given that mobile phone contracts are currently provided with voice mail systems which can be accessed remotely by dialling into a variant of the mobile phone number and keying in a default pin code, which is generic to ALL users, and given the high profile security risks highlighted by the News of the World scandal, there is a clear risk to the security of personal data (voicemail messages) in the way the system currently works.</p>
<p>However, the Commissioner&#8217;s stance may be somewhat draconian and dogmatic. In the face of a clear security risk they are asking for the service to be suspended. In the words of Gary Davis, Deputy Data Protection Commissioner:</p>
<blockquote><p>“Who does it serve to be able to access the messages left on your mobile phone?”</p></blockquote>
<p>Individuals need to take responsibility for the security of their own data and take steps to protect it, in the same way as they secure other items of value that they own like their car, their home, or their credit cards. Failure to do so will result in the facility to access voicemail being taken away from them. So,</p>
<ul>
<li>If you lose your phone you won&#8217;t be able to access your voice mails until you get a replacement phone</li>
<li>If you leave your phone at home you won&#8217;t be able to access your voice mails until you get home and get your phone.</li>
<li>If your battery dies you won&#8217;t be able to access your voice mails until you get the phone charged</li>
</ul>
<p>Having both had my phone stolen once and having left my phone behind me at home or in the office on countless occasions, and having had my phone battery die while out and about, I&#8217;ve often made use of the ability to dial in and change my outgoing message and listen to the messages that have been left to me from a payphone or a colleague&#8217;s mobile.</p>
<p>While these are conveniences, they do answer the Deputy Commissioner&#8217;s question as to who would need to access messages remotely. The real question is: when remote access is required in certain circumstances, how can that be achieved in a secure and user-friendly manner?</p>
<ol>
<li>Can operators do more to encourage and educate people on how to change their voicemail pass codes?</li>
<li>Can operators assign random pass codes to accounts rather than relying on a default?</li>
<li>Could the remote access system be made &#8220;on request&#8221;, so that if you lose your phone you can request remote access to be permitted, at which point a pin code could be generated for the individual?</li>
<li>Could remote access be switched to being a requested value added service which people would need to pay (a little) extra to have?</li>
</ol>
<p>Ultimately, the Commissioner&#8217;s response to the situation highlights the need for individuals either to take responsibility for their own personal data security in a way that suits their personal needs, or to have phone operators or the Commissioner take a &#8220;one-size-fits-all&#8221; response to identified weaknesses. This is in keeping with the balance that is at the core of Data Protection &#8211; the need to balance the rights to privacy of the individual against the interests of companies and the capability of technology.</p>]]></content:encoded>
      </item>
      <item>
         <title>Data Protection Commissioner warns on scam text messages</title>
         <link>http://blogs.ics.ie/dp/2011/07/13/data-protection-commissioner-warns-on-scam-text-messages/</link>
         <description>&amp;#8220;The Data Protection Commissioner Billy Hawkes has today warned consumers about scam text messages being sent to people asking for information. The text messages purport to be from the Data Protection Commissioner and ask members of the public to call a particular telephone number and leave their name, address and PPSN number. The commissioner said [...]</description>
         <guid isPermaLink="false">http://blogs.ics.ie/dp/?p=247</guid>
         <pubDate>Wed, 13 Jul 2011 11:32:32 +0000</pubDate>
         <content:encoded><![CDATA[<p><i>&#8220;The Data Protection Commissioner Billy Hawkes has today warned consumers about scam text messages being sent to people asking for information. The text messages purport to be from the Data Protection Commissioner and ask members of the public to call a particular telephone number and leave their name, address and PPSN number.</i></p>
<p><i>The commissioner said his office never contacts members of the public by SMS about data security breaches and does not require or collect (Personal Public Service Number) PPSN numbers.</i></p>
<p><i>Anyone receiving the scam text message is advised not to call the number provided but to report the incident instead to the Data Protection Commissioner on 057 868 4800.&#8221; (The Irish Times, 12 July, 2011)</i></p>
<p>There is something curiously coincidental about the above news article, appearing as it did in the week following the publication of new legislation in relation to direct marketing and electronic communications. The fraudsters must have had their tongues firmly in cheek when they decided to use the Commissioner’s name and office as the vehicle for their scam.</p>
<p>As a colleague pointed out, they should perhaps have given this more thought – the office of the Commissioner is uniquely placed to call on individuals with the forensic IT skills to track the perpetrators back to the proverbial back bedroom in which the project was hatched. Please watch this space for progress reports.</p>
<p>In the meantime, never, ever give out your PIN, PPSN or any personal data without first checking that the requestor is both authorised and permitted to do so. Very few organisations seek or require this data. </p>
<p>The new legislation has been a couple of years in the pipeline, and finally puts some structure and formality around practices and guidelines which had been in circulation in the marketing, promotional and direct mailing industries in recent times.</p>
<p>The changes set clear requirements on how such organisations should use electronic communications technology to engage with clients and conduct marketing campaigns, while protecting the rights and preferences of members of the public. As Mr. Hawkes said at the launch event, &#8220;Individuals must be able to enjoy the benefits of new technology, while at the same time remaining in control of their privacy&#8221;. </p>
<p>It covers how organisations should provide timely notification to individuals prior to including them in marketing campaigns, whether those campaigns are conducted via e-mail, SMS, fax, phone-call or through the use of on-line ‘cookies’. Members of the public are entitled to expect that they will not be included in such campaigns unless they have ‘opted in’, or at least that they have a pre-existing relationship with the sales or marketing organisation.</p>
<p>And there is a welcome obligation regarding data retention – on our regular Data Protection training courses at the ICS, I am often asked, “How long can we keep contact lists?”. The recent changes say that marketing data and distribution lists on clients, or potential clients, as long as it has been legitimately acquired, should be used within 12 months at most, and each correspondence should offer the recipient the option to ‘opt out’ of further campaigns.</p>
<p>Data not used or updated within a 12-month period should be deleted, on the basis that it is no longer current, and the original ‘opt in’ or client interest in the product or service can no longer be assumed.</p>
<p>The Irish Computer Society has a mandate to raise awareness and provide training in relation to IT-related disciplines, and offers regular, public courses on Data Protection and Privacy legislation. Check our web-site at www.ICS.ie, or contact Hugh Jones at +353 87 241 6892 for upcoming course dates.</p>]]></content:encoded>
         <category>Scams</category>
      </item>
      <item>
         <title>New Rules, Old Principles</title>
         <link>http://blogs.ics.ie/dp/2011/07/11/new-rules-old-principles/</link>
         <description>So, the revised e-Privacy Directive has been given legal effect as of 1st July (only a little over a month late). The Data Protection Commissioner has issued revised guidance on the processing of personal data in the context of electronic communications. Some of what is contained in this legislation is new. However, even the new [...]</description>
         <guid isPermaLink="false">http://blogs.ics.ie/dp/?p=245</guid>
         <pubDate>Mon, 11 Jul 2011 16:56:46 +0000</pubDate>
         <content:encoded><![CDATA[<p>So, the revised e-Privacy Directive has been given legal effect as of 1st July (only a little over a month late). The Data Protection Commissioner has issued revised guidance on the processing of personal data in the context of electronic communications. Some of what is contained in this legislation is new. However, even the new stuff is merely an incremental evolution of the underlying principles of Data Protection to address the privacy concerns presented by new technologies, the maturing of existing technologies, and the emergence of new ways of processing personal data.</p>
<p>The key to ensuring compliance with these revised rules is to ensure that you have a solid <a rel="nofollow" target="_blank" href="http://www.ics.ie/index.php/component/option,com_eventbooking/Itemid,172/layout,table/view,category/">understanding of the underlying principles of Data Protection</a> and the role of information in your organisation (its meaning and purpose) so that you can better understand how the actions of your staff and the systems you use to interact with your customers might affect your ability to work within the regulations.</p>
<p>An earlier post discussed the likely impact on Cookies from the regulations. In short, you need to understand when, where, how, and why your websites and mobile device apps are writing data to your customers&#8217; &#8220;subscriber equipment&#8221; [aka the device that is at the end of the telecommunications service connection, be that a physical phone line, wifi, 3G, GPRS, HSDPA etc.]. Once you know that information you can figure out what data storage requires consent and what data storage is essential to the delivery of the information age service.</p>
<p>Another interesting and subtle change is that the Commissioner has removed the &#8216;grey area&#8217; around collecting email addresses in business networking or similar activities. Before there was an assumption of &#8220;one bite free&#8221; where you could contact people once but give them the option to opt out of future contact. This is now very categorically an opt-in thing <strong>where you are sending emails to an identifiable natural person, particularly where that person is not party to a customer relationship.</strong></p>
<p>You can still avail of the &#8220;free bite of the apple&#8221; when dealing with non-individually identifiable business entities, and with individuals in organisations <em>who might reasonably be interested in the product, service, or subject matter of the message</em>.</p>
<p>A worked example might help explain this better.</p>
<ul>
<li>Frank is a salesman for BloggoTech. At a trade fair he meets Jerry, who is a purchasing manager from ClientCo, with whom BloggoTech have an existing relationship.</li>
<li>Frank also meets Mary, a marketing manager from ProspectCo. Neither Mary nor ProspectCo are clients of BloggoTech.</li>
<li>Jerry gives Frank an email address to contact him at: Jerry.Client@ClientCo.ie</li>
<li>Frank also has ClientCo&#8217;s general contact email address: info@clientco.ie</li>
<li>Mary gives Frank her business card with email, phone, SMS etc.</li>
<li>The business card also has &#8220;info@prospectco.com&#8221; as a general contact email address.</li>
</ul>
<p>Frank can contact Jerry by any contact point he has for him (subject to Jerry making his preferences known) because ClientCo are an existing client who have purchased within the last 12 months. As soon as Jerry asks Frank to stop contacting him, by whatever contact mechanisms or for whatever purposes, Frank must do so.</p>
<p>Mary, however, poses a problem in light of the revised guidance. If Frank has not gotten her permission to do a follow up contact with her then the only email address he can use is the &#8220;info@prospectco.com&#8221; email, unless he is communicating with Mary about something that he knows will be of interest to her. Of course, he has the option of sending a fax for her attention (which the company can opt out of), or posting her materials by snail mail (which she can opt out of).</p>
<p>This relates to the fundamental principle that personal data must be obtained fairly, for a specified and lawful purpose.</p>
<p>Many people might protest that requiring people at conferences to get consent before doing a follow up contact is unduly burdensome, but it is actually quite simple. When handing over your business cards, simply ask &#8220;Is it OK if I drop you an email later in the week with some information about [insert subject matter here] and a link to our newsletter sign up?&#8221;. This simple conversation point clarifies that you will be contacting the person, and clarifies the context in which you will be communicating with them.</p>
<p>There&#8230; consent obtained.</p>
<p>The real challenge is presented to event organisers who might share lists of delegates at an event with other attendees. Care must be taken to remove any means of electronic contact. But most large data management events I attend provide heavily redacted delegate lists that identify the person and the company, and perhaps their country, but not enough that you could contact them directly from it. So, event organisers <strong>need to start thinking about contact information as valuable data which should not be shared</strong>.</p>
<p>I&#8217;ve had experience with a business networking event sharing my details willy-nilly in an attachment sent to the other 100+ people who had registered for the event (which would be a notifiable disclosure under the Data Breach Code of Practice). The problem could have been prevented by simply having an opt-in box telling me that my details could be shared if I wanted them to be.</p>
<p>In short&#8230; designing privacy into the process, not inspecting breaches out.</p>
<p>Companies exhibiting at events need to up their game away from the &#8220;business card fishbowl&#8221; with a spurious raffle to collate contact details. Again, a little thought can help design a safer and more compliant process (a tick box for consent to further contact for purposes not related to the raffle for example, or clarification that anyone entering the raffle will receive one marketing email). After all, if the guidance from the DPC is that the communication needs to be relevant to the interests of the Data Subject, I might only want to receive communications from the company about the iPad I&#8217;ve won.</p>
<p>The new rules are built on old principles. If you understand the principles and take them to heart you can begin to develop strategies for using the new rules to your advantage.</p>]]></content:encoded>
      </item>
      <item>
         <title>Retention of Data – Strengthening the Hand of Law Enforcement?</title>
         <link>http://blogs.ics.ie/itlaw/2011/04/14/retention-of-data-%e2%80%93-strengthening-the-hand-of-law-enforcement/</link>
         <description>The Communications (Retention of Data) Act 2011 (the “Act”) , came into effect on 26 January 2011. The Act implements Directive 2006/24/EC on the retention of data generated or processed by or in connection with the provision of publicly available electronic communications services or of public communications networks and repeals Part 7 of the Criminal [...]</description>
         <guid isPermaLink="false">http://blogs.ics.ie/itlaw/?p=173</guid>
         <pubDate>Thu, 14 Apr 2011 11:00:48 +0000</pubDate>
         <content:encoded><![CDATA[<p>The Communications (Retention of Data) Act 2011 (the “Act”) came into effect on 26 January 2011. The Act implements Directive 2006/24/EC on the retention of data generated or processed by or in connection with the provision of publicly available electronic communications services or of public communications networks and repeals Part 7 of the Criminal Justice (Terrorist Offences) Act 2005 (the “CJA 2005”), Ireland’s pre-existing data retention legislation.</p>
<p>The text of the Act has not yet been published; however, this note proceeds on the assumption that no material changes from the Act as amended in the Select Committee on Justice, Equality, Defence and Women&#8217;s Rights in Dáil Éireann have subsequently been made.</p>
<h2>What does the Act do?</h2>
<p>The Act requires “service providers” (persons engaged in the provision of a publicly available electronic communications service or a public communications network by means of a fixed line, mobile telephones or the Internet) to retain specified data for specified periods (as set out below) and to make it available to the Irish police, Irish army and Irish taxation authorities in specified circumstances, by way of a “disclosure request”.</p>
<p>The period of retention for data and the retention requirements will depend on the type of data:</p>
<h2>Data Type: Fixed network telephony and mobile telephony data.</h2>
<p><strong>Period of Retention: </strong>2 years from the date on which the data was first processed (reduced from 3 years under the CJA 2005)<br />
<strong> Retention Requirements:</strong> Data to be retained includes data necessary:</p>
<ol>
<li>to trace and identify the source of a communication (calling telephone number, name and address of subscriber or registered user);</li>
<li>to identify the destination of a communication (number dialled, name and address of subscriber or registered user);</li>
<li>to identify the date and time of the start and end of a communication;</li>
<li>to identify the type of communication (telephone service used);</li>
<li>to identify the equipment used (calling and called telephone number, the International Mobile Subscriber Identifier (“IMSI”) and the International Mobile Equipment Identity (“IMEI”) of called and calling parties, and date and time of the initial activation of a pre-paid anonymous service and cell ID from which it was activated); and</li>
<li>to identify the location of mobile communication equipment (cell ID at the start of the communication and data identifying the location of cells by reference to their cell ID during the period in which the communication is retained).</li>
</ol>
<h2>Data Type: Internet access, internet email and internet telephony data.</h2>
<p><strong>Period of Retention:</strong> 1 year from the date on which the data was first processed<br />
<strong> Retention Requirements:</strong> Data to be retained includes data necessary:</p>
<ol>
<li>to trace and identify the source of a communication (user ID, telephone number, name and address of the subscriber or registered user to whom an Internet Protocol (“IP”) address, user ID or telephone number was allocated);</li>
<li>to identify the destination of a communication (user ID or telephone number of recipient of an Internet telephony call as well as the name and address of the recipient of a communication);</li>
<li>to identify the date, time and duration of the communication (date and time of the log-in and log-off of the Internet access service, together with the IP address and user ID of the subscriber or registered user as well as the date and time of the log-in and log-off of the e-mail service or Internet telephony service);</li>
<li>to identify the type of communication (the Internet service used); and</li>
<li>to identify the equipment used (the telephone number for dial-up access and the digital subscriber line (“DSL”) or other end point of the originator of the communication).</li>
</ol>
<p>The Act does not apply to the content of communications transmitted by means of fixed network telephony, mobile telephony, internet access, internet e-mail or internet telephony.</p>
<h2>Main Provisions of the Act</h2>
<p>The Act has provisions dealing with the following:</p>
<ul>
<li>the obligation to retain data;</li>
<li>security measures to be applied to the data;</li>
<li>access to the data – disclosure requests by the Irish police, army and taxation authorities;</li>
<li>reports and statistics to be prepared by members of the Irish police, army and taxation authorities;</li>
<li>the complaints procedure; and</li>
