Privacy Kit

August 18, 2019

Seosaimhín, We Hardly Knew Ye | The Cat Herder, Volume 2, Issue 30

August 18 · Issue #47
The Cat Herder
We missed a birthday! The first issue of this newsletter went out on August 6th last year so thanks to all of you for reading. As well as keeping this newsletter going, over the next few months there’ll hopefully be a new website with a focus on communications around everything relating to data protection, links to relevant resources and so on. It’s still a work in progress without a fixed launch date.
Thanks again and do please forward this newsletter on to anyone you think might find it worth reading.
😼

CNN (@CNN)
The governor of Tanzania's largest city has announced a plan to create and publish a national database of married men to protect women from "heart breaks." https://t.co/IL8fC6pBSN
8:00 PM - 13 Aug 2019
There’s a lot of coverage of the latest in the Public Services Card mess and no doubt you’ll have read most of it by now so rather than doing a round-up of that here are a few snapshots of moments in time from the last few years.
—
In December 2016 Elaine Edwards wrote a piece in The Irish Times entitled ‘Government continues data-sharing projects despite EU ruling’. It included this on the guidance on the Bara ruling which the DPC had issued.
Helen Dixon’s office said that the public policy objective being pursued by a particular data sharing arrangement without consent should be “explicit” and that an assessment should be made as to whether the likely benefits of the sharing justified the overriding of the individual’s data protection rights.
Public sector bodies should consider the potential benefits and risks, either to individuals or society, of sharing the personal data, her office said.
—
In August 2019, following a protracted investigation which, based on all available evidence, was prolonged by the department’s stubborn refusal to make contact with reality, the DPC published its findings “on certain aspects of the Public Services Card”. It included the following as commentary.
As new uses of the card have been identified and rolled-up from time to time, it is striking that little or no attempt has been made to revisit the card’s rationale or the legal framework on which it sits, or to consider whether adjustments may be required to safeguards built into the scheme to accommodate new data uses. Instead, the development of the card has proceeded by way of one-off, piece-meal changes to existing social welfare legislation, resulting in a situation where, in our view, the approach to the project from a data protection perspective is lacking in coherence and where, more importantly, there is little or no evidence of any attempt to balance the interests of the State, acting through those public bodies who participate in the scheme, and the interests of those members of the public who are required to obtain and produce the card (and provide their personal information when registering for it). Certainly, there is no evidence of any such balance being re-examined on each occasion when a new form of use is identified for the card. That cannot be considered acceptable in a data protection context where careful calibration is required when considering adjustments to any scheme that, by its very nature, interfaces with established and important legal rights.
—
In response to Elaine Edwards’ piece in December 2016 Robert Watt, Secretary General of the Department of Public Expenditure, took to the letters page of The Irish Times to defend his department’s grand plans - as this story develops we shouldn’t lose sight of the fact that DPER is a joint data controller with DEASP and therefore also liable and responsible for this costly debacle which has infringed on the information rights of millions of people. Watt superciliously brushed aside any concerns, concluding
The Department of Public Expenditure and Reform will continue to ensure that data-sharing only takes place in a way that fully aligns with data-protection responsibilities, that protects citizens and that contributes to the improvement of public service delivery.
—
In the very first edition of this newsletter, over a year ago, we wrote
Here at The Cat Herder we were particularly impressed with the similarities between Australia and Ireland when it came to bureaucratic behaviour in the face of a developing data privacy scandal. The specific issue is different but the reactions and administrative instincts are the same across continents. Silencing critics or denying you’re doing what you’re doing doesn’t make the problems go away, it adds to them.
—
Almost two years ago Elaine Edwards wrote a story in The Irish Times about a woman whose pension payments had been cut off after she refused to get a Public Services Card. This ultimately precipitated the beginning of the formal investigation by the DPC.
The department said it did not collect data on the number of individuals who had had payments suspended or stopped by reason of failing to complete the registration process.
—
