Privacy Kit

December 8, 2019

So Many Awards | The Cat Herder, Volume 2, Issue 47

December 8 · Issue #63
The Cat Herder
The enforcement notice for the PSC arrives. The National Children’s Hospital will come armed to the teeth with expensive facial recognition cameras which may or may not be used.
😼

If you’re in a spot of bother over flogging people’s data then adding a dash of forgery to the mix isn’t the brightest of ideas.
Lib Dems suspend campaigner after apparent email forgery | Politics | The Guardian
www.theguardian.com
Party had sought retraction of journalist’s story about alleged sale of voter data
—
This is one hell of a sentence. “Chinese scientists are trying to find a way to use a DNA sample to create an image of a person’s face.”
China Uses DNA to Map Faces, With Help From the West - The New York Times
www.nytimes.com
Beijing’s pursuit of control over a Muslim ethnic group pushes the rules of science and raises questions about consent.
The DPC issued an enforcement notice regarding the Public Services Card on Friday last.
  • ‘Enforcement notice on public services card issued by data commissioner’, Irish Examiner
  • ‘Regulator issues enforcement notice on public services card project’, Irish Times
It’s three years to the day since Elaine Edwards wrote a piece in The Irish Times headlined ‘Government continues data-sharing projects despite EU ruling’. Daragh O Brien of Castlebridge Associates is quoted as saying:
“Nothing exemplifies the failure of the Irish public service to recognise that data protection law exists, and has evolved, more than the celebration of an award for a project that on the face of it appears to ignore the Court of Justice ruling in the Bara case”
As if, yet again, nothing had changed, this year threw up yet another award. After the DPC’s report was delivered, the Department of Employment Affairs and Social Protection won an award for MyGovID at the eGovernment awards. The Secretary General’s eagerness to promote this on the department’s website caused consternation. “Publish today unpublish tomorrow?”
Now we all wait to see what happens next with the Public Services Card. As pointed out in the piece in the Irish Examiner above, if this case wends its way through the courts and ultimately to the CJEU then it could be another three years before any conclusion is reached. Which is almost the lifespan of a Public Services Card and far from an ideal state of affairs when the fundamental rights of millions of data subjects are being infringed upon.
It is almost four months since the DPC’s report into the card was unwillingly published by the department. In that intervening period - and for at least eighteen months beforehand - the department has not made any effort to update the information available to data subjects about the card on the psc.gov.ie website. The response to the question “What company produces these cards and what safeguards are in place to safeguard the use of data by this company?” starts with the following:
“The PSC is produced in Ireland by an Irish-registered company called Biometric Card Services (BCS) under contract to the Department. The current contract is due to expire at the end of 2017.”
The company has changed its name and the end of 2017 has long gone. Yet nobody has bothered to update this information.
While the department cannot quickly change the legislation which they are relying on as a lawful basis for processing personal data, they can easily improve the level of transparency around the project by keeping their FAQ up to date. But they haven’t. This is sadly symptomatic of the department’s attitude to data protection.
—
Those in charge of procurement at the National Children’s Hospital appear to be suckers for a good sales presentation. Because nothing else can explain why they decided to acquire quite so much advanced facial recognition gear from Hikvision. The response to inquiries is as evasive or uninformed as ever.
The claim of ‘not yet been decided’ is questionable since specifying these specialized cameras that cost 5 to 10 times what a conventional Hikvision camera costs for the express purpose of delivering facial recognition indicates a decision to deploy facial recognition.
If the hospital is planning on deploying facial recognition then it needs to get a database of faces from somewhere. Perhaps some eager reporter might ask the hospital where they were planning on getting their database from. As well as asking them whether they’ve carried out a Data Protection Impact Assessment. Which they must do before any data processing takes place. It’s always advisable to do the DPIA before money has been spent on shiny top-of-the-range equipment.
We did.
The database stored years of sent and received text messages from its customers and processed by TrueDialog. But because the database was left unprotected on the internet without a password, none of the data was encrypted and anyone could look inside.
Millions of SMS messages exposed in database security lapse – TechCrunch
techcrunch.com
Exclusive: The exposed database was left unprotected without a password. None of the data was encrypted.
It could, it really could.
“Patients should know how their data is used. There should be no surprises. While legitimate research for public health benefit is to be encouraged, it must always be consensual, safe and properly transparent,” said Phil Booth, coordinator of medConfidential, which campaigns for the privacy of health data.
“Do patients know – have they even been told by the one in seven GP practices across England that pass on their clinical details – that their medical histories are being sold to multinational pharma companies in the US and around the world?”
Patient data from GP surgeries sold to US companies | Politics | The Guardian
www.theguardian.com
Dealings with international pharma raise new fears about American ambitions to access NHS.
Many, many, many things could go wrong.
Amazon lets doctors record your conversations and put them in your medical files
www.cnbc.com
Amazon is introducing a virtual medical scribe so doctors can spend more time with patients and less time at the computer.
The Data Protection Authority of Baden-Wuerttemberg published a template joint controller contract.
—
Facebook was fined ~$4 million by Hungary’s competition authority for making the misleading claim that its services were free. This is yet another example of how competition and consumer protection laws are beginning to interact with data protection laws.
—
German Data Protection Authorities have proposed that manufacturers of hardware and software who are not themselves data controllers should be obliged to comply with the GDPR in order to strengthen the implementation of data protection by design and default.
—
The Information Commissioner’s Office in the UK launched an SME hub.
  • “We don’t have any substantial proof that towns become safer when Ring enters the picture. But when Ring cameras enter a town, it’s easy for cities to equate surveillance with being a good neighbor.” From the final part of Caroline Haskins’ series on the surveillance network Amazon are building in partnership with police departments across the US.
  • “others caution that genetic tests may do more harm than good. They could miss some diseases that heel-stick testing can detect and produce false positives for others, causing anxiety and leading to unnecessary follow-up testing. Sequencing children’s DNA also raises issues of consent and the prospect of genetic discrimination.” Tanya Lewis on genetic screening for newborns: ‘23 and Baby’
  • “The tantalizing principle of China’s offer to unstable governments is to re-assert the power of the state. China’s client governments are likely comforted by its insistence that national security means the stability of the current regime, and cybercrime can be defined as critics saying anything untoward about its members. Is this any different from how Western firms work hand-in-glove with their own governments to export political values alongside their products and services?” Maria Farrell explains how China’s Autocracy As A Service is flourishing.
  • We’re watching this two minute video illustration of how difficult it is to opt-out of data collection by Google versus how very, very easy it is to opt-in.
——
Endnotes & Credits
  • The elegant Latin bon mot “Futuendi Gratia” is courtesy of Effin’ Birds.
  • As always, a huge thank you to Regina Doherty for giving the world the phrase “mandatory but not compulsory”.
  • The image used in the header is by Krystian Tambur on Unsplash.
  • Any quotes from the Oireachtas we use are sourced from KildareStreet.com. They’re good people providing a great service. If you can afford to then donate to keep the site running.
  • Digital Rights Ireland have a storied history of successfully fighting for individuals’ data privacy rights. You should support them if you can.
Find us on the web at myprivacykit.com and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn.
Barring a disaster we’ll be in your inbox again next weekend.
If you know someone who might enjoy this newsletter do please forward it on to them.
Privacy Kit, Made with 💚 in Dublin, Ireland
