Privacy Kit

June 7, 2020

“madness (or is it Wilmslow?)” | The Cat Herder, Volume 3, Issue 21

June 7 · Issue #85
The Cat Herder
In Ireland the police are testing the contact tracing app. In the UK they won’t touch it. In the US they’re empowering all sorts of agencies with (even more) sweeping surveillance powers.
😼

The DEA Has Been Given Permission To Investigate People Protesting George Floyd’s Death
www.buzzfeednews.com
The Justice Department gave the agency the temporary power “to enforce any federal crime committed as a result of the protests over the death of George Floyd.”
The latest word on the HSE Covid Tracker app is that the word hospital has been misspelled in the app.
“So the Covid tracker app being trialled misspells hospital, which is a good start”
— Cianan Brennan (@ciananbrennan), 8:36 PM, 5 Jun 2020
Digital Rights Ireland, the Irish Council for Civil Liberties and others published nine principles “for legislators on the implementation of new technologies” aimed at nudging official Ireland with its poor data protection record into doing the right thing. Many of these principles are standard data protection principles which one would hope a state which was interested in abiding by the law and protecting the fundamental rights of its citizens would be planning on abiding by anyway. Or perhaps even going beyond, since trust in the app leads to usage and widespread usage is about the only thing which may lead to effectiveness.
We still have a problem with the absence of a government. In order to be effective a sunset clause for this national surveillance programme must be written into legislation. It cannot reside in assurances from caretaker ministers and officials.
In the UK the launch of the test and trace scheme without a mandatory data protection impact assessment, a general lack of transparency and some extraordinarily long data retention periods led to the beginnings of a legal challenge.
Guardian: ‘Privacy group prepares legal challenge to NHS test-and-trace scheme’
Track and trace requires trust. If your police forces don’t trust your contact tracing operation then that may be the end of the contact tracing operation. 
“Contact tracing systems are based on trust,” said Allyson Pollock, director of Newcastle University’s Institute of Health and Society.
“This tells you that the police don’t trust the system and don’t believe data will not be shared more widely, not just with the call handlers but the whole system.
“I think the public needs to be asking very serious questions about this.”
Sky News: Coronavirus: Police planning their own contact tracing system over concerns about government’s version
Later in the week the UK government published some of the contracts it had entered into with a number of technology firms. It is imperative that the same thing happens here in Ireland.
“The contracts show that the companies involved, including Faculty and Palantir, were originally granted intellectual property rights (including the creation of databases), and were allowed to train their models and profit off their unprecedented access to NHS data.”
The Register: UK govt publishes contracts granting Amazon, Microsoft, Google and AI firms access to COVID-19 health data
The public sector data controllers are back, baby! This time around it’s Wexford County Council running a dubious drone surveillance operation without a lawful basis.
The local authority had been carrying out the surveillance since at least early April, according to documents released under freedom of information legislation, with any allegedly pertinent information to be passed onto gardaí.
However, no Data Protection Impact Assessment (DPIA — a prerequisite under the EU’s General Data Protection Regulation for any project involving potential privacy implications) was carried out, while the county council appeared to be at a loss as to what legal basis it had for carrying out the surveillance.
Irish Examiner: ‘Wexford County Council used drones without privacy assessment’
This drone operation followed a familiar pattern:
  • First, the thing was done.
  • Then news of the thing appeared in the press (‘Drones used in Wexford caravan parks to monitor compliance with movement restrictions’, Irish Examiner, 26th April 2020)
  • Questions were asked about the thing, Freedom of Information requests were made. (The contents of Wexford County Council’s response to an FOI request made by Rossa McMahon is summarised in this Twitter thread.)
  • Only then did the officials start considering what their lawful basis for this surveillance might be.
For any public sector data controllers reading, Section 60 of the Data Protection Act says nothing about lawful bases. It concerns the restriction of data subject rights in some circumstances. It even says this in the title of the section - ‘Restrictions on obligations of controllers and rights of data subjects for important objectives of general public interest’.
The six lawful bases for processing personal data are set out in Article 6 of the GDPR. You need to have a lawful basis before you process any personal data.
