Privacy Kit

April 25, 2021

Normalize | The Cat Herder, Volume 4, Issue 15

April 25 · Issue #128
The Cat Herder
Databases and digital certs, DPIAs and DPOs, the Department of Health investigates itself and finds there’s nothing to see here.
😼

Last week’s newsletter said the following about the hullabaloo over Sinn Féin’s voter database: “It’ll be interesting to see where this goes as these things have a habit of rapidly broadening out from an examination of the use of personal data by one political party into an examination of the use of personal data by all of ‘em.”
As predicted, the Irish Examiner yesterday reported that ‘Most political parties in Ireland have breached data protection rules’.
So far we know that Sinn Féin had not appointed a Data Protection Officer and had not carried out a Data Protection Impact Assessment. But they have carried out the DPIA now. Which very much misses the point of the DPIA. You do the impact assessment before you start the processing so you can identify which parts of your planned processing operations are too high-risk to go ahead with, which parts require additional safeguards and so on.
A #DPIA is only a DPIA if it is conducted *before the processing begins!!!*

Otherwise it’s just sparkling gap analysis

— Miss IG Geek (she/her) 🏳️‍🌈 (@MissIG_Geek), 12:34 PM - 15 Apr 2021
The failure to appoint a DPO reminded me that it’s 871 days since the Irish Times reported the Data Protection Commission was investigating allegations the Department of Employment Affairs and Social Protection had interfered with the role of its DPO.
Digital Rights Ireland wrote to Minister for Employment Affairs and Social Protection Regina Doherty after the records were obtained by The Irish Times, alleging “serious interference” with the role of the data protection officer (DPO).
The rights group said the DPO was first excluded from a decision to make changes to the privacy statement and was then “given instructions regarding the exercise of his functions”. Both actions constituted violations of the GDPR, it alleged.
This investigation remains open according to the DPC’s 2020 Annual Report. Even by the DPC’s standards this seems an inordinately long time for a relatively straightforward investigation. One wonders what could be causing this delay in concluding an investigation into the department which is vigorously - and occasionally ludicrously - delaying its own appeal against the DPC’s findings in the first part of the Public Services Card investigation.
The Department of Health has published the Senior Counsel’s report on its practice of compiling dossiers on autistic children and their families. It has also published the results of its investigation of itself. The department relies heavily on the words “directly” and “seek”. In the department’s mind it is perfectly fine for it to be processing the information if it didn’t directly seek it out. This is not the case.
Unfortunately a large part of the department’s data protection argument relies on some legal advice which was sought and received in June 2017. The department did not share this legal advice with the Senior Counsel who prepared the report in 2020. The department has not published this legal advice. The department has redacted the questions which were asked in this request for legal advice.
Simon McGarr has a thread about all of this.
Let me give you a tip when reading internal Civil Service documents. Start with the statement of terms- this will be where you get the first inkling as to the line of defence they will be advancing.

Here, the Dept seeks to distinguish between processing data and “seeking” it. https://t.co/GOKxMvzC6q

— Simon McGarr (@Tupp_Ed), 8:05 AM - 22 Apr 2021
The trial will be extended from 29 April to include vaccination certificates, officials told Le Monde, and the system could eventually be adopted for public events such as concerts, festivals and trade fairs, although not for bars and restaurants.
The French trial will form one part of a “reinforced, consolidated and standardised” Europe-wide system, the minister for digital transition, Cédric O, said, with talks already under way with several countries and airlines to ensure early recognition.
France is first EU member state to start testing digital Covid travel certificate | Coronavirus | The Guardian
Facebook trying to “normalize” scraping. No, not predictable at all.
This month, Data News editor Pieterjan Van Leemputten sent several queries to Facebook requesting an update on the data scraping incident and further clarity concerning the breach timeline. 
However, Facebook accidentally included the journalist in an internal emailed discussion thread.
In the original emails sent to EMEA region PR staff, viewed by ZDNet and dated from April 8, Facebook’s team outlined an overall “long-term strategy” for dealing with coverage of data scraping incidents.
“Assuming press volume continues to decline, we’re not planning additional statements on this issue,” the email reads. “Longer term, though, we expect more scraping incidents and think it’s important to both frame this as a broad industry issue and normalize the fact that this activity happens regularly.”
Internal Facebook email reveals intent to frame data scraping as ‘normalized, broad industry issue’ | ZDNet
Updated: More scraping incidents are “expected” in the future.
—
Warwick Business School scraps 'discriminatory and ableist' exam surveillance software
The ‘software was built with accessibility in mind from day one’, Proctorio says
  • “A man who was falsely accused of shoplifting has sued the Detroit Police Department for arresting him based on an incorrect facial recognition match. The American Civil Liberties Union filed suit on behalf of Robert Williams, whom it calls the first US person wrongfully arrested based on facial recognition. The Detroit Police Department arrested Williams in 2019 after examining security footage from a shoplifting incident. A detective used facial recognition technology on a grainy image from the video, and the system flagged Williams as a potential match based on a driver’s license photo. But as the lawsuit notes, facial recognition is frequently inaccurate, particularly with Black subjects and a low-quality picture. The department then produced a photo lineup that included Williams’ picture, showed it to a security guard who hadn’t actually witnessed the shoplifting incident, and obtained a warrant when that guard picked him from the lineup.” From ‘Detroit man sues police for wrongfully arresting him based on facial recognition’ by Adi Robertson for The Verge.
  • “Without well-defined policies on how public institutions will allow vaccination to affect access to services and resources, clear articulations of private discretion to use vaccination status to impact peoples’ fundamental rights, and a system for resolving disputes arising out of abuse of these systems, few people will have confidence or trust in the equity of the system. Without clarity on our rights, or how we can enforce them when they’re violated, it’s hard for the public to have anything other than concern about digital systems used to verify immunization.” From ‘Impunity passports: Governing immunity’s impact on rights’ by Sean MacDonald for Brookings Tech Stream.
  • This Twitter thread by Katherine O'Keefe on cookies and misunderstandings.
  • “Large swathes of the public sector don’t (or chose not to) understand this basic idea which first year law students are taught in their first class on EU law.” From this Twitter thread by Fred Logue on the widespread failings of the public sector in Ireland in implementing - or even accepting - the GDPR.
Endnotes & Credits
  • The elegant Latin bon mot “Futuendi Gratia” is courtesy of Effin’ Birds.
  • As always, a huge thank you to Regina Doherty for giving the world the phrase “mandatory but not compulsory”.
  • The image used in the header is by Krystian Tambur on Unsplash.
  • Any quotes from the Oireachtas we use are sourced from KildareStreet.com. They’re good people providing a great service. If you can afford to then donate to keep the site running.
  • Digital Rights Ireland have a storied history of successfully fighting for individuals’ data privacy rights. You should support them if you can.
Find us on the web at myprivacykit.com and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn.
If you know someone who might enjoy this newsletter do please forward it on to them.
Privacy Kit, Made with 💚 in Dublin, Ireland
