GDPR and a Digital Protection Agency?

Ok, I know I said that I’ll stop reading articles about personal data abuses, but they just keep coming.

Silicon Valley has failed to protect our data. Here’s how to fix it
What’s been unfolding for a while now is a rolling catastrophe so obvious we forget it’s happening. Private data are spilling out of banks, credit-rating providers, email providers, and social networks and ending up everywhere.

[…]

Given that the federal government is currently one angry man with nuclear weapons and a Twitter account, and that it’s futile to expect reform or self-regulation from internet giants, I’d like to propose something that will seem impossible but I would argue isn’t: Let’s make a digital Environmental Protection Agency. Call it the Digital Protection Agency. Its job would be to clean up toxic data spills, educate the public, and calibrate and levy fines.

That sounds like a very sensible, pragmatic and effective approach, so it’s obviously going to be ignored. It was interesting reading that after hearing about another data breach yesterday, this time with a fitness app. It seems the company dealt with it appropriately though. This time.

The MyFitnessPal hack may affect 150 million people. It could’ve been even worse.
Under Armour and MyFitnessPal seem to have some good data practices in place: Payment information was kept separate from general user information, which was stored separately from user-uploaded app data. Under Armour also appears to have reacted swiftly once it learned of the breach and notified users and the public a few days later—a stark comparison to other companies, such as Uber, which hid its 2016 data breach by paying off the hackers. Still, it’s an important reminder that being hacked isn’t a matter of if—it’s when.

What will these companies make of the GDPR, I wonder.

WTF is GDPR?
Last year the company [Facebook] told us it had assembled “the largest cross functional team” in the history of its family of companies to support GDPR compliance — specifying this included “senior executives from all product teams, designers and user experience/testing executives, policy executives, legal executives and executives from each of the Facebook family of companies”.

“Dozens of people at Facebook Ireland are working full time on this effort,” it said, noting too that the data protection team at its European HQ (in Dublin, Ireland) would be growing by 250% in 2017. It also said it was in the process of hiring a “top quality data protection officer” — a position the company appears to still be taking applications for.

And this.

How Europe’s new privacy rule is reshaping the internet
Much of the GDPR builds on rules set by earlier EU privacy measures like the Privacy Shield and Data Protection Directive, but it expands on those measures in two crucial ways. First, the GDPR sets a higher bar for obtaining personal data than we’ve ever seen on the internet before. By default, any time a company collects personal data on an EU citizen, it will need explicit and informed consent from that person. Users also need a way to revoke that consent, and they can request all the data a company has from them as a way to verify that consent. It’s a lot stronger than existing requirements, and it explicitly extends to companies based outside the EU. For an industry that’s used to collecting and sharing data with little to no restriction, that means rewriting the rules of how ads are targeted online.

Caught out by their own documents #2

Dutch Data Protection Authority accidentally leaked its employees’ data
“When it comes to data leaks, the same procedures apply to all parties, including us,” Gras added. Still, Gras insisted that the blunder in question was relatively mild and did not require any formal notification.

“A data breach must be reported if it leads to serious adverse consequences for the protection of personal data, or if there is a significant chance that this will happen,” she stated.

So it appears that the leak was too insignificant to necessitate reporting it to themselves.

PDF problems again…

Data, data, everywhere – any of it helping?

Data and education. Educating ourselves with data? On data? Improving education by improving data?

We might have the data, but have we got the answers?
Regarding what he calls ‘technical validity’, are we measuring what we are supposed to be measuring? Then, in what he describes as ‘normative validity’, are we measuring what we value, or are we valuing what we measure? Two important questions for us all to ask about the data that our systems are awash with.

Some great points here, refreshingly honest, about the state of data and information in schools. And here’s a response of sorts, albeit from a higher education perspective:

Taking the data conversation to a new level
The publication of this report is a significant moment in our journey to build a better data infrastructure for UK higher education because it is coming from a very different place. The members of the Higher Education Commission are senior, experienced leaders, strategists and politicians, and previous Commission inquiries have addressed topics like the regulation and the financial sustainability of HE. These are not people whose natural habitat is the world of petabytes, XML and FUNDCOMP; they are perhaps the most un-nerd bunch you could ever assemble. Yet their decision to base this inquiry on data in HE is in itself a recognition of the fundamental transformations that data technology is enabling.

Meanwhile, though:

Students hit by University of Greenwich data breach
Students’ names, addresses, dates of birth, mobile phone numbers and signatures were all uploaded to the university’s website. They were posted alongside minutes from the university’s Faculty Research Degrees Committee, which oversees the registrations and progress of its research students. In some cases, mental health and other medical problems were referenced to explain why students had fallen behind with their work.

Protecting library privacy

You are not what you read: librarians purge user data to protect privacy
“I was approached years ago at a different library about users who’d checked out certain astrological books,” said Thistlethwaite. The NYPD officer told her he was looking for the Zodiac killer. “Most police investigations are a little smarter than that, but sometimes they’re just not.”

Seems pretty clear to me: one of the principles in the Data Protection Act is that data should not be kept longer than is necessary. Admittedly this is a news article from the US, where there’s no direct equivalent of the DPA, but still.
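What the librarians describe is a retention rule that a circulation system can enforce mechanically: keep the patron-to-item link only while a loan is open (plus a short grace period for damage or fine disputes), then strip it while keeping the anonymous circulation count. The Python below is an added example, not code from the article or from any library system; the record layout, the sample loans and the 30-day grace period are all assumptions, and the data is constructed for the demonstration. It also shows what a later “who borrowed this title” request can still recover once the purge has run.

```python
"""Data-minimising circulation log: the patron link lives only as long as it is needed.

Added example with constructed data; the Loan layout and the 30-day grace
period are assumptions, not taken from any real library system.
"""
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class Loan:
    item_id: str
    patron_id: Optional[str]      # None once the link has been purged
    checked_out: date
    returned: Optional[date]      # None while the item is still out


def purge_patron_links(loans: List[Loan], today: date, grace_days: int = 30) -> List[Loan]:
    """Return a copy of the log with the patron link removed from every loan
    the library no longer needs it for.

    - An open loan keeps its patron: the library must know whom to chase.
    - A returned loan keeps its patron only inside the grace window, so a
      dispute about damage or fines can still be resolved.
    - After the grace window the patron is dropped; the loan record itself
      survives so circulation statistics are unaffected.

    The function is idempotent, so it can run on a nightly schedule.
    """
    cutoff = today - timedelta(days=grace_days)
    purged = []
    for loan in loans:
        if loan.returned is not None and loan.returned <= cutoff:
            purged.append(replace(loan, patron_id=None))
        else:
            purged.append(loan)
    return purged


def patrons_who_borrowed(loans: List[Loan], item_id: str) -> List[str]:
    """What a request for 'everyone who checked out this title' can recover.
    After the purge this is only the loans still open or inside the grace window."""
    return sorted({l.patron_id for l in loans if l.item_id == item_id and l.patron_id})


def circulation_count(loans: List[Loan], item_id: str) -> int:
    """Usage statistics survive the purge because only the patron link is removed."""
    return sum(1 for l in loans if l.item_id == item_id)


# Constructed sample log (assumed data): one astrology title borrowed three times,
# one cookbook, evaluated on an assumed "today" of 2017-04-04.
TODAY = date(2017, 4, 4)
SAMPLE_LOG = [
    Loan("astro-001", "p-1001", date(2017, 1, 5), date(2017, 1, 20)),   # long returned
    Loan("astro-001", "p-1002", date(2017, 3, 1), date(2017, 3, 15)),   # returned, in grace window
    Loan("astro-001", "p-1003", date(2017, 4, 1), None),                # still out
    Loan("cook-042", "p-1001", date(2017, 3, 28), date(2017, 4, 2)),    # returned two days ago
]


def run_demo() -> List[Loan]:
    """Apply the purge to the sample log and return the minimised log."""
    return purge_patron_links(SAMPLE_LOG, TODAY)


if __name__ == "__main__":
    before = patrons_who_borrowed(SAMPLE_LOG, "astro-001")
    after_log = run_demo()
    after = patrons_who_borrowed(after_log, "astro-001")
    print("patrons linked to astro-001 before purge:", before)
    print("patrons linked to astro-001 after purge: ", after)
    print("circulation count still available:      ", circulation_count(after_log, "astro-001"))
```

The point of the grace window is that “no longer than necessary” is a judgement the library has to make once and encode, rather than leaving the full history around by default; the purge only removes what a request could later compel, and a purge that has already run cannot leak what is no longer there.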

Kent Police fined £100K after leaving confidential documents and tapes in disused police station

Kent Police must pay a £100,000 fine after a potentially ‘enormous and damaging’ security blunder. It comes after confidential information, including copies of police interview tapes, was left in the basement of the former Gravesend police station.

http://www.kentonline.co.uk/kentonline/news/police-fined-100k-for-damaging-14425/

US universities rethink data storage after hacking incidents

Online thieves have increasingly sought sensitive or otherwise valuable data from educational institutions, experts say. Last year alone, breaches included possible exposure of 2.5 million Social Security and bank account numbers associated with an Arizona community college system, 74,000 Social Security numbers of University of Delaware students and staff, and 145,000 applications to Virginia Tech, according to the Privacy Rights Clearinghouse.

http://articles.baltimoresun.com/2014-03-15/news/bs-md-higher-ed-hacking-20140315_1_personal-data-social-security-universities

On owning your own data

The problem, of course, is this wretched business model that has your landlord snooping on you and keeping all that information in the first place. If they didn’t have that information — or if that information was encrypted in a manner that only you could access it — they couldn’t share your information even if they wanted to.

http://aralbalkan.com/notes/on-owning-your-own-data/

Victims’ documents found in auctioned filing cabinet

“The Department of Justice in Northern Ireland has been fined almost £150,000 for a serious breach of the Data Protection Act after confidential documents were found inside a filing cabinet sold in an auction. … The ICO said that while there was an expectation within the agency that personal data would be handled securely, its investigation found limited instructions to staff on what that meant in practice, despite the highly sensitive information the office held.”

http://www.newsletter.co.uk/news/regional/victims-documents-found-in-auctioned-filing-cabinet-1-5871440

Oxford University apologises after list of low-grade students is made public

“How would you feel if your worst exam results were emailed to hundreds of your coursemates? Students at University College, Oxford had to put up with just that when a list of the 50 worst performing students was sent around one of the colleges.”

http://www.theguardian.com/education/abby-and-libby-blog/2014/jan/14/oxford-university-exam-results-blunder

Do people really care about personal data?

"Privacy is difficult to understand as long as it’s presented as an abstract concept. But to those teenagers, the desire to talk to their friends without their parents or teachers knowing everything that’s said is not at all abstract. Similarly, all consumers care very much about the practical effects of today’s centralised data warehouses, such as wasting time dealing with bureaucracy that makes it hard to change the phone number on an account. They care about bad credit histories, misdirected post, and the failure to get what they want. They care when they discover that the photograph they thought they deleted was only hidden from view but has remained in the site’s database, where it has been automatically recognised, reused, and added to profiles that have been sold to advertisers or become the subject of a government applied court order. They care about being erroneously placed on no-fly lists because an online “friend” once watched a terrorist video and feeling that their personal relationships are a commodity."

http://mydex.org/blog/2013/12/20/do-people-really-care-about-personal-data/