GDPR and Irish politics.

AndrewJRenko

blanch152 wrote: »

If the database consists of the electoral register and nothing else, there is no problem. The question, is to what purpose is such a database, unless you include other information garnered from voters. Unless you get the consent of every single voter for that other information you put on that database, then there is a problem, and it is a big one, given the nature of the database.

Yes, consent is indeed an issue, a very big issue.

But we don't have any information about what consent was sought.

It is likely that they have a base layer of the electoral register data, and optional additional layers with canvass information and Facebook findings.


If all they hold about you is the electoral register, I'm not sure consent would be a big issue.

francois

blanch152 wrote: »

If the database consists of the electoral register and nothing else, there is no problem. The question, is to what purpose is such a database, unless you include other information garnered from voters. Unless you get the consent of every single voter for that other information you put on that database, then there is a problem, and it is a big one, given the nature of the database.

Indeed, if there is only the freely available information of address and resident, that is not an issue, where problems arise are other things which may identify a voter to target-socio-economic group, sexual orientation etc, these would raise red flags.
If the db is a mail list fine under GDPR, if this is for identifying potential voters who have not given consent to have anything other than the address and resident name, not fine.
Furthermore if anyone feels that they do not want to be on the DB, their information must be removed withing 30 days under right to erasure, you can also request to see what information is being stored in the DB

FrancieBrady

blanch152 wrote: »

As someone else said, every organisation will have inadvertent and minor breaches of GDPR from time to time, given the nature of GDPR. However, a deliberately constructed database using information from voters obtained and stored without their consent is a horse of a very different colour.

There is no problem using the electoral register for canvassing and political purposes i.e. to identify where voters live and how many voters are in a particular dwelling or to address a general letter or election material to each individual. Those are the types of things the electoral register can be used for.

However, once, in an organised and systematic way (and there are more important considerations if you do this electronically, such as limiting access) you add additional information, such as likely voting intentions or that this person follows Mairia Cahill or Gerry Adams on Facebook, then you are doing something that is a huge problem because you don't have consent.

Why is it a problem...you keep stopping short of that. If that info is used for electoral purposes? (Why you would want to know who they follow on twitter is another story)

As for the DPC, they are doing their job, and I look forward to seeing the outcome.

Are they? How hard was it for a DPC to check that cookies weren't being kept, the party had appointed the proper officers and roles, that the data was in the EU etc?

Seems to me the DPC might need a rousing boot in the proverbial here.

blanch152

crossman47 wrote: »

Is it any different to the old pen and paper approach of marking likely voters on the register to ensure, for example, they got a lift to the polling station?

For a start, Joe Smith, SF member in Cork can check if his cousin Michael Smith in Kerry is a likely SF voter on the database. That was not possible in the past, and represents quite a significant shift in the ability to use information, one of the driving reasons behind GDPR.

Sinn Fein will have two difficulties with this database. Firstly, they won't have consent from each individual. Secondly, allowing all members access to the database as reported is a very serious breach.

Social Welfare have had to tighten up procedures because of scandals in previous years, to give an example.

https://www.independent.ie/irish-news/personal-security-called-into-question-by-breach-26324999.html

https://www.irishtimes.com/news/social-welfare-probe-over-breaches-1.688332

Closing the door on a SF canvasser does not give them permission to tell every SF member in the country that I am not a SF voter.

Overheal

KildareP wrote: »

Which is exactly what Donald Trump used Cambridge Analytica for.

You both gave me a good chuckle with this exchange

blanch152

AndrewJRenko wrote: »

Yes, consent is indeed an issue, a very big issue.

But we don't have any information about what consent was sought.

It is likely that they have a base layer of the electoral register data, and optional additional layers with canvass information and Facebook findings.


If all they hold about you is the electoral register, I'm not sure consent would be a big issue.

Yes, if all they hold about you is the electoral register, there is no issue. However, the information in the public domain, including from Sinn Fein sources, is that there is much more information than that. The second question is who has access and how is that regulated.

