Privacy Kit

June 14, 2020

Probity | The Cat Herder, Volume 3, Issue 22

A pause here, a pause there. 😼
 
June 14 · Issue #86

Babylon Health admits GP app suffered a data breach - BBC News
The video call app allowed some patients to see recordings of others’ sessions with medics.
It’s all gone a bit quiet on the HSE app front. The same seems to have happened in the UK.
Lewis Goodall
@lewis_goodall
Matt Hancock: “the app will help and we’ll bring it in when it’s right to do so”

We used to hear about this app a lot. No sign at all of when it will be introduced.
5:23 PM - 11 Jun 2020
The French app appears to have been downloaded and installed by around 2% of the population in the first week after it became available. That’s quite some distance from even the lowball 25% figure the department of health here in Ireland came up with, based on an unidentified US study.
Michael Veale
@mikarv
Centralised French contact tracing app successfully installed and turned on by 2% of the population after a week. https://t.co/2qPXAcNcvl https://t.co/vPMnqXRb2V
8:58 AM - 11 Jun 2020
The raw number of people who have installed the app provides us with no information about how many of those are using it, or will continue using it.
—
As lockdown restrictions are eased, organisations across the world are looking at deploying a range of data processing solutions. Necessity and proportionality, transparency, accountability and data protection impact assessments are all still requirements here in Europe.
“Necessity and proportionality are the cornerstones of any tracing strategy,” according to Rob Corbet, Head of the Technology Practice at Arthur Cox in Dublin. “For most organizations, employees can be adequately protected through voluntary measures, so it tends to be only in areas of demonstrable high risk—hospitals, nursing homes, meat processing factories—where an employer can show that a mandatory scheme is necessary and proportionate.”
Bloomberg Law: ‘ANALYSIS: Hitting the Pause Button on Contact Tracing’
Is it happening here? We don't know
After several years in which numerous concerns have been repeatedly raised about the use of facial recognition technology by law enforcement agencies, this week several dominoes toppled. Or at least appeared to topple. First IBM, then Amazon, then Microsoft all announced they were stopping or pausing the sale of some types of facial recognition systems to police forces in the United States.
As always, the devil is in the detail and the detail hasn’t been explained. In IBM’s case, what does “general facial recognition” mean? In Amazon’s case, does this year-long pause mean the data sharing contracts which are already in place with some 1,300 police departments worldwide will be paused too? Do these restrictions apply anywhere outside the US? And so on, and so on …
This week, IBM, Amazon, and Microsoft pledged to restrict or eliminate law enforcement’s access to facial recognition technology. Those announcements received lots of accolades, but they left many key questions unanswered. None of the companies disclosed how many police departments used their facial recognition technology — or might be using it currently.
Buzzfeed: ‘Amazon, IBM, And Microsoft Won’t Say Which Police Departments Used Their Facial Recognition Technology’
Anecdotally it seems that these three companies do not make up a particularly large amount of the market and most police departments in the US have contracts with smaller and less well-known providers.
—
Another pause was also announced during the week. Old friends of this newsletter Genomics Medicine Ireland and their research partners in Beaumont Hospital said on Friday that the deadline for individuals and their family members to opt-out of a brain tumour study.
The Journal: ‘Beaumont researchers change opt-out deadline for genomics study following calls by Health Minister’
This extension came only after Roisín Shortall questioned the probity and transparency of the way in which this entire process was being conducted.
Roisin Shortall
@RoisinShortall
This Friday’s deadline to opt-out of the brain tumour study by GMI/Beaumont Hospital should be extended. It raises serious concerns about ethics and data privacy, and a more public campaign needs to take place to inform patients of their rights. #dataprivacy #medicalethics https://t.co/GgHmfDfAaB
3:48 PM - 11 Jun 2020
Now that this matter has been raised in the Dáil with a positive outcome for individuals and family members who are concerned about the use of tissue samples in this manner, hopefully the next few months will see proper scrutiny of the peculiar decision to pour tens of millions of state money into a loss-making private company rather than make an investment in a public entity controlled by the state.
We lack a national public genome project (something that GMI says it supports) to offer such oversight, management and researcher support, and the necessary leadership for any commercial collaboration. It is not the norm for private companies to have sole control of large national DNA databases, as is our current, evolving situation.
Karlin Lillington’s piece in The Irish Times last Thursday, ‘Next government needs to create a national public genome project’ proposes the same alternative as Shortall does in the video clip above. It also highlights the unusual approach taken at almost every stage throughout this process.
Such a procedural approach is highly unusual. I spoke to several international academic researchers who said the norm in research appeals was for the rejected party to submit further written documentation, not bring a lawyer and corporate executive team, as if to a court hearing.
So an examination of the processes involved in allowing researchers access to samples such as these also appears to be in order. It should not take questions in the Dáil and a ministerial intervention to nudge hospitals and their commercial research partners into providing the bare minimum of transparency.
The folks at Noteworthy are trying to fund an investigation into how we’ve ended up in this situation. If you’re interested in putting some money towards this, they’re at 80% of their total already.
Before we wrap up this section two quick reminders:
Firstly, that the DPC announced in November 2019 it was carrying out a “widespread compliance and supervision” examination of how Genomics Medicine Ireland processes personal data. Presumably this is still ongoing.
Secondly, that the DPC has the power under Article 58 of the GDPR “to impose a temporary or definitive limitation including a ban on processing”.
Despite the pandemic having proved beyond a shadow of a doubt that the Public Services Card is not necessary for the social welfare system to function, officials in the Department of Employment Affairs and Social Protection just can’t seem to stop themselves from trying to insert it as an extra step into existing processes that were already functioning perfectly well without it.
Simon McGarr
@Tupp_Ed
The Government is trying to make it compulsory to have a PSC card *and* a verified MYGovID before they will let parents newly access a Back To School Grant for children’s clothes and shoes.

