Privacy Kit

Subscribe
Archives
September 20, 2020

Abomination | The Cat Herder, Volume 3, Issue 36

GMI again. Tony Abbot's Instagram. Re-identification ain't hard. Nor is medical confidentiality. This
 
September 20 · Issue #100 · View online
The Cat Herder
GMI again. Tony Abbot’s Instagram. Re-identification ain’t hard. Nor is medical confidentiality. This is the hundredth issue of this newsletter. So thank you all for reading.
😼

Because internet service providers often assign public IP addresses dynamically, different people end up using the same numeric internet address on different days or after reconnecting to their ISP. The family in question had been using the identified IP address, just not on the day the illegal material was uploaded to Facebook.
Family wrongly accused of uploading pedo material to Facebook – after US-EU date confusion in IP address log • The Register
www.theregister.com – Share
Site accessed on 10/11/2016… is that November 10 or October 11?
—
Just because the entity responsible for the data breach says “the risk of identification was low” doesn’t mean this is actually the case. In 2002 Latanya Sweeney “found that 87 percent of the U.S. population could be identified by just three data points: zip code, date of birth and gender.” Her paper used data from 1996, almost a quarter of a century ago and before Google even existed. Re-identification has become significantly easier since then.
The health body said the data of 18,105 Welsh residents was viewable online for 20 hours on 30 August.
Most cases gave initials, date of birth, geographical area and sex, meaning the risk of identification was low, Public Health Wales (PHW) said.
Coronavirus: 18,000 test results published by mistake - BBC News
www.bbc.com – Share
Full names were not published, but people living in care homes are more at risk of being identified.
—
In Ireland the HSE appears to have overruled the Covid Tracker App which leaves a question mark over the effectiveness of the app.
Concern over confusion surrounding close contacts at Drogheda school
www.rte.ie – Share
Teachers at one of the country’s largest second-level schools have expressed concern at what they say are mixed messages they received from the HSE in relation to being deemed a close contact of a person with Covid-19.
“Women do not lose their right to medical confidentiality simply because they are pregnant,” said Clare Murphy, director of external affairs at BASP, pointing to a survey of 725 women carried out by the charity that found 60% felt alcohol consumption data should not be shared without consent.
“I think it’s a really quite shocking state of affairs, and we are very surprised that this is the path that Nice have gone down,” she said. “What we’ve ended up doing is creating this climate in pregnancy which leads to real heightened anxiety, stress, worry and huge maternal guilt, particularly if something goes wrong.”
Plans to record pregnant women's alcohol consumption in England criticised | Politics | The Guardian
www.theguardian.com – Share
Pregnancy charities suggest the guideline could fall foul of data protection regulations
It is happening here.
It is happening here.
It’s approaching four years since Genomics Medicine Ireland, now known as Genuity Science, first popped up in a typically gushing RTE business segment. Since then we’ve had multiple reports of questionable data gathering practices (Crumlin children’s hospital, January 2019; Temple Street children’s hospital October 2019) and still no clarity on the legality of all this; a PR company approaching the Taoiseach on the company’s behalf and asking for “benediction”; said Taoiseach recording a video testimonial which appears to have been deleted recently; a “widespread compliance and supervision” examination launched by the Data Protection Commission in November 2019 with no visible outcome as yet; two rounds of investment by the Irish state’s venture capital arm, the latter for an eye-watering $70 million; a loss of €37.7 million; shifts in ownership, corporate and management structure and a name change; and in the week just gone an unflattering starring role on Liveline.
Karlin Lillington has been writing about the unusual manner in which Ireland is approaching national genomics for quite some time. (“In a 2018 memo from one such meeting, a Department of Health official wrote: “It is fair to say that [Genomics Medicine Ireland] were not overly concerned with the policy or legal context but with how the regulations impacted on what they are doing.”)
This week in the wake of Monday’s Liveline she yet again laid out the glaring problems with this approach by the state. Exploitable governance structures, failures in transparency and what can only be described as sharp practice in making the minimum possible effort - during a pandemic - to notify affected individuals.
Leaving database gathering and management in the hands of private companies significantly limits national control – especially in Ireland’s vague and lacking regulatory environment – and places domestic researchers in a funding bind, where a commercial entity is the only option.
