One of the issues I raised repeatedly was the use of Garda authorisations for community CCTV (the legislation being very limited). Reading the DPC decision this was a clear issue.
DPC found that Garda authorisations were a good legal basis for 44 (LCC operates 401 cameras!).
The Council relied on local Goverment legislation to justify cameras in housing estates, but the DPC found that the law does not “empower the Council to carry out surveillance in public places”.
This paragraph is partially redacted but note 🚨: some CCTV cameras were “monitoring private dwellings”.
Residents of some housing estates were effectively under constant surveillance.

Worth remembering that private use of CCTV is similarly restricted (but in the opposite way - you can record your own property but not public property).
"The Council has an onus of accountability to ensure [constant] surveillance is proportionate. On the spectrum of surveillance that could have been considered, continuous real time monitoring falls into a category which is particularly oppressive."
🚨 The DPC "established that operators in ... monitoring centres were able to manually control the CCTV cameras and sometimes used this facility to monitor private dwellings."

The centres are redacted; fair to assume that these are the ones operated by community volunteers.
Remarkable: "At the time of writing on the inquiry report, the DPIA remained in 'Draft' form."

I asked the Council in July 2017 if a DPIA had been carried out. I was told:
Over four years later it was still in draft.

(One of my points was that there was little sense to carrying out a DPIA *after* finalising locations and use.)
DPC: "There was also no analysis of the necessity for operating particular CCTV cameras at each location."
Notable specific finding that the Council infringed the law by deploying "at least" 9 CCTV cameras a traveller accommodation sites.
DPC made a specific finding that the Council failed to properly involve their Data Protection Officers in a decision to proceed with one specific CCTV system. This was at a time when the investigation was ongoing. #DPOS
Holy moly.
Another surprising finding - amazing in light of a specific case a number of years ago involving the death of a vulnerable adult.
Similar to the Garda access ‘log’, one monitoring centre recorded all access under a single username; “it is impossible to identify the particular staff member who accessed”.
Ok here we go - a big one: State surveillance of specific individuals on the basis of informal requests and in the absence of any warrant, authorisation, record keeping or regulation.
CCTV footage was not deleted by policy, but automatically when a hard drive was full - "in essence a random data retention period", even though the official retention policy said 30 days.

Baffling in this day and age.
🚨 (this report continues to amaze). For context, the right of access to personal data was introduced in 1988.
Note the above finding that LCCC breached GDPR in not involving their DPO properly. Three years ago I asked what resourcing was being allocated to the role. Worse than that, the DPO was sidelined.
This was one of my early comments on CCTV in Limerick. The consultation, such as it was, took in local councillors, joint policing and one or two community groups. DPC decision specially says better community consultation needed.
And here’s the tweet that started it all.

• • •

Missing some Tweet in this thread? You can try to force a refresh

Keep Current with Rossa McMahon

Rossa McMahon Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!


Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @rossamcmahon

13 Jan
This is a thread with some reactions to reading the DPC decision on Limerick's CCTV systems. A few points:

- the decision is comprehensive and methodical;
- it should be required reading for legislators and large data controllers (particularly State bodies)
- it is damning.
There is an element of everything-that-could-go-wrong-going-wrong and, in fact, what it reveals is much worse than what I had feared or suspected. As Fergal says:
It is astounding that some of these issues were ongoing at the time they were under inspection, not least due to high-profile nature of the introduction of the GDPR and, to some extent, the fact that some (!) local residents drew attention to the issues.
Read 8 tweets
31 Aug 19
Yes @Slate, consent is not an "ethical rubber stamp".

But no, #gdpr does not "require companies to ask for consent prior to data collection processes".

Consent as legal basis seems to be one of the most persistently misunderstood elements of GDPR.…
"We aren’t saying that consent has no place in this ecosystem. But it shouldn’t be the only way we let people make decisions about data protection."

Exactly! That's why GDPR has 6 legal bases for processing, one of which is consent. And consent is often not an appropriate basis.
Choose legal basis that reflects the relationship and processing, consent is often not appropriate and if consent is difficult it's probably because a different legal basis is the right one - @ICOnews…
Read 5 tweets
30 Jun 19
Finally read full article; situation with GMI worse than I thought.

GMI is engaged in highly sensitive data collection: harvesting genetic material on a population-wide scale. Its approach to doing so & lack of clarity/appropriate behaviour on foundational issues v. worrying.
The attitude of the company is an even greater red flag.

I cannot understand why @roinnslainte (@SimonHarrisTD) & @NTMA_IE (@Paschald) have not long since paused the Government's $70m investment in GMI, why @DPCIreland has not stepped in with an urgent investigation.
Aside from hoovering up genetic material from Irish hospitals, GMI operates a high street presence, gathering up further genetic material in "exchange" for gimmicky health/fitness "metrics".

Remember GMI is a private company, not a State research org.
Read 11 tweets
20 Jun 19
In November 2018 the Data Protection Commission helpfully obliged the Government by saying that community CCTV has a legal basis (required by GDPR) in section 38 of the Garda Síochána Act (once authorised). That statement now, predictably, relied on.…
"Once the local authority in the administrative area concerned is willing to take on and deliver on its responsibilities as a data controller for the schemes concerned, there is no legal impediment under data protection legislation to the scheme commencing.”
However, section 38(2) says:

"The Garda Commissioner shall specify the areas within which, based on the information available to him or her, the installation and operation of CCTV is warranted for the purpose specified in subsection (1)."
Read 5 tweets
14 Apr 19
Kári Stefánsson was a director of GMI until last September. GMI has numerous overlaps with DeCODE Genetics, the company he founded in Iceland. He thinks medical privacy is not just overrated, but "morally unacceptable".…
"I think it is completely unacceptable that you could demand service from the health care system at the same time as you refuse to have your information used to make discoveries."

He does talk about data security in that Q&A, and elsewhere talks about the importance of protecting the data. But that is hard to square with the attitudes quoted above.…
Read 9 tweets
14 Apr 19
In October 2018 GMI reps met with DoH to discuss the Health Research Regulations. Look at the first sentence here, from this DoH memo of the meeting.
Here’s the footnoted aside.
This is why GMI is important and needs to be tackled.

Health researchers and doctors with them are well funded and connected and make dramatic claims both about what they will achieve and what will be prevented by regulation.
Read 5 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!


0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy


3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us on Twitter!