You need to carry out a data protection impact assessment if you plan to carry out mass surveillance, also before you process any personal data.
Looking through the text of legislation in an attempt to find a lawful basis as some sort of retrospective justification for what you’ve done without a lawful basis is not complying with data protection law.
Finally, the number of likes on a tweet is not a justification for doing anything at all, really.
In a curiously topical coincidence the Finnish DPA fined a data controller €72,000 for, among other things, processing personal data without a lawful basis and failing to carry out a data protection impact assessment.
—
In the UK the ICO appears to have taken the fairly unusual position of intimating that data controllers may be sanctioned for notifying the supervisory authority of personal data breaches if such a notification wasn’t deemed necessary.
Data protection practitioners (and many others) are well aware that a failure to comply with the general obligation on a controller to notify the Information Commissioner’s Office (ICO), in the event of a personal data breach, is an infringement of the General Data Protection Regulation (GDPR). What may be less known, however, is that making a notification, in circumstances where it wasn’t required, might also be an infringement, and might result in sanctions from the ICO. That, at least, appears to be the ICO’s own view of the law.
Jon Baines: ‘ICO – report a databreach to us, and we might take action against you’
  • “The problem with immunity passports isn’t just medical—it’s ethical. Access to both COVID-19 testing and antibody testing is spotty. Reports abound of people who fear they have been infected desperately trying to get tested to no avail. Analysis has shown that African Americans are far less likely than white, Hispanic, or Asian patients to be tested before they end up in the emergency room. Mobile testing sites administered by Verily (a subsidiary of Google’s parent Alphabet) require people to have a smartphone and a Google account. Residents in San Francisco’s Tenderloin district, one of the city’s poorest neighborhoods, were turned away from testing sites because they didn’t have cell phones.” EFF: Immunity Passports Are a Threat to Our Privacy and Information Security
  • Imogen Parker and Elliot Jones have some thoughts on the same topic and the plethora of issues it raises for the Ada Lovelace Institute. “The complexity and richness of these issues highlights the need for serious thought before any system is rolled out, and the evidence, policy, practice and societal implications need monitoring and careful shaping. There are a number of issues and risks involved with the roll-out of a digital immunity certification, some of which can be ameliorated through careful policy design and others which are inherent trade-offs of any such system that need consideration.”
  • “The political theorist Langdon Winner famously wrote in 1980: ‘What matters is not technology itself, but the social or economic system in which it is embedded.’ What he meant was that a technology is never neutral. It represents by design political and ethical choices. And this is exactly why we need data ethics as an additional perspective on technologies adopted during the Covid19 pandemic. From AI triage and treatment choices in overloaded hospitals to contact tracing and facial recognition of people with masks. Data ethics is the step beyond privacy technology design and data protection legal compliance. With data ethics we evaluate not only the role of the very data technologies’ design, we evaluate their role in society and the power dynamics they reinforce and produce.” Gry Hasselbalch and Pernille Tranberg also consider the larger structural and power issues in ‘Contact Tracing Apps are Not Just a Privacy Tech Issue. It’s a Question about Power’
  • The latest practical guidance from Castlebridge is on temperature scans in the workplace, which examines the technical and legal concerns and also, as above, recommends that wider issues be considered when designing and implementing any such system.
Endnotes & Credits
  • The elegant Latin bon mot “Futuendi Gratia” is courtesy of Effin’ Birds.
  • As always, a huge thank you to Regina Doherty for giving the world the phrase “mandatory but not compulsory”.
  • The image used in the header is by Krystian Tambur on Unsplash.
  • Any quotes from the Oireachtas we use are sourced from KildareStreet.com. They’re good people providing a great service. If you can afford to then donate to keep the site running.
  • Digital Rights Ireland have a storied history of successfully fighting for individuals’ data privacy rights. You should support them if you can.
Find us on the web at myprivacykit.com and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn.
If you know someone who might enjoy this newsletter do please forward it on to them.
Privacy Kit, Made with 💚 in Dublin, Ireland