KildareP

FrancieBrady wrote: »

What?

I am asking about using this information properly, as a tool to be more efficient, not for nefarious improper use.

Again, "using the information properly" is subjective.

SF believe they are using the information properly just as Trump/CA believed they were using the information properly. You clearly believe both cases are acceptable.

If you're someone who doesn't believe that an organisation should be able to profile individuals for the gain of that organisation, without implementing controls or even obtaining consent (although we don't know yet if SF gathered consent), then you're going to be of the opposite opinion and think such activity is completely unacceptable and improper use of information.

Thankfully, the GDPR sets down rules that state what requirements must be met in order to be deemed to be "using the information properly".

Naturally, if you are someone who thinks blanket profiling without control is acceptable and proper use of information then of course you are going to see the GDPR as burdensome.

Colonel Claptrap

Which arm of SF has access to the data?

SF Dublin?
SF Belfast?
SF Frankfurt?

cee_jay

FrancieBrady wrote: »

Are they? How hard was it for a DPC to check that cookies weren't being kept, the party had appointed the proper officers and roles, that the data was in the EU etc?

Seems to me the DPC might need a rousing boot in the proverbial here.

What do you think the role of the DPC is? Proactive or reactive?

FrancieBrady

KildareP wrote: »

Again, "using the information properly" is subjective.

SF believe they are using the information properly just as Trump/CA believed they were using the information properly. You clearly believe both cases are acceptable.

If you're someone who doesn't believe that an organisation should be able to profile individuals for the gain of that organisation, without implementing controls or even obtaining consent (although we don't know yet if SF gathered consent), then you're going to be of the opposite opinion and think such activity is completely unacceptable and improper use of information.

Thankfully, the GDPR sets down rules that state what requirements must be met in order to be deemed to be "using the information properly".

Naturally, if you are someone who thinks blanket profiling without control is acceptable and proper use of information then of course you are going to see the GDPR as burdensome.

I honestly don't believe that recording what is in fact a guess (how somebody might vote) beside a name in the electoral register is a crime of any magnitude.

Nobody is saying why this is a bad thing.

If somebody is using data improperly that is wrong and should not happen (Can we put the CA and conspiracy stuff to one side and discuss 'proper use')

KildareP

crossman47 wrote: »

Is it any different to the old pen and paper approach of marking likely voters on the register to ensure, for example, they got a lift to the polling station?

That would fall equally foul of the GDPR

It doesn't matter the format the data is held in, it's that the data exists and is held in the first place.

The only difference today is that doing it electronically is significantly faster, can capture far more information, often covertly, can be transported, stored and made accessible much easier and can be sorted and churned with little to no human intervention.

FrancieBrady

cee_jay wrote: »

What do you think the role of the DPC is? Proactive or reactive?

I would say given the nature of the activity it would have to be constantly proactive.

Is it good enough that he/she didn't know until a newspaper wrote about it?

Why isn't he/she regularly questioning parties on this, why only now?

cee_jay

FrancieBrady wrote: »

I would say given the nature of the activity it would have to be constantly proactive.

Is it good enough that he/she didn't know until a newspaper wrote about it?

Why isn't he/she regularly questioning parties on this, why only now?

That is not the role of the DPC though. They act through complaints, and try to drive compliance in organisations. Why single out political parties for proactivity? There are lots of activities which hold personal data.
The onus is on the company (or political party in this case) to be compliant with the law.

FrancieBrady

cee_jay wrote: »

That is not the role of the DPC though. They act through complaints, and try to drive compliance in organisations. Why single out political parties for proactivity? There are lots of activities which hold personal data.
The onus is on the company (or political party in this case) to be compliant with the law.

Not according to themselves.