FG have a history with children’s shoes, of course.
https://t.co/2CQROaZ2jZ https://t.co/1dePYTwZTB
12:18 AM - 10 Jun 2020
The Belgian DPA recently published guidance on the use of temperature checks. Hunton Andrews Kurth has a decent summary.
Overall, the Guidance provides that organizations cannot currently conduct temperature checks to the extent they record the results of those checks, or the organization’s response to such checks, in files, nor may organizations conduct temperature checks using sophisticated means, such as thermal cameras, digital temperature scanners or other automated measuring means. However, the simple reading of individuals’ temperatures without recording any data does not constitute a processing activity under the EU General Data Protection Regulation (“GDPR”) and is therefore allowed from a data protection standpoint.
—
The Belgian DPA also imposed a €5,000 fine on a local election candidate for sending election materials to local authority staff, which was held to be further processing incompatible with the original purpose for which the personal data had been collected.
  • If you’re looking for a reasonably short and accessible read about some of the many misconceptions about the GDPR, and European data protection law more broadly, then ‘An American’s guide to the GDPR’ by Meg Leta Jones and Margot Kaminski comes highly recommended. Although it is aimed at an American audience, a great many of the misunderstandings of the GDPR (no, it is not all about consent) in Europe come from the cultural dominance of technology products and services developed by American firms operating in the American legal landscape.
  • “The Council did tell Finnan that a DPIA was “being undertaken retrospectively”, but that savours very much of locking the stable door after the horse has bolted. The whole point of the DPIA is to prevent the horse from bolting in the first place. Indeed, the GDPR and DPA18 both expressly require that it should be carried out “prior to the processing” (emphasis added). Doing so retrospectively is as much a breach as not doing so at all.” In addition to horses Eoin O'Dell talks football and more than a few other things in ‘Neither a pretty face nor a beautiful game — of football pitches, data protection impact assessments, artificial intelligence, facial recognition, and closed-circuit television surveillance’.
Endnotes & Credits
  • The elegant Latin bon mot “Futuendi Gratia” is courtesy of Effin’ Birds.
  • As always, a huge thank you to Regina Doherty for giving the world the phrase “mandatory but not compulsory”.
  • The image used in the header is by Krystian Tambur on Unsplash.
  • Any quotes from the Oireachtas we use are sourced from KildareStreet.com. They’re good people providing a great service. If you can afford to then donate to keep the site running.
  • Digital Rights Ireland have a storied history of successfully fighting for individuals’ data privacy rights. You should support them if you can.
Find us on the web at myprivacykit.com and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn.
If you know someone who might enjoy this newsletter do please forward it on to them.
Privacy Kit, Made with 💚 in Dublin, Ireland
