POD Data fields a mix of the irrelevant, the unsettling and the possibly illegal

Tweeter @johnhamill151 FOI’d his children’s data from POD and yesterday published what he got back.

To his surprise, he discovered the Department was storing data in POD on his kids which was completely unrelated to their primary school education and data of a sort he had never been aware would be collected or stored.

Medical Data on special needs must be sensitive personal data

These fields included data on children’s special needs assessments such as “GAM_