Privacy Kit

July 11, 2021

“detected one student 1100 times!” | The Cat Herder, Volume 4, Issue 26

July 11 · Issue #139
The Cat Herder
Full-stack failure to give effect to data subject rights in the public sector, the CSO doesn’t feel inclined to tell you what it might be up to with your health data, pilot programs.
😼

Reuters (@Reuters)
A beauty salon in Dubai is offering microchip manicures to their clients by painting on a chip that can store social media accounts https://t.co/5OIFss0pUH
12:35 AM - 9 Jul 2021
“Anyone who has had a test or been vaccinated will have their data given to the CSO. We do not know what benefit there will be, if any, to these patients from this data gathering and research,” he said.
Data rights group concerned as CSO collects Covid information
www.irishexaminer.com
Digital Rights Ireland seeks clarity about the way information on Irish citizens is being collected and stored
A spokesperson for the CSO is quoted as saying “for operational security reasons we do not publish copies of DPIAs”. There is nothing to stop the CSO redacting or removing the elements of the DPIA which relate to security and the integrity and confidentiality principle while publishing the rest of the DPIA covering purposes, necessity and proportionality. The kneejerk refusal to publish anything which would provide more transparency around this processing of health data is not a good look for the CSO.
The Department of Children continues to refuse to fully release health records from the archive of the Mother and Baby Homes Commission of Investigation. It continues to rely on a baffling interpretation of an inapplicable statutory instrument from 1989.
Department 'in breach of EU law' unless it gives health records to Mother and Baby Home survivors
www.thejournal.ie
Survivors and experts have said a GP should not be involved in the process.
The Minister and his Department repeated their position in various fora during the week. A response to a parliamentary question. The article above. This despite having received correspondence from the DPC a month ago telling them this approach was “not appropriate to the circumstances.”
Simon McGarr (@Tupp_Ed)
The DPC says;

"Concerning SI 82/1989, I have had reason to re‐examine the Department’s approach to dealing with SARs pertaining to health data and I am of the view that the manner in which the Department is handling such requests is not appropriate to the circumstances."
4:03 PM - 9 Jul 2021
Correspondence obtained by the Clann Project using FOI reveals that the Department had been made aware of the existence of the statutory instrument by Tusla.
Tusla is probably not a body the Department should be relying on for advice on data protection.
Having been made aware of the existence of the inapplicable SI, officials in the Department proceeded to make some creative leaps of interpretation which led to SI 82/1989 becoming a ban on any data controller ever releasing anyone’s health data without first engaging in a “consultation procedure” with a GP.
Article Eight Advocacy (@ArticleEightIE)
This interpretation doesn't even pass the most basic common sense check. Do the Minister and his officials really think that no health data has been released to anybody in the entire country without a "consultation procedure" at any point in the last 32 years?
8:52 AM - 9 Jul 2021
It is approaching the midpoint of July. The archive of the Mother and Baby Homes Commission of Investigation transferred to the Department at the end of February. The Department is still not properly responding to what are probably the most high-profile Subject Access Requests made in this country since the introduction of the GDPR. This follows on from the Commission of Investigation itself not responding properly to Subject Access Requests. This illustrates that large-scale systemic problems with giving effect to data subject rights persist across the public sector in Ireland.
NHS Covid app may change as rules change, Grant Shapps says - BBC News
www.bbc.com
The transport secretary says the app’s sensitivity may need to be reduced as restrictions change.
The DPC published a tranche of new case studies which have not previously featured in its annual reports.
—
The Italian supervisory authority fined Foodinho €2.6 million for using discriminatory algorithms to manage its food delivery employees.
—
Several of the German DPAs published “interim results of the audit of websites of media companies with regard to the use of cookies and the integration of third-party services”. Carlo Piltz has a summary of the findings. TL;DR - “Most of the websites examined do not comply with the legal requirements for the use of cookies and other tracking techniques.”
  • “A Chinese gene company selling prenatal tests around the world developed them in collaboration with the country’s military and is using them to collect genetic data from millions of women for sweeping research on the traits of populations, a Reuters review of scientific papers and company statements found … One BGI study, for instance, used a military supercomputer to re-analyze NIFTY data and map the prevalence of viruses in Chinese women, look for indicators of mental illness in them, and single out Tibetan and Uyghur minorities to find links between their genes and their characteristics.” From ‘China’s gene giant harvests data from millions of women’ by Kirsty Needham and Clare Baldwin for Reuters Investigates.
  • “But there’s one thing Greenlight makes it very hard for parents to control: What the company does with the mountains of sensitive data it collects about children. Greenlight reserves the right to share that personal information—including names, birth dates, email addresses, GPS location history, purchase history, and behavioral profiles—with “ad and marketing vendors,” “insurance companies,” “collection agencies,” and the catch-all category of “other service providers,” according to its privacy policy. Greenlight’s policy also says that it can use the data it collects to deliver “tailored content” advertisements, a kind of marketing that youth privacy and education advocates say is particularly manipulative and damaging for children.” From ‘Debit Card Apps for Kids Are Collecting a Shocking Amount of Personal Data’ by Todd Feathers for VICE.
  • “Other trends identified include data protection authorities being hamstrung from enforcing existing protections by a serious lack of resourcing. This is exacerbated by the fact that, as EDRi has argued, existing laws relating to biometric data suffer from serious margins of discretion, loopholes, grey areas, and potential for deliberate misapplications of rules (such as mis-using consent as a legal basis) in ways that are de facto permitting biometric mass surveillance practices in the EU. Activities to embed and expand biometric mass surveillance practices have frequently been shrouded in secrecy and labelled as “pilots” in cynical attempts to avoid regulatory scrutiny.” From ‘The Rise And Rise Of Biometric Mass Surveillance In The EU: A legal analysis of biometric mass surveillance practices in Germany, the Netherlands and Poland’ [direct link to PDF] published by the EDRi and the Edinburgh International Justice Initiative and written by Luca Montag, Rory Mcleod, Lara De Mets, Meghan Gauld, Fraser Rodger, and Mateusz Pełka.
  • Speaking of pilot programs, “In 2019, the Santa Fe Independent School District in Texas ran a weeklong pilot program with the facial recognition firm AnyVision in its school hallways. With more than 5,000 student photos uploaded for the test run, AnyVision called the results “impressive” and expressed excitement at the results to school administrators. “Overall, we had over 164,000 detections the last 7 days running the pilot. We were able to detect students on multiple cameras and even detected one student 1100 times!” Taylor May, then a regional sales manager for AnyVision, said in an email to the school’s administrators.” Taken from ‘This Manual for a Popular Facial Recognition Tool Shows Just How Much the Software Tracks People’ by Alfred Ng for The Markup.
Endnotes & Credits
  • The elegant Latin bon mot “Futuendi Gratia” is courtesy of Effin’ Birds.
  • As always, a huge thank you to Regina Doherty for giving the world the phrase “mandatory but not compulsory”.
  • The image used in the header is by Krystian Tambur on Unsplash.
  • Any quotes from the Oireachtas we use are sourced from KildareStreet.com. They’re good people providing a great service. If you can afford to then donate to keep the site running.
  • Digital Rights Ireland have a storied history of successfully fighting for individuals’ data privacy rights. You should support them if you can.
Find us on the web at myprivacykit.com and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn.
If you know someone who might enjoy this newsletter do please forward it on to them.
Privacy Kit, Made with 💚 in Dublin, Ireland