<li>review of the Act by a High Court judge and the duties of the judge.</li>
</ul>
<h2>Conclusion</h2>
<p>The Act brings Irish law into line with EU directives on the matter and seeks to strengthen the digital hand of law enforcement agencies with respect to crime, whilst also more clearly delineating the circumstances in which a disclosure may occur.</p>]]></content:encoded>
      </item>
      <item>
         <title>Refusal to perform may repudiate the contract: De Beers UK v. Atos Origin</title>
         <link>http://blogs.ics.ie/itlaw/2011/01/21/refusal-to-perform-may-repudiate-the-contract-de-beers-uk-v-atos-origin/</link>
         <description>The London Technology &amp;#038; Construction Court (a division of the English High Court) issued judgment on 16 December 2010 in a dispute between De Beers UK Limited (“De Beers”) and Atos Origin IT Services UK Limited (“Atos”). The dispute centred around issues of repudiation of contract, when one party to the contract, following a dispute, [...]</description>
         <guid isPermaLink="false">http://blogs.ics.ie/itlaw/?p=159</guid>
         <pubDate>Fri, 21 Jan 2011 12:25:28 +0000</pubDate>
         <content:encoded><![CDATA[<p>The London Technology &#038; Construction Court (a division of the English High Court) issued judgment on 16 December 2010 in a dispute between De Beers UK Limited (“De Beers”) and Atos Origin IT Services UK Limited (“Atos”). The dispute centred around issues of repudiation of contract, when one party to the contract, following a dispute, ceases work on the subject matter of the contract. While the decision does not change the laws of Ireland and is not binding on Irish courts, it would be of persuasive effect before an Irish Court.</p>
<h2>The Background</h2>
<p>De Beers entered into an agreement with the Government of Botswana, to move certain operations to Botswana. This required the development of software support systems. De Beers did not have a common software system across various countries it operated in, nor a common system across various departments and De Beers decided to take the opportunity to develop a global software system for supply chain management.</p>
<p>An initial, short-term contract (the &#8220;IAP&#8221;) was entered into with Atos, to allow Atos to analyse the business requirements of De Beers, so that Atos would be better placed to enter into a fixed-price contract for the project. Once the IAP completed, the final contract was entered into in November 2007. </p>
<p>However, delays in completion of the project ensued. Delays were identified as early as November 2007 and Judge Edwards-Stuart found that the reasons for the delays were attributable to both parties. By April 2008 it was necessary to agree a revised timetable and this was done. However, in the meantime, Atos issued an invoice (the &#8220;Milestone Payment&#8221;), which De Beers refused to pay due to dissatisfaction with delays and the quality of the work being performed by Atos. </p>
<p>Atos, on the other hand, claimed that the progress of their work had been delayed by a lack of co-operation from De Beers staff and increases and changes in the scope of the work to be performed. Atos presented De Beers with an ultimatum &#8211; either De Beers renegotiate the contract by the end of May 2008 or Atos would suspend all work. De Beers would not agree to this and Atos suspended all work. Both parties claimed that the other had repudiated the contract and claimed damages. </p>
<h2>The Central Issue</h2>
<p>The central issue was determined by Judge Edwards-Stuart to be whether either party had repudiated the contract, which gave rise to issues of causation and quantum of damages.</p>
<p>Having examined the case-law on repudiation of contracts, the Judge examined whether any of Atos&#8217; four grounds that De Beers had repudiated the contract could be sustained: </p>
<ul>
<li>A list of minor breaches by De Beers of terms of the contract (such as a delay in providing technical documentation, amounting to £23,000) but the Judge felt that none of these (nor all of them cumulatively) were of sufficient seriousness to constitute repudiation of the contract;</li>
<li>De Beers refused to make the Milestone Payment &#8211; whilst this was a breach of contract, it was considered not to be a repudiatory breach as this was capable of being easily remedied through payment;</li>
<li>De Beers made it clear that they would not entertain Atos&#8217; contractual right to time extensions or increased payments and the Change Control Procedures contained in the contract &#8211; it was noted that a time extension was granted in the plan agreed in April 2008 and this implied an acceptance of the terms of the contract by De Beers, rather than a repudiation; and</li>
<li>On the day on which Atos&#8217; threat to cease work was to be carried out, a De Beers staff member reclaimed security passes from the Atos staff members &#8211; on the facts of the case this did not amount to repudiation as it was merely a security measure and reflected the inevitable outcome at that stage in the dispute.</li>
</ul>
<p>On the other hand, the Judge sustained De Beers&#8217; claim that Atos had repudiated the contract through their conduct in the termination and re-negotiation dispute. Atos had offered to complete the contract on different terms, rather than the terms originally agreed. In addition, the offer was subject to De Beers&#8217; agreement to waive any claim that it might have against Atos in relation to Atos&#8217; delivery to date. The Judge pointed out that this was something upon which Atos had no contractual right to insist. Significantly it was noted that &#8220;There is a very significant difference between being willing to complete a project and being willing to fulfil a contract. Atos may have been genuinely prepared to do the former, on its own terms but that was itself inconsistent with a willingness to do the latter&#8221;.</p>
<p>Damages were calculated by the Judge on the basis that, due to an issue which De Beers deemed confidential and refused to disclose, the Judge was not convinced that the software would ever have been used by De Beers. This substantially reduced the claim by De Beers. The Judge then calculated the sums which De Beers would have had to pay Atos, had the contract been performed in full, including the withheld payment, and Atos&#8217; accrued and future claims on termination. The net claim by De Beers was then calculated at approximately £1.4 million, from an original claim of £8.68 million. </p>
<p>In conclusion, the decision in this case does not create any new legal precedents with respect to repudiation of contract. However, the decision is quite useful as practical guidance for parties engaged in a contractual relationship, for whom the contract is not progressing on a satisfactory basis. </p>
<h2>Some Lessons to Learn</h2>
<p>The lessons to be extracted include:</p>
<ul>
<li>It is not advisable for a supplier to suddenly &#8216;down tools&#8217; regardless of any difficult relationship with their customer. This may be considered to be repudiation of the contract;</li>
<li>Be aware of the reputational damage which might arise out of litigation. During the trial, an internal Atos memo prepared by David Cunningham, a senior Technical Architect in Atos, revealed that <em>&#8220;In short, what is missing is systems analysis. This seems to be something of a lost art (within Atos Origin at any rate), and I am at a loss to understand why. To build a system of this size and complexity it is an essential activity&#8221;</em>; and</li>
<li>Activities and decisions, taken on a commercial basis, may have profound implications for assessing repudiation of contract, as well as damages.</li>
</ul>]]></content:encoded>
      </item>
      <item>
         <title>Internet Service Provider wins copyright infringement case brought by the recording industries</title>
         <link>http://blogs.ics.ie/itlaw/2010/11/22/internet-service-provider-wins-copyright-infringement-case-brought-by-the-recording-industries/</link>
         <description>In long running litigation brought by the recording industry the Irish High Court declined to grant an injunction requiring UPC, an internet service provider, to put in place measures to prevent the illegal filesharing of sound recordings by its subscribers. Matheson Ormsby Prentice (Alistair Payne and Gerard Kelly) represented UPC in EMI Records (Ireland) Ltd [...]</description>
         <guid isPermaLink="false">http://blogs.ics.ie/itlaw/?p=148</guid>
         <pubDate>Mon, 22 Nov 2010 16:14:11 +0000</pubDate>
         <content:encoded><![CDATA[<p>In long running litigation brought by the recording industry the Irish High Court declined to grant an injunction requiring UPC, an internet service provider, to put in place measures to prevent the illegal filesharing of sound recordings by its subscribers. Matheson Ormsby Prentice (Alistair Payne and Gerard Kelly) represented UPC in EMI Records (Ireland) Ltd and others v UPC Communications Ireland Limited.</p>
<p>In summary, the Court found that:</p>
<ul>
<li>UPC&#8217;s facilities were being used by subscribers to infringe copyright;</li>
<li>UPC is however a &#8220;mere conduit&#8221; within the meaning of the E-Commerce Directive (2000/31/EC) but that did not prevent the possibility of injunctive relief being granted against it in appropriate circumstances;</li>
<li>the relevant Irish provision, Section 40 (4) of the Irish Copyright and Related Rights Act 2000 (&#8220;the Act&#8221;), is limited by its terms to &#8220;removal&#8221; of material and does not enable the Court to grant an order requiring an ISP to implement a graduated response system removing infringers from the Internet;</li>
<li>the filtering and blocking solutions proposed by the record companies, which intercepted illegal filesharing transmissions and sent warnings or diverted the subscriber to legal download sites, also did not amount to &#8220;removal&#8221; of material within the terms of Section 40(4) of the Act;</li>
<li>the European Copyright in the Information Society Directive (2001/29/EC), which provides that Member States must provide rightsholders with the ability to apply for injunctions against intermediaries, does not require any reconstruction of the limited but unambiguous language of Section 40(4) of the Act; and</li>
<li>accordingly there was no power for the Court to order injunctive relief either requiring ISPs to (i) implement measures to prevent illegal filesharing; or (ii) block subscriber access to a particular website.</li>
</ul>
<p>The record companies brought the action in June 2009 seeking an injunction against the Irish ISP, UPC, requiring it to stop the copyright infringement of its subscribers and for UPC to block the well known website, The Pirate Bay. During the 5 week trial, evidence was given on various technical solutions, such as filtering and blocking and a three strike or graduated response system, which the record companies suggested could be implemented by UPC to prevent illegal filesharing on its network.</p>
<p>Such a three strikes policy, for example, is the subject of legislation in a number of countries, including the HADOPI law in France, but no such legislation exists in Ireland at present. Instead, the record companies took the case under Section 40(4) of the Copyright and Related Rights Act 2000, which provides as follows:</p>
<blockquote><p>&#8220;(4) Without prejudice to subsection (3), where a person who provides facilities referred to in that subsection is notified by the owner of the copyright in the work concerned that those facilities are being used to infringe the copyright in that work and that person fails to remove that infringing material as soon as practicable thereafter that person shall also be liable for the infringement.&#8221;
</p></blockquote>
<p>Subsection (3) of the Act provides that the mere provision of facilities for enabling the making available of copies of a work shall not be considered itself the act of making available for copyright infringement purposes.</p>
<p>Mr Justice Charleton, sitting in the Commercial Court division of the High Court, accepted the record companies&#8217; evidence that UPC&#8217;s customers are using its broadband facilities to steal copyright material and that such activity is devastating the business of the music industry. However he found that the section of the Act relied on did not provide a basis for the injunctive relief sought. </p>
<p>Charleton J. noted the legislative developments in other countries such as the UK, France, Belgium and the United States. These developments reinforced to the Court that the reliefs sought by the record companies, namely the power to block or disable access to Internet sites, to interrupt and divert a transmission and to cut off Internet access in controlled circumstances, were not covered by Section 40(4) of the Act.</p>
<p>The judge was conscious of the doctrine of separation of powers and noted that for the Court to grant an injunction on the basis not of law, but of economic abuse or moral turpitude, would lead the Court beyond its powers into the legislative arena. Ireland therefore requires a legislative solution to deal with the issue of illegal filesharing.</p>]]></content:encoded>
      </item>
      <item>
         <title>The BSkyB v EDS decision: what does it mean for Irish IT and outsourcing projects?</title>
         <link>http://blogs.ics.ie/itlaw/2010/05/10/the-bskyb-v-eds-decision-what-does-it-mean-for-irish-it-and-outsourcing-projects/</link>
         <description>On 27th January 2010, the English High Court delivered its judgment in one of the costliest, longest running and most notable IT disputes in recent years. Significant IT disputes have been few and far between in Ireland, largely explained by cost and reputational concerns. Mark Rasdale of the Matheson Ormsby Prentice Information Technology Law Group [...]</description>
         <guid isPermaLink="false">http://blogs.ics.ie/itlaw/?p=103</guid>
         <pubDate>Mon, 10 May 2010 15:12:16 +0000</pubDate>
         <content:encoded><![CDATA[<p>On 27th January 2010, the English High Court delivered its judgment in one of the costliest, longest running and most notable IT disputes in recent years. Significant IT disputes have been few and far between in Ireland, largely explained by cost and reputational concerns. Mark Rasdale of the <a rel="nofollow" title="Matheson Ormsby Prentice Information Technology Law Group" target="_blank" href="http://www.mop.ie/what-we-do/Information-Technology.htm">Matheson Ormsby Prentice Information Technology Law Group</a> reviews this decision and identifies a number of lessons that can be learnt. If an IT supplier or customer found itself before the Irish commercial court in similar circumstances, the decision is likely to have a persuasive effect on the Irish court.</p>
<h2>The Background</h2>
<p>In 2000, BSkyB went to tender in relation to a multimillion pound “Customer Relationship Management” system to support a number of its UK call centres. BSkyB hoped to cut costs and improve service by rolling out this new system.</p>
<p>EDS (now HP Enterprise Services) was successful in the bid. Delivery commenced in July 2000 under what was known as the ‘Prime Contract’.<br />
The project was ultimately unsuccessful. In particular, the time-critical delivery points were not met and the fixed budget was exceeded. The anticipated budget was £47.6 million, of which approximately £7 million comprised profit. The original implementation date was 1 March 2002. BSkyB claimed that the work wasn’t completed until four years later and that the cost was some five times the original budget. Notably, BSkyB claimed damages of some £709 million. BSkyB has been awarded in excess of £200 million. Hewlett Packard is reportedly planning to appeal the decision.</p>
<h2>The Case</h2>
<p>In general terms, the core of the BSkyB case was:</p>
<ol>
<li>EDS made various misrepresentations in relation to resources, time, costs, technology and methodology which were either fraudulent or negligent;</li>
<li>To the extent that EDS was fraudulent, it should not be entitled to rely on the £30 million cap on liability under the contract. It is generally not possible to limit liability for fraud hence the high level of damages claimed;</li>
<li>EDS breached the Prime Contract because it failed to deliver, to properly resource the project and to exercise reasonable skill and care or conform to Good Industry Practice.</li>
</ol>
<p>While BSkyB was not successful in relation to a number of its specific claims under the above general headings, it was substantively successful. In particular, the Court found that EDS was liable for fraud in relation to some of the representations it made leading up to being awarded the Prime Contract. If EDS had not made those representations, BSkyB would not have continued with EDS as a supplier.</p>
<h2>Some Lessons to Learn</h2>
<h3>De-Risk Communications With Customers</h3>
<p>It is essential that engagement with customers, particularly in critical negotiations or in troubled projects, is conducted in a controlled and substantiated manner. There is an interesting and well-reported passage in the judgment regarding the credibility of one of the EDS key witnesses. It was submitted in evidence that at &#8216;The 12 October Meeting&#8217; a revised project plan was produced to the customer and the managing director of the EDS CRM business was reported to have said to the customer “This is the plan, you can either agree with it or we will take you out into the car park and…”. While there was much dispute about this evidence, the point to note is that chance remarks and comments made in the heat of the moment, under pressure to win or save deals, or in a seemingly joking or informal manner, can ultimately be given a very public hearing and analysis in court where there is a dispute.</p>
<p>It is possible that a corporation can be liable for the fraud of its employees. One of the key witnesses here was found to have been dishonest during the pre-contract sales process. It was confirmed by the court that it is the “directing mind and will” of the corporation that must be considered when determining whether the corporation has knowledge of the fraud. All personnel involved in the bidding, sales and negotiation process should be properly vetted and should be properly and regularly trained in relation to mitigation and managing risk.</p>
<h3>The Importance of a True Representation</h3>
<p>Customers like to be assured. Assurances can help win deals. Here much of the judgment focussed on the nature of the representations made by EDS. In legal terms, misrepresentations can be made innocently, negligently or, in the worst case, fraudulently.</p>
<p>Where a supplier is giving assurances to a customer, it is essential that they can be substantiated by a proper process.  The judge in this case specifically commented on the fact that there was surprisingly little documentation relating to the process by which EDS prepared its response to the BSkyB tender.</p>
<h3>Track Bid Activity, Stress Test Bid Statements</h3>
<p>A few practical tips on de-risking bids can be taken from the judgment:</p>
<ol>
<li>avoid making definitive statements in correspondence to customers regarding commitment to timelines and resourcing requirements without having first carried out a proper exercise to identify available resource and actual cost;</li>
<li>do not make unqualified commitments to provide appropriately experienced resource where that is contingent on a recruitment drive in the open market to bring in the relevant skill sets. Evidence was submitted to the court in the form of email from EDS management stating that there would be a serious resourcing shortage (this was during the “dot com boom”) if the company was successful in the BSkyB bid. While the court found that EDS had reasonable grounds for believing it could resource the project with appropriately qualified and experienced personnel, and so there was no misrepresentation on the issue, it is a notable point because there will always be a natural tension, particularly in the current market, between the need to maintain recruitment freezes and operate on reduced resources but to aggressively go out to win business;</li>
<li>have a good paper trail documenting all behind the scenes bid activity to demonstrate that representations being made to customers are being supported by demonstrable activity on the ground;</li>
