Privacy Kit

August 16, 2020

"we intend to order them to redo the awarding of grades" | The Cat Herder, Volume 3, Issue 31

August 16 · Issue #95
The Cat Herder
A PSC anniversary; when is automated decision-making not automated decision-making; more facial recognition in Ireland and hopefully less facial recognition in the UK.
😼

I find it hard to believe that it’s possible to run an entirely UK-based organisation from the arse-end of another continent.
Tim Turner spotted an FOI request on whatdotheyknow.com which piqued his interest. This led him to write a blog post on remote working as it applies very specifically to the UK’s Information Commissioner.
Sky picked up on this post and ran a story on it (without crediting Tim, which is very bad form, Sky).
In Ireland we’re going to find out a lot about the principles of fairness, transparency and accountability in data protection very soon.
GDPR, Article 5.1 - “Personal data shall be: (a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’)”
GDPR, Article 5.2 - “The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).”
Things have gone very badly wrong in England. This came after things went very badly wrong in Scotland. A U-turn has been performed in Scotland. There has been no sign of anything similar happening in England yet.
Sunder Katwala
@sundersays
Ofqual's rule (2): impossible for a 2020 student in top 3 of their class to miss an Oxbridge offer grade, as long as their class contained 3 past students, 2017-19, whose grades surpassed it

Ofqual has graded the ghosts of past students - and given their grades to 2020 students
7:34 PM - 15 Aug 2020
The only way to restore individual fairness is to restore individual appeals which look at the student’s actual achievements, not the past record of the school. Every previous student has had, every future student will have, access to an individual appeal process. Not in 2020. So much for the Secretary of State’s pledge that this year’s students should not face ‘a systematic disadvantage as a consequence of these extraordinary circumstances’.
Higher Education Policy Institute: ‘A-Levels 2020: what students and parents need to know’
The official response so far has not been promising.
Michael Veale
@mikarv
This is NHSX-level of reverse-engineer-yourself-out-of-the-law level delusion.

(nb: the v2 NHSX app DPIA is, finally, much improved, after an arrogant and deeply flawed start) https://t.co/5mVIvWmXux https://t.co/YFVjs2Jo3L
8:30 PM - 15 Aug 2020
While in the UK Ofqual is attempting to avoid any Article 22 challenges by claiming there’s no automated decision-making because a human glanced at the automated decisions after they came out of the automated decision-making machine, the Norwegian DPA is taking things back to the data protection principles. It plans to tell the International Baccalaureate Organisation to bin their algorithm and have another go at the whole grades thing, based on the principle of fairness. The Datatilsynet feels the personal data of students has not been processed fairly.
The Norwegian Data Protection Authority considers that the IBO has processed personal data in an unfair manner and that this year’s IB grades are inaccurate. Therefore, we have sent the IBO an advance notification stating that we intend to order them to redo the awarding of grades.
The Norwegian DPA intends to order rectification of IB grades | Datatilsynet
—
If in doubt, and if in the United States, always try a First Amendment defence of whatever it is you’re up to.
Facial Recognition Start-Up Mounts a First Amendment Defense - The New York Times
www.nytimes.com
Clearview AI has hired Floyd Abrams, a top lawyer, to help fight claims that selling its data to law enforcement agencies violates privacy laws.
This will happen here. It almost definitely is already happening here.
Big British Bank Barclays Accused Of Spying On Employees—This May Be The New Trend
www.forbes.com
Barclays is being investigated by the Information Commissioner’s Office. The privacy agency is examining the big bank to see if the company spied on its employees.
—
A good news story about live facial recognition.
Megan Goulding, a lawyer for civil rights group Liberty, which supported Bridges’ claim, said the facial recognition systems are discriminatory and oppressive.
“The court has agreed that this dystopian surveillance tool violates our rights and threatens our liberties,” Goulding said. “Facial recognition discriminates against people of color, and it is absolutely right that the court found that South Wales Police had failed in their duty to investigate and avoid discrimination.”
UK court says face recognition violates human rights
techxplore.com
The use of facial recognition technology by British police has violated human rights and data protection laws, a court said Tuesday, in a decision praised as a victory against invasive practices by the authorities.
Personal details of staff released in Social Protection IT breach 
www.irishexaminer.com
The leaked data included pictures of staff displaying their Personal Public Service Numbers and access to elements of the personal files of staff. 
If the reporting here is accurate then special categories of personal data, i.e. health data, were involved in this breach, and yet the Sideshow Bob Rake Department deemed this not to be a great enough risk to the rights and freedoms of its own staff to warrant reporting the breach to the Data Protection Commission.
The leak was from the Time and Attendance administrator system in the department which deals with staff working hours and other human resource elements such as sick leave. The information stored in the system would include medical files for personnel in the department.
A statement issued to the Irish Examiner from the department last night confirmed the breach but did not address questions about how many staff or former staff members were affected.
From the tone of the quote from a department statement in the story (“The department confirms that this [the breach] did not involve customer data”) one could assume that the department is labouring under the delusion that data breaches involving the personal data of its staff are somehow less serious than those involving the personal data of its ‘customers’. This is not the case.
At the same time the department has put a tender out for two hundred thousand euros’ worth of facial recognition software. The DPC’s investigation into the legality of the large biometric database of facial images of the majority of people in the country, which was collected and is still held by the department, has not been completed yet. One would have to question the timing of this tender in the light of that fact. Surely the department isn’t deliberately attempting to create more sunk costs for this whole sorry mess?
Simon McGarr
@Tupp_Ed
Guess who wants MOAR automatic facial recognition software?