Accordingly, the DPC is the Irish supervisory authority responsible for monitoring the application of the General Data Protection Regulation (GDPR), and we also have functions and powers related to other regulatory frameworks, including the Irish ePrivacy Regulations (2011) and the EU Directive known as the Law Enforcement Directive (LED). The statutory powers, duties and functions of the DPC are as established under the Data Protection Act 2018, which gives further effect to the GDPR, and also gives effect to the LED.

Our Mission
Safeguarding data protection rights by driving compliance through guidance, supervision and enforcement.

They are responsible for 'monitoring compliance' and 'driving compliance through guidance, supervision and enforcement.

So how did their 'monitoring' miss this stuff? And why was it not 'enforced'?

Jimbob1977

GDPR is a suffocating piece of legislation.

Person A: I need you to furnish me with xyz report immediately.

Person B: Sorry, I can't

Person A: Why not?

Person B: Under GDPR, you made me delete the report last month, remember?

It is an over-engineered piece of legislation that has frustrated commerce.

expectationlost

blanch152 wrote: »

That is extremely naive. A political party building a database on every single voter in the country doesn't alarm you in any way?

why would something that you already presumed occurred alarm you

skimpydoo

Mary Lou said last night that SF used to have a data compliance offer but now have a data protection officer. It looks like they might have been slightly confused about GDPR and I am sure other political parties were as equally confused no matter how you try to spin it.

AndrewJRenko

Jimbob1977 wrote: »

GDPR is a suffocating piece of legislation.

Person A: I need you to furnish me with xyz report immediately.

Person B: Sorry, I can't

Person A: Why not?

Person B: Under GDPR, you made me delete the report last month, remember?

It is an over-engineered piece of legislation that has frustrated commerce.

Except that didn't happen.

Lots of stuff gets blamed on GDPR but has nothing to do with GDPR.

Floppybits

AndrewJRenko wrote: »

Except that didn't happen.

Lots of stuff gets blamed on GDPR but has nothing to do with GDPR.

GDPR has been the greatest gift to the government departments. They can now deny anything and everything and cite GDPR as the reason why they can do something and they just love hiding behind it. Remember the all the guest signing books are tourist locations being removed because of GDPR and then having to be put back.

cee_jay

FrancieBrady wrote: »

Not according to themselves.



They are responsible for 'monitoring compliance' and 'driving compliance through guidance, supervision and enforcement.

So how did their 'monitoring' miss this stuff? And why was it not 'enforced'?

How do you propose they monitor databases they have no knowledge of?

Floppybits

cee_jay wrote: »

How do you propose they monitor databases they have no knowledge of?

Of course they know there is a database they probably just don't know where it is being hosted. One of the problems if they hired a 3rd party to set this up for them using cloud hosting.

In saying that they should have still got all the information from whoever set the thing up like where the hosting server is based, database details and other such information. Now whether Mary Lou knows those exact details I would doubt it. I know from my own work in IT that the higher ups rarely know the details of server names or where they are hosted and nowadays all you have to say is its in the cloud and most managers will be lost.

KildareP

FrancieBrady wrote: »

I honestly don't believe that recording what is in fact a guess (how somebody might vote) beside a name in the electoral register is a crime of any magnitude.

Nobody is saying why this is a bad thing.

If somebody is using data improperly that is wrong and should not happen (Can we put the CA and conspiracy stuff to one side and discuss 'proper use')

OK, if someone approached me tomorrow to say "build a database that will win our party an election" (after all, why would you go to the effort of building a database, if not to increase your chances at winning elections?), my questions will be:

Who is registered to vote? Well that's the electoral register.
Offers absolutely no insight whatsoever! May as well just lookup the electoral register directly each time you need to know.

So I need to ask more questions and then establish more detail outside of the electoral register.

Do these people vote for our party?
If yes, great!

If no, why not?
Simply knowing they do not vote for our party is of little additional use beyond knowing they're registered to vote.
We need to convert them into voters.