<li>have a centralised document control process for drafting and approving critical bid and contractual documentation;</li>
<li>when assessing the amount of elapsed time required to meet a delivery date, do not rely on a &#8216;feel from experience&#8217; as to what is achievable. Always follow up with a demonstrable planning, sequencing and resourcing exercise;</li>
<li>ensure that risk registers and issues arising from review checkpoints during the bid process are actually addressed.</li>
</ol>]]></content:encoded>
      </item>
      <item>
         <title>Data protection security breaches in Ireland: are we reaching a turning point?</title>
         <link>http://blogs.ics.ie/itlaw/2010/03/08/data-protection-security-breaches-in-ireland-%e2%80%93-are-we-reaching-a-turning-point/</link>
         <description>In the last two years there have been a number of high profile data protection security breaches in the UK, culminating most recently with the loss by HM Revenue and Customs of computer discs containing data relating to 25 million child benefit recipients. Since the start of 2008 there is increasing evidence that security breaches [...]</description>
         <guid isPermaLink="false">http://blogs.ics.ie/itlaw/?p=74</guid>
         <pubDate>Mon, 08 Mar 2010 10:39:35 +0000</pubDate>
         <content:encoded><![CDATA[<p>In the last two years there have been a number of high profile data protection security breaches in the UK, culminating most recently with the loss by HM Revenue and Customs of computer discs containing data relating to 25 million child benefit recipients. Since the start of 2008 there is increasing evidence that security breaches are becoming more of an issue in Ireland with the revelation on 20 February that a laptop containing personal data relating to more than 170,000 Irish blood donors was stolen from an employee of a US company that was carrying out software development work for the Irish Blood Transfusion Service.  In this month&#8217;s Legal e-Bulletin Don McAleese of the <a rel="nofollow" title="Matheson Ormsby Prentice Information Technology Law Group" target="_blank" href="http://www.mop.ie/what-we-do/Information-Technology.htm">Matheson Ormsby Prentice Information Technology Law Group</a> looks at the legal implications of security breaches. In next month&#8217;s legal e-bulletin he will look at steps that organisations can take to ensure greater compliance.</p>
<h2>Security breaches – the International experience</h2>
<p>The US was the first jurisdiction to legislate specifically for security breaches. This was in direct response to a number of high profile incidents involving household name American companies where customer data was either lost, stolen or compromised as a result of defects in their security procedures. California was the first State to introduce so-called &#8220;Security Breach Notification&#8221; legislation. This legislation required any company conducting business in California which maintained computerised data about Californian residents to notify those residents if their unencrypted personal information was acquired by unauthorised persons. 38 further States and the District of Columbia followed California&#8217;s lead and introduced their own security breach notification legislation. More recently, the State Senate in California has passed measures that will require more extensive notification to consumers of any data breaches, establish a central reporting centre for breaches and permit local prosecution of identity theft.</p>
<p>In the UK, pressure for security breach notification type legislation has started to build following a number of high profile security breaches. In February 2007 the Nationwide Building Society was fined Stg£980,000 by the Financial Services Authority following the theft in August 2006 of a laptop from the home of a Nationwide Building Society employee. In December 2007 the Financial Services Authority imposed a fine of Stg£1.26 million on Norwich Union Life arising from weaknesses in their systems and controls which allowed fraudsters to use publicly available data, such as names, addresses and dates of birth to impersonate Norwich Union customers and obtain sensitive details from its call centres. Falsified written surrender requests were submitted and in 74 cases funds totalling approx Stg£3.3 million were paid out to accounts controlled by the fraudsters. Attempts were made to obtain fraudulent surrenders in a further 558 cases. Confidential customer information relating to the policies was released in almost all of the 632 cases, and in some cases this included the customer&#8217;s full bank account details.</p>
<p>Under the UK Financial Services and Markets Act 2000 the reduction of financial crime is a regulatory objective for the Financial Services Authority. The Financial Services Authority&#8217;s Principles for Business constitute requirements that are imposed on entities that are regulated by that Act. Principle 3 obliges regulated firms to have &#8220;adequate risk management systems&#8221;.</p>
<p>In October 2007 in what has been the biggest loss of personal data in the UK to date, HM Revenue and Customs disclosed that computer discs containing details of 25 million child benefit recipients which had been sent to the National Audit Office had gone missing. The Chairman of HM Revenue and Customs resigned; Chancellor Alistair Darling had to make a Commons Statement; Prime Minister Gordon Brown issued a public apology, and Kieran Poynter, Chair of PriceWaterhouseCoopers was appointed to conduct an independent investigation.</p>
<p>The UK equivalent of the Irish Data Protection Commissioner, the Information Commissioner, stated that this incident and its aftermath marked a turning point for data protection in the UK. The UK Government have indicated their commitment to strengthening the powers of the Information Commissioner by enabling him to carry out inspections of organisations which collect and use personal information and to put in place new sanctions for the most serious breaches of the data protection principles.</p>
<h2>Security breaches – the Irish experience</h2>
<p>Up until this year there has been relatively little reported coverage of any significant Irish data security breaches. The Data Protection Commissioner&#8217;s Annual Report for 2004 did include details of a security breach incident involving the Midland Health Board in which client data had been inadvertently disclosed to a research body.</p>
<p>In February of this year, media reports picked up on responses given to two Fine Gael parliamentary questions directed at all Government departments, which indicated that in the recent past, up to 80 laptops held in various Government departments had gone missing.</p>
<p>Then on 20 February, it was reported that a laptop containing personal data relating to more than 170,000 Irish blood donors was stolen from an employee of a US company (the New York Blood Centre (NYBC)) that was carrying out some software upgrade work for the Irish Blood Transfusion Service (IBTS). The data was in New York because the IBTS was upgrading the software that it used to analyse its data, and it had engaged the services of NYBC, a public service blood bank, under a data protection and transfer agreement to do this.</p>
<p>Under the terms of the agreement, the IBTS exported on an encrypted CD a selection of log files generated from transactions on its computer system to commence the building of the software application. The CD was encrypted with a 256-bit encryption key. The records were transferred to a laptop and re-encrypted with an AES 256-bit encryption key.</p>
<p>This incident is likely to give rise to calls for a review and possibly an audit by the Irish Data Protection Commissioner into the security procedures and measures in place in State agencies and Government bodies.</p>
<h2>Security breaches – the Irish legal position</h2>
<p>The relevant legislation in Ireland is the Data Protection Act 1988 as amended by the Data Protection (Amendment) Act 2003. This imposes a number of relevant obligations:</p>
<ul>
<li>data controllers (entities that either alone or with others control the contents and use of personal data) and data processors (entities that process personal data on behalf of data controllers; this would cover activities such as payroll processing, but could also include entities carrying out software development or upgrade work where the software program processes personal data) are required to implement &#8220;appropriate security measures&#8221; against unauthorised access, alteration, disclosure or destruction of data, particularly where data is being transmitted over a network;</li>
<li>data controllers must comply with certain other &#8220;data protection principles&#8221; including that any personal data obtained and processed by them is done so &#8220;fairly&#8221; and that such data is not further processed in a manner which is incompatible with the specified and legitimate purposes for which it has been obtained;</li>
<li>where data controllers engage data processors to process data on their behalf, they must do so pursuant to a legal contract that as a minimum, imposes equivalent security obligations on the data processor and requires that the data processor carries out such processing only on and subject to the instructions of the data controller;</li>
<li>data controllers may not transfer personal data from Ireland to countries outside the EEA that do not ensure adequate levels of data protection (such as the US), unless such transfers come within one of the limited number of grounds set out in the legislation. One such ground is where the transfer is done pursuant to contractual terms that have been specifically approved by the EU for data transfers.</li>
</ul>
<p>Is there a requirement in Ireland to notify data subjects in the case of security breaches?</p>
<p>The Data Protection Acts 1988 and 2003 do not impose an explicit obligation on data controllers to notify data subjects if there has been a security breach. This does not mean that such an obligation cannot be implied. One of the data protection principles with which data controllers must comply is that their obtaining and processing of data must be done &#8220;fairly&#8221;. In order for such processing to be &#8220;fair&#8221; certain information has to be given to the data subject. In some instances, this can include &#8220;information as to the recipients or categories of recipients of the data&#8221;. It could follow from this that if there is a security breach, the data controller may need to notify the data subject of the breach in order to ensure that the processing of the data was &#8220;fair&#8221;.</p>
<p>On becoming aware of their security incidents, both the Midland Health Board and the IBTS notified the Data Protection Commissioner&#8217;s Office. The IBTS has also confirmed that it is writing to each donor affected by the incident.</p>
<h2>What are the implications of a security breach in Ireland?</h2>
<p>Failure to comply with the data protection principle requiring organisations to implement &#8220;appropriate security measures&#8221; is not by itself an offence under the data protection legislation. It is an offence for a data processor or an employee or agent of his to knowingly disclose personal data processed by him without the prior authority of the data controller. It is also an offence for any person to disclose to another person any personal data to which they have obtained access without the prior authority of the data controller or the data processor who keeps the data (this offence is directed very much at &#8220;hacking&#8221;).</p>
<p>Apart from criminal offences, data controllers and data processors owe a duty of care to data subjects as regards their dealings with any personal data relating to the data subjects. If they are in breach of this duty, and the data subject suffers loss as a consequence, then the data subject is legally entitled to take a civil action against the data controller or data processor for damages. Notwithstanding that this right of action has existed since the Data Protection Act was first introduced in 1988 (almost 20 years ago now) no such action has been taken to date.</p>
<p>Quite apart from any potential criminal or civil proceedings, there is another equally serious ramification, namely the very significant reputational damage that can be caused by adverse media coverage and publicity following security incidents where an organisation is considered not to have had effective security controls and procedures in place.</p>
<h2>Conclusions</h2>
<p>There is no question that the issue of security breaches is becoming more significant, and it is likely that we will see more enforcement action in this area. In next month&#8217;s legal e-bulletin we will look at some of the steps that organisations can take to improve their compliance.</p>]]></content:encoded>
         <category>Data Protection</category>
      </item>
      <item>
         <title>Electronic signatures</title>
         <link>http://blogs.ics.ie/itlaw/2009/11/02/electronic-signatures/</link>
         <description>In this edition of the ICS legal e-bulletin Garret Flynn of the Matheson Ormsby Prentice Information Technology Law Group will consider the legal recognition of electronic signatures in Ireland and the level of market take-up of these signatures. On 10 July 2000 President Mary McAleese applied her digital signature on the Electronic Commerce Bill. In [...]</description>
         <guid isPermaLink="false">http://blogs.ics.ie/itlaw/?p=99</guid>
         <pubDate>Mon, 02 Nov 2009 13:52:45 +0000</pubDate>
         <content:encoded><![CDATA[<p>In this edition of the ICS legal e-bulletin Garret Flynn of the <a rel="nofollow" title="Matheson Ormsby Prentice Information Technology Law Group" target="_blank" href="http://www.mop.ie/what-we-do/Information-Technology.htm">Matheson Ormsby Prentice Information Technology Law Group</a> will consider the legal recognition of electronic signatures in Ireland and the level of market take-up of these signatures.</p>
<p>On 10 July 2000 President Mary McAleese applied her digital signature on the Electronic Commerce Bill. In doing so, Ireland became the second country in the world to use a digital signature to sign a bill into law. The Electronic Commerce Act, 2000 (the &#8216;Act&#8217;) gave legal recognition to electronic signatures. This e-bulletin will examine the various forms of electronic signatures which can be used, touch briefly on the technology behind these signatures and consider the extent to which the various forms of electronic signatures have been used in the nine years since the Act came into force.</p>
<h2>Legislative Framework</h2>
<p>The law has recognised telegraphic communications as far back as the mid-19th century and faxed signatures since the 1980s. In the late 1990s the European Commission was keen to ensure that electronic signatures would be given legal recognition and would be admissible in court in all Member States. This led to the adoption in December 1999 of the Directive on a Community Framework for Electronic Signatures (the “Directive”). The Act transposed the Directive into Irish law. It sets out the legal framework for recognition and non-discrimination in respect of electronic signatures and for the regulation of Certification Service Providers.</p>
<p>The Act defines an <em>electronic signature</em> as:</p>
<p><em>&#8216;Data in electronic form attached to, incorporated in or logically associated with other electronic data which serves as a method of authenticating the purported originator and includes an advanced electronic signature.&#8217;</em></p>
<p>Two forms of electronic signature would meet the criteria of this definition: simple electronic signatures and advanced electronic signatures. The law will recognise a wide range of simple electronic signatures, which range from typing your name in the signature block of an electronic document, or sending an email confirming you agree to be bound by certain terms and conditions, to the more common form of clicking an &#8216;I accept&#8217; box which indicates that the user is accepting certain terms and conditions.</p>
<p>The Act adopts the definition of an advanced electronic signature as found in the Directive, stipulating that an advanced electronic signature must be a signature that:</p>
<ol>
<li>is uniquely linked to the signatory;</li>
<li>is capable of identifying the signatory;</li>
<li>is created using means that the signatory can maintain under his sole control;</li>
<li>is linked to the data to which it relates in such a manner that a subsequent change of the data is detectable.</li>
</ol>
<p>The Act does not discriminate in favour of one type of electronic signature; however, the Act does require that advanced electronic signatures are used in relation to certain documents, where the law requires that such documents be executed by seal, or where a document is required to be witnessed. It was a deliberate policy of the Irish Government not to mandate that advanced electronic signatures would be required in any other particular circumstances but rather the Government wanted the market to determine in which circumstances advanced electronic signatures would be required.</p>
<p>Neither form of electronic signatures may be used for the creation of wills, trusts, enduring powers of attorney or for acquisitions and disposals of land.</p>
<h2>The technology of Advanced Electronic Signatures (AESs)</h2>
<p>AES&#8217;s assure the recipient of a digital document to which an AES has been applied that the sender, and no other party, has digitally signed the document. This is achieved by a combination of algorithms. Typically, two &#8216;keys&#8217; are used: (i) the private key, which is known only to the signatory and is used to create the digital signature and change the message into encrypted form; and (ii) the public key, which when applied to a message which has been encrypted using the signatory&#8217;s private key, decrypts the message and verifies the identity of the signatory and that the message has not been altered. The public key could be placed on the signatory&#8217;s website or sent separately to the recipient.</p>
<p>In order to add an additional layer of security, independent third parties, known as ‘Certification Service Providers&#8217; (“CSP&#8217;s”), can be used. CSP&#8217;s certify the authenticity of the signatory&#8217;s public key, which confirms that the public key originates from the signatory and not from a fraudulent impersonator. This method is known as &#8216;public key infrastructure&#8217; or PKI.</p>
<h2>Paper Signature versus Advanced Electronic Signature</h2>
<p>AES&#8217;s have an inherent feature which can prove whether a document has been altered after being signed. Metadata in the document can provide a trail as to when and how a person may have altered the document. In this regard AES&#8217;s hold an advantage over traditional signatures by hand, in that they can also authenticate the fact that the document has not been altered after signature.</p>
<h2>Take-up of Electronic Signatures</h2>
<p>There has been widespread take-up of simple electronic signatures since the introduction of the Act. Such signatures have become ubiquitous in electronic commerce and are used by all when contracts are formed online. However, there has not been the same level of take-up for AES&#8217;s. In its 2006 progress report on the implementation of the Directive, the European Commission recognised that there had been a low take-up of AES&#8217;s in Europe. Although AES&#8217;s provide a technological means to certify the identity of the signatory, it seems that parties continue to prefer to sign in person when they feel a need to ensure that the signatures on a document are authentic.</p>
<p>AES&#8217;s do provide some key advantages which businesses should consider. They offer the advantage of ensuring that the document has not been tampered with after its signature and allow for identity certification without the parties having to meet face-to-face.</p>
<p>The Act was not solely concerned with electronic signatures; it provided more broadly for the legal recognition of information in electronic form (i.e. data, all forms of writing and other text, images, sound, codes, computer programmes, software, databases and speech) and ensured that the introduction of information in electronic form as evidence in court could not be challenged simply on the grounds that it was not in hard-copy or that it was in electronic form. It is, however, open for an opposing party in court to challenge the legal effectiveness, reliability and probity of electronic evidence, to the same degree as can be done with other forms of evidence.</p>]]></content:encoded>
