Internal problems exposed at Irish Data Protection Commission


9 February 2021 

ICCL investigation reveals years of delays to major ICT overhaul intended to enable the Irish Data Protection Commission to enforce the GDPR.

Documents obtained by ICCL under the Freedom of Information Act reveal that a major internal ICT project to enable the Irish Data Protection Commission to operate effectively as a GDPR enforcer has been delayed for years. 

Five years after announcing that it would move to the new ICT system, and after having spent at least €615,121 on the project, the DPC continues to use antiquated "Lotus Notes" technology. 

A former DPC employee told ICCL that using Lotus Notes to organise complicated GDPR complaints handling and investigations is "like trying to run your payroll system with an abacus". 

The DPC's ICT project has missed deadline after deadline. It is so vast that when ICCL first asked the DPC for information about it, the DPC said that it would take 124 days (“988 hours”) to gather all the information about the project. 

ICCL is concerned that the staff of the body charged with upholding data rights of all European users of Google, Facebook, and other tech giants, are unable to do so. 

Dr Johnny Ryan, an ICCL Senior Fellow, said:

"The GDPR gives Ireland a central role in protecting data rights across the entire European Union, monitoring how Google, Facebook, and others use our data. But the DPC is not configured for its digital mission. What we have discovered indicates that it cannot run critically important internal technology projects. How can it be expected to monitor what the world’s biggest tech firms do with our data? This raises serious questions not only for the DPC, but for the Irish Government. We have alerted the Irish Government of the strategic economic risk from failing to enforce the GDPR."

We have published the internal DPC documents on which this report is based. The report is below. 

Press contact: Sinéad Nolan. Email sinead.nolan@iccl.ie or phone +353-87-4157162.

New ICT system was intended to enable the DPC to enforce the GDPR

In April 2016, two years before the application of the GDPR, the DPC said its “main goals for GDPR and ePrivacy Readiness” included “implementation of a new website and case-management system”.[1] This was “to be developed in the next 12 months”.

The DPC made it known in its 2017 annual report that moving to a new ICT system was essential for it to be able to perform its tasks under the new GDPR. The system was “required for the DPC to effectively roll-out the new legislation” and would “enhance how the DPC manages queries, complaints and investigations”.[2]

According to internal DPC documents, the planned ICT system would have a role in every aspect of the DPC’s work. It would control “case management, workflow and reporting”,[3] and would be used to manage the “complete case lifecycle from case opening, update through to closure”.[4] This would include “review and approval of case documentation and the transition of a case through different case stages by relevant DPC stakeholders as required.”[5]

The DPC’s planned “fit for purpose” system[6] would also connect to virtually every aspect of DPC staff’s work, including email and calendars.[7]

Another internal DPC document says that the planned system would “support critical DPC process areas – Breach notifications, access requests, complaints handling, assessment, investigation and inquiry processes”.[8] Contractor documentation notes that the new system was needed to “improve throughput and quality of casework”, and to “reduce errors”.[9]

Deadlines missed, year after year

An internal DPC document shows that the DPC viewed it as essential that the new ICT system be ready for the GDPR deadline of 25 May 2018. Missing that deadline “will result in the system implementation being considered a failure”.[10]

But the system that the DPC said would transform it into an effective GDPR enforcer did not launch for the GDPR deadline of 25 May 2018. In fact, in 2021 it has yet to be launched.

Instead, DPC staff charged with enforcing digital rights over the world’s largest technology companies are using an antiquated system called “Lotus Notes”.[11] A former DPC employee told ICCL that using Lotus Notes to organise complicated GDPR complaints handling and investigations is "like trying to run your payroll system with an abacus".

The DPC first spoke about the system in 2016, and promised to develop it in 12 months.[12] But the system was not developed, and the following year, in 2017, Helen Dixon said that the new ICT system was a key goal for 2018.[13]

The DPC issued a request for tender in December 2017, giving contractors until late January 2018 to submit proposals.[14] This left only five months before the 25 May 2018 GDPR deadline.

