“madness (or is it Wilmslow?)” | The Cat Herder, Volume 3, Issue 21
In Ireland the police are testing the contact tracing app. In the UK they won’t touch it. In the US they’re empowering all sorts of agencies with (even more) sweeping surveillance powers.
😼
The Justice Department gave the agency the temporary power “to enforce any federal crime committed as a result of the protests over the death of George Floyd.”
The latest word on the HSE Covid Tracker app is that the word hospital has been misspelled in the app.
So the Covid tracker app being trialled misspells hospital, which is a good start
— Cianan Brennan (@ciananbrennan) June 5, 2020
Digital Rights Ireland, the Irish Council for Civil Liberties and others published nine principles “for legislators on the implementation of new technologies” aimed at nudging official Ireland with its poor data protection record into doing the right thing. Many of these principles are standard data protection principles which one would hope a state which was interested in abiding by the law and protecting the fundamental rights of its citizens would be planning on abiding by anyway. Or perhaps even going beyond, since trust in the app leads to usage and widespread usage is about the only thing which may lead to effectiveness.
We still have a problem with the absence of a government. In order to be effective a sunset clause for this national surveillance programme must be written into legislation. It cannot reside in assurances from caretaker ministers and officials.
In the UK the launch of the test and trace scheme without a mandatory data protection impact assessment, a general lack of transparency and some extraordinarily long data retention periods led to the beginnings of a legal challenge.
Guardian: ‘Privacy group prepares legal challenge to NHS test-and-trace scheme’
Track and trace requires trust. If your police forces don’t trust your contact tracing operation then that may be the end of the contact tracing operation.
Later in the week the UK government published some of the contracts it had entered into with a number of technology firms. It is imperative that the same thing happens here in Ireland.
The Register: UK govt publishes contracts granting Amazon, Microsoft, Google and AI firms access to COVID-19 health data
The public sector data controllers are back, baby! This time around it’s Wexford County Council running a dubious drone surveillance operation without a lawful basis.
Irish Examiner: ‘Wexford County Council used drones without privacy assessment’
This drone operation followed a familiar pattern:
- First, the thing was done.
- Then news of the thing appeared in the press (‘Drones used in Wexford caravan parks to monitor compliance with movement restrictions’, Irish Examiner, 26th April 2020)
- Questions were asked about the thing, Freedom of Information requests were made. (The contents of Wexford County Council’s response to an FOI request made by Rossa McMahon are summarised in this Twitter thread.)
- Only then did the officials start considering what their lawful basis for this surveillance might be.
For any public sector data controllers reading, Section 60 of the Data Protection Act says nothing about lawful bases. It concerns the restriction of data subject rights in some circumstances. It even says this in the title of the section - ‘Restrictions on obligations of controllers and rights of data subjects for important objectives of general public interest’.
The six lawful bases for processing personal data are set out in Article 6 of the GDPR. You need to have a lawful basis before you process any personal data.
You need to carry out a data protection impact assessment if you plan to carry out mass surveillance, also before you process any personal data.
Looking through the text of legislation in an attempt to find a lawful basis as some sort of retrospective justification for what you’ve done without a lawful basis is not complying with data protection law.
Finally, the number of likes on a tweet is not a justification for doing anything at all, really.
In a curiously topical coincidence the Finnish DPA fined a data controller €72,000 for, among other things, processing personal data without a lawful basis and failing to carry out a data protection impact assessment.
—
In the UK the ICO appears to have taken the fairly unusual position of intimating that data controllers may be sanctioned for notifying the supervisory authority of personal data breaches if such a notification wasn’t deemed necessary.
Jon Baines: ‘ICO – report a databreach to us, and we might take action against you’
- “The problem with immunity passports isn’t just medical—it’s ethical. Access to both COVID-19 testing and antibody testing is spotty. Reports abound of people who fear they have been infected desperately trying to get tested to no avail. Analysis has shown that African Americans are far less likely than white, Hispanic, or Asian patients to be tested before they end up in the emergency room. Mobile testing sites administered by Verily (a subsidiary of Google’s parent Alphabet) require people to have a smartphone and a Google account. Residents in San Francisco’s Tenderloin district, one of the city’s poorest neighborhoods, were turned away from testing sites because they didn’t have cell phones.” EFF: Immunity Passports Are a Threat to Our Privacy and Information Security
- Imogen Parker and Elliot Jones have some thoughts on the same topic and the plethora of issues it raises for the Ada Lovelace Institute. “The complexity and richness of these issues highlights the need for serious thought before any system is rolled out, and the evidence, policy, practice and societal implications need monitoring and careful shaping. There are a number of issues and risks involved with the roll-out of a digital immunity certification, some of which can be ameliorated through careful policy design and others which are inherent trade-offs of any such system that need consideration.”
- “The political theorist Langdon Winner famously wrote in 1980: “What matters is not technology itself, but the social or economic system in which it is embedded.” What he meant was that a technology is never neutral. It represents by design political and ethical choices. And this is exactly why we need data ethics as an additional perspective on technologies adopted during the Covid19 pandemic. From AI triage and treatment choices in overloaded hospitals to contact tracing and facial recognition of people with masks. Data ethics is the step beyond privacy technology design and data protection legal compliance. With data ethics we evaluate not only the role of the very data technologies’ design, we evaluate their role in society and the power dynamics they reinforce and produce.” Gry Hasselbalch and Pernille Tranberg also consider the larger structural and power issues in ‘Contact Tracing Apps are Not Just a Privacy Tech Issue. It’s a Question about Power’
- The latest practical guidance from Castlebridge is on temperature scans in the workplace. It examines the technical and legal concerns and also, as above, recommends that wider issues be considered when designing and implementing any such system.
Endnotes & Credits
- The elegant Latin bon mot “Futuendi Gratia” is courtesy of Effin’ Birds.
- As always, a huge thank you to Regina Doherty for giving the world the phrase “mandatory but not compulsory”.
- The image used in the header is by Krystian Tambur on Unsplash.
- Any quotes from the Oireachtas we use are sourced from KildareStreet.com. They’re good people providing a great service. If you can afford to then donate to keep the site running.
- Digital Rights Ireland have a storied history of successfully fighting for individuals’ data privacy rights. You should support them if you can.
Find us on the web at myprivacykit.com and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn.
If you know someone who might enjoy this newsletter do please forward it on to them.