         <category>Electronic Signatures</category>
      </item>
      <item>
         <title>Compliance for online retailers of electronic goods</title>
         <link>http://blogs.ics.ie/itlaw/2009/09/01/compliance-for-online-retailers-of-electronic-goods-2/</link>
         <description>The European Commission has recently published results of a survey which shows that a large number of online retailers of electronic goods are in breach of consumer legislation. In this edition of the ICS legal e-Bulletin, Garret Flynn of the Matheson Ormsby Prentice Information Technology Law Group reviews the findings of this survey and highlights [...]</description>
         <guid isPermaLink="false">http://blogs.ics.ie/itlaw/?p=96</guid>
         <pubDate>Tue, 01 Sep 2009 13:51:39 +0000</pubDate>
         <content:encoded><![CDATA[<p>The European Commission has recently published results of a survey which shows that a large number of online retailers of electronic goods are in breach of consumer legislation. In this edition of the ICS legal e-Bulletin, Garret Flynn of the <a rel="nofollow" title="Matheson Ormsby Prentice Information Technology Law Group" target="_blank" href="http://www.mop.ie/what-we-do/Information-Technology.htm">Matheson Ormsby Prentice Information Technology Law Group</a> reviews the findings of this survey and highlights some important legal provisions with which online retailers should comply. This edition will also review a recent court case where it was held that operators of websites could possibly be liable for untrue statements published on their websites.</p>
<h2>More than half of European websites selling electronic goods are in breach of EU consumer law</h2>
<p>A recent survey commissioned by the European Commission has found that 55% of online retailers of electronic goods were in breach of European consumer legislation. The Commission carried out a Europe-wide sweep involving 28 national consumer enforcement agencies.</p>
<p>The Commission chose to investigate the online sale of electronic goods as these goods are among the most popular product categories bought over the internet. The Commission estimated the value of online sales of consumer electronics in the EEA to be €6.8 billion in 2007. In 2008, a quarter of consumers who made purchases online bought an electronic product.</p>
<p>The increase of online consumer purchases has led to better choices and prices for consumers. Consumers in smaller jurisdictions, such as Ireland, can now seek to obtain goods at better prices online than those offered in their local stores. The Commission is keen to promote cross-border sales within the EU. In its view, online commerce in Europe is still largely confined within national borders. Obstacles to cross-border expansion include language and regulatory barriers, as well as low consumer confidence on issues such as delivery and payment.</p>
<p>The rise in online consumer sales has been matched by a rise in consumer complaints: 34% of complaints handled by European consumer enforcement agencies, including Ireland&#8217;s National Consumer Agency, relate to the sale of electronic goods.</p>
<p>The following are examples of non-compliance which were highlighted by the Commission&#8217;s survey:</p>
<ul>
<li>failure to give proper contact information;</li>
<li>failure to inform the consumer of their right to return the goods within seven days;</li>
<li>misleading the customer in relation to their right to a full-cash refund if goods were not of merchantable quality.</li>
</ul>
<p>In order to assist online retailers to comply with their legal obligations, we set out below some of the key provisions which govern online sales. This list merely highlights important rules; it is not an exhaustive guide, and retailers should bear in mind that traditional consumer legislation, such as the Sale of Goods Act, applies equally to both online and off-line consumer sales.</p>
<p><strong>Information</strong>: the retailer&#8217;s name and postal address and email address, company registration number (if the retailer is a company), membership details (if the retailer is the member of a trade or professional association), the retailer&#8217;s VAT number, should all be easily, directly and permanently available on the retailer&#8217;s website.</p>
<p><strong>Pricing</strong>: prices should be clear and unambiguous, in particular, they must indicate whether they are inclusive of tax and delivery costs.</p>
<p><strong>Contracting</strong>: the website should make clear the steps involved in completing the contract on-line, whether the contract will be stored by the retailer and/or permanently accessible and in which languages the consumer may place an order. Consumers should be given an opportunity to review their order to check for errors before submitting it. Orders must be confirmed by an electronic means accessible to the consumer. This confirmation should repeat the information and pricing details set out above and inform the consumer of their right of return.</p>
<p><strong>Right of return</strong>: consumers have seven days from the receipt of any goods ordered online to cancel their order, without having to give any reason for doing so, and receive a full refund. This right does not apply for certain specified categories of goods, such as goods which are custom made, unsealed computer software, audio or video recordings, goods which would expire (fruit and vegetables) or newspapers, periodicals and magazines. Consumers shall not be liable for any costs save for the direct costs of returning the goods. This right of return must be brought to the consumer&#8217;s attention by the retailer both before the consumer places the order and in the retailer&#8217;s confirmation of the order.</p>
<p>In order to ensure that a website is compliant with relevant consumer legislation, it is advisable to have the website&#8217;s terms legally reviewed. This is particularly the case where the website actively solicits sales from jurisdictions outside of the retailer&#8217;s home jurisdiction: to the extent that local consumer law in an EU Member State provides greater rights for consumers than in the retailer&#8217;s home jurisdiction, the retailer will also have to comply with consumer law in the consumer&#8217;s home jurisdiction.</p>
<h2>Possible liability for online recommendations made by a trade association in respect of its members</h2>
<p>The Court of Appeal in England has recently found that a trade association which made assurances on its website about the financial standing and capacity of its members could possibly be liable should a visitor to the website rely on those assurances and these assurances later turn out to be untrue.</p>
<p>This case concerned the Swimming Pool &amp; Allied Trades Association (&#8220;Spata&#8221;). Spata operated a website which stated that Spata members had been vetted, were financially solvent and their work was guaranteed by Spata. Mr Patchett chose a contractor from the Spata website&#8217;s list of members. Unfortunately, the contractor became insolvent before completing the work. Mr Patchett then claimed that Spata was guilty of negligent misstatement. In defence Spata argued that the contractor in question was only an affiliate Spata member and not a full member, that the vetting process and guarantee only applied to full Spata members and that the website directed users to order Spata&#8217;s full information pack before choosing a contractor. This pack would have indicated that the vetting process and guarantee only applied to full members and that the contractor in question was not a full member.</p>
<p>The Court noted that certain facts made it reasonable for internet users to rely on statements made on Spata&#8217;s website. Spata set itself up as the authority on swimming pool contractors, almost a regulator of them. The goal of its website was to encourage people to use the contractors listed there as members. Spata knew that people would rely on the statements on its website. Further, the website was not targeted at the public in general, but rather at a limited class of people, namely those considering using a contractor to install a swimming pool.</p>
<p>In this case, the Court held that because the website stated that users should ask for the full information pack on members before choosing a contractor, Spata was not liable to Mr Patchett. It is implicit in this judgment that had the website stated that all Spata members were solvent, without any qualification being included in any other documents which were brought to the users&#8217; attention, then the trade association could have been liable.</p>
<p>The effect of this judgment is that where a website of this kind supplies information as definitive and encourages people to rely on that information, the operator of that website may be held liable where people do rely on the information, and such reliance causes damage. The message is clear: website operators should be sure as to the accuracy of the statements which they make on their websites.</p>
<h2>Reservation of Company Names</h2>
<p>From 1 September 2009, it is possible to reserve a company name with the Companies Registration Office for a maximum period of 28 days before the company is incorporated. This could prove useful where start-ups wish to secure a particular name while they prepare the other documents necessary to register an Irish company.</p>]]></content:encoded>
      </item>
      <item>
         <title>Developments in data protection</title>
         <link>http://blogs.ics.ie/itlaw/2009/08/03/developments-in-data-protection/</link>
         <description>The penalties for the sending of unlawful unsolicited direct marketing communications have recently been increased. The High Court has also recently confirmed the extent of the Data Protection Commissioner&amp;#8217;s enforcement powers. In this edition of the ICS legal e-Bulletin, Garret Flynn of the Matheson Ormsby Prentice Information Technology Law Group examines these recent data protection [...]</description>
         <guid isPermaLink="false">http://blogs.ics.ie/itlaw/?p=94</guid>
         <pubDate>Mon, 03 Aug 2009 13:50:46 +0000</pubDate>
         <content:encoded><![CDATA[<p>The penalties for the sending of unlawful unsolicited direct marketing communications have recently been increased.  The High Court has also recently confirmed the extent of the Data Protection Commissioner&#8217;s enforcement powers.  In this edition of the ICS legal e-Bulletin, Garret Flynn of the <a rel="nofollow" title="Matheson Ormsby Prentice Information Technology Law Group" target="_blank" href="http://www.mop.ie/what-we-do/Information-Technology.htm">Matheson Ormsby Prentice Information Technology Law Group </a>examines these recent data protection developments and highlights recent European guidance relating to data centres.</p>
<h2>Direct Marketing &#8211;  Increased Penalties</h2>
<p>The sending of unsolicited direct marketing communications  is regulated by the EC (Electronic Communications Networks and Services) (Data  Protection and Privacy) Regulations 2003 (the &#8217;2003 Regulations&#8217;). The 2003  Regulations set out the extent to which persons engaging in direct marketing  activities by electronic means (including phone, fax and email) must obtain the  recipient&#8217;s consent before sending such communications.</p>
<p>The general principle is that prior consent of the recipients  must be obtained before sending marketing to such individuals. A recipient can notify the sender of such  communications that they no longer wish to receive such communications or  notify this preference to the National Directory Database and senders of  electronic marketing communications must abide by the recipient&#8217;s choice. The 2003 Regulations have been amended by the EC (Electronic  Communications Networks and Services) (Data Protection and Privacy) (Amendment)  Regulations 2008 (the &#8217;2008 Regulations&#8217;)  which came into force on 13 December 2008.</p>
<ul>
<li>The 2008 Regulations increase the fine for summary offences  under the amended 2003 Regulations from €3,000 per offence to €5,000 per  offence. The position remains that each unsolicited communication, email or call  made in contravention of the amended 2003 Regulations is to be treated as a  separate offence.</li>
<li>The amended 2003 Regulations now allow offences to be  prosecuted on indictment. A body  corporate found guilty of an offence on indictment will be liable to face a  fine not exceeding €250,000 or 10% of the turnover of that body corporate  (whichever is the greater).</li>
</ul>
<p>In practice, the Director of Public Prosecutions (&#8216;DPP&#8217;), based on his opinion as to the seriousness of the conduct, makes a recommendation as to whether the offence should be tried summarily or on indictment (indictment carries higher penalties). The presiding judge then decides whether or not to follow the DPP&#8217;s suggestion.</p>
<ul>
<li>If an offence under the amended 2003 Regulations has been  committed by a body corporate, and it is proved to have been committed with the  consent or connivance of, or to be attributable to any neglect on the part of  an officer of that body corporate, that officer commits a separate offence and  is liable to be proceeded against and punished as if that officer had committed  the offence. However, the amended 2003 Regulations also provide that an officer  of a body corporate may be proceeded against for an offence committed by a body  corporate regardless of whether that body corporate itself has been proceeded  against or been convicted of the offence committed.</li>
<li>An individual found guilty of an offence on indictment will  be liable to face a fine not exceeding €50,000.</li>
<li>Of particular note is the newly introduced Regulation 13(9C)  which provides that in proceedings for an offence under the amended 2003 Regulations,  if the question of whether or not a person &#8216;consented&#8217; to receiving an  unsolicited communication or call is in issue, the onus of establishing that  the person consented to receipt of the communication or call lies on the  defendant.</li>
</ul>
<p>The Data Protection Commissioner, Billy  Hawkes, has welcomed the introduction of the 2008 Regulations and has reminded <em>&#8216;persons engaged in direct marketing  activities that [the Data Protection Commissioner's] Office continues to pay  close attention to the whole area of unsolicited communications by telephone,  fax, email or text message&#8217;</em>. The  Commissioner further stressed that <em>&#8216;Ignorance  of the law is not an acceptable excuse for non-compliance and [he] will have no  hesitation in applying the full force of the new regulations to offenders&#8217;</em>.</p>
<p>We advise our clients to exercise  caution before making unsolicited contact with their past customers for  marketing purposes. Unless those  customers have specifically agreed to receive such communications, then those  communications could be unlawful.</p>
<p>The Data Protection Commissioner can prosecute without first attempting to resolve the issue amicably. The Data Protection Commissioner&#8217;s office received a number of complaints from people who had received unsolicited mobile phone text messages from Realm Communications offering a free stay in one of 20 Irish Hotels.  If recipients of the text messages wished to avail of this offer they were required to telephone a premium-rate phone number.</p>
<p>Under the EC (Electronic Communications Networks and Services) (Data Protection and Privacy) Regulations 2003 it is an offence for a person to send unsolicited communications for the purposes of direct marketing without the consent of the recipient.  Each communication gives rise to a separate offence. At the time that these communications were sent, this offence was liable, on summary conviction, to a fine not exceeding €3,000.</p>
<p>Further to the complaints which the Data Protection Commissioner received, his office issued 60 summonses against Realm Communications in the District Court.</p>
<p>Realm applied for and was granted leave to seek judicial review of the Commissioner&#8217;s decision to institute summary proceedings without first attempting to negotiate a settlement with the person who is alleged to be in breach of the data protection legislation.</p>
<p>The Data Protection Commissioner responded that the legislation did not give rise to any prior requirement to mediate and that his office was free to deal with enforcement issues as it saw fit whether it be with or without recourse to litigation.  The Commissioner pointed out that mediation would not be effective for repeat offenders.</p>
<p>During the judicial review proceedings in the High Court, Mr Justice McCarthy found that there was nothing in the Data Protection Directive or applicable subordinate legislation which obliged Member States to provide for attempted amicable resolution prior to enforcement.  The Commissioner is therefore free to take enforcement action in relation to breach of Data Protection legislation without first attempting to amicably resolve the issue with the alleged wrongdoer.</p>
<h2>EU Data Centre Code of Conduct</h2>
<p>The EU has recently published a voluntary Code of Conduct for data centres (the &#8216;Code&#8217;).  The Code is primarily aimed at driving efficiencies in the use of power in data centres.  Power consumption is a key issue for data centre operators and users.  There are clear cost and environmental considerations attached to the use of power.</p>
<p>Historically, data centres were designed to be able to cope with large operational and capacity changes.  Many older data centres use design practices that are now outdated.  Some of these older data centres are housed in buildings that were designed for humans rather than machines, where air is refreshed often on the assumption that humans rather than machines are in the building, or where the entire building is heated and then the server room is cooled by air-conditioning to provide a suitable environment for the IT equipment.<br />
Power-unit effectiveness (&#8216;PUE&#8217;) provides a way to measure the ratio of power delivered to IT equipment compared with the total amount of power used by the facility.  PUE allows data centre managers to see how much power is driving the actual IT equipment versus non-IT elements such as cooling and lighting.  Modern state-of-the-art data centres can attain a PUE rating of 1.2 or better.  A typical enterprise data centre is likely to achieve 2.0 or worse.</p>
<p>The Code outlines general principles on power efficiency and guidelines for data centre owners and operators.  It represents a significant marketing opportunity for data centre owners and occupiers to certify compliance.  Customers now have a benchmark against which to evaluate and differentiate data centre providers.  Many public sector tenders require tenderers to demonstrate their environmental credentials and adherence to this Code is an achievable way to do this.</p>
<p>The Code is not compulsory but is a useful reference point for customers of data centres and a good marketing tool for data centre service providers.</p>]]></content:encoded>
         <category>Data Protection</category>
      </item>
      <item>
         <title>2008: a year in review</title>
         <link>http://blogs.ics.ie/itlaw/2009/01/05/2008-a-year-in-review/</link>
         <description>As we start into 2009, Don McAleese of the Matheson Ormsby Prentice Information Technology Law Group takes a look back at some noteworthy legal developments in the Technology sphere in Ireland in 2008. Data security breaches Security breaches began to fill more and more column inches in Ireland in 2008. In February, media reports disclosed [...]</description>
         <guid isPermaLink="false">http://blogs.ics.ie/itlaw/?p=76</guid>
         <pubDate>Mon, 05 Jan 2009 10:40:27 +0000</pubDate>
         <content:encoded><![CDATA[<p>As we start into 2009, Don McAleese of the Matheson Ormsby Prentice Information Technology Law Group takes a look back at some noteworthy legal developments in the Technology sphere in Ireland in 2008.</p>
<h2>Data security breaches</h2>
