July Roundup

Please ensure you’re sitting comfortably folks as this was quite a month, both at home and abroad.

1. The Central Statistics Office Really Wants To Track You

In one of the stranger privacy stories we’ve yet seen in this country, the Irish Times reported that the Central Statistics Office desperately wanted to build a comprehensive tourist tracking system using data acquired from mobile phone operators. They’d been told politely on numerous occasions by the office of the Data Protection Commissioner not to do this. In a piece of charming colour, the director general of the CSO wrote to the Data Protection Commissioner in 2013 to express his concern about the embarrassment that could be caused to the CSO if the regulator’s concerns were made public. The director general quite rightly didn’t think this would look good for the CSO. One way to ensure the CSO didn’t look bad would have been to give up on the project. But they didn’t. They persevered. In fact the saga had run for almost a decade.

The CSO even went so far as to get the office of the Attorney General to draft a statutory instrument to force mobile phone operators to hand over subscriber information.

They wanted to track visitors to Ireland as they moved around the country. They wanted to track Irish people as they travelled abroad. They didn’t think this was intrusive, invasive or even just plain old strange.

There was considerable alarmed reaction to the story from experts both local and international, some of which is collected here.

Notes for humans

The stubborn determination displayed by the CSO appears to be part of a wider malaise across the Irish public sector when it comes to privacy and data protection. Rules, laws, best practice and the regulator are mere inconveniences standing in the way of ever more extravagant data acquisition for no good reason, and considerable efforts will be made to route around these inconveniences. We wrote last month about the apparent downgrade or demotion of data protection within Irish government circles. Taken as a whole this displays a disturbing lack of awareness and lack of care when it comes to the safeguarding of citizens’ personal data. This will almost undoubtedly end badly, as can be seen by current events in Sweden.

Also during July a new state database slouched blinking into the light. This one will track every individual who uses the education system. Because why not.

+ ‘Regulator and CSO in stand-off over mobile data’, Irish Times

+ ‘You Want To Do What Now?’, Privacy Kit

+ ‘CSO mobile phone plan ‘surveillance at its worst’ – privacy expert’, Irish Times

+ ‘Just Some Light Tracking? That Could Cost You’, Privacy Kit


2. Privacy Scandal Costs Ministerial Jobs In Sweden

The more of our lives we trust to the databases of authority, and the more these are interlinked, the more power we give away to people who might mean us harm. Privacy and security have to take precedence over administrative convenience wherever governments deal with personal information.

What started out as a reasonably routine bit of outsourcing of some government data services in Sweden has so far cost two ministers and one director general their jobs and put the future of the government in jeopardy. In its rush to bundle registration records into IBM’s cloud the Swedish transport agency ignored established data governance rules.

Notes for humans

Some Irish government ministers would be well advised to look carefully at the increasing number of haphazard large data projects that are underway in their departments. The chances of something similar happening here are increasing.

You don’t have to look too hard to find a fair amount of talk about ‘cloud first’ in relation to various government data projects in Ireland.

Our Cloud First Digital Strategy will be a major step towards raising standards in the provision of Irish Healthcare. It will provide affordable, scalable and securely robust cloud architecture for all Irish Healthcare solutions.


It’s always worth remembering that in many ways ‘the cloud’ is actually just someone else’s computer. So whose computers are your electronic health records going to end up on? Coincidentally, last month an investigation by the Guardian revealed “that a darknet vendor on a popular auction site for illegal products claims to have access to any Australian’s Medicare card details and can supply them on request.”

Towards the end of the month Patrick O’Donovan, the Minister of State for Public Procurement, Open Government and eGovernment announced the eGovernment Strategy 2017-2020. Announcing a strategy that covers the years 2017 to 2020 inclusive when we’re already more than halfway through 2017 would seem to betray a certain lack of planning when it comes to the writing and publication of plans but is not entirely surprising.

While much of the strategy is vague and aspirational (‘We will transform our “back office”‘) there is a thread of determination to share as much data as possible across all branches of government. The Public Services Card is a particular star of the strategy. This card, which ministers and the civil service insist is not mandatory, will force its way into more and more pockets as the government makes it impossible to access routine services without it. The card is of course merely the visible manifestation of a population-wide biometric identity register that is being created.

As we wrote here a few months ago, whether a national identity register is constructed by accident or design, it should most certainly not be created without thorough public debate. The very opposite of this is happening with the slow creep of the Public Services Card across multiple government departments and agencies, as outlined in Annex B of the strategy.

+ ‘Sweden leaked every car owners’ details last year, then tried to hush it up’, The Register

+ ‘The Guardian view on a Swedish scandal: the precedence of privacy’, Guardian

+ ‘State ‘on collision course’ with EU over data sharing’, Irish Times

+ ‘Governments and states playing fast and loose with our data’, Irish Times

+ ‘The State shouldn’t get a free pass when Europe’s data law comes into effect’, Irish Independent

+ ‘The Identity Card That Most Assuredly Isn’t An Identity Card’, Privacy Kit


3. More CCTV, No Impact Assessment

In July a proliferation of CCTV across Ireland was approvingly and unquestioningly reported on.