I need to know who they vote for instead?
What is instead's party doing that our party is not?
What could our party do that would make them consider voting for us?
Do they not vote for anyone else because they feel disillusioned?
Or do they just not bother voting at all because they couldn't be bothered?

To start getting an idea of what might make them consider our party, I'd need to establish what sort of things matter to this person and so I'd need to know things like:

How old are they?
Where did they go to school?
Have they gone to college? What did they study?
Do they still live with their parents?
If they've moved out, are they renting and sharing, renting alone, have bought their own house, used help to buy, or availed of affordable housing?
Whereabouts do they live? Where did they live previously?
Do they have a car? What type of car? How old is it?
Do they work? What do they work at? Where do they work? How long have they worked there and any jobs previous?
How much do they earn?
Have they got a pension?
Have they get private health insurance?
Are they married? Have they got kids?

Suddenly I'm looking to gather quite a large amount of extremely private and sensitive information about individuals. But if I argue it's OK to do it under the guise of doing so for "electoral purposes", is that still OK?

And that's the problem - where do you draw the line on when it's still deemed to be "using this information properly" for "electoral purposes" and when that's no longer the case?

Who even gets to draw the line, in the absence of GDPR?

Do I not have the right to not be profiled in this manner?

Do I not have the right to make sure my sensitive information collected and stored about me is not at risk of being leaked in a breach?

Of course - I'm not saying this is what Sinn Fein have done, none of us know what is in their database at this time.

But arguing the GDPR shouldn't apply where information is being collected for "electoral purposes" is very open to interpretation as above.

This is exactly the sort of scenario that the GDPR was brought in to define.

beakerjoe

Jimbob1977 wrote: »

GDPR is a suffocating piece of legislation.

Person A: I need you to furnish me with xyz report immediately.

Person B: Sorry, I can't

Person A: Why not?

Person B: Under GDPR, you made me delete the report last month, remember?

It is an over-engineered piece of legislation that has frustrated commerce.

Its really not hard to understand.

Most people/organizations just either fear it, dont understand it or simply use it as a blanket defence for their own devices.

beakerjoe

Floppybits wrote: »

Of course they know there is a database they probably just don't know where it is being hosted. One of the problems if they hired a 3rd party to set this up for them using cloud hosting.

.

How would they have knowledge? Crystal ball?

beakerjoe

Colonel Claptrap wrote: »

Which arm of SF has access to the data?

SF Dublin?
SF Belfast?
SF Frankfurt?

Most likely appropriately authorized personal. Those who need the data to carry out their duties. Once they have a lawful basis to process the data, it all may be legal.

markodaly

FrancieBrady wrote: »

Cambridge Analytica are a private consulting firm.

I am talking about a political party doing this and using it for electoral purposes.

How is that different?
SF is a private political party?


Regardless, the only reason this thread exists is to take the heat from SF because they got caught with their hand in the cookie jar.

Now that MLMD has admitted to very serious breaches in relation to GDPR, we need to 'talk about GDPR' and how it's a 'negative' thing....

Classic!

beakerjoe

markodaly wrote: »

How is that different?
SF is a private political party?


Regardless, the only reason this thread exists is to take the heat from SF because they got caught with their hand in the cookie jar.

Now that MLMD has admitted to very serious breaches in relation to GDPR, we need to 'talk about GDPR' and how it's a 'negative' thing....

Classic!

imo, they arent very serious breaches.

I didn’t realise there was a GDPR case against Cambridge Analytica.

Overheal

Jimbob1977 wrote: »

GDPR is a suffocating piece of legislation.

Person A: I need you to furnish me with xyz report immediately.

Person B: Sorry, I can't

Person A: Why not?

Person B: Under GDPR, you made me delete the report last month, remember?

It is an over-engineered piece of legislation that has frustrated commerce.

That's an awfully vague example.

Overheal

fvp4 wrote: »

I didn’t realise there was a GDPR case against Cambridge Analytica.

I think you realize that the reference was made with regard to how data can be misused with regard to elections.