<p>Security breaches began to fill more and more column inches in Ireland in 2008. In February, media reports disclosed responses given to two Fianna Gael parliamentary questions directed at all Government departments, which indicated that more than 80 laptops had gone missing in various government departments. In the same month, news broke of the theft of a laptop containing the personal data of more than 170,000 Irish donors from an employee of a US company (the New York Blood Service) that was carrying out some software upgrade work for the Irish Blood Transfusion Service.</p>
<p>This was followed in April by the revelation that four laptops had been stolen from Bank of Ireland in 2007. The theft had only come to the attention of Bank of Ireland&#8217;s management in February of this year and the bank only notified the Data Commissioner&#8217;s Office in April. Together the stolen laptops contained personal data relating to 31,500 Bank of Ireland customers. The data involved related to life assurance policies, policy applications and mortgage information. As a result of these breaches, the Data Commissioner&#8217;s Office began an investigation into the reasons why the personal data, including sensitive medical data, had been stored on the laptops, the security measures used by the bank, and the reasons for the delay in reporting the loss.</p>
<p>As a result of these revelations, the Minister for Justice Dermot Ahern announced in October that a data review group was being set up to conduct a review of Irish data protection legislation. The group will be chaired by a former Secretary General at the Department of Finance, Eddie Sullivan and will include the Data Protection Commissioner Billy Hawkes. The chief focus of the team&#8217;s work will be to examine whether changes are required to Irish data protection legislation to deal with security breaches. The group will also be asked to examine the issues of mandatory reporting of breaches as well as possible penalties. As the law currently stands both here and in the UK, there is no explicit statutory obligation to notify the Data Protection Commissioner, or any affected data subject, of a data security breach. On 28 November Dermot Ahern agreed terms of reference and membership for this review group. The Group has already held its first meeting and will announce specific details of its consultation process in the near future.</p>
<h2>Garda Commissioner asks telecoms providers to retain data</h2>
<p>It was reported in the media in November 2008 that the Garda Commissioner had sent a letter to all Irish mobile broadband providers asking that they retain browsing information on their customers so that they could be used in criminal investigations. It is understood that the intention of the Garda Commissioner was to make the retention of internet data a requirement of all mobile broadband providers. The request for real-time web-browsing information, in other words the content or the web address (URL) of every web page browsed by users of mobile handsets, palmtop devices or 3G modems, goes beyond the European Union&#8217;s Data Retention Directive (the &#8220;Directive&#8221;), which was due to be implemented by the Government on 15 September 2007, but has still not been implemented. The Government intends to implement the Directive by way of a Statutory Instrument and has produced a draft Statutory Instrument to this effect. The Directive does not provide for the retention of content and this has led to the Deputy Data Protection Commissioner, Gary Davis, expressing his concern over the Garda Commissioner&#8217;s request.</p>
<p>The Government&#8217;s draft Statutory Instrument allows for the retention of traffic information relating to phone and mobile calls, which are already retained in Ireland under the Criminal Justice (Terrorist Offences) Act, 2005, and also introduces new requirements for the retention of internet data. However, the content of telephone calls or e-mails, or details on web-pages browsed, is excluded from the scope of the Directive so the draft Statutory Instrument, if implemented, may bring Irish law into conflict with European law.</p>
<h2>Ryanair swoops down on screen scrapers</h2>
<p>In July 2008 Ryanair declared war on travel websites which it alleged were engaged in &#8216;screen scraping&#8217;. Screen scraping is the term used to describe the technique whereby a computer program extracts data from the display output of another program. The websites accused of screen scraping by Ryanair included travel websites that sold-on Ryanair flights and those websites that obtained Ryanair flight and price data for the purposes of price comparison and booking services. During the summer, Ryanair successfully secured injunctions against the German website Vtours.de in Germany, against BravoFly Limited in Ireland and against eDreams in Spain. Subsequently, Ryanair announced on 11 August that they would cancel any bookings made illegally through third party websites.</p>
<p>This announcement by Ryanair resulted in harsh criticism from the National Consumer Association and led to an investigation by the Directorate-General for Energy and Transport of the European Commission (&#8220;DG TREN&#8221;) to assess the compatibility of Ryanair&#8217;s actions with EC Regulation 261/2004 on the rights of air passengers (this Regulation establishes community-wide rules on compensation and assistance to passengers in the event that they are prevented from boarding aircraft and in the event of flight cancellations or long flight delays).</p>
<p>DG TREN sought clarification from Ryanair on its new practices on 20 August. Following a typically robust response by Ryanair to DG TREN (the exchange of correspondence was published on Ryanair.com), DG TREN announced in September that it had ended its inquiry and would not be taking any action against Ryanair. However, DG TREN noted that it had not received any actual complaints from passengers and it reiterated its warning to Ryanair that if a passenger was denied boarding, EU Regulation 261/2004 would apply and that the passenger would be entitled to reimbursement and assistance.</p>
<p>Screen scraping and price comparison/booking facility services raise a number of legal issues (several of which were argued by Ryanair in its response to DG TREN), including that such activities can:</p>
<ul>
<li>result in other users of the website being denied access (or slow down or frustrate their use of the website by reducing the website&#8217;s response times);</li>
<li>breach the terms and conditions of use of the website including terms as to linking;</li>
<li>breach the website owner&#8217;s copyright (including database rights);</li>
<li>breach the website owner&#8217;s trademarks; and</li>
<li>amount to &#8220;passing-off&#8221; or wrongful interference with economic interests or contractual relations.</li>
</ul>
<p>They also raise interesting consumer law issues as to whether the underlying terms of the website or the transaction comply with Unfair Contract Terms in Consumer Contracts legislation as well as issues arising under EU Regulation 261/2004 on air passenger rights noted above.</p>
<p>Further developments in this area can be expected in the new year as other organisations realise the potential of taking similar actions as Ryanair and as consumer and other regulatory bodies become involved.</p>
<h2>Privacy – landmark decision: Herrity v Associated Newspapers (Ireland) Limited</h2>
<p>In a decision of the High Court in July 2008, Ms Justice Dunne held that the right to sue for damages for breach of the constitutional right to privacy is not confined to actions against the State or State bodies or institutions, but can extend to actions against private individuals. This is the first Irish case to recognise that an individual can take an action in Ireland against a private person or entity for breach of his or her constitutional right to privacy. The right to privacy, although not specifically expressed in the Constitution, has long been recognised by the Irish courts as one of the unenumerated and unspecified personal rights that are guaranteed by the Constitution.</p>
<p>This case concerned an action taken by a married woman for wrongful invasion of privacy arising from a series of articles published by the defendant which dealt with the plaintiff&#8217;s relationship with a priest. The defendant also published the transcripts of telephone conversations between the plaintiff and the priest, which had been illegally obtained from a phone tap conducted by a private detective (who was hired by the plaintiff&#8217;s estranged husband).</p>
<p>In its defence, the defendant pleaded that it had acted in accordance with the right to freedom of expression, in particular in publishing material in the public interest. Although the court recognised that the right to freedom of expression usually prevails over the right to privacy in the hierarchy of constitutional rights, it noted that the right to freedom of expression is not an unqualified right. The court took the view that in light of the facts and circumstances of the case, where the right to freedom of expression asserted by the defendant is the publication of material obtained unlawfully, then the right to privacy would prevail.</p>
<p>The court awarded the plaintiff ordinary and aggravated damages of €60,000 for breach of privacy and exemplary damages of a further €30,000 for the use of transcripts of telephone conversations that had been obtained unlawfully.</p>
<h2>Record companies take Eircom to court over illegal downloads</h2>
<p>In March 2008, the four biggest record companies brought a High Court action aimed at forcing Eircom to take measures to prevent its networks being used for the illegal downloading of music. This was the first action of its kind taken against an internet service provider, rather than individual illegal downloaders and was prompted by growing concern within the music industry about the scale and cost of illegal downloading. Sales in sound recordings have fallen by 30% in the past six years, from €146m in 2001 to €102m in 2007.</p>
<p>The action, brought by EMI Records (Ireland), Sony BMG Entertainment (Ireland), Universal Music (Ireland) and Warner Music (Ireland), seeks orders under the Copyright and Related Rights Act, 2000 restraining Eircom from infringing copyright in the sound recordings owned by, or exclusively licensed to them, by making available (through Eircom&#8217;s internet service facilities) copies of those recordings to the public without the record companies&#8217; consent. The record companies also challenged Eircom&#8217;s refusal to use filtering technology to filter peer-to-peer traffic and block specified recordings from being shared. Eircom told the record companies in October 2007 that it was not in a position to run filtering software, such as that provided by the US-based Audible Magic Corporation, on its servers.</p>
<p>Eircom filed its defence in May 2008 rejecting the claims and contending that the record companies have no cause of action against it. The case is currently at hearing.</p>
<p>Whatever 2009 may hold – a very happy, prosperous and successful new year to you all from the Information Technology and Commercial Contracts Law Group at Matheson Ormsby Prentice!</p>]]></content:encoded>
         <category>General</category>
      </item>
      <item>
         <title>Data protection</title>
         <link>http://blogs.ics.ie/itlaw/2007/06/04/data-protection/</link>
         <description>In previous Legal e-Bulletins we have focused almost exclusively on the legal issues that can arise with technology contracts and also on the many issues and factors that need to be considered when dealing with the underlying intellectual property rights. While we will continue to update on legal developments in these areas, future Legal e-Bulletins [...]</description>
         <guid isPermaLink="false">http://blogs.ics.ie/itlaw/?p=70</guid>
         <pubDate>Mon, 04 Jun 2007 10:38:03 +0000</pubDate>
         <content:encoded><![CDATA[<p>In previous Legal e-Bulletins we have focused almost exclusively on the legal issues that can arise with technology contracts and also on the many issues and factors that need to be considered when dealing with the underlying intellectual property rights. While we will continue to update on legal developments in these areas, future Legal e-Bulletins will start introducing other areas of law that touch on the technology sector. This month we begin with data protection and Don McAleese of the <a rel="nofollow" title="Matheson Ormsby Prentice Information Technology Law Group" target="_blank" href="http://www.mop.ie/what-we-do/Information-Technology.htm">Matheson Ormsby Prentice Information Technology Law Group</a> looks at the recent publication of the Irish Data Protection Commissioner&#8217;s Annual Report for 2006 and the types of issues that the Data Protection Commissioner is currently focusing on. Over the course of future Legal e-Bulletins we will explain how data protection law impacts not only on technology companies but also on any companies that either use, supply or provide technology products and services, websites and e-commerce and m-commerce platforms.</p>
<h2>Data Protection Commissioner Annual Report 2006</h2>
<p>During 2006 the Data Protection Commissioner focused on a number of wide ranging issues, many of which involved the use of technology. Increasingly, he is also having to consider and address the privacy challenges that rapidly evolving technologies such as social networking sites present. In 2006 companies such as Bebo, Myspace and Facebook came to his attention through both positive and negative media coverage. His responsibility relates solely to the data protection issues that arise in relation to these sites. One of his main concerns is what consent has been given for the processing of personal information on these sites? This goes to the issue of the age and maturity of the individuals involved in using the sites. Another issue concerns the right of an individual to seek the blocking of any personal data in relation to them that is incorrect or that was placed on the site without their consent.</p>
<p>In his 2005 Annual Report the Data Protection Commissioner drew attention to the data protection issues that the use of RFID can give rise to. In his 2006 Annual Report he reports that there is now an industry momentum towards the greater use of RFID technology, so we can expect more developments in this area.</p>
<p>During 2006 the Data Protection Commissioner stepped up noticeably his use of the legal powers of enforcement that are available to him under the Data Protection Acts 1988 and 2003. This trend is likely to continue in the future and one can expect to see a more aggressive approach being taken by the Commissioner towards enforcement generally.</p>
<h2>Guidance</h2>
<p>The 2006 Annual Report also includes guidance on a number of issues that have given rise to specific public concern. These include:</p>
<ul>
<li><b>mobile telephone companies and requests from local authorities for customer data</b>: The Commissioner was surprised to learn that telephone companies were being contacted by local authority litter wardens seeking details of mobile telephone ownership. This arose in the context of litter wardens finding mobile phone top up receipts that were causing litter. There was a suggestion that such information was being provided seemingly without question in some cases, and without the backing of an enactment or by a rule of law or order of court.</li>
<li><b>the use of publicly available data for direct marketing purposes</b>:  Here the Commissioner examines the re-use of personal data that is obtained from publicly available documents and sources (such as the Companies Registration Office and the weekly lists of planning applications and planning decisions published by local authorities) for direct marketing purposes.</li>
<li><b>the use of electronic mail for direct marketing purposes</b>:  This is an area where his office is increasingly being called upon to engage proactively. He has issued a detailed guidance note on the use of electronic mail for direct marketing purposes to assist not only individual subscribers, but also persons engaged in direct marketing activity.</li>
<li><b>the outsourcing of ICT projects and the hosting of patient files in the health centre</b>: This is an area where there has been an increase in queries to his office. His Guidance emphasises the need for security measures; for suitable contracts to be in place between the data controller and data processor; for policies on retention periods to be established; and for the employment contracts of the employees of the IT / hosting services company to reflect a duty of confidence regarding data accessed during the course of their activities. He also highlighted the need to comply with the various restrictions on the transfer of personal data outside of the EEA.</li>
</ul>
<h2>Work Programme for 2007</h2>
<p>In 2007 the Commissioner proposes to continue his ongoing crackdown on the problems posed by unsolicited text messages to mobile phones and intends to continue to work to try to integrate privacy at the initiation stage in relation to new proposals and technologies.</p>
<h2>Statistics</h2>
<p>The statistics concerning inquiries and complaints make interesting reading. The website of the Office of the Data Protection Commissioner (www.dataprotection.ie) received over 20,000 inquiries and was accessed over 69,000 times from Ireland.</p>
<p>There was a very significant increase in the number of complaints received in 2006 over 2005. Much of this increase was attributable to complaints over breaches of the Privacy and Electronic Communications Regulations and related mainly to cold calls being made to the home and unsolicited text messages to mobile phones (these accounted for 39% of all complaints received).</p>
<h2>Complaints Investigated</h2>
<p>In his Annual Reports the Data Protection Commissioner gives details of some of the cases he has investigated during the year. A trend of recent Annual Reports has been that the Commissioner has started to &#8220;name and shame&#8221; organisations that have been the subject of a complaint. In 2006 he investigated:</p>
<ul>
<li>unsolicited direct marketing and the sanctions available to him to address intrusive practices, including his contacts with a number of telecommunications companies;</li>
<li>a number of cases where he has had to adjudicate on the obligations of the media under the Data Protection Acts 1988 and 2003 and the extent to which the &#8220;public interest&#8221; exemption applies to them;</li>
<li>the failure of a leading computer manufacturer during the reporting period to ensure properly that its direct marketing practices were fully compliant with the Data Protection Acts, particularly as regards recording the preferences of individuals not to receive any further material;</li>
<li>the failure of a Dublin night club to comply with an access request for CCTV footage;</li>
<li>the gathering of extensive personal data by both public and private sector bodies.</li>
</ul>
<h2>Conclusion</h2>
<p>Over the course of future Legal e-Bulletins we will:</p>
<ul>
<li>provide a general outline of how data protection works and explain the main obligations for data controllers and data processors insofar as they are relevant for the technology sector;</li>
<li>explain the relevance of the restrictions on the transfer of personal data outside of the EEA to countries that do not ensure &#8220;an adequate level of protection&#8221; such as the US and how these restrictions can impact in the technology sector;</li>
<li>examine what companies in the technology sector must do to comply with the data protection requirements if they engage agents, sub-contractors or other service providers to undertake activities on their behalf if those activities involve the &#8220;processing&#8221; of personal data;</li>
<li>outline the rules that apply to the use of personal data for direct marketing;</li>
<li>explain what companies in the technology sector must do to make sure that their websites comply with the data protection requirements and the Data Protection Commissioner&#8217;s Guidance on Privacy Statements and Websites.</li>
</ul>
<p>In the next Legal e-Bulletin we will look at the information requirements that certain companies who are subject to the European Communities (Companies) (Amendment) Regulations 2007 must display on their website and which came into effect on 1 April 2007.</p>]]></content:encoded>
         <category>Data Protection</category>
