Search
Content type: Examples
A study describes the data transmitted to backend servers by the Google/Apple based contact tracing (GAEN) apps in use in Germany, Italy, Switzerland, Austria, and Denmark and finds that the health authority client apps are generally well-behaved from a privacy point of view, although the Irish, Polish, Danish, and Latvian apps could be improved in this respect. However, the study also finds that the Google Play Services component of the apps contacts Google servers as often as every 20 minutes…
Content type: Examples
An audit of two apps and a website used by national and local governments in Colombia finds: an absence of public information about the tools, how they work, or how their security and privacy is protected; non-compliance with Colombia’s data protection legal framework, particularly in the area of consent; and reckless deployment of solutions that put hundreds of thousands of users’ personal data at risk. Fundación Karisma, which conducted the audit, makes a number of recommendations for…
Content type: Examples
Following trials in Leicester, Luton, and Blackburn with Darwen, the UK government will assign teams of health care professionals to more than ten local authorities and offer them Public Health England’s near real-time data on infections and a dedicated team of contact tracers, shifting away from its £10 billion centralised national system run under contract by Serco. As of early August, the Serco scheme was still failing to reach a significant proportion of those who had been in close contact…
Content type: Examples
The outsourcing company Serco, which the UK government has contracted to perform contact tracing, accidentally shared the email addresses of almost 300 of the contact tracers it hired when a staff member sent an introductory email and used CC rather than blind CC. Serco does not intend to refer itself to the Information Commissioner's office.
Writer: Ross Hawkins
Publication: BBC
Content type: Examples
After ORG asked questions via its legal representative, AWO’s Ravi Naik, the UK’s Department of Health and Social Care agreed to change the period it would retain Test and Trace data from 20 years to eight. Public Health England manager Yvonne Doyle explained that the novelty of COVID-19 was the reason for keeping the data longer, in case PHE needed to get back in touch with those who had tested positive with additional information.
Publication: ZDNet
Writer: Daphne Leprince-Ringuet…
Content type: Examples
In early July the Open Rights Group issued a pre-action legal letter to UK health secretary Matt Hancock and the Department of Health and Social Care saying they have breached requirements under the Data Protection Act 2018 and GDPR by failing to conduct an impact assessment for the Test and Trace system. ORG and its lawyers, AWO, had been asking for details of the DPIA since the beginning of June, a few days after the system was launched. In their response, the DHSC’s lawyers said “there were…
Content type: Examples
Hours before OpenDemocracy filed suit to compel the UK government to release all the contracts governing its deals with a list of technology firms including Amazon, Microsoft, Google, Palantir, and Faculty, the UK government released the contracts. Faculty is being paid more than £1 million to provide AI services for the NHS, and the companies involved in the NHS data store project, including Faculty and Palantir, were originally granted intellectual property rights and were allowed to train…
Content type: Examples
The AI firm Faculty, which worked on the Vote Leave campaign, was given a £400,000 UK government contract to analyse social media data, utility bills, and credit ratings, as well as government data, to help in the fight against the coronavirus. This is at least the ninth contract awarded to Faculty since 2018, for a total of at least £1.6 million. No other firm was asked to bid on the contract, as normal public bodies’ requirements for competitive procurement have been waived in the interests…
Content type: Examples
The lack of data protection laws and the absence of a privacy commission are contributing factors to Pakistan’s failure to investigate or remedy security flaws in the country’s recently-launched COVID-19 tracking technology, which partially depends on a system originally developed to combat terrorism. While there are no reported cases of harassment or targeting based on the leak online of the personal details of thousands of COVID-19 volunteers, the lack of response fails to boost citizens’…
Content type: Examples
Under the country's emergency laws, on May 4 the Hungarian government announced it would suspend parts of GDPR and exempted authorities from key provisions such as subject access rights, the right to request erasures, and providing notice that personal information is being collected and stored as long as the data is being collected under the rubric of coronavirus-related health protection.
The changes will remain in place until the government declares the end of the emergency. Opposition…
Content type: Examples
Only 16% of Australians had downloaded the country's COVIDSafe app by May 3, a week after its launch on April 26, even though most said they support the federal government's coronavirus contact tracing app. In an Ipsos poll, 80% of those who said they were unlikely to download the app cited privacy concerns such as who holds and has access to the data, and which country's law applies. The government has said its goal is for at least half of the population to download and install the app.…
Content type: Examples
A parliamentary panel granted Israel's Shin Bet security service an additional three weeks to use mobile phone data to track people infected with the coronavirus; prime minister Benjamin Netanyahu had requested a six-week extension while his government drafts legislation to regulate the data use in line with requirements imposed by the Israeli Supreme Court. Testimony given to the parliament's intelligence subcommittee showed that the Shin Bet surveillance was the reason it was possible to…
Content type: Examples
GDPRHub is collecting a list of projects around the world that are using personal data to combat the novel coronavirus. The list is divided into categories such as decentralised contact tracing apps and frameworks; centralised contact tracing systems; lockdown enforcement; self-assessment apps; mapping projects; and statistical analysis. The site also tracks COVID-19-releated data protection issues.