https://t.co/DGxzRsOCfd https://t.co/CODLHAXAR4
9:44 PM - 15 Aug 2020
—
Speaking of the DPC and DEASP and investigations and the Public Service Card, a year has now passed since the first part of the DPC’s investigation into the PSC and associated systems concluded with the delivery of a report to the department. Which the department then initially refused to publish, then refused to release under FOI because this might cause a threat to national security. If you fancy a trip down memory lane, here’s Issue 30 of Volume 2 of this newsletter from the 18th August last year, ‘Seosaimhín, We Hardly Knew Ye’.
Here’s the DPC’s ‘Statement on Matters Pertaining to the Public Services Card’, and a still very relevant quote from that statement:
As new uses of the card have been identified and rolled-up from time to time, it is striking that little or no attempt has been made to revisit the card’s rationale or the legal framework on which it sits, or to consider whether adjustments may be required to safeguards built into the scheme to accommodate new data uses. Instead, the development of the card has proceeded by way of one-off, piece-meal changes to existing social welfare legislation, resulting in a situation where, in our view, the approach to the project from a data protection perspective is lacking in coherence and where, more importantly, there is little or no evidence of any attempt to balance the interests of the State, acting through those public bodies who participate in the scheme, and the interests of those members of the public who are required to obtain and produce the card (and provide their personal information when registering for it). Certainly, there is no evidence of any such balance being re-examined on each occasion when a new form of use is identified for the card. That cannot be considered acceptable in a data protection context where careful calibration is required when considering adjustments to any scheme that, by its very nature, interfaces with established and important legal rights.
A year has passed and still “no attempt has been made to revisit the card’s rationale or the legal framework on which it sits, or to consider whether adjustments may be required to safeguards built into the scheme to accommodate new data uses.”
This is an organisation which seems unwilling to make any effort to meet many of its obligations as one of the largest data controllers in the state, preferring instead to use evasiveness, bluster and delaying tactics at every turn.
France’s Highest Administrative Court (the Conseil d’Etat) issued a decision on 19 June 2020 upholding most of the guidance on cookies and other tracking devices that the French Data Protection Authority (the CNIL) had published on 4 July 2019 (the Guidance). However, the Conseil d’Etat struck down the provision of the Guidance imposing a blanket prohibition on so-called “cookie walls” that prevent users who do not consent to the use of cookies from accessing a website or an application. On the same day, the CNIL published a communication acknowledging the decision and announcing that it would adjust its Guidance and future recommendation to strictly comply with the Conseil d’Etat’s decision.
JDSupra, ‘France’s Highest Administrative Court Provides Insights on Lawful Cookie Practices’
  • “Arguments in relation to transatlantic data flows and other issues are the equivalent of the Admiral pulling rank. In other circumstances they might be persuasive and important arguments. However, we’re dealing with a conflict of fundamental principles here, and the CJEU is attentively manning its light house. For any other outcome, the Commission has to be able to persuade the lighthouse to move.” Daragh O Brien pours some cold water on the chatter about the European Commission and the US Department of Justice cooking up some sort of replacement for the now very much deceased Privacy Shield in ‘Privacy Shield Replacement: The Bastard Son of Shield’.
  • “Doctoroff seemed to paint the very picture Wylie fears. According to the blog post, he “believes the crisis ultimately will create an even greater need for urban innovation — including the sort of data collection and analysis that had concerned some Toronto residents, which could become important tools for controlling the spread of future disease outbreaks akin to COVID-19.” The pandemic, then, could be a Trojan horse for data-gathering projects far beyond Sidewalk Lab’s wildest dreams for Quayside. Doctoroff likened it to New Yorkers who “adjusted to a network of surveillance cameras installed in lower Manhattan after the September 11 attacks.” Brian J Barth on the ‘Death of a Smart City’.
  • “Under GDPR, consent for processing EU citizens’ personal data must be informed, specific and freely given. The regulation also confers rights on individuals around their data — such as the ability to receive a copy of their personal information. It’s those requirements the litigation is focused on, with the cases set to argue that the tech giants’ third party tracking cookies, BlueKai and Krux — trackers that are hosted on scores of popular websites, such as Amazon, Booking.com, Dropbox, Reddit and Spotify to name a few — along with a number of other tracking techniques are being used to misuse Europeans’ data on a massive scale.” ‘Oracle and Salesforce hit with GDPR class action lawsuits over cookie tracking consent’, Natasha Lomas for Techcrunch.
Endnotes & Credits
  • The elegant Latin bon mot “Futuendi Gratia” is courtesy of Effin’ Birds.
  • As always, a huge thank you to Regina Doherty for giving the world the phrase “mandatory but not compulsory”.
  • The image used in the header is by Krystian Tambur on Unsplash.
  • Any quotes from the Oireachtas we use are sourced from KildareStreet.com. They’re good people providing a great service. If you can afford to then donate to keep the site running.
  • Digital Rights Ireland have a storied history of successfully fighting for individuals’ data privacy rights. You should support them if you can.
Find us on the web at myprivacykit.com and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn.
If you know someone who might enjoy this newsletter do please forward it on to them.
Privacy Kit, Made with 💚 in Dublin, Ireland