Cianan Brennan had a good piece in the Irish Examiner on the same topic
“The fact that Ireland hasn’t considered the ethical problems involved in the collation of this data is an abomination,” says the industry source.
“For €10m we could have a national genome project which benefits those taking part. Private industry, its responsibility is to make profits via therapeutic products. You have to presume that such concerns make decisions which will be beneficial to them,” they say.
“These companies are not questioned in terms of risk-benefit ratios. That is fine in terms of reputational risk, but your genome is another ball game. It’s like a naked picture of you. If you knew someone was taking one you wouldn’t let them. In Ireland we’ve chosen the most exploitative model possible.”
The calculated grades for the Leaving Certificate have generated plenty of controversy. The Department of Education and Skills did not give students automatic access to their class rank order, but since this is personal data students have a right to access a copy of it under Article 15 of the GDPR.
There’s a guide for any students who would like to do so, including a sample Subject Access Request available on the datasubject.ie website. This is an Article Eight Advocacy project, which I’m involved in.
Or un-regulators, in some situations
Or un-regulators, in some situations
The Norwegian DPA fined the Norwegian Public Roads Authority 400,000 Kroner (~€37,400) for further processing of personal data in a manner which was incompatible with the original purpose and for failing to erase personal data within seven days.
—
The Belgian DPA fined a politician €5,000 for sending unsolicited political emails to a data subject.
—
As the budget approaches it was interesting to see Senator Malcolm Byrne of Fianna Fáil publicly call for “increased resources” for the DPC. Senator Byrne seemed more concerned about the DPC not having the resources to deal with TikTok rather than the array of intransigent and / or incompetent public sector data controllers in this country. We’ll see what comes of it all.
  • “I didn’t think anything I did sounded like a crime, but I knew that sometimes when the other person is rich or famous, things can suddenly become crimes. Like, was there going to be some Monarch Law or something? Was Queen Elizabeth II gonna be mad about this?” Alex Hope AKA mangopdf talks responsible disclosure, non-functioning contact forms and endless bureaucracy in ‘When you browse Instagram and find former Australian Prime Minister Tony Abbott’s passport number’.
  • “Why does this matter? Because it feels as though we’re at a point in time where it’s hard for many people to imagine alternatives to the tech systems that we have right now. And here is this opportunity for the government to build out spaces for collaboration with the public in a range of new ways. Governments have been listening to and deferring to management consultants about how to tech for so long that some of the prominent public tech voices sound just like them.” Bianca Wylie on ‘Using Government IT to Teach and Build Public Infrastructure’.
  • “To be absolutely clear: we should be concerned about the impacts of social media, we need to work to rein in the power of these tech companies, we need to be willing to have the difficult discussion about what kind of society we want to live in…but we should not believe that the people who got us into this mess—who lacked the foresight to see the possible downsides in what they were building—will get us out of this mess. If these insiders genuinely did not see the possible downsides of what they were building, than they are fools who should not be trusted. And if these insiders did see the possible downsides, continued building these things anyways, and are now pretending that they did not see the downsides, than they are liars who definitely should not be trusted.” A comprehensive critical review of ‘The Social Dilemma’, showing on a Netflix near you, from Z.M.L. on LibrarianShipwreck.
—
Endnotes & Credits
  • The elegant Latin bon mot “Futuendi Gratia” is courtesy of Effin’ Birds.
  • As always, a huge thank you to Regina Doherty for giving the world the phrase “mandatory but not compulsory”.
  • The image used in the header is by Krystian Tambur on Unsplash.
  • Any quotes from the Oireachtas we use are sourced from KildareStreet.com. They’re good people providing a great service. If you can afford to then donate to keep the site running.
  • Digital Rights Ireland have a storied history of successfully fighting for individuals’ data privacy rights. You should support them if you can.
Find us on the web at myprivacykit.com and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn.
If you know someone who might enjoy this newsletter do please forward it on to them.
Did you enjoy this issue?
In order to unsubscribe, click here.
If you were forwarded this newsletter and you like it, you can subscribe here.
Powered by Revue
Privacy Kit, Made with 💚 in Dublin, Ireland