      </item>
      <item>
         <title>DES to Roll Out 100Mb Broadband to All Schools by 2014</title>
         <link>http://www.morestresslesssuccess.ie/2012/02/des-to-roll-out-100mb-broadband-to-all.html</link>
         <description>The Minister for Education &amp;#38; Skills, Ruairí Quinn, along with Pat Rabbitte, the Minister for Communications, Energy &amp;#38; Natural Resources, have&amp;#160;announced&amp;#160;that super-fast 100Mb broadband will be rolled out to every second level sch...</description>
         <guid isPermaLink="false" />
         <pubDate>Mon, 06 Feb 2012 17:40:00 +0000</pubDate>
         <content:encoded><![CDATA[<div class="separator" style="clear:both;text-align:center;">
<a rel="nofollow" target="_blank" href="http://4.bp.blogspot.com/-ue7nlTtyfc0/TzAQg7nIGxI/AAAAAAAAI00/gZUIuulgRYs/s1600/broadband.jpg" style="margin-left:1em;margin-right:1em;"><img border="0" src="http://4.bp.blogspot.com/-ue7nlTtyfc0/TzAQg7nIGxI/AAAAAAAAI00/gZUIuulgRYs/s1600/broadband.jpg"/></a></div>
<div class="separator" style="clear:both;text-align:center;">
<br /></div>
<div style="text-align:justify;">
The Minister for Education &amp; Skills, Ruairí Quinn, along with Pat Rabbitte, the Minister for Communications, Energy &amp; Natural Resources, have&nbsp;announced&nbsp;that super-fast 100Mb broadband will be rolled out to every second level school in the country by 2014.</div>
<div style="text-align:justify;">
<br /></div>
<div>
<div style="text-align:justify;">
Originally <a rel="nofollow" target="_blank" href="http://www.ncte.ie/News/Archive/Mainbody,20579,en.html">launched in 2009</a>, the <a rel="nofollow" target="_blank" href="http://www.ncte.ie/Broadband/100MbpsSchoolsProgramme/">100Mb Schools Programme</a> was piloted in 78 schools across the country, initially rolled out from May 2010. The pilot project, as expected, was extremely successful, with these schools utilising the super-fast internet connection to further&nbsp;incorporate&nbsp;the use of ICT into teaching and learning in the school.</div>
<div style="text-align:justify;">
<br /></div>
<div style="text-align:justify;">
The national roll-out will be completed over three stages with 200 schools being connected by September 2012, a further 200 being connected next year and the remaining 250 schools being connected in 2014. Commenting on the launch, Minister Quinn said:</div>
</div>
<blockquote class="tr_bq" style="text-align:justify;">
“We need to ensure that appropriate digital technology and high-speed internet are in place in our schools as a basic building block to deliver a 21st Century learning experience to all learners.&nbsp;This major ICT investment in our education system follows on from the commitment in the Programme for Government to incorporate the integration of ICT in teaching and learning across the curriculum and investing in broadband development to ensure schools have access to modern high-speed networks”</blockquote>
<div style="text-align:justify;">
Minister Rabbitte added:&nbsp;</div>
<div>
<blockquote class="tr_bq" style="text-align:justify;">
“Our second-level schools need industrial strength broadband. Students’ experience of using technology in their everyday lives must be reflected in their learning experiences in schools. We must encourage students and teachers to integrate the possibilities presented by ICT with the traditional teaching methods”.</blockquote>
<div style="text-align:justify;">
The Department of Communications, Energy &amp; Natural Resources is funding all of the capital costs of this project, estimated to be approximately €11m as well as contributing some €10m in current costs for the years 2013 to 2015. The Department of Education &amp; Skills (DES) will fund the remaining current costs (estimated to be some €20m up to 2015). DES will also fund the on-going costs on an annual basis into the future.</div>
<div style="text-align:justify;">
<br /></div>
<div style="text-align:justify;">
Obviously this is fantastic news, but why will it take over 5 years from the initial announcement? If the DES are serious about integrating ICT into teaching and learning, the roll out should be prioritised and accelerated. For the meantime, schools in the following lucky counties can look forward to increased speeds in the coming months:&nbsp;</div>
<ul>
<li>Cavan</li>
<li>Louth&nbsp;</li>
<li>Clare&nbsp;</li>
<li>Mayo</li>
<li>Donegal&nbsp;</li>
<li>Monaghan</li>
<li>Galway&nbsp;</li>
<li>Offaly</li>
<li>Laois&nbsp;</li>
<li>Roscommon</li>
<li>Leitrim&nbsp;</li>
<li>Sligo&nbsp;</li>
<li>Longford&nbsp;</li>
<li>Westmeath</li>
</ul>
</div><div class="blogger-post-footer">Why not also check out my other website: www.frogblog.ie<img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4074271844855651082-5550583939240786509?l=www.morestresslesssuccess.ie' alt=''/></div>]]></content:encoded>
         <enclosure length="" type="" url="" />
      </item>
      <item>
         <title>Technology and Pedagogy – not a chicken and egg</title>
         <link>http://feedproxy.google.com/~r/anseo/~3/U4pk9UxQHEo/</link>
         <description>&lt;a rel="nofollow" target="_blank" href="http://www.anseo.net/technology-and-pedagogy-not-a-chicken-and-egg/" title="View post Technology and Pedagogy - not a chicken and egg "&gt;&lt;img width="150" height="150" src="http://www.anseo.net/wp-content/uploads/2012/02/puttnam-150x150.jpg" class="excerpt_thumb wp-post-image" alt="puttnam"/&gt;&lt;/a&gt;&lt;div&gt;The IPPN conference is the biggest conference for primary school prinicpals in Europe with over 1,100 delegates.  The event, which goes on for 3 days draws in some of the biggest names in education and media, all discussing everything relating to primary schools.  This year the principals were addressed by the likes of Ben Walden (&lt;a rel="nofollow" target="_blank" href="http://contendercharlie.com/"&gt;http://contendercharlie.com/&lt;/a&gt;), former president Mary Robinson, minister for education Ruairi Quinn and a number of fantastic educators around the country.  However, for those of us with an interest in 21st century learning, two highlights emerged: Lord David Puttman and Professor Michael Fullan, who both spoke about the role of the teacher in today&amp;#8217;s classrooms.  Both talks mentioned the role of technology in learning and  it was interesting that both said the same thing about technology in education.&lt;/div&gt;
&lt;div&gt;&lt;/div&gt;
&lt;div&gt;Firstly, according to them, technology isn&amp;#8217;t the driver in the world of education &amp;#8211; it&amp;#8217;s the pedagogy.  This may be a bit disappointing for the schools who have bought tablet PCs and stuck electronic books on them.  This is focusing on technology, not pedagogy.  Simply putting a load of textbooks on touchscreen devices has no pedagogical value &amp;#8211; it only has the function of making schoolbags lighter.&lt;/div&gt;
&lt;div&gt;&lt;/div&gt;
&lt;div&gt;Thankfully, Puttnam and Fullan agree.  Pedagogy will, and should always, be the priority.  The real question is: can technology enhance pedagogy?  The overwhelming evidence is that it most certainly does if used the right way.  There are some skills that we must teach to this generation that cannot be taught effectively without technology but the centre will always be pedagogical.&lt;/div&gt;
&lt;div&gt;&lt;/div&gt;
&lt;div&gt;A basic example of a geography lesson on the Burren might illustrate what I&amp;#8217;m trying to say but you could replace this with any lesson in any subject.  While we as teachers can tell children about the Burren and even show them pictures and photographs, the power of technology allows children to find out about the Burren for themselves.  In other words, we can give the stimulus then the classroom changes so the children are learning what they need to learn.  This can be done through structuring classes so that they have tasks to do and report on &amp;#8211; i.e. problems to solve.  If a child can create new knowledge or represent knowledge in a new way, this has amazing pedagogical value.&lt;/div&gt;
&lt;div&gt;&lt;/div&gt;
&lt;div&gt;Technology can also enhance experiences through showing a helicopter view of the Burren, which saves people from getting on a bus (or a helicopter) to physically go to it but gives 99% of the experience.  Technology can make things more pretty and can give instant feedback. This still keeps the focus on technology rather than learning and while there&amp;#8217;s nothing wrong with this, the main thing teachers need to be thinking is that technology is used by the children rather than the teacher using it to teach old methodologies.&lt;/div&gt;
&lt;div&gt;&lt;/div&gt;
&lt;div&gt;Lord Puttnam suggested that a teacher from 100 years ago would quite easily fit into a classroom today whereas a surgeon from 100 years ago would be lost in a theatre today.  This analogy, I believe, means that we&amp;#8217;re doing something wrong.  We know that children learn differently today so we need to update the way school works.&lt;/div&gt;
&lt;p&gt;&lt;a rel="nofollow" target="_blank" href="http://www.anseo.net/technology-and-pedagogy-not-a-chicken-and-egg/"&gt;Read more on Technology and Pedagogy &amp;#8211; not a chicken and egg&amp;#8230;&lt;/a&gt;&lt;/p&gt;</description>
         <guid isPermaLink="false">http://www.anseo.net/?p=5115</guid>
         <pubDate>Sat, 04 Feb 2012 13:49:00 +0000</pubDate>
         <content:encoded><![CDATA[<div>The IPPN conference is the biggest conference for primary school principals in Europe with over 1,100 delegates.  The event, which goes on for 3 days, draws in some of the biggest names in education and media, all discussing everything relating to primary schools.  This year the principals were addressed by the likes of Ben Walden (<a rel="nofollow" target="_blank" href="http://contendercharlie.com/">http://contendercharlie.com/</a>), former president Mary Robinson, minister for education Ruairi Quinn and a number of fantastic educators around the country.  However, for those of us with an interest in 21st century learning, two highlights emerged: Lord David Puttnam and Professor Michael Fullan, who both spoke about the role of the teacher in today&#8217;s classrooms.  Both talks mentioned the role of technology in learning and it was interesting that both said the same thing about technology in education.</div>
<div></div>
<div>Firstly, according to them, technology isn&#8217;t the driver in the world of education &#8211; it&#8217;s the pedagogy.  This may be a bit disappointing for the schools who have bought tablet PCs and stuck electronic books on them.  This is focusing on technology, not pedagogy.  Simply putting a load of textbooks on touchscreen devices has no pedagogical value &#8211; it only has the function of making schoolbags lighter.</div>
<div></div>
<div>Thankfully, Puttnam and Fullan agree.  Pedagogy will, and should always, be the priority.  The real question is: can technology enhance pedagogy?  The overwhelming evidence is that it most certainly does if used the right way.  There are some skills that we must teach to this generation that cannot be taught effectively without technology but the centre will always be pedagogical.</div>
<div></div>
<div>A basic example of a geography lesson on the Burren might illustrate what I&#8217;m trying to say but you could replace this with any lesson in any subject.  While we as teachers can tell children about the Burren and even show them pictures and photographs, the power of technology allows children to find out about the Burren for themselves.  In other words, we can give the stimulus then the classroom changes so the children are learning what they need to learn.  This can be done through structuring classes so that they have tasks to do and report on &#8211; i.e. problems to solve.  If a child can create new knowledge or represent knowledge in a new way, this has amazing pedagogical value.</div>
<div></div>
<div>Technology can also enhance experiences through showing a helicopter view of the Burren, which saves people from getting on a bus (or a helicopter) to physically go to it but gives 99% of the experience.  Technology can make things more pretty and can give instant feedback. This still keeps the focus on technology rather than learning and while there&#8217;s nothing wrong with this, the main thing teachers need to be thinking is that technology is used by the children rather than the teacher using it to teach old methodologies.</div>
<div></div>
<div>Lord Puttnam suggested that a teacher from 100 years ago would quite easily fit into a classroom today whereas a surgeon from 100 years ago would be lost in a theatre today.  This analogy, I believe, means that we&#8217;re doing something wrong.  We know that children learn differently today so we need to update the way school works.</div>

<p><a rel="nofollow" target="_blank" href="http://feedads.g.doubleclick.net/~a/7dJeCYT5_2mPomWO-2jEd9gOE0k/0/da"><img src="http://feedads.g.doubleclick.net/~a/7dJeCYT5_2mPomWO-2jEd9gOE0k/0/di" border="0" ismap></a><br/>
<a rel="nofollow" target="_blank" href="http://feedads.g.doubleclick.net/~a/7dJeCYT5_2mPomWO-2jEd9gOE0k/1/da"><img src="http://feedads.g.doubleclick.net/~a/7dJeCYT5_2mPomWO-2jEd9gOE0k/1/di" border="0" ismap></a></p>]]></content:encoded>
         <category>Opinion</category>
         <enclosure length="" type="" url="" />
      </item>
      <item>
         <title>CESI Conference 2012</title>
         <link>http://feedproxy.google.com/~r/anseo/~3/FLGyd5tHwkc/</link>
         <description>&lt;a rel="nofollow" target="_blank" href="http://www.anseo.net/cesi-conference-2012/" title="View post CESI Conference 2012 "&gt;&lt;img width="150" height="150" src="http://www.anseo.net/wp-content/uploads/2012/02/cesi2012-150x150.png" class="excerpt_thumb wp-post-image" alt="cesi2012"/&gt;&lt;/a&gt;&lt;p&gt;Mark your diaries &amp;#8211; the CESI ceonference is back in Portlaoise this year.  With so much emphasis on digital literacy in schools, teachers around the country need to come along to this conference to see how Irish teachers are using technology in simple ways in their lessons.  One of the great things about CESI is that it brings all three levels of education together and there&amp;#8217;s a huge variety of talks whatever your level.&lt;/p&gt;
&lt;p&gt;&lt;a rel="nofollow" target="_blank" href="http://www.anseo.net/cesi-conference-2012/"&gt;Read more on CESI Conference 2012&amp;#8230;&lt;/a&gt;&lt;/p&gt;</description>
         <guid isPermaLink="false">http://www.anseo.net/?p=5110</guid>
         <pubDate>Sat, 04 Feb 2012 13:02:46 +0000</pubDate>
         <content:encoded><![CDATA[<p>Mark your diaries &#8211; the CESI conference is back in Portlaoise this year.  With so much emphasis on digital literacy in schools, teachers around the country need to come along to this conference to see how Irish teachers are using technology in simple ways in their lessons.  One of the great things about CESI is that it brings all three levels of education together and there&#8217;s a huge variety of talks whatever your level.</p>
<p>There are some super sessions for primary school teachers.  Nigel Lane, a primary school teacher in Co. Kildare is giving a workshop on Blogging Basics, a must for any teacher interested in blogging with their class.  Anne McMorrough is going to be giving a great session on different tools she uses in her classroom, including iPod apps and other web apps.  Edchat, which is a Twitter chat every Monday is a good session for anyone interested in using Twitter.   Another couple of interesting talks for technophobes would be Getting Started with ICT in the Classroom and ICT for Technophobes.  Both talks will give the very basics from teachers who have discovered ICT tools for learning that are easy to use.</p>
<p>There&#8217;s loads of other sessions on Google Apps, Twitter, Cloud Computing and more!  The Friday evening is a Teachmeet where teachers give 2-7 minute talks on topics that they&#8217;re interested in.  It&#8217;s fast, informal and fun, (and there&#8217;s a bar too!) You should check out http://www.cesi.ie for more details and register.  It&#8217;s the best value CPD you&#8217;ll ever get!</p>

<p><a rel="nofollow" target="_blank" href="http://feedads.g.doubleclick.net/~a/763fN8f_r8UUyfroCJsn2S4uSpQ/0/da"><img src="http://feedads.g.doubleclick.net/~a/763fN8f_r8UUyfroCJsn2S4uSpQ/0/di" border="0" ismap></a><br/>
<a rel="nofollow" target="_blank" href="http://feedads.g.doubleclick.net/~a/763fN8f_r8UUyfroCJsn2S4uSpQ/1/da"><img src="http://feedads.g.doubleclick.net/~a/763fN8f_r8UUyfroCJsn2S4uSpQ/1/di" border="0" ismap></a></p>]]></content:encoded>
         <category>News</category>
         <enclosure length="" type="" url="" />
      </item>
      <item>
         <title>The School Filter Bubble</title>
         <link>http://feedproxy.google.com/~r/edte/baKo/~3/27FDb-hQPew/</link>
         <description>It is good to question what we see, as all too often we adhere to the life script that everyone else is happily playing out &amp;#8211; for me Eli Pariser&amp;#8217;s book The Filter Bubble helped me to once again question what we take as the truth, in his case the internet that is presented to [...]</description>
         <guid isPermaLink="false">http://edte.ch/blog/?p=1646</guid>
         <pubDate>Thu, 02 Feb 2012 14:45:02 +0000</pubDate>
         <content:encoded><![CDATA[<div style="margin:2px;width:500px;float:right;"><img src="http://farm6.staticflickr.com/5098/5538036046_ef4b4f5382.jpg" alt=""/></div>
<p>It is good to question what we see, as all too often we adhere to the life script that everyone else is happily playing out &#8211; for me Eli Pariser&#8217;s book The Filter Bubble helped me to once again question what we take as the truth, in his case the internet that is presented to us.</p>
<p><strong>But what if there is a school filter bubble?</strong></p>
<p>I am going to look at this as a parent and as a teacher.</p>
<p>My son is my favourite subject and there isn&#8217;t really any known limit to the amount I want to know about his day and what he is up to. He has been in full time school for just over a year and I still would love to follow him around for a day. But the message from school and what we find out as parents is only such a tiny fraction of what is happening at school.</p>
<p>We digest the presented message of school, of our children&#8217;s learning and the finer intricacies of what is taking place. The PR machine of school is crafting a message about the business of learning. And what a tough task that is because (a) learning is one of the most complex processes in the universe because of the number of factors that affect it and (b) the message is aimed at a (more than) captive audience &#8211; as parents we always want to know more.</p>
<p>It may come across that I am bashing school-home communications a bit &#8211; well the key thing for me &#8211; being a professional in the education sector &#8211; is that I know only a sliver of what is happening in my son&#8217;s learning life at school. Really only a fraction, the fraction that is communicated, shared at parents evening or in the odd newsletter or word at the classroom door. I don&#8217;t think that is enough.</p>
<p>Why should I just accept the school filter bubble?</p>
<p>How is it possible with all of the technology tools that build knowledge sharing, participation, crowd-sourcing, communities and overcome physical and social barriers to make connections, tools that side-step language and time differences and allow us instantaneous communication &#8211; that we still don&#8217;t have the true capacity to experience what is happening at school instantly, more easily, more quickly and more intuitively.</p>
<p><strong>Well we should and one day we can make it happen.</strong></p>
<p>&#8211;</p>
<p>Pic <a rel="nofollow" target="_blank" href="http://www.flickr.com/photos/47691521@N07/5538036046">Cost savings in The Netherlands: Now you see it, now you don&#8217;t</a> by opensourceway</p>
<img src="http://feeds.feedburner.com/~r/edte/baKo/~4/27FDb-hQPew" height="1" width="1"/>]]></content:encoded>
      </item>
      <item>
         <title>Online File Converter</title>
         <link>http://feedproxy.google.com/~r/FreeResourcesForEducation/~3/FLNFJGJcHok/online-file-converter.html</link>
         <description>Convert Files Website 
Convert Files lets you convert a wide range of file types including any document, archive file, spreadsheet, audio and video file from one format to another. Process files up to 200MB. 