A month before the deadline, internal documents reveal that the DPC’s steering group confirmed that the system was not going to launch in time.[15]

In fact, it would take another three months before the DPC even came to a decision about what it wanted its external contractor to do. A “statement of work” was finally signed with a contractor in July 2018.[16] The projected cost was €252,350.[17]

An internal planning document shows that by June 2018, the DPC had started to target a launch date of October 2018 – five months later than the original target date.[18] To avoid missing the deadline again, the DPC decided to launch only the most essential aspects of the new system by this new deadline. But even so, the DPC missed this revised deadline, too. 

The DPC’s public 2019 “strategy statement” said that launching a new ICT system would again be a priority action.[19] However, minutes of an internal meeting in February 2019 show that the DPC had not yet initiated procurement of essential components of the ICT system by that time, even though the project was now nine months late.[20] Nor had it begun to train staff to use the system. 

The minutes of the February 2019 meeting show that Helen Dixon and her colleagues were concerned that additional costs and procurement could draw the attention of the Government Comptroller and Auditor General (C&AG), particularly since the DPC’s finances had recently been made independent of the Government’s Department of Justice. The minutes of that meeting note: “CNAG have not previously queried costs but as costs will be incurred and DPC will be independent, costs and provider decisions may be queried in the future”.[21]

An internal document reveals that the DPC finally started to procure the infrastructure to host the new Case Management System in July 2019.[22] This was fourteen months after the GDPR deadline.

The minutes of the February 2019 meeting anticipated completion of the project in March 2020.[23] But the DPC missed that deadline, too. Instead of a launch, March 2020 saw the DPC commission a “design review” of the planned CMS and its implementation, with a particular focus on the security of the system.[24] An internal document shows that the project was so far from completion by this date that the contractor hired to conduct the review had to do so “based on the partial documentation as it exists”.[25]

The DPC’s 2019 annual report had announced that it would begin phased implementation of the new ICT system in 2020.[26] Again, this deadline appears to have been missed.

In June 2020 the DPC publicly acknowledged a "classification gap" in how it logs queries, which it said “will close out as the DPC’s new case management system comes on stream”.[27]

In October 2020, when the 2021 Budget allocations from Government were announced, Helen Dixon said that the funding would allow it “to continue with key strategic projects, such as the completion of a new Case Management System”.[28]

Mounting costs

By October 2020, the DPC’s ICT project had cost the taxpayer at least €615,121.[29] This figure does not include the cost of maintaining the antiquated Lotus Notes system, because that cost is borne by the Government’s Department of Justice.

Nor does the €615,121 spent so far include DPC staff time on the project from 2016 onward. The DPC says it did not record the cost of staff time on the project,[30] but it is apparent from the DPC’s first reply to ICCL’s requests for information that the unaccounted staff cost has been enormous: the project is so vast that the DPC has 5,925 pages of records about it.[31] When ICCL first asked the DPC for this information, the DPC said it would take 124 days (“988 hours”) to gather all the information about the project.[32]

In mid-2020, the DPC made a “pre-budget” submission to the Irish Government about the budget it wanted for 2021. The DPC described a need to “move such legacy data to the new CMS system and incur associated costs related to physical data migration, organisational change, testing and security proofing the new systems and training of staff on a completely new case management interface”.[33]

That submission warned of a further cost of €450,000 in 2021 from the ICT project, which will bring the accounted cost to over a million euro.[34]

 

Author: Dr Johnny Ryan.
Thanks to Olga Cronin.
Thanks also to Ken Foxe, who obtained the DPC's 2021 pre-budget submission. 


Notes

 

[1] 2016 Annual Report of the Data Protection Commissioner of Ireland, April 2016 (URL: https://www.dataprotection.ie/sites/default/files/uploads/2018-11/Annual%20Report%202016.pdf), p. 7. See also “Framework Agreement for the provision and implementation of CRM Software Solutions Supplementary Request for Tender – Lot 1 CRM (On Premises)”, December 2017, Office of Government Procurement, p. 9.

[2] 2017 Annual Report of the Data Protection Commissioner of Ireland (URL: https://www.dataprotection.ie/sites/default/files/uploads/2018-11/Annual%20Report%202017.pdf), p. 45.

[3] “GDPR & ePrivacy Readiness Process and Organisation Design Project: case management system requirements, draft v0.5”, 16 August 2017. Obtained by ICCL under freedom of information, p. 5.

[4] ibid., p. 6.

[5] ibid., p. 8.

