Discover and read the best of Twitter Threads about #DPIA

Most recents (17)

The Department for Business, Energy & Industrial Strategy recently published a privacy notice covering their intention to gather data related to gas and electricity consumption. Data gathered includes the meter number and postcode of the house, plus the level of consumption.
This is, by any standard, a vast data grab, covering millions of households. Although the purpose of the scheme is the Energy Price guarantee, there are huge risks here. Energy consumption can tell you an enormous amount about how a household behaves.
I made an #FOI request to DBEIS to dig into the background. In particular, I wanted to see the #DPIA that DBEIS must have carried out to get as far as publishing a privacy notice about the scheme and whether they’d discussed the project with @ICOnews.
Read 11 tweets
While the chaos of '#AcceleratedCitizensAccess' to #GPrecords continues to unfold:

...we've come across some perturbing items on the agenda for @NHSDigital's Board meeting this afternoon 👇 which I'll pick up on in this [Thread].

nhs-prod.global.ssl.fastly.net/binaries/conte…
First, beginning on page 158, are some Directions that @NHSEngland must know will be HIGHLY controversial - given they are telling @NHSDigital to use @PalantirTech's #Foundry to collect *patient level identifiable data* from hospitals...
I'll tweet as I do a read-through, but even these first two paragraphs are incoherent, e.g. "...in a way that will enable." Enable what?

And if @NHSEngland Directs NHSD to use #Palantir, NHSE is *determining the purposes and means of processing* - i.e. it is a #DataController...
Read 25 tweets
‼️THREAD:

An accidental posting on Diavgeia of a classified @migrationgovgr project led @Malichudis @IPapangeli @Balkanizator to a revelation:

👉 refugee surveillance projects worth 20 million euros were implemented in violation of the #GDPR regulation.

bit.ly/diavgeia-kata-…
The #Υπερίων (Hyperion) and #Κένταυρος (Centaur) projects, which have drawn heavy criticism, concern:

- an entry-exit control system using biometric/biographical data,

- and a digital security management system using cameras, drones and behaviour-analysis algorithms.
However, @Malichudis @IPapangeli @Balkanizator reveal that the two projects central to the ministry's planning:

- were designed,
- were entered into the 🇪🇺 funds,
- were implemented,

without the necessary personal data protection provisions being satisfied.
bit.ly/diavgeia-kata-…
Read 6 tweets
#PrivacyResearchDay Here we go! Today the CNIL welcomes international researchers to present their work on #privacy and #data protection.
Follow the event live in 🇬🇧 or 🇫🇷 👉 cnil.fr/fr/privacy-res…
Follow the thread ⬇️
CNIL President Marie-Laure Denis welcomes the international community to the 1st #PrivacyResearchDay! Researchers who work and teach in Germany, Belgium, Spain, Singapore, Switzerland, the United Kingdom, Luxembourg and France.
The CNIL uses #research in multiple ways:
👉 When drafting recommendations and guidelines.
👉 In one of the #cookies cases, the CNIL referred to the findings of two research papers.
Read 69 tweets
Without fanfare, the reasons for which will soon become obvious, @NHSEngland finally published its #DataStore "#DisseminationRegister":

england.nhs.uk/publication/da…

18 months after we first pointed out it had to, and over a year since we began requesting it!

Let's take a look...
For starters, it's staggering how little information the register actually contains. Just 18 lines, on 18 data flows or extracts over the past 18 months!

This for what has repeatedly been claimed as a "vital #COVID19 resource"?!

Here's a snapshot of ALL of them 👇
Of those 18 data flows, nine of them are to do with the #vaccination programme - and only started from February of this year. A tenth seems to be mis-dated, unless we had a vaccine no-one ever heard of in April 2020? 🤔

Several of the other named purposes we already knew...
Read 14 tweets
It really feels like we're in the grip of #NHSdataFEVER...
What's going on?

In last few weeks:

#GPDPR - a huge change in how data that your GP saves in your personal GP record gets shared with the Government. The #DPIA (Data Privacy Impact Assessment) still awaited
#TIGRR - a bonkers, breathless AI-centric libertarian wish-list of data deregulation including abolition of some Articles from our own #GDPR laws (NOT EU law, it's UK law)
Tomorrow there will be a new NHS Data Strategy - which conflates many different uses of data to try to send an ALL DATA GOOD MOAR PLEASE message without any real clarity of thought.
Read 8 tweets
Hmm. Are you 100% certain about that, Dom? @NHSEngland's #PrivacyNotice for the #COVID19DataStore clearly states otherwise 👇

england.nhs.uk/contact-us/pri…

The #dashboards may(?) only show aggregate numbers, but those numbers were generated from individual-level data...
…i.e. from #PersonalData, as is also clearly stated in the #DPIA 👇

england.nhs.uk/wp-content/upl…

Indeed, it says the strategic dashboard "will display ... record level pseudonymised data” and (as a data expert) you will of course know that #pseudonymised data is #personal data…
...and has been *in law*, as well as in practice, since at least May 2018.

