One of the issues I raised repeatedly was the use of Garda authorisations for community CCTV (the legislation being very limited). Reading the DPC decision this was a clear issue.
DPC found that Garda authorisations were a good legal basis for 44 (LCC operates 401 cameras!).
The Council relied on local Government legislation to justify cameras in housing estates, but the DPC found that the law does not “empower the Council to carry out surveillance in public places”.
This paragraph is partially redacted but note 🚨: some CCTV cameras were “monitoring private dwellings”.
Residents of some housing estates were effectively under constant surveillance.
Worth remembering that private use of CCTV is similarly restricted (but in the opposite way - you can record your own property but not public property).
"The Council has an onus of accountability to ensure [constant] surveillance is proportionate. On the spectrum of surveillance that could have been considered, continuous real time monitoring falls into a category which is particularly oppressive."
🚨 The DPC "established that operators in ... monitoring centres were able to manually control the CCTV cameras and sometimes used this facility to monitor private dwellings."
The centres are redacted; fair to assume that these are the ones operated by community volunteers.
Remarkable: "At the time of writing on the inquiry report, the DPIA remained in 'Draft' form."
I asked the Council in July 2017 if a DPIA had been carried out. I was told:
Over four years later it was still in draft.
(One of my points was that there was little sense to carrying out a DPIA *after* finalising locations and use.)
DPC: "There was also no analysis of the necessity for operating particular CCTV cameras at each location."
Notable specific finding that the Council infringed the law by deploying "at least" 9 CCTV cameras at traveller accommodation sites.
Astounding.
DPC made a specific finding that the Council failed to properly involve their Data Protection Officers in a decision to proceed with one specific CCTV system. This was at a time when the investigation was ongoing. #DPOS
Holy moly.
Another surprising finding - amazing in light of a specific case a number of years ago involving the death of a vulnerable adult.
Similar to the Garda access ‘log’, one monitoring centre recorded all access under a single username; “it is impossible to identify the particular staff member who accessed”.
Ok here we go - a big one: State surveillance of specific individuals on the basis of informal requests and in the absence of any warrant, authorisation, record keeping or regulation.
CCTV footage was not deleted by policy, but automatically when a hard drive was full - "in essence a random data retention period", even though the official retention policy said 30 days.
Baffling in this day and age.
🚨 (this report continues to amaze). For context, the right of access to personal data was introduced in 1988.
Wow.
Note the above finding that LCCC breached GDPR in not involving their DPO properly. Three years ago I asked what resourcing was being allocated to the role. Worse than that, the DPO was sidelined.
This was one of my early comments on CCTV in Limerick. The consultation, such as it was, took in local councillors, joint policing and one or two community groups. DPC decision specially says better community consultation needed.
This is a thread with some reactions to reading the DPC decision on Limerick's CCTV systems. A few points:
- the decision is comprehensive and methodical;
- it should be required reading for legislators and large data controllers (particularly State bodies)
- it is damning.
There is an element of everything-that-could-go-wrong-going-wrong and, in fact, what it reveals is much worse than what I had feared or suspected. As Fergal says:
It is astounding that some of these issues were ongoing at the time they were under inspection, not least due to the high-profile nature of the introduction of the GDPR and, to some extent, the fact that some (!) local residents drew attention to the issues.
"We aren’t saying that consent has no place in this ecosystem. But it shouldn’t be the only way we let people make decisions about data protection."
Exactly! That's why GDPR has 6 legal bases for processing, one of which is consent. And consent is often not an appropriate basis.
Choose legal basis that reflects the relationship and processing, consent is often not appropriate and if consent is difficult it's probably because a different legal basis is the right one - @ICOnews
Finally read full article; situation with GMI worse than I thought.
GMI is engaged in highly sensitive data collection: harvesting genetic material on a population-wide scale. Its approach to doing so & lack of clarity/appropriate behaviour on foundational issues v. worrying.
Aside from hoovering up genetic material from Irish hospitals, GMI operates a high street presence, gathering up further genetic material in "exchange" for gimmicky health/fitness "metrics".
Remember GMI is a private company, not a State research org.
In November 2018 the Data Protection Commission helpfully obliged the Government by saying that community CCTV has a legal basis (required by GDPR) in section 38 of the Garda Síochána Act (once authorised). That statement now, predictably, relied on.
"Once the local authority in the administrative area concerned is willing to take on and deliver on its responsibilities as a data controller for the schemes concerned, there is no legal impediment under data protection legislation to the scheme commencing.”
However, section 38(2) says:
"The Garda Commissioner shall specify the areas within which, based on the information available to him or her, the installation and operation of CCTV is warranted for the purpose specified in subsection (1)."
Kári Stefánsson was a director of GMI until last September. GMI has numerous overlaps with DeCODE Genetics, the company he founded in Iceland. He thinks medical privacy is not just overrated, but "morally unacceptable".
"I think it is completely unacceptable that you could demand service from the health care system at the same time as you refuse to have your information used to make discoveries."
Wow.
He does talk about data security in that Q&A, and elsewhere talks about the importance of protecting the data. But that is hard to square with the attitudes quoted above.
In October 2018 GMI reps met with DoH to discuss the Health Research Regulations. Look at the first sentence here, from this DoH memo of the meeting.
Here’s the footnoted aside.
This is why GMI is important and needs to be tackled.
Health researchers and doctors with them are well funded and connected and make dramatic claims both about what they will achieve and what will be prevented by regulation.