View profile

Normal Practice | The Cat Herder, Volume 4, Issue 11

March 28 · Issue #124 · View online
The Cat Herder
The Irish state does it again. I have nothing remotely witty to add here.

Call centre staff to be monitored via webcam for home-working ‘infractions’ | Working from home | The Guardian
Where to start with the latest sorry instalment in the Irish state’s cavalier disregard for people’s data protection rights? With the breaches of medical confidentiality, the unwarranted and mandated secrecy, the menacing of media outlets by waving the Official Secrets Act in their direction, the tiresomely predictable cries of ‘we dun nuttin’ wrong and even if we did we think its lawful’, the alarmingly hasty establishment of an investigation into the entity that’s being investigated by the entity that’s being investigated which isn’t actually an investigation at all, the refusal to publish the legal advice which apparently found the reprehensible and utterly unethical behaviour to be “entirely lawful, proper and appropriate”, the fact that the Department of Health has had plenty of time to workshop its lines in advance of this story becoming public knowledge and the best it has come up with so far is to describe what was done as “normal practice”?
Data protection law is based on a set of principles. These are not creations of the GDPR. They go back decades.
The first principle of data protection is that personal data must be processed lawfully, fairly and transparently.
Simon McGarr deals with the lawfulness of this processing in ‘The Gist: Autistic children and other enemies of the State’.
That’s because it may be normal for me to hold your bank records if I receive them on foot of a court-ordered discovery process. But if I break into your house in the night and steal them from your desk then it is generally considered very Not Normal when I am found with them.
The UK ICO (and good grief I’m having to say something nice about the ICO here) has a passable definition of what would make something unfair, which is as close to a definition of fair as we will get. Processing is unfair if it is “unduly detrimental, unexpected or misleading to the individuals concerned“.
Digital Rights Ireland put out a statement yesterday which shows that the behaviour appears to have been concealed from the Department’s own data protection unit.
We note that the department’s statement yesterday refers to the collection, processing and sharing of personal data of autistic children who had litigated on their rights as “normal practice”.
In that light, we do not know why this processing would have been kept secret from the department’s own Data Protection Officer and not placed on their statutory register of processing activities.
The Data Protection Commission has considerable powers. It needs to urgently do more than simply corresponding with the Department of Health. Section 130 of the Data Protection Act would be a good place to start, particularly the bit about securing documents and records for later inspection. Because documents and records have a nasty habit of disappearing if they’re not secured in this country.
Describing this as “normal practice” invites many, many questions which need to be answered by an independent investigation separate to a DPC investigation, and most certainly not a “consideration” of issues by the Department itself as proposed by the Secretary General Robert Watt in his open letter of Friday evening. Is this normal practice just within the Department of Health? Or is it normal practice across government departments? Is it normal practice within state agencies which operate under the aegis of those departments? How long has it been normal practice for? Will it continue to be normal practice since it has been declared “entirely lawful, proper and appropriate” in unpublished legal advice?
Before he headed to the Department of Health Robert Watt was the Secretary General of the Department of Public Expenditure and Reform. This department played a leading role in the still-ongoing Public Services Card omnishambles.
In December 2016 Mr Watt took issue with an article in the Irish Times which questioned the legality of data sharing among state bodies. He wrote a letter to the newspaper baldly stating that the article was “not correct”.
He went on to say that “To suggest that any public body continues to share data and ignores the Bara judgment and the changing data protection regime is not correct.” Well, that assertion has seemingly been proved very, very untrue by the behaviour of Mr Watt’s new department.
In his letter he mentioned something called ‘the “ask once, use many” approach’ in relation to personal data. This suggests Mr Watt may indeed understand that using without asking is not something state bodies should be doing.
Nevada’s website, which is run through a partnership with a nonprofit organization, Immunize Nevada, contained 24 ad trackers and 45 third-party cookies. Ranking states by number of cookies, Nevada has more than the lowest 46 states combined.
We Ran Tests on Every State’s COVID-19 Vaccine Website – The Markup
On Tuesday, the Federal Data Protection and Information Commissioner (FDPIC) announced that it has opened proceedings against the platform operator Myvaccines foundation. The free service allows people to create an electronic version of their paper vaccination record to ensure they are kept up to date about their vaccinations. The platform has received the support of government public health departments. 
According to a tweet from Republik magazine on Tuesday, 450,000 vaccination data, including those of 240,000 people vaccinated against Covid-19, were openly accessible and vulnerable to manipulation.
Swiss online vaccine registry probed for data security issues - SWI
This one does feel pretty inevitable
This one does feel pretty inevitable
Credit Card Hacking Forum Gets Hacked, Exposing 300,000 Hackers’ Accounts
The European Commission Vice President Vera Jourova casually lobbed a hint about rejiggering the entire data protection supervisory model in the direction of the participants in the “public squabbles” between regulators.
Meanwhile the European Parliament adopted a resolution calling for improved implementation and enforcement of the GDPR but not calling for any review of the regulation. The tardiness of the Irish and Luxembourg DPAs was singled out for special mention.
  • ‘“Vaccine credentials are a very slippery slope,” she said. “If not done right, vaccine credentials will be a major violation — and an easy one — of individuals’ health privacy, because you’re carrying around in your pocket something that’s a critical piece of health data.”‘ From 'Paper beats app: Vaccine verification will likely be proven offline. Here’s why.’ by David Ingram for NBC News
  • “If nothing else, the campaign would be useful if it made the term “surveillance advertising” catch on. One of the many tricky things about discussing digital ad targeting based on user data is that there isn’t any great, widely understood terminology for the phenomenon itself. “Targeted advertising,” the phrase in the headline to my story from a year ago, is too broad; there’s nothing wrong with “targeting” an ad to readers of WIRED, for example. “Microtargeting” is better, but doesn’t get at why the practice is troubling. What really defines the dominant model of digital ad tech is that it’s based on keeping track of where we go, what we do, whom we know.” From ‘This Group Wants to ‘Ban Surveillance Advertising’’ by Gilad Edelman for Wired.
  • “The FOC’s case against Facebook is seen as highly innovative as it combines the (usually) separate (and even conflicting) tracks of competition and privacy law — offering the tantalizing prospect, were the order to actually get enforced, of a structural separation of Facebook’s business empire without having to order a break up of its various business units up.” From ‘Competition challenge to Facebook’s ‘superprofiling’ of users sparks referral to Europe’s top court’ by Natasha Lomas for Techcrunch.
  • The Oireachtas Justice Committe invited submissions to a review of the implementation of the GDPR in Ireland. Castlebridge’s comprehensive and well-worth-your-time submission is here.
  • [Shameless plug] Wearing my Article Eight Advocacy hat I contributed a little bit to a joint submission to the same Committee with the Clann Project which you can read here [direct link to PDF].

Endnotes & Credits
Find us on the web at and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn.
If you know someone who might enjoy this newsletter do please forward it on to them.
Did you enjoy this issue?
If you don't want these updates anymore, please unsubscribe here.
If you were forwarded this newsletter and you like it, you can subscribe here.
Powered by Revue
Privacy Kit, Made with 💚 in Dublin, Ireland