First we go to Duleek, stopping off briefly in Hertfordshire along the way for some context. A few years ago there was quite a controversy in England over what critics dubbed the ‘Royston Ring of Steel’.  CCTV cameras with full number plate recognition capabilities were deployed around the rural town of Royston in Hertfordshire. The UK has significantly more CCTV surveillance than most other European countries. Yet even in a country where CCTV is more accepted than most, people found the scale of the deployment in Royston excessive. The office of the Information Commissioner investigated and ruled the system was unlawful and excessive.

Royston has a population of approximately fifteen thousand. There were seven cameras deployed to make up the Ring of Steel. That’s one camera for roughly every 2,142 people in the area.

The local papers gushingly reported the launch of a new CCTV scheme in Duleek. One even used the word slick in a headline. Local businesses including Indaver Ireland and Irish Cement appear to have provided the funding for the project. This system has fourteen cameras which cover Duleek and Donore. According to the 2016 census, Duleek has a population of 4,219 and Donore a population of 760, which gives a total population of just shy of five thousand for the area covered by these cameras. That’s one camera for every 355 people in the area. This is extraordinarily disproportionate for a rural area.

Anyway, let’s move on from the fully operational battle station in Duleek to a plethora of proposed schemes in County Limerick. The Limerick Leader reported that CCTV was to be rolled out to fourteen towns in the county before the end of the year.  Rossa McMahon made a polite enquiry on Twitter as to what procedures had been followed in Newcastle West. The council seemed unwilling to discuss their public surveillance plans in public.

Notes for humans

So many questions, so few answers. Why are public authorities unwilling to answer questions in public about the procedures that have or have not been followed? Should private companies be paying for police equipment? Why are there so many cameras in Duleek compared to Royston, which was adjudged to be disproportionate and excessive?

+ ‘WATCH: The new CCTV camera system in Duleek is pretty slick!’, Meath Chronicle

+ ‘Duleek sets the bar with new CCTV cameras’, Drogheda Independent

+ ‘Duleek and Donore CCTV security system launched’, Drogheda Life

+ ‘The Royston ring of steel: Data watchdog warns police that surveillance scheme in rural Hertfordshire town is ‘unlawful”, Independent

+ ‘Fourteen Limerick towns named for roll-out of CCTV scheme’, Limerick Leader

4. Google And The Royal Free

The Information Commissioner in the UK ruled that “London’s Royal Free hospital failed to comply with the Data Protection Act when it handed over personal data of 1.6 million patients to DeepMind”, a Google subsidiary.

Notes for humans

It’s your data, not Google’s and not the hospital who acts as an intermediary. Information about your health is some of the  most sensitive personal data imaginable. It is absolutely your right to know what your data will be used for, to decide if you want your personal data to be used for research purposes and to be able to withdraw that permission at any time.

In Ireland the HSE has provided scant detail about what it plans to do with your personal data, and whether it has any agreements in place with vast data-hungry technology companies such as Google.

It’s ten years since Google acquired Doubleclick. At the time Google gave reassurances it wouldn’t merge the Doubleclick database of web browsing with its own user database. Last year it quietly did just that. Assurances given can easily be overridden by commercial decisions in the future. You’ll have very little say if someone else controls your data.

+ ‘Google DeepMind NHS app test broke UK privacy law’, BBC

+ ‘Privacy and population-wide whole-genome sequencing in the age of Google’, Privacy News Online

+ ‘Why Google DeepMind secretly gaining 1.6 million UK patient records is a human rights issue’, Liberty Human Rights

+ ‘The DeepMind debacle demands dialogue on data’, Nature

+ ‘Listen To The Privacy Geeks’, Paul Bernal

+ ‘Giving Google our private NHS data is simply illegal’, Guardian

5. Passenger Name Record Deal Struck Down

The Court of Justice of the European Union has sent a proposed agreement on Passenger Name Record data between the EU and Canada back for revision. The court found the data sharing agreement was incompatible with European law.

“The court’s confirmation that the EU-Canada PNR agreement is illegal in its current form is a turning point in the fight against unlawful border surveillance,” said Estelle Massé, Senior Policy Analyst at Access Now. “Civil society has long argued that the blanket surveillance mandated by PNR agreements and the EU PNR Directive are in violation of fundamental rights. The Commission must urgently reform these measures”.

Notes for humans

This may seem a bit down in the weeds but it is important because, as seen above, indiscriminate sharing of personal data, even data which may seem mostly innocuous can have far-reaching consequences. In other words, if this agreement had remained as it was without revision, your address or travel itinerary could have ended up being shared with all kinds of organisations you most certainly wouldn’t have expected.

+ ‘CJEU: Planned PNR agreement between EU and Canada must be reworked’, out-law.com

+ ‘In win for privacy, European court rejects EU-Canada “PNR” agreement’, Access Now


Honourable Mentions

[Image credit: Frankie Guarini on Unsplash]

Leave a Reply

Your email address will not be published. Required fields are marked *