"every few keystrokes" | The Cat Herder, Volume 3, Issue 24
Documentation, reports, accidental data controllers. It’s been a busy week.
😼
In a very encouraging move the Data Protection Impact Assessment, source code and a number of supporting documents for the HSE’s Covid Tracker mobile device app were published.
These have all been made available in a GitHub repo.
The data protection impact assessment itself is a solid and comprehensive piece of work which describes the way the app works, assesses necessity and proportionality and identifies risks and measures taken to mitigate those risks.
Much data protection compliance requires showing your work. The accountability principle requires data controllers to be able to demonstrate how they are compliant. To individual data subjects, to the supervisory authority, to journalists and to anyone else. A data controller stating they are compliant - a reasonably common occurrence in public and private sector projects in Ireland - is not in any way sufficient. Processing on subjective grounds such as legitimate interests requires an assessment and balancing test. A data protection impact assessment has to show that the controller has thought through the likely results of a processing operation and attempted to minimise any negative outcomes for individuals. A data protection notice with detailed information about the processing activities has to be provided.
All this adds up to transparency, which helps to build trust. And the joint controllers have done a belated good job here.
However, great big questions about whether the app will actually work effectively enough to support contact tracing efforts remain.
When reading through the documents made available on Friday a few things jumped out.
Location, location, location
One condition which has to be adhered to by public health authorities and app developers in order to use the Apple - Google exposure notification API is that the app cannot access other services on the device which would reveal personal data such as location and contacts.
The European Data Protection Board guidelines state that “Information on the proximity between users of the application can be obtained without locating them. This kind of application does not need, and, hence, should not involve the use of location data.”
The HSE and the Department of Health have taken an extremely narrow interpretation of this restriction and attempted what looks like a workaround which infringes on the spirit if perhaps not the letter of this.
Rather than accessing location by activating the GPS service on the device, individuals are given the option of manually entering their location as part of what is called the COVID Check-In function, as well as some demographic information such as sex and age range.
(There’s also more than a hint of gamification in this aspect of the app, identified in the proportionality assessment as satisfying the “desire to contribute”. A mock-up screen shown in the product explainer prominently displays the number of total check-ins nationally. While certainly novel I don’t think bolting a crude Skinner box onto what is supposed to be a contact tracing app is a reasonable argument for acquiring and processing this data.)
On examination of the ‘COVID Contact Tracing App: User Perspectives and Experience Research’ document which was also published, the interest in collecting and processing location data becomes even more apparent.
Within Two Kilometres
Focus group participants were asked the following questions.
There are two instances in this document in which the COVID Check-in function is described as “the main function of the app” (pages 13 and 16).
The information gathered using this function, while optional, is identified as anonymous data in the DPIA and is shared with the CSO as such.
Is Considered Anonymous
The CSO has multiple other detailed datasets in its possession which could be used to identify or individuate individuals in this one. Therefore it seems a bit of a stretch to unilaterally declare the data anonymous and share it.
‘Not identifiable by the HSE’ is not the same as anonymous, though the HSE seems to think it is, based on its COVID-19 data protection notice.
Indeed, the ‘Behavioural Change Subgroup Report April 2020’ document mentions this data being overlaid with other national datasets by the CSO.
The Data Protection Commission’s review of the DPIA devotes a section to “Collaboration with the CSO” (pages 17, 18) which reminds the data controllers that a “high bar has been set against which controllers must satisfactorily demonstrate that personal data is anonymised” and recommends
In the spreadsheet tracking the data controllers’ implementation of the DPC’s recommendations - also published on Friday, and somewhat curiously written by the Office of the Government Chief Information Officer within the Department of Public Expenditure and Reform rather than anyone from either of the two joint data controllers - there is a commitment to add anonymity assessment details to the DPIA and data protection notice. The DPIA states that “[O]ngoing review of the symptom data sent by the HSE to the CSO to identify and remove risks of re-identification attacks will be performed” but is silent on the risks of inadvertent re-identification within the CSO.