Source: https://gdprhub.eu/index.php?title=Projects_using_personal_data_to_combat_SARS-…
Content type: Examples
The US Department of Health and Human Services has announced it will waive penalties for violations of the Health Insurance Portability and Accountability Act, which protects patient data privacy. HHS argued that in the nationwide emergency caused by the COVID-19 pandemic, greater latitude is needed to allow doctors to provide telehealth services and use new technologies such as one-on-one video conferencing apps to communicate with patients. However, the agency said that public-facing…
Content type: Examples
On March 20, the UK's Department of Health and Social Care published a notice providing legal backing for the NHS to set aside the duty of patient confidentiality as part of its response to the COVID-19 pandemic. As long as it is to fight the coronavirus, NHS organisations and GPs may share whatever patient data they deem necessary.
Source: https://twitter.com/halhod/status/1245297265054367744/photo/1
Writer: Hal Hodson
Publication: Twitter
Content type: Examples
On March 24 the German Bundestag passed a comprehensive amendment to the Infection Protection Act that authorises the Federal Ministry of Health to implement measures for medical care without the consent of the Federal Council. These include the ability to impose curfews and travel restrictions, override patent protection for medical products, and issue ordinances creating other exceptions to the law. The Federal Data Protection Commissioner criticised the proposals because he doubted whether…
Content type: Examples
On March 14, the Peruvian government set up a website for individuals to check their symptoms so they can be directed towards sources of help. The web form asks for ID number, phone, email and home address.
Source: https://www.gob.pe/coronavirus
Writer: Peruvian government
Publication: Peruvian government
Content type: Examples
The Indonesian Doctors Association has asked the government to open up the identity of patients who have tested positive for the novel coronavirus in order to facilitate contact tracing and improve the efficiency of efforts to prevent further spread, arguing that in an emergency like this the public will support the disclosure in the interests of safety.
Source: https://mediaindonesia.com/read/detail/296992-permudah-kontak-tracing-idi-dorong-pemerintah-buka-data-pasien
Writer: Atalya…
Content type: Examples
The first two confirmed cases of COVID-19 in Indonesia and their neighbours became the targets of media coverage and social media abuse after their personal details were spread via WhatsApp and other social media soon after the President announced the positive tests results - before anyone told the patients themselves. The Health Ministry denied responsibility for the data breach.
Sources:
https://www.thejakartapost.com/news/2020/03/04/covid-19-patients-become-victims-of-indonesias-lack-of-…
Content type: Examples
A review of European privacy laws considers whether the tracking and monitoring methods China used to shut down the COVID-19 epidemic are in compliance with GDPR. The French data protection authority CNIL says employers are not allowed to take mandatory temperature readings from employees or visitors or require them to fill out compulsory medical questionnaires. Italy passed emergency legislation requiring anyone who has recently stayed in an at-risk area to notify health authorities. Germany…
Content type: Examples
A task force at the Italian Ministry of Innovation, in collaboration with the University of Pavia to leverage big data technologies to deal with COVID-19, after the WHO advised governments that lockdowns alone are not enough, and that testing, isolation, and contact tracing are crucial. The effort is beginning with anonymised data provided by Facebook; Italian telcos including Tim, Vodafone, Wind Tre, and FastWeb, via their Asstel trade association, have also offered anonymous datasets…
Content type: Examples
Recent study shows that Americans are wary of data from smart speakers being used in criminal investigations, the Pew Research Center reported. A recent study showed that 49% of Americans answered that it is unacceptable for smart speakers companies to share audio recordings of their customers with law enforcement in order to help with criminal investigations. Only 25% said it is acceptable. Aparently, this result contrasts with some other data use practices measured in the same survey. For…
Content type: Examples
The Home Office Christmas 2018 announcement of the post-Brexit registration scheme for EU citizens resident in the UK included the note that the data applicants supplied might be shared with other public and private organisations "in the UK and overseas". Basing the refusal on Section 31 of the Freedom of Information Act, the Home Office refused to answer The3Million's FOI request for the identity of those organisations. A clause in the Data Protection Act 2018 exempts the Home Office from…
Content type: Examples
In December 2018, in the wake of the Windrush scandal, the National Police Council, which represents police chiefs across England and Wales agreed to cease passing on to deportation authorities information about people suspected of being in the country illegally. The measures also ban officers from checking the police national computer solely to check on immigration status. Police said they believed that their too-close relationship with immigration authorities in aid of the government's "…
Content type: Examples
The payday lender Wonga announced in April 2017 that a data breach at the company affected an estimated 270,000 customers, 245,000 of them in the UK and the rest in Poland. The company sent those it thought were affected messages warning that it believed there may have been illegal and unauthorised access to some of the data in their accounts. Wonga was already controversial because of the high rates of interest in charged, and findings by the UK's financial regulator that it had made loans to…
Content type: Examples
A 2017 lawsuit filed by Chicagoan Kyle Zak against Bose Corp alleges that the company uses the Bose Connect app associated with its high-end Q35 wireless headphones to spy on its customers, tracking the music, podcasts, and other audio they listen to and then violates their privacy rights by selling the information without permission. The case reflects many of the concerns associated with Internet of Things devices, which frequently arrive with shoddy security or dubious data…