What do you think of Convert Files?


 ...</description>
         <guid isPermaLink="false" />
         <pubDate>Thu, 02 Feb 2012 09:00:00 +0000</pubDate>
         <content:encoded><![CDATA[<div class="separator" style="clear:both;text-align:center;"><a rel="nofollow" target="_blank" href="http://www.convertfiles.com/" style="clear:right;float:right;margin-bottom:1em;margin-left:1em;"><img border="0" src="http://3.bp.blogspot.com/-GbNW1nkspbI/TygmiUoqvBI/AAAAAAAAGRY/hFw39zZlsWw/s1600/convertfiles2.gif" alt="Convert Files"/></a></div><br />
<a rel="nofollow" target="_blank" href="http://www.convertfiles.com/">Convert Files Website </a><br />
Convert Files lets you convert a wide range of file types including any document, archive file, spreadsheet, audio and video file from one format to another. Process files up to 200MB. <br />
<br />
What do you think of Convert Files?]]></content:encoded>
         <enclosure length="" type="" url="" />
      </item>
      <item>
         <title>Online Poll Creator</title>
         <link>http://feedproxy.google.com/~r/FreeResourcesForEducation/~3/hKeAONZAWDc/online-poll-creator.html</link>
         <description>Quipol Website 
Quipol lets you create elegant yes/no polls. Your poll is presented inside a box with a thumbs up or thumbs down button at the bottom. Users can also post comments to go with their response to a poll.

What do you think of Quipol?</description>
         <guid isPermaLink="false" />
         <pubDate>Wed, 01 Feb 2012 09:00:00 +0000</pubDate>
         <content:encoded><![CDATA[<div class="separator" style="clear:both;text-align:center;"><a rel="nofollow" target="_blank" href="http://quipol.com/" style="clear:right;float:right;margin-bottom:1em;margin-left:1em;"><img border="0" src="http://1.bp.blogspot.com/-Q9TzOdzmGpg/TygXY_vew5I/AAAAAAAAGRQ/xKIQS6hgrPg/s1600/quipol2.gif" alt="Quipol"/></a></div><br />
<a rel="nofollow" target="_blank" href="http://quipol.com/">Quipol Website </a><br />
Quipol lets you create elegant yes/no polls. Your poll is presented inside a box with a thumbs up or thumbs down button at the bottom. Users can also post comments to go with their response to a poll.<br />
<br />
What do you think of Quipol?]]></content:encoded>
         <enclosure length="" type="" url="" />
      </item>
      <item>
         <title>Choose Life, Choose a Job, Choose STEM!</title>
         <link>http://www.morestresslesssuccess.ie/2012/01/choose-life-choose-job-choose-stem.html</link>
         <description>Choosing a third level course is an important decision and one that will have lasting effects on you and your career. As a Guidance Counsellor, I believe that decision is ultimately about finding a course / direction that suits your personality, a...</description>
         <guid isPermaLink="false" />
         <pubDate>Tue, 31 Jan 2012 17:14:00 +0000</pubDate>
         <content:encoded><![CDATA[<div class="separator" style="clear:both;text-align:center;">
<a rel="nofollow" target="_blank" href="http://4.bp.blogspot.com/-8ll8DQBwq4Y/TygUgEv3wWI/AAAAAAAAI0I/EixjtMChDow/s1600/stem.jpg" style="margin-left:1em;margin-right:1em;"><img border="0" src="http://4.bp.blogspot.com/-8ll8DQBwq4Y/TygUgEv3wWI/AAAAAAAAI0I/EixjtMChDow/s1600/stem.jpg"/></a></div>
<div class="separator" style="clear:both;text-align:center;">
<br /></div>
<div style="text-align:justify;">
Choosing a third level course is an important decision and one that will have lasting effects on you and your career. As a Guidance Counsellor, I believe that decision is ultimately about finding a course / direction that suits your personality, aptitude and ability. However, it's also about looking to the future and about giving you the best opportunity to grow in your career. With the "official" closing date for CAO (Irish university applications) at 5:15pm tomorrow, my advice is to think STEM!&nbsp;</div>
<div style="text-align:justify;">
<br /></div>
<div style="text-align:justify;">
STEM stands for Science, Technology, Engineering &amp; Mathematics and&nbsp;encompasses&nbsp;a wide range of training courses which help to develop critical thinking, problem solving and analytical skills. These skills are highly sought after and valued across a range of industries and a degree in science, engineering, technology or maths will provide a solid foundation for a future career. According to the IDA, the technology and science industries in Ireland are set to grow in the coming decade, providing well qualified young graduates with job opportunities. Saying that, the skills obtained while studying STEM subjects are highly transferable to other industries - areas that value critical thinking and analytical skills.</div>
<div style="text-align:justify;">
<br /></div>
<div style="text-align:justify;">
The Irish universities and ITs offer a wide range of STEM courses - at NFQ Levels 6, 7 and 8. There is a STEM course for everybody and a quick search through <a rel="nofollow" target="_blank" href="http://qualifax.ie/">Qualifax</a> will help you find the STEM course for you. <a rel="nofollow" target="_blank" href="http://careersportal.ie/courses/stem_courses.php">CareersPortal.ie</a> has a <a rel="nofollow" target="_blank" href="http://careersportal.ie/courses/stem_courses.php">brilliant section to help you find out more about STEM careers</a>. You can explore hundreds of career possibilities through their website and view all the CAO courses in the STEM disciplines. There is also a large video library of people involved in STEM professions.</div>
<div style="text-align:justify;">
<br /></div>
<div style="text-align:justify;">
Let's face it - if you're studying for the Leaving Certificate this year, you are likely to face an extremely competitive jobs market in 5 years' time. Choosing a STEM course will help you develop the skills that will help you get that job - you will need to add a little bit of your other&nbsp;strengths&nbsp;to guarantee it's yours.&nbsp;</div>
<div style="text-align:justify;">
<br /></div>
<div style="text-align:justify;">
<b>Note:</b> The closing date for normal CAO applications is tomorrow; however, you don't need to finalise your course choices until much later. While the CAO system will shut for a few months, from early May you will be able to change your course preferences if you need to - except <a rel="nofollow" target="_blank" href="http://www.careersportal.ie/courses/restrictedcaocourses.php">restricted courses</a> (including nursing), which need to be on your preference list by tomorrow.</div>]]></content:encoded>
         <enclosure length="" type="" url="" />
      </item>
      <item>
         <title>Unstoppable Creators and Powerful Thinkers</title>
         <link>http://feedproxy.google.com/~r/edte/baKo/~3/hIvccLszoiU/</link>
         <description>This is one of the finest descriptions of a class blog I have ever come across: Welcome to 1JR&amp;#8217;s class blog. We are a class of ground breaking inventors, unstoppable creators and powerful thinkers. We learn cooperatively together but most importantly with a shared dream of success and impact. We are shaping the future and [...]</description>
         <guid isPermaLink="false">http://edte.ch/blog/?p=1643</guid>
         <pubDate>Tue, 31 Jan 2012 10:52:09 +0000</pubDate>
         <content:encoded><![CDATA[<p>This is one of the finest descriptions of a class blog I have ever come across:</p>
<blockquote><p>Welcome to 1JR&#8217;s class blog. We are a class of ground breaking inventors, unstoppable creators and powerful thinkers. We learn cooperatively together but most importantly with a shared dream of success and impact. We are shaping the future and grabbing every opportunity life throws our way. Join us as we work hard to reap the rewards&#8230;after all, to appreciate the beauty of a snow flake, you&#8217;ve got to stand out in the cold.</p></blockquote>
<p>These 5 and 6 year olds must have a great time!</p>
<p><a rel="nofollow" target="_blank" href="http://rosendale1jr.posterous.com">Class 1JR at Rosendale Primary School</a></p>
]]></content:encoded>
      </item>
      <item>
         <title>Interview with Andy Hopkins</title>
         <link>http://feedproxy.google.com/~r/anseo/~3/8Z7IfNg6ecQ/</link>
         <description>&lt;a rel="nofollow" target="_blank" href="http://www.anseo.net/purple-mash-podcast/" title="View post Interview with Andy Hopkins "&gt;&lt;img width="150" height="150" src="http://www.anseo.net/wp-content/uploads/2012/01/IMAG0669-150x150.jpg" class="excerpt_thumb wp-post-image" alt="IMAG0669"/&gt;&lt;/a&gt;&lt;p&gt;Rozz interviewed Andy Hopkins from Purple Mash, the online creativity suite by the people behind 2Simple Software.  Andy demonstrated some of the new features of Purple Mash, including the ability to self assess and create great looking models and writing templates.  Andy is looking for Irish speaking partners so if you&amp;#8217;re interested, have a listen to his call for action and get in touch!&lt;/p&gt;
&lt;p&gt;&lt;a rel="nofollow" target="_blank" href="http://www.anseo.net/purple-mash-podcast/"&gt;Read more on Interview with Andy Hopkins&amp;#8230;&lt;/a&gt;&lt;/p&gt;</description>
         <guid isPermaLink="false">http://www.anseo.net/?p=5072</guid>
         <pubDate>Sat, 28 Jan 2012 09:46:25 +0000</pubDate>
         <content:encoded><![CDATA[<p>Rozz interviewed Andy Hopkins from Purple Mash, the online creativity suite by the people behind 2Simple Software.  Andy demonstrated some of the new features of Purple Mash, including the ability to self assess and create great looking models and writing templates.  Andy is looking for Irish speaking partners so if you&#8217;re interested, have a listen to his call for action and get in touch!</p>

]]></content:encoded>
         <enclosure length="1" type="audio/mpeg" url="http://www.anseo.net/wp-content/uploads/2012/01/2Simple.mp3" />
      </item>
      <item>
         <title>Set Your Compass: Share Your Direction</title>
         <link>http://feedproxy.google.com/~r/edte/baKo/~3/za2uCNsjMbo/</link>
         <description>All too often we don&amp;#8217;t co-construct our curriculum with the children in our class. What occurs is a complete lack of clarity about where, as a group of learners, we are heading. In fact the direction we are going in is all too often very much laid out for the learner &amp;#8211; the route is [...]</description>
         <guid isPermaLink="false">http://edte.ch/blog/?p=1638</guid>
         <pubDate>Fri, 27 Jan 2012 21:05:07 +0000</pubDate>
         <content:encoded><![CDATA[<div style="margin:2px;width:500px;float:right;"><img src="http://farm6.staticflickr.com/5205/5374308475_619de16a0a.jpg" alt=""/></div>
<p><strong>All too often we don&#8217;t co-construct our curriculum with the children in our class. What occurs is a complete lack of clarity about where, as a group of learners, we are heading. In fact the direction we are going in is all too often very much laid out for the learner &#8211; the route is set by the teacher and the outcomes are already known.</strong></p>
<p>Curriculum planning in this vein doesn&#8217;t cater for the tangent or the divergent thinker- well it might entertain it briefly but will eventually settle back on the steady path to where we were always going.</p>
<p>Curricula of this ilk are not set up for serendipity. If I knew exactly the music that was going to be played on the radio all of the time, well in advance, and had no control over it, I would miss out on those beautiful moments when you hear a wonderful track that hasn&#8217;t been played for ages and there you are in that completely unexpected moment savouring every note.</p>
<p>Much of this is to do with teacher control and the lack of willingness to let go of the reins and venture from the path a little. But it is also to do with a lack of ambition about what we plan; many models of curriculum, as well as units of work, are legacy systems:</p>
<blockquote><p><em>A legacy system is an old method, technology, computer system, or application program that continues to be used, typically because it still functions for the users&#8217; needs, even though newer technology or more efficient methods of performing a task are now available.</em></p></blockquote>
<p>If the direction of a unit is already laid out, involving the learner in the direction is fruitless, for the learner at least, for no alteration can be made anyway.</p>
<p>In his book How Children Fail, John Holt reflected in 1958:</p>
<blockquote><p>It has become clear over the year that these children see school almost entirely in terms of the day-to-day and hour-to-hour tasks that we impose on them. This is not at all the way the teacher thinks of it. The conscientious teacher thinks of himself as taking his students (at least part way) on a journey to some glorious destination, well worth the pains of the trip.</p></blockquote>
<p>He continues to explain that he recognises a disconnect with what we as teachers perceive as a learning journey and how children truly see this. How many schools do you think could still be described in these terms?</p>
<p>At one of our partner schools in South London the pupils of <a rel="nofollow" target="_blank" href="http://www.notosh.com/2011/06/rosendale-and-christchurch-family-of-schools-making-change-a-reality/">Rosendale Primary School</a> negotiate their learning. They have a clear direction and input into the course that is going to be set &#8211; not only that, they have the ability to define how they get there. The pupils&#8217; prior knowledge, skills, interests and passions are the starting point for much of the project learning that takes place.</p>
<p>With a vested interest the pupils at Rosendale have a much clearer understanding of the learning as a journey &#8211; they know what needs to be done and have made choices that help to define this and make it real and meaningful to them. It is not simply a set of tasks imposed on them by a legacy system.</p>
<p><strong>Most of the time with these more open models we have to set our course into the unknown a little, we have to be willing to take the path less trodden.</strong></p>
<p>When the teachers and Year 3 and 4 pupils of <a rel="nofollow" target="_blank" href="http://www.notosh.com/2011/06/thorney-close-primary-school-tedxkidssland/">Thorney Close Primary School</a> took on the challenge of running their own TEDx we didn&#8217;t know if we would be successful; there were a great many unknowns. At one point we didn&#8217;t have a venue because Take That were playing at the Stadium of Light!</p>
<p>With uncertainty often comes failure and we felt that for real and so did the children, but would they learn from it &#8211; absolutely!</p>
<p>Here are some reflections on the process by one of the teachers involved:</p>
<blockquote><p>I learnt to trust the children and to let them go in the direction they want, trust that they’re going to make the right decisions with a little bit of guidance but not as much structure as we normally would give. So to sit back more and to listen more, and just ask the odd few questions – without waiting for that answer that the teacher wants to hear.</p></blockquote>
<p>One of my favourite ways to describe this sense of a general direction, unclear and yet thoughtfully open, is the idea of a &#8220;fuzzy goal&#8221;. Taken from the opening to the wonderful book <a rel="nofollow" target="_blank" href="http://www.amazon.co.uk/gp/product/0596804172/">Gamestorming</a> by Sunni Brown, David Gray and James Macanufo &#8211; a fuzzy goal can both describe our philosophical approach to change as well as the direction of a student led unit.</p>
<blockquote><p>Like Columbus, in order to move toward an uncertain future, you need to set a course. But how do you set a course when the destination is unknown? This is where it becomes necessary to imagine a world; a future world that is different from our own. Somehow we need to imagine a world that we can’t really fully conceive yet—a world that we can see only dimly, as if through a fog.</p></blockquote>
<p>Pic <a rel="nofollow" target="_blank" href="http://www.flickr.com/photos/45409431@N00/5374308475">navigation (cc)</a> by marfis75</p>
]]></content:encoded>
      </item>
      <item>
         <title>HISI annual conference for November 2010</title>
         <link>http://blogs.ics.ie/health20/2010/08/26/hisi-conference-for-november-2010/</link>
         <description>Ireland’s premier healthcare informatics event will take place on 17th/18th November 2010 in the Stillorgan Park Hotel, Stillorgan, Co. Dublin. Recognised for providing a significant contribution to the development and understanding of information and its associated technologies in the delivery of healthcare, the conference is the focal point for those interested in Healthcare Informatics in [...]</description>
         <guid isPermaLink="false">http://blogs.ics.ie/health20/?p=59</guid>
         <pubDate>Thu, 26 Aug 2010 13:31:43 +0000</pubDate>
         <content:encoded><![CDATA[<p>Ireland’s premier healthcare informatics event will take place on 17th/18th November 2010 in the Stillorgan Park Hotel, Stillorgan, Co. Dublin.</p>
<p>Recognised for providing a significant contribution to the development and understanding of information and its associated technologies in the delivery of healthcare, the conference is the focal point for those interested in Healthcare Informatics in Ireland to network with their peers and learn about the latest developments in Healthcare ICT.</p>