Finally …
Overall this is an extremely significant moment for public sector data processing in this country. The level of transparency (finally) on display here is what is required by controllers to meet their obligations under data protection law, and is pretty much a first for the Irish state.
This data protection impact assessment and accompanying suite of documentation and the willingness to engage with the Data Protection Commission and others show a level of maturity which has been lacking in many other projects.
For example, the brief analysis above would not have been possible without the publication of these documents.
This is a yardstick against which all future public sector data processing projects will be measured.
—
In Northern Ireland they’re quite understandably ignoring the wreckage of the NHSX app and going it alone.
The app, based on the Apple/Google model, will be released within weeks.
Some hospitality businesses in Ireland will be reopening from tomorrow, June 29th. There will be many accidental data controllers. There may well be many complaints to the DPC as a result.
Guardian: Businesses face privacy minefield over contact-tracing rules, say campaigners
On Friday the DPC published a short guidance document, ‘Data Protection implications of the Return to Work Safely Protocol’ (direct link to PDF), which offers advice for employers processing the personal data of employees but says nothing about businesses processing the personal data of customers.
Now there’s a new government in place it is presumably only a matter of time before the new minister for Social Protection, Community and Rural Development and the Islands is encouraged by her officials to engage in a photo opportunity with a giant Public Services Card.
The choice made will be a key test of the depth of the new minister’s wisdom.
The DPC published its review of ‘Regulatory Activity Under GDPR 2018-2020’ a day before the European Commission published its own review, ‘Two years of application of the General Data Protection Regulation’.
—
The European Data Protection Board published a new database of One Stop Shop / Article 60 decisions.
—
Facebook’s attempts to fight an order made by Germany’s competition regulator were knocked back in Germany’s highest civil court during the week. “We have no doubt that Facebook has a dominant market position on the social network market and that it misuses its position,” said presiding judge Peter Meier-Beck of the Federal Court of Justice in Karlsruhe.
- “Purpose-built applications distributed through the App Store and Google Play Store allow the Trump and Biden teams to speak directly to likely voters. They also allow them to collect massive amounts of user data without needing to rely on major social-media platforms or expose themselves to fact-checker oversight of particularly divisive or deceptive messaging.” ‘The Trump 2020 app is a voter surveillance tool of extraordinary power’ by Jacob Gursky and Samuel Woolley in MIT Technology Review.
- “What Google and Apple did on April 10 was to make a huge, global public health policy decision — a decision that I believe should be the preserve of elected governments. They alone had determined where the balance was between privacy and public health should lie. And they plumped firmly on the side of individual privacy. Governments were not to be trusted” writes Tom Loosemore in Business Insider. One of the primary reasons we’re in this situation is because governments have allowed these companies to grow to this scale with minimal oversight and regulation. Paul Bernal had some more thoughts on this piece (Twitter thread).
- “In any event, on the path the UK government has chosen for lifting the lockdown, the only way to stay on top of the situation is to collect enough data to spot new outbreaks early and stop them fast. The good news is that there are ways to do this without taking unnecessary risks with everyone’s personal data. The question is whether the government has left itself enough time to get it right.” ‘The UK needs a track-and-trace system we can trust with our data’ by Chris Yiu.
Endnotes & Credits
- The elegant Latin bon mot “Futuendi Gratia” is courtesy of Effin’ Birds.
- As always, a huge thank you to Regina Doherty for giving the world the phrase “mandatory but not compulsory”.
- The image used in the header is by Krystian Tambur on Unsplash.
- Any quotes from the Oireachtas we use are sourced from KildareStreet.com. They’re good people providing a great service. If you can afford to then donate to keep the site running.
- Digital Rights Ireland have a storied history of successfully fighting for individuals’ data privacy rights. You should support them if you can.
Find us on the web at myprivacykit.com and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn.