Privacy Kit

June 7, 2021

"a roulade made entirely of human ears" | The Cat Herder, Volume 4, Issue 21

Bank Holiday edition. This week's title is courtesy of Marina Hyde. 😼
 
June 7 · Issue #134

Heather Burns
@WebDevLaw
If any litigious types work in the nexus of privacy & domestic violence, @Spotify still refuses to allow users to block followers, despite 8 years of public requests. Outcome: countless people being stalked & harassed via Spotify, who say blocking is "not on the product roadmap".
7:15 PM - 1 Jun 2021
Same old same old
The Department of Children AKA the Department of Determined Not To Learn Anything appears to be going above and beyond in its efforts not to fully release personal data to people whose information is contained in the archive of the Mother and Baby Homes Commission of Investigation.
culchiewoman
@culchiewoman
I learned there was “health-related” (vaccine trials) info withheld until I sign a consent to have this data sent to my GP, because I, a 61-yr old woman, am evidently incapable of handling it (would they had been so concerned when ramming trial vaccines in me in 1961). /4 https://t.co/Y1R6XL7jkB
10:04 PM - 2 Jun 2021
The Department is asserting it cannot release medical records without first consulting with an appropriate medical practitioner. This assertion is based on a Statutory Instrument from 1989 which was amended by the 2018 Data Protection Act. The SI as amended does not meet the requirements of Article 23 GDPR which clearly lists conditions which must be present in any legislative measure which restricts data subject rights and data controller obligations.
Last week we (wearily) revisited the Minister for Children’s reversal of position last October on whether the GDPR (a European Regulation which has primacy over any conflicting national legislation) applied to the records in the archive of the Commission. The claim at that time was that the national legislation trumped the European Regulation. This was not the case.
The claim now being advanced by the Department is in essence precisely the same.
This Twitter thread by Simon McGarr, co-starring Bernie Sanders, puts it better than I can.
Simon McGarr
@Tupp_Ed
Incredibly, https://t.co/JYoOLZ1KH0
8:09 AM - 4 Jun 2021
—
Also following on from last week, the GP data grab in the UK is getting grubbier. It turns out even the NHS wanted to allow more time for people to learn more and opt out should they wish to, but the Government is ploughing ahead.
The data is moving to a central NHS Digital database, with the Department of Health saying it expects GPs to introduce the system from 1 July.
The NHS wanted a delay until September so patients had more time to learn about the system, the BBC has learned.
Patient data transfer still set to start in July - BBC News
www.bbc.com
The government is set to introduce scheme, despite the NHS suggesting a delay until September.
The government is meeting growing resistance from the GPs it hopes to compel to hand over their patients’ medical records.
All 36 doctors’ surgeries in Tower Hamlets, east London, have already agreed to withhold the data when collection begins on 1 July, the Guardian understands. An email has been circulated to about 100 practices across north-east London calling on them to also consider whether the data collection is legitimate, with the hope that it will spread to many more. The email makes clear the refusal to share the data is technically a breach of the Health and Social Care Act 2012.
Privacy campaigners and doctors have raised the alarm about plans, led by the Department of Health and Social Care, to put the medical histories of more than 55 million patients into a new database where they will be made available to the private sector and other researchers.
GPs urged to refuse to hand over patient details to NHS Digital | GPs | The Guardian
www.theguardian.com
Senior doctors call on colleagues not to share personal data, in effort to buy time to raise awareness of plans
In a comment piece in the Guardian Marina Hyde points out this isn’t the first time this has been tried.
Anyway, Care.data failed, because a ragtag band of privacy campaigners, worried doctors and MPs like David Davis campaigned their arses off, meaning that there was public debate and enough people learned about it in time to opt out. Post its collapse, the Care.data plan was described by one statistics professor as “disastrously incompetent – both ethically and technically”. Which sounds like the sort of review Mary Berry would give on Bake Off to a roulade made entirely of human ears, but which arguably has even wider implications.
The Tories have worked out how to pull off an NHS data grab: do it during a pandemic | Marina Hyde | The Guardian
www.theguardian.com
Taking data from patients in England was so unpopular in 2014 it was shelved. Now it’s happening without the scrutiny, says Guardian columnist Marina Hyde
Or maybe they could
Continuing the military theme from last week, the UK’s armed forces apparently routinely share the personal data of everyone who receives a promotion in a spreadsheet.
A former Army source told The Register the practice of sharing newly promoted people’s personal details in a spreadsheet accessible by the entire 80,000-strong British Army was routine, but said: “Normally this is passworded and kept on the intranet.”
UK Special Forces soldiers' personal data was floating around WhatsApp in a leaked Army spreadsheet • The Register
www.theregister.com
Bizarre promotion practice leads to near-inevitable breach