<p>This year’s HISI Conference and Scientific Symposium will reflect current developments in healthcare computing, associated technologies and communications infrastructures within Ireland and in the wider international context. The conference will include a panel of international experts, with the Health Informatics CEO of the year from the US as the keynote speaker; Matthew Swindells, Chair of BCS Health, will also be speaking at this year’s event. More information will be available soon on www.hisi.ie and in the Autumn Newsletter.</p>
<p><strong>Call for Papers</strong>: HISI invites the submission of Papers and Poster Presentations for the 2010 conference before September 17th.</p>
<p>Check out the official <a rel="nofollow" target="_blank" href="http://www.hisi.ie">HISI</a> website for regular updates.</p>]]></content:encoded>
         <category>HISI</category>
      </item>
      <item>
         <title>Healthcare IT has fewest data breaches</title>
         <link>http://blogs.ics.ie/health20/2010/08/26/healthcare-it-has-fewest-data-breaches/</link>
         <description>Healthcare accounts for just three percent of data breaches in the United States. So reveals a new report on cybercrime by Verizon and the US Secret Service. The biggest targets, not surprisingly, were the financial services sector (33%), followed by the hospitality (23%) and retail sectors. Their vulnerability reflects their use of payment cards and [...]</description>
         <guid isPermaLink="false">http://blogs.ics.ie/health20/?p=47</guid>
         <pubDate>Thu, 26 Aug 2010 10:30:48 +0000</pubDate>
         <content:encoded><![CDATA[<p>Healthcare accounts for just three percent of data breaches in the United States. So reveals a new report on cybercrime by Verizon and the US Secret Service. The biggest targets, not surprisingly, were the financial services sector (33%), followed by the hospitality (23%) and retail sectors. Their vulnerability reflects their use of payment cards and point of service systems, according to the analysis.</p>
<p>In 70% of cases the cybercrime perpetrators were external agents; insiders were implicated in 48% of cases and business partners in 7%. (The numbers exceed 100% because many cases involved multiple parties.) Misuse of privilege was the most common problem, but hacking and malware remain big threats. Most attacks were not considered highly difficult, and victims generally had evidence of the breaches in their log files.</p>
<p>You can read a brief summary of the report&#8217;s findings at <a rel="nofollow" target="_blank" href="http://www.fiercehealthit.com/story/healthcare-sees-less-data-breaches-other-industries/2010-08-23">FiercehealthIT</a> and the full <em>2010 Data Breach Investigations Report</em> in PDF format is available online <a rel="nofollow" target="_blank" href="http://www.verizonbusiness.com/resources/reports/rp_2010-data-breach-report_en_xg.pdf">here</a>.</p>]]></content:encoded>
         <category>Data security</category>
      </item>
      <item>
         <title>Health and fitness apps for the iPhone</title>
         <link>http://blogs.ics.ie/health20/2010/08/24/health-and-fitness-apps-for-the-iphone/</link>
         <description>The Nursing Degree Network has put together an excellent list of the 50 Coolest Fitness and Health Apps for the Apple iPhone. The iPhone can help make it a little easier for caregivers and individuals to track and stay informed about a wide range of fitness and health topics. From nutrition databases to instructional fitness [...]</description>
         <guid isPermaLink="false">http://blogs.ics.ie/health20/?p=27</guid>
         <pubDate>Tue, 24 Aug 2010 09:29:56 +0000</pubDate>
         <content:encoded><![CDATA[<p><a rel="nofollow" target="_blank" href="http://blogs.ics.ie/health20/2010/08/24/health-and-fitness-apps-for-the-iphone/iphone_health_app/"><img src="http://blogs.ics.ie/health20/files/iphone_health_app.png" alt="" title="iphone_health_app" width="61" height="92" class="alignleft size-full wp-image-37"/></a>The <a rel="nofollow" title="Nursing Degree Network" target="_blank" href="http://www.nursingdegree.net/">Nursing Degree Network</a> has put together an excellent list of the <a rel="nofollow" title="iPhone Health Apps" target="_blank" href="http://www.nursingdegree.net/blog/28/ifit-50-coolest-fitness-and-health-apps-for-the-iphone/">50 Coolest Fitness and Health Apps for the Apple iPhone</a>. The iPhone can help make it a little easier for caregivers and individuals to track and stay informed about a wide range of fitness and health topics. From nutrition databases to instructional fitness videos, there are lots of ways you can use an iPhone to help you keep yourself in tip-top shape. Here are a few great applications that can let you integrate your iPhone into your or your patient&#8217;s health and fitness program.</p>
<ul>
<li><a rel="nofollow" target="_blank" href="http://www.iphonenutrition.com/">iPhone Nutrition</a>: This application allows you to enter in a food and get all the nutritional information on it you’ll need.</li>
<li><a rel="nofollow" target="_blank" href="http://symptomnav.adam.com/">Symptom Navigator</a>: Get an idea of what you might be suffering from with this tool that allows you to easily navigate a range of symptoms.</li>
<li><a rel="nofollow" target="_blank" href="http://itunes.apple.com/us/app/ipharmacy-the-drug-medication/id348702163?mt=8">iPharmacy</a>: With iPharmacy you can browse through thousands of drug descriptions, illness symptoms, and drug side effects and interactions all right through your phone.</li>
<li><a rel="nofollow" target="_blank" href="http://medicomatic.com/">Medicomatic</a>: Medical professionals can analyze symptoms and read about a variety of diseases and illnesses through the iPhone using this helpful database.</li>
<li><a rel="nofollow" target="_blank" href="http://www.apple.com/webapps/utilities/biodictionary.html">Bio Dictionary</a>: For those who don’t have a huge knowledge of biological and medical terms, this dictionary can be a quick and easy way to look things up and stay on top of any health issue.</li>
</ul>
<p>For further and regularly updated information, check out the <a rel="nofollow" target="_blank" href="http://www.iphonehealthapps.net/">iPhone Health Apps</a> website that offers a database of over 2,000 apps.</p>]]></content:encoded>
         <category>Mobile</category>
      </item>
      <item>
         <title>Smarter healthcare video from IBM</title>
         <link>http://blogs.ics.ie/health20/2010/08/20/16/</link>
         <description>Enabling Smarter Healthcare is the title of a two-minute video from IBM that highlights the many benefits of connecting electronic medical record systems with each other and with other healthcare software systems. Among the benefits are: a better patient experience, improved treatments, lower costs, and opportunity for scientists to use data in confidence for disease [...]</description>
         <guid isPermaLink="false">http://blogs.ics.ie/health20/?p=16</guid>
         <pubDate>Fri, 20 Aug 2010 18:11:25 +0000</pubDate>
         <content:encoded><![CDATA[<p><em>Enabling Smarter Healthcare</em> is the title of a two-minute video from IBM that highlights the many benefits of connecting electronic medical record systems with each other and with other healthcare software systems. Among the benefits are: a better patient experience, improved treatments, lower costs, and opportunity for scientists to use data in confidence for disease research.</p>
<p><embed src="http://www.youtube.com/e/P0TkZMUF3vM" type="application/x-shockwave-flash" width="500" height="306"></p>
<p>The short video is a light-hearted introduction to IBM&#8217;s vision of a <a rel="nofollow" target="_blank" href="http://asmarterplanet.com/">Smarter Planet</a> &#8230; and what it means for our health systems. Check it out.</p>]]></content:encoded>
         <category>General</category>
      </item>
      <item>
         <title>Survival and Sustainability – Challenges for IT in Healthcare</title>
         <link>http://blogs.ics.ie/health20/2010/07/29/hello-world/</link>
         <description>Current tax revenues simply cannot afford to sustain healthcare spending levels, stated Prof. Gerard Lyons in an address to a special HISI conference held to recognise the Irish visit of the IMIA Board. Prof. Lyons argues that we must embrace a multitude of collaborative and interoperable systems and applications if we are to make progress [...]</description>
         <guid isPermaLink="false">http://blogs.ics.ie/health/?p=1</guid>
         <pubDate>Thu, 29 Jul 2010 14:12:52 +0000</pubDate>
         <content:encoded><![CDATA[<p>Current tax revenues simply cannot afford to sustain healthcare spending levels, stated Prof. Gerard Lyons in an address to a special HISI conference held to recognise the Irish visit of the IMIA Board. Prof. Lyons argues that we must embrace a multitude of collaborative and interoperable systems and applications if we are to make progress towards a more effective, scalable and efficient healthcare system.</p>
<p>This special one-day HISI conference is being held to recognise the visit to Ireland of the Board of the International Medical Informatics Association (IMIA). We hope this event will provide an opportunity to learn from international experience and to gain a better understanding of the shared challenges and opportunities we face as healthcare IT specialists. In the 42 years since its foundation, IMIA has served to promote the advancement of healthcare through the application of informatics developments in clinical practice and healthcare management. It has recognised that we share many common challenges across the globe. Critically, it has fostered a mutual respect and understanding between clinicians and informatics professionals, as the only sustainable platform upon which practical improvements can be made in healthcare IT.</p>
<p>This conference is being held at a defining period for publicly funded healthcare systems throughout the world. Ireland Inc. represents a live and emerging case study which has parallels throughout the developed world. While the IMF has forecast a global economic contraction of about 1½% this year, most commentators now agree on a GNP decline of 8-10% in Ireland, followed by a further 3% negative growth in 2010. In Ireland, current year expenditure on publicly funded health and social services now accounts for as much as 45% of the total national tax revenue. With effective increases in taxation biting hard (by up to 20%) into take-home salaries, coupled with a doubling of real unemployment in just a year, we must all now face-up to the underlying challenge of escalating costs of public healthcare systems and question the sustainability of this form of provisioning in the medium term.</p>
<p>However, in the short-term, we are faced with the more immediate challenge of survival, as current tax revenue simply cannot afford to sustain healthcare spending levels. In Ireland, this comes at a very unfortunate time as the programme of healthcare transformation, led by the Health Service Executive, may well be crippled by an inability to invest in the future. Should this happen, we will all be faced with a far worse taxation burden in the future and a much poorer healthcare service.</p>
<p>If there is anything to be gained from the current global economic meltdown, it is the loud wake-up call to re-evaluate our current ingrained aspirations, assumptions and &#8220;ways of doing things around here&#8221;. The White House Chief of Staff, Rahm Emanuel, recently advised that &#8220;one should never waste a good crisis&#8221;. So, this period may well be defined by a new willingness to face-up to the stark realities of public healthcare and take a more mature and responsible attitude to promoting reform, whether as tax payers, healthcare providers, patients, carers, doctors, nurses or trade-union bodies.</p>
<p>Some of our most pressing responsibilities are:</p>
<ul>
<li>An ageing population which will drive further increases in demand for healthcare within the next 10 years – this is an unstoppable trend!</li>
<li>Lifestyle choices (evidenced by increasing Body Mass Index and per capita alcohol consumption) which are already placing a huge burden on the healthcare system and this will rise exponentially unless we can tackle the problem at source – personal accountability!</li>
<li>Healthcare outcomes which are poorer in Ireland for many conditions despite the high spending levels – clearly, we have an urgent need to re-think delivery processes and structures, both on the clinical practice side and on the provisioning cost dimension!</li>
<li>Rising wealth which has promoted unrealistic aspirations for a uniformly high-quality healthcare, while appearing unwilling to bear increased taxation – someone&#8217;s got to pay!</li>
<li>A need to balance health promotion and disease prevention with the exponentially increasing costs of high-acuity treatments, as well as an evaluation of the efficacy of advanced health technologies.</li>
</ul>
<p>While we are all conscious of these underlying challenges, to-date we appear to have been incapable of tackling them with a collective determination – perhaps it&#8217;s just like we pretended the Celtic Tiger was a durable species&#8230;!</p>
<p>By way of contrast, the Obama administration has now begun to confront the far greater problems facing US healthcare. Evidence of their commitment to health informatics is the recent allocation of up to $19 billion in a stimulus budget for health IT spending, with a determination to achieve nation-wide implementation of electronic patient record systems by 2014. Regrettably, Ireland has been very slow to realise the potential of health IT, and we spend less than half of 1 per cent (i.e. &#8216;½&#8217;%) of the annual public healthcare budget on IT. While money alone is never going to transform Irish healthcare, a lack of spending on areas critical to healthcare transformation will further reinforce the inefficient rigidities which confound our health system daily. Neither will IT on its own bring about a radical transformation of clinical and operational practice.</p>
<p>We need a sustained and choreographed effort that must include:</p>
<ul>
<li>Clinical practice change;</li>
<li>Healthcare management and organisation change;</li>
<li>Re-design of healthcare delivery models and operational practices; and</li>
<li>Support from the tools, techniques, systems and expertise available from health IT.</li>
</ul>
<p>But, given where we&#8217;re starting from in Irish healthcare IT, we need much more than academic exhortation to achieve meaningful change in a realistic time frame of not more than 4-5 years. We desperately need to assemble a full poker hand of five trump cards:</p>
<ol>
<li>Motivation: Clearly, the flames are leaping high from our &#8216;burning platform&#8217; for healthcare transformation. The need for change really exists in absolute terms. We must now face-up to this need, honestly, and collectively – politicians, tax payers, healthcare professionals, patients and carers, and especially our very vocal representative bodies.</li>
<li>Direction: Despite the many volumes of expert opinion in virtually every care group sector, and the never-ending debate about private vs. public systems, we have not set-out a clear and viable model for end-to-end healthcare delivery in Ireland which accommodates the multitude of different needs and provisioning approaches (public, private, and voluntary). This is not a simple task and is not amenable to a political quick-fix as often advocated; nor can we simply transpose healthcare delivery models that appear to work in other jurisdictions, as these are all context-specific.</li>
<li>Powerful Friends: IT has not been held in high regard in Irish healthcare (albeit, for all the wrong reasons) but the old tapes must now be changed. We need IT based transformation to be championed at the highest administrative, political, institutional and commercial levels. We need a pragmatic consensus approach which includes: Ministers for Health and Finance; back-benchers and opposition spokespersons; Healthcare administrators – HSE, DoHC, Clinical Leaders, Healthcare IT vendors, and international key opinion leaders (such as IMIA).</li>
<li>Proven Successes: We need to demonstrate quickly that IT can really make a tangible, significant and very public difference in: clinical outcomes, better access, increased patient safety and resource efficiencies.</li>
<li>Health Informatics Professionals: Finally, we need to cultivate a cohort of health informatics professionals, cross-trained in both the technical skills of computer science and the clinical knowledge of the healthcare application domain. This may well be the most difficult challenge, as the current supply of health IT professionals is totally inadequate throughout the developed world.</li>
</ol>
<p>Equipped with these five trump cards, we could feel confident that IT can be used to good effect both in terms of near-term crisis management and in longer-term sustainability. But if we&#8217;ve learned anything from the recent economic crisis it is that we are now operating well beyond the boundaries of normality and planning certainty. We cannot afford the luxury of single, large-scale all &#8216;singing n’ dancing&#8217; IT solutions. Instead, we must embrace the reality of a multitude of collaborating systems and applications, which must become interoperable (even at a basic data exchange level) if we are to make progress towards a more effective, scalable and efficient healthcare system.</p>
<p>By Professor Gerard Lyons, President of HISI</p>]]></content:encoded>
         <category>General</category>
      </item>
   </channel>
</rss>