@ICOnews published some helpful (draft) guidance just last month that can point you in the right direction if there's any confusion:

ico.org.uk/media/about-th…
Read 4 tweets
Apropos of @thesundaytimes article, a few thoughts: firstly, as I tweeted 2 days ago 👇 & in stark contrast to the #transparency around other tech/data initiatives - *cough* @NHSEngland #DataStore *cough* - the team published a blog on what it was doing:

healthtech.blog.gov.uk/2020/10/29/how…
In this blog, the app team gave an explanation of the latest changes it had made - including a reduction in the #RiskThreshold, which took account of TWO factors: the inclusion of a measure of #infectiousness in the API *and* a new #distance algorithm...

healthtech.blog.gov.uk/2020/10/29/how…
In case folks aren't aware, @Google & @Apple's #ExposureNotification API is quite frequently updated. As the #Android developer pages (and #nhsxCOVID18app's blog) say, the #infectiousness field was only added at v1.6; with functionality changing at 1.7 👇

developers.google.com/android/exposu…
Read 10 tweets
Now is probably the time for absolutely everyone to check the status of their own impact assessment. - "All controllers processing health data on a large scale must carry out a data protection impact assessment." #vastaamo 1/X
The impact assessment requirement does not apply only to those processing health data. Tietosuoja.fi advises on the matter, e.g. "an impact assessment must be carried out when the planned processing is likely to result in a high risk to the rights and freedoms of individuals." 2/X
"An impact assessment must be carried out in particular when new technology is used in the processing of personal data, or when criminal convictions, offences or special categories of personal data, such as health data, ethnic origin, ... are processed on a large scale." 3/X
Read 15 tweets
So @cabinetofficeuk (@GDSTeam) has updated the #DataEthicsFramework for government and the public sector today - the first version of which was published by @MattHancock in 2018, when he was at @DCMS:
gov.uk/government/pub…

Two obvious questions:

1) Where are the published...
...ratings for all of the government & public sector data projects / programmes that have been started since 2018?

A framework that neither demands nor provides publicly visible outputs surely fails on two of its own 'overarching principles'; #transparency and #accountability...
2) Other than "consult with your team leader", what happens when a project 'fails' the framework - say a national programme that doesn't do a #DPIA, or a body that employs a #discriminatory #algorithm?

An 'ethics' framework without meaningful #consequences ain't #ethical at all.
Read 6 tweets
So not so much a #ContactTracing app as a feature-creeping Christmas tree?

One thing about tech that's successful is that it is ultimately successful because it performs the core function it (cl)aims to provide well.

#efficacious #effectiveness
In case you're wondering, "Detection rate" refers to detecting other #phones with the app installed, not the #virus:

The #FalseNegative rate is the amount of times the app incorrectly reports a contact as 'non-infectious' when in fact it is / could be...
...and the #FalsePositive rate is how often the app incorrectly reports a contact as 'infectious' when it's not, i.e. a #FalseAlarm.

Basically, what these #ErrorRates tell us is that #Bluetooth ranging is HARD!

Would you trust a #SmokeAlarm that went off wrongly nearly half...
Read 5 tweets
With very real world consequences:

Having seen the impact of just one 'slipped grade' (my elder son, several years back) my heart goes out to all those students receiving news like this today.
Hmm. Who at @ofqual signed off on an appeals process that operationalises the dog-eat-dog #ethics of the #HungerGames?

Read 20 tweets
Right, I'm doing another short annotated reading of the @CNIL opinion on #StopCovid
As a reminder, the previous opinion dealt with the principles and the protocol (#protocoleROBERT); this one deals with the app and the decree, accompanied by an impact assessment (#AIPD #PIA #DPIA)
First, a reminder that "the constitutional objective of protecting health constitutes a major imperative that may, under certain conditions, justify temporary interferences with the right to the protection of privacy and personal data".
Read 25 tweets
The app has been updated today.
No more #Analytics.

IMHO alt solution: good #DPIA, a legitimate interest assessment, a transparent privacy policy and an opt-out trigger.

Or consent!

Analytics is not evil.
Just do it applying the art. 5 #GDPR principles.
Unfortunately the privacy policy is not yet translated into Italian. Just English and Bulgarian.

Maybe this is not really intelligible as GDPR suggests.
Read 3 tweets
Today the Italian DPA (Garante) released the GDPR APP "GDPR in your pocket".
The app has 2 trackers for crash management and analytics.
NO CONSENT AND NO OPT-OUT 🤔

The privacy note: smedata.eu/index.php/priv…
NOT IN ITALIAN. 🤔

The app: play.google.com/store/apps/det…

#GDPR @meobaldo
1st #tracker: MS Appcenter Analytics
Real-time #analytics that highlight users’ behavior. It also provides push notifications to mobile devices.

At first sight, #consent may be required by a DPA,
and an #OptOut should be granted to users.

None of them in the app!
2nd #tracker: MS Appcenter Crashes
Automatically generates a crash log for every crash. The log is written to the device's storage and, when the user starts the app again, the crash log is sent to App Center.

MS will collect a lot of data about my mobile, installed apps, etc.
Read 8 tweets
The Italian #DPA locks down the risky #surveillance law that aims to use (biometric_identification+cctv+smart_image_analysis) to check public employees' punch-in and punch-out.
This time the DPA analyses the implementing decree.
In October 2018 the DPA did the same on the draft of the main law
The law is already in force (D.Lgs 56/2019) but it lacks application rules.

The DPA is highlighting and pointing out all the issues related to the law itself and to the application rules, which conflict with the main #GDPR #principles.
Main issues are:

1) terms and #definitions don't match GDPR definitions; they have to be lined up
2) the principles of #Necessity & #Proportionality are completely unattended
3) the new biometric gates can't be #mandatory
4) #alternative gates should be available if needed
Read 8 tweets
You are worried about #facebook and #FaceApp, but use #Microsoft #Office every day? Time to be concerned! Did you know that Microsoft is processing lots of data about you without telling you about it? 1/n #GDPR #ePrivacy
Through its software and operating system, #Microsoft collects and stores personal data about user behavior, so-called #diagnostic data, on a large scale. Microsoft collects this data in various ways: 2/n
via system-generated logs of events on its servers and via the telemetry client in Windows 10, in Office 365 ProPlus, and in the mobile Office apps. These telemetry clients collect diagnostic data on your device and send this information to Microsoft's servers in the US. 3/n
Read 43 tweets