According to reporting last night, the government is now considering producing some sort of legislation in an attempt to retrospectively provide a legal basis for the processing the DPC has stated there is no legal basis for. This is a thoroughly bad idea which seems to show that the government has not yet learned much about processing personal data in a transparent and proportionate manner which is respectful of the rights of individuals.
🐦 Rossa McMahon wrote a (weary) thread on Twitter going into this in more detail.
Miscellanea
🐦 The peculiar behaviour of officials in the Department of Employment Affairs and Social Protection in relation to Simon McGarr
🐦 The peculiar behaviour of officials in the Department of Employment Affairs and Social Protection in relation to journalism which quoted experts they described as cranks.
The existence of a mysterious RSA Expert somewhere within the corridors of Independent News & Media, who made several appearances - the most recent being only a few weeks ago - to extol the virtues of the Public Services Card in language that was strongly reminiscent of the government’s own talking points. A piece entitled ‘Dreaded driver licence applications set to get simpler with new service card’ appeared on the 21st February 2018. This was four months after the DPC investigation had begun and the day before Tim Duggan of DEASP and Barry Lowry of DPER appeared before an Oireachtas committee to answer questions about the PSC.
One piece of commentary worth reading is Gene Kerrigan in the Irish Independent, who rightly gives credit to the two women who most deserve it. We wouldn’t be where we are now without their bravery and tenacity.
Adrian Weckler’s latest Big Tech Show podcast features Helen Dixon and is well worth an hour of your time. As well as diving into more detail on the Public Services Card findings than can be covered in a news report, Dixon also discusses the progress of the investigations into multinationals, and conversations her office is having with old friends of this newsletter Genomics Medicine Ireland.
During the week The Financial Times reported (€) that King’s Cross in London was surveilling tens of thousands of people without their knowledge using facial recognition.
Sadiq Khan wrote to the owners of King’s Cross seeking more details. The ICO launched an investigation.
Who are the proud owners of one of Ireland’s largest biometric databases, one full of high-resolution pictures of millions of people’s faces? Why, it’s the Department of Employment Affairs and Social Protection. The DPC’s verdict on what happens with that database is expected soon.
The Czech DPA announced that it had wanted to fine both a government department and a municipality but since public bodies were exempted from fines under the implementing act the best it can do is issue press releases detailing how much the organisations in question would have been fined.
Translation via Google Translate.
—
The Maltese DPA fined HSBC €5,000 for illegally monitoring an employee’s bank account.
—
The Data Protection Commission of Ireland published new guidance, ‘A Quick Guide to GDPR Breach Notifications’. This guidance covers both notifications to the supervisory authority and notifications to data subjects.
The DPC also opened an investigation into Verizon / Oath, formerly Yahoo!
  • “Potential harms include fraud and identity theft (suffered by 1 in 10 Australians); being charged higher retail prices, insurance premiums or interest rates on the basis of our online behaviour; and having our information combined with information from other sources to reveal intimate details about our health, financial status, relationships, political views, and even sexual activity.” ‘Here’s how tech giants profit from invading our privacy, and how we can start taking it back’ writes Katherine Kemp in The Conversation.
  • “The real value of read statuses may just be a feeling: being privy to other people’s data, consensually or otherwise, can create a sense of power or control. There’s a certain satisfaction to surveillance. Data isn’t necessarily knowledge, but it can feel like it.” Anna Wiener has a thoughtful piece in The New Yorker about the shifting ethics of software.
  • In TechCrunch Natasha Lomas covers a new research study into how people interact with cookie consent mechanisms. “The researchers conclude that if consent to drop cookies was being collected in a way that’s compliant with the EU’s existing privacy laws only a tiny fraction of consumers would agree to be tracked.”
——
Endnotes & Credits
  • The elegant Latin bon mot “Futuendi Gratia” is courtesy of Effin’ Birds.
  • As always, a huge thank you to Regina Doherty for giving the world the phrase “mandatory but not compulsory”.
  • The image used in the header is by Krystian Tambur on Unsplash.
  • Any quotes from the Oireachtas we use are sourced from KildareStreet.com. They’re good people providing a great service. If you can afford to then donate to keep the site running.
  • Digital Rights Ireland have a storied history of successfully fighting for individuals’ data privacy rights. You should support them if you can.
Find us on the web at myprivacykit.com and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn.
Barring a disaster we’ll be in your inbox again next weekend.
If you know someone who might enjoy this newsletter do please forward it on to them.
Privacy Kit, Made with 💚 in Dublin, Ireland