The statement itself is vague, as it doesn’t specify whether it’s considering federal law, states laws, or both. It also doesn’t explain, as the other part did, why TikTok needs this data. It doesn’t define the terms “faceprints” or “voiceprints.” Nor does it explain how it would go about seeking the “required permissions” from users, or if it would look to either state or federal laws to guide that process of gaining consent.
TikTok just gave itself permission to collect biometric data on US users, including ‘faceprints and voiceprints’ – TechCrunch
techcrunch.com
A change to TikTok’s U.S. privacy policy on Wednesday introduced a new section that says the social video app “may collect biometric identifiers and biometric information” from its users’ content. This includes things like “faceprints and voiceprints,” the policy explained. Reached for comment, TikTok could not confirm what product developments necessitated the addition of biometric […]
EDPB Chair, Andrea Jelinek said: “2020 and the COVID-19 pandemic significantly altered how we live and work. Given the increasing presence of data-driven technologies in addressing the pandemic, the awareness of data protection rights among individuals and organisations has never been more critical. It is important to note that the 2020 lockdowns in all our countries did not mean a slowdown of the EDPB’s activities. 2020 was marked by many major developments in the EU data protection legal sphere, requiring the EDPB’s expertise and guidance.”
The European Data Protection Board published its Annual Report for 2020.
—
The DPC published a decision relating to an own-volition inquiry into actions taken by the Department of Employment Affairs and Social Protection in July 2018 to amend its Data Protection Notice / Privacy Statement. The DPC decided that the department had not infringed Article 38(1) and Article 38(3) of the GDPR.
It is interesting to note that both the summary and full decision mention that the “scope of the inquiry did not concern whether the Department’s amendment complied with its transparency obligations under the GDPR.” Since the amendment concerned increasingly Jesuitical interpretations by the department of the meaning of the word “biometric”, one can only wonder why, during the whole investigation process, the DPC did not see fit to examine compliance with the transparency obligations.
  • “Sadly, history informs that the use of Ministerial Directions to define lawful processing of personal data has been a recipe for unaccountability and secrecy. For example, it was the use of Directions made under the Telecommunications Act 1984 which, until the Snowden revelations, legitimised the bulk personal data collection capabilities of the national security agencies for over three decades … I should make my position clear: I am at an age where many things are, shall we say, “going South”; if some or all of my medical records could help someone else then I am all for it. What I am not for, is my medical records being exposed to a set of shysters by accident or design. Sadly, there are many such shysters around in the high tech arena; recent press coverage about PPE tells us that some are friends with Governmental decision makers.” The Hawktalk Blog on the NHS data grab.
  • “I would argue that people separated from family and/or cared for by the state should be understood to have a particularly strong right to all of their personal data including mixed personal data; because their right to the personal data is also their right to identity; it is their right to family; it is their right to accountability for how they were treated by the state; it is their right to access justice in the event that they allege abuse; it is their right to the cessation of enforced disappearances or other continuing situations of violation of private or family life; it is their right to the truth and reparation where they have suffered abuse; and it is their right to freedom of expression and to contribute to the national historical record if they so choose.” From a presentation by Maeve O'Rourke to a discussion on Children’s Rights and Alternative Care hosted by the Council of Europe Committee for the Rights of the Child, as part of the UN Committee on the Rights of the Child (UNCRC) Day of General Discussion (DGD) on this theme.
  • “In terms of next steps, companies will need to carefully consider the New SCCs to determine which of the Models applies to their data transfer scenarios, how they and other parties will comply with contractual obligations in the New SCCs and how they will roll out the New SCCs over the next few months both for intra-group transfers but also data transfer to vendors and other third parties. Companies will also need to consider the use of New SCCs in the context of their Schrems II data transfer assessment projects, final guidance on which is due to be published by the European Data Protection Board shortly.” Francesca Blythe and William Long of Sidley cast an eye over the European Commission’s new Standard Contractual Clauses.
Endnotes & Credits
  • The elegant Latin bon mot “Futuendi Gratia” is courtesy of Effin’ Birds.
  • As always, a huge thank you to Regina Doherty for giving the world the phrase “mandatory but not compulsory”.
  • The image used in the header is by Krystian Tambur on Unsplash.
  • Any quotes from the Oireachtas we use are sourced from KildareStreet.com. They’re good people providing a great service. If you can afford to then donate to keep the site running.
  • Digital Rights Ireland have a storied history of successfully fighting for individuals’ data privacy rights. You should support them if you can.
Find us on the web at myprivacykit.com and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn.
If you know someone who might enjoy this newsletter do please forward it on to them.