GMI again. Tony Abbot’s Instagram. Re-identification ain’t hard. Nor is medical confidentiality. This is the hundredth issue of this newsletter. So thank you all for reading.

😼

Site accessed on 10/11/2016… is that November 10 or October 11?

—

Just because the entity responsible for the data breach says “the risk of identification was low” doesn’t mean this is actually the case. In 2002 Latanya Sweeney “found that 87 percent of the U.S. population could be identified by just three data points: zip code, date of birth and gender.” Her paper used data from 1996, almost a quarter of a century ago and before Google even existed. Re-identification has become significantly easier since then.

Full names were not published, but people living in care homes are more at risk of being identified.

—

In Ireland the HSE appears to have overruled the Covid Tracker App which leaves a question mark over the effectiveness of the app.

Teachers at one of the country’s largest second-level schools have expressed concern at what they say are mixed messages they received from the HSE in relation to being deemed a close contact of a person with Covid-19.

Pregnancy charities suggest the guideline could fall foul of data protection regulations

It’s approaching four years since Genomics Medicine Ireland, now known as Genuity Science, first popped up in a typically gushing RTE business segment. Since then we’ve had multiple reports of questionable data gathering practices (Crumlin children’s hospital, January 2019; Temple Street children’s hospital October 2019) and still no clarity on the legality of all this; a PR company approaching the Taoiseach on the company’s behalf and asking for “benediction”; said Taoiseach recording a video testimonial which appears to have been deleted recently; a “widespread compliance and supervision” examination launched by the Data Protection Commission in November 2019 with no visible outcome as yet; two rounds of investment by the Irish state’s venture capital arm, the latter for an eye-watering $70 million; a loss of €37.7 million; shifts in ownership, corporate and management structure and a name change; and in the week just gone an unflattering starring role on Liveline.

Karlin Lillington has been writing about the unusual manner in which Ireland is approaching national genomics for quite some time. (“In a 2018 memo from one such meeting, a Department of Health official wrote: “It is fair to say that [Genomics Medicine Ireland] were not overly concerned with the policy or legal context but with how the regulations impacted on what they are doing.”)

This week in the wake of Monday’s Liveline she yet again laid out the glaring problems with this approach by the state. Exploitable governance structures, failures in transparency and what can only be described as sharp practice in making the minimum possible effort - during a pandemic - to notify affected individuals.

Cianan Brennan had a good piece in the Irish Examiner on the same topic

The calculated grades for the Leaving Certificate have generated plenty of controversy. The Department of Education and Skills did not give students automatic access to their class rank order, but since this is personal data students have a right to access a copy of it under Article 15 of the GDPR.

There’s a guide for any students who would like to do so, including a sample Subject Access Request available on the datasubject.ie website. This is an Article Eight Advocacy project, which I’m involved in.

The Norwegian DPA fined the Norwegian Public Roads Authority 400,000 Kroner (~€37,400) for further processing of personal data in a manner which was incompatible with the original purpose and for failing to erase personal data within seven days.

—

The Belgian DPA fined a politician €5,000 for sending unsolicited political emails to a data subject.

—

As the budget approaches it was interesting to see Senator Malcolm Byrne of Fianna Fáil publicly call for “increased resources” for the DPC. Senator Byrne seemed more concerned about the DPC not having the resources to deal with TikTok rather than the array of intransigent and / or incompetent public sector data controllers in this country. We’ll see what comes of it all.

  • “I didn’t think anything I did sounded like a crime, but I knew that sometimes when the other person is rich or famous, things can suddenly become crimes. Like, was there going to be some Monarch Law or something? Was Queen Elizabeth II gonna be mad about this?” Alex Hope AKA mangopdf talks responsible disclosure, non-functioning contact forms and endless bureaucracy in ‘When you browse Instagram and find former Australian Prime Minister Tony Abbott’s passport number’.
  • “Why does this matter? Because it feels as though we’re at a point in time where it’s hard for many people to imagine alternatives to the tech systems that we have right now. And here is this opportunity for the government to build out spaces for collaboration with the public in a range of new ways. Governments have been listening to and deferring to management consultants about how to tech for so long that some of the prominent public tech voices sound just like them.” Bianca Wylie on ‘Using Government IT to Teach and Build Public Infrastructure’.
  • “To be absolutely clear: we should be concerned about the impacts of social media, we need to work to rein in the power of these tech companies, we need to be willing to have the difficult discussion about what kind of society we want to live in…but we should not believe that the people who got us into this mess—who lacked the foresight to see the possible downsides in what they were building—will get us out of this mess. If these insiders genuinely did not see the possible downsides of what they were building, than they are fools who should not be trusted. And if these insiders did see the possible downsides, continued building these things anyways, and are now pretending that they did not see the downsides, than they are liars who definitely should not be trusted.” A comprehensive critical review of ‘The Social Dilemma’, showing on a Netflix near you, from Z.M.L. on LibrarianShipwreck.

—

Endnotes & Credits

  • The elegant Latin bon mot “Futuendi Gratia” is courtesy of Effin’ Birds.
  • As always, a huge thank you to Regina Doherty for giving the world the phrase “mandatory but not compulsory”.
  • The image used in the header is by Krystian Tambur on Unsplash.
  • Any quotes from the Oireachtas we use are sourced from KildareStreet.com. They’re good people providing a great service. If you can afford to then donate to keep the site running.
  • Digital Rights Ireland have a storied history of successfully fighting for individuals’ data privacy rights. You should support them if you can.

Find us on the web at myprivacykit.com and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn.

If you know someone who might enjoy this newsletter do please forward it on to them.

Don't miss what's next. Subscribe to Privacy Kit:
X
Powered by Buttondown, the easiest way to start and grow your newsletter.