Probity | The Cat Herder, Volume 3, Issue 22
|
A pause here, a pause there.
😼
The video call app allowed some patients to see recordings of others’ sessions with medics.
It’s all gone a bit quiet on the HSE app front. The same seems to have happened in the UK.
Matt Hancock: “the app will help and we’ll bring it in when it’s right to do so”
— Lewis Goodall (@lewis_goodall) June 11, 2020
We used to hear about this app a lot. No sign at all of when it will be introduced.
The French app appears to have been downloaded and installed by around 2% of the population in the first week after it became available. That’s quite some distance from even the lowball 25% figure the department of health here in Ireland came up with, based on an unidentified US study.
Centralised French contact tracing app successfully installed and turned on by 2% of the population after a week. https://t.co/2qPXAcNcvl pic.twitter.com/vPMnqXRb2V
— Michael Veale is @mikarv@someone.elses.computer (@mikarv) June 11, 2020
The raw number of people who have installed the app provides us with no information about how many of those are using it, or will continue using it.
—
As lockdown restrictions are eased organisations across the world are looking at deploying a range of data processing solutions. Necessity and proportionality, transparency, accountability and data protection impact assessments are all still requirements here in Europe.
Bloomberg Law: ‘ANALYSIS: Hitting the Pause Button on Contact Tracing’
After several years in which numerous concerns have been repeatedly raised about the use of facial recognition technology by law enforcement agencies, this week several dominoes toppled. Or at least appeared to topple. First IBM, then Amazon, then Microsoft all announced they were stopping or pausing the sale of some types of facial recognition systems to police forces in the United States.
As always, the devil is in the detail and the detail hasn’t been explained. In IBM’s case, what does “general facial recognition” mean? In Amazon’s case, does this year-long pause mean the data sharing contracts which are already in place with some 1,300 police departments worldwide will be paused too? Do these restrictions apply anywhere outside the US? And so on, and so on …
Anecdotally it seems that these three companies do not make up a particularly large amount of the market and most police departments in the US have contracts with smaller and less well-known providers.
—
Another pause was also announced during the week. Old friends of this newsletter Genomics Medicine Ireland and their research partners in Beaumont Hospital said on Friday that the deadline for individuals and their family members to opt-out of a brain tumour study.
The Journal: ‘Beaumont researchers change opt-out deadline for genomics study following calls by Health Minister’
That this extension came only after the probity and transparency of the way in which this entire process was being conducted was questioned by Roisín Shortall.
This Friday’s deadline to opt-out of the brain tumour study by GMI/Beaumont Hospital should be extended. It raises serious concerns about ethics and data privacy, and a more public campaign needs to take place to inform patients of their rights. #dataprivacy #medicalethics pic.twitter.com/GgHmfDfAaB
— Róisín Shortall (@RoisinShortall) June 11, 2020
Now that this matter has been raised in the Dáil with a positive outcome for individuals and family members who are concerned about the use of tissue samples in this manner, hopefully the next few months will see proper scrutiny of the peculiar decision to pour tens of millions of state money into a loss-making private company rather than make an investment in a public entity controlled by the state.
Karlin Lillington’s piece in The Irish Times last Thursday, ‘Next government needs to create a national public genome project’ proposes the same alternative as Shortall does in the video clip above. It also highlights the unusual approach taken at almost every stage throughout this process.
So an examination of the processes involved in allowing researchers access to samples such as these also appears to be in order. It should not take questions in the Dáil and a ministerial intervention to nudge hospitals and their commercial research partners into providing the bare minimum of transparency.
The folks at Noteworthy are trying to fund an investigation into how we’ve ended up in this situation. If you’re interested in putting some money towards this, they’re at 80% of their total already.
Before we wrap up this section two quick reminders:
Firstly, that the DPC announced in November 2019 it was carrying out a “widespread compliance and supervision” examination of how Genomics Medicine Ireland processes personal data. Presumably this is still ongoing.
Secondly, that the DPC has the power under Article 58 of the GDPR “to impose a temporary or definitive limitation including a ban on processing”.
Despite the pandemic having proved beyond a shadow of a doubt that the Public Services Card is not necessary for the social welfare system to function, officials in the Department of Employment Affairs and Social Protection just can’t seem to stop themselves from trying to insert it as an extra step into existing processes that were already functioning perfectly well without it.
The Government is trying to make it compulsory to have a PSC card and a verified MYGovID before they will let parents newly access a Back To School Grant for children’s’ clothes and shoes.
— Simon McGarr @Tupp_ed@mastodon.ie (@Tupp_Ed) June 9, 2020
FG have a history with children’s shoes, of course.https://t.co/2CQROaZ2jZ pic.twitter.com/1dePYTwZTB
The Belgian DPA recently published guidance on the use of temperature checks. Hunton Andrews Kurth has a decent summary.
—
The Belgian DPA also imposed a €5,000 fine on a local election candidate for sending election materials to local authority staff, which was held to be further processing incompatible with the original purpose for which the personal data had been collected.
- If you’re looking for a reasonably short and accessible read about some of the many misconceptions about the GDPR, and European data protection law more broadly, then ‘An American’s guide to the GDPR’ by Meg Leta Jones and Margot Kaminski comes highly recommended. Although it is aimed at an American audience, a great many of the misunderstandings of the GDPR (no, it is not all about consent) in Europe come from the cultural dominance of technology products and services developed by American firms operating in the American legal landscape.
- “The Council did tell Finnan that a DPIA was “being undertaken retrospectively”, but that savours very much of locking the stable door after the horse has bolted. The whole point of the DPIA is to prevent the horse from bolting in the first place. Indeed, the GDPR and DPA18 both expressly require that it should be carried out “prior to the processing” (emphasis added). Doing so retrospectively is as much a breach as not doing so at all.” In addition to horses Eoin O'Dell talks football and more than a few other things in ‘Neither a pretty face nor a beautiful game — of football pitches, data protection impact assessments, artificial intelligence, facial recognition, and closed-circuit television surveillance’.
Endnotes & Credits
- The elegant Latin bon mot “Futuendi Gratia” is courtesy of Effin’ Birds.
- As always, a huge thank you to Regina Doherty for giving the world the phrase “mandatory but not compulsory”.
- The image used in the header is by Krystian Tambur on Unsplash.
- Any quotes from the Oireachtas we use are sourced from KildareStreet.com. They’re good people providing a great service. If you can afford to then donate to keep the site running.
- Digital Rights Ireland have a storied history of successfully fighting for individuals’ data privacy rights. You should support them if you can.
Find us on the web at myprivacykit.com and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn.
If you know someone who might enjoy this newsletter do please forward it on to them.