[6] Final Report 1 January - 24 May 2018 (URL: https://www.dataprotection.ie/sites/default/files/uploads/2018-11/DPC%20annual%20Report%202018_0.pdf), p. 5.

[7] “GDPR & ePrivacy Readiness Process and Organisation Design Project: case management system requirements, draft v0.5”, 16 August 2017. Obtained by ICCL under freedom of information. p. 5.

[8] “CMS and Website Projects. GDPR Readiness Programme”, Data Protection Commission, 13 June 2018, Obtained by ICCL under freedom of information, p. 10.

[9] “Statement of Work: Data Protection Commissioner”, Codec. Obtained by ICCL under freedom of information. 13 July 2018, p. 2.

[10] “Data Protection Commissioner Case Management System Prioritisation of Requirements for Phase 1 Release”, 14 March 2018. Obtained by ICCL under freedom of information. p. 2.

[11] Final Report 1 January - 24 May 2018 (URL: https://www.dataprotection.ie/sites/default/files/uploads/2018-11/DPC%20annual%20Report%202018_0.pdf), p. 5.

[12] 2016 Annual Report of the Data Protection Commissioner of Ireland, April 2016 (URL: https://www.dataprotection.ie/sites/default/files/uploads/2018-11/Annual%20Report%202016.pdf), p. 7.

[13] 2017 Annual Report of the Data Protection Commissioner of Ireland (URL: https://www.dataprotection.ie/sites/default/files/uploads/2018-11/Annual%20Report%202017.pdf), p. 11.

[14] “Framework Agreement for the provision and implementation of CRM Software Solutions Supplementary Request for Tender – Lot 1 CRM (On Premises)”, December 2017, Office of Government Procurement, p. 1.

[15] “CMS and Website Projects. GDPR Readiness Programme”, Data Protection Commission, 13 June 2018, Obtained by ICCL under freedom of information, p. 11.

[16] “Statement of Work: Data Protection Commissioner”, Codec. Obtained by ICCL under freedom of information. 13 July 2018, p. 1.

[17] ibid.

[18] “CMS and Website Projects. GDPR Readiness Programme”, Data Protection Commission, 13 June 2018, Obtained by ICCL under freedom of information, p. 16.

[19] DPC Statement of Strategy for 2019 (URL: https://www.dataprotection.ie/sites/default/files/uploads/2019-02/Statement%20of%20Strategy%202019.pdf), p. 15.

[20] “DPC Projects Governance Meeting”, 18 February 2019. Obtained by ICCL under freedom of information. p. 4.

[21] ibid., p. 1.

[22] “DPC CMS Infrastructure / Solution Architect Requirements. Scope of work”, 19 July 2019. Obtained by ICCL under freedom of information, p. 1.

[23] “DPC Projects Governance Meeting”, 18 February 2019. Obtained by ICCL under freedom of information. p. 4.

[24] “Data Protection Commission: client management system design review”, Evros, 13 March 2020. Obtained under freedom of information, p. 5.

[25] ibid., p. 5.

[26] 2019 Annual Report of the Data Protection Commission of Ireland (URL: https://www.dataprotection.ie/sites/default/files/uploads/2020-02/DPC%20Annual%20Report%202019.pdf), p. 75.

[27] DPC Ireland 2018-2020: Regulatory Activity Under the GDPR, June 2020 (URL: https://www.dataprotection.ie/en/news-media/latest-news/dpc-ireland-2018-2020-regulatory-activity-under-gdpr), footnote 8, p. 15.

[28] "Data Protection Commission statement on funding in 2021 Budget", Data Protection Commission, 13 October 2020 (URL: https://www.dataprotection.ie/en/news-media/press-releases/data-protection-commission-statement-funding-2021-budget).

[29] DPC costs provided by DPC to ICCL, under freedom of information request.

[30] Letter Tom Walsh to Johnny Ryan, Regarding FOI Request – Decision Letter, 22 January 2021, pp. 2-3.

[31] Letter Tom Walsh to Johnny Ryan, Regarding FOI Request – FOI-48-2020, 6 November 2020.

[32] Letter Tom Walsh to Johnny Ryan, Regarding FOI Request – FOI-48-2020, 6 November 2020.

[33] 2021 Pre-budget submission, p. 23.

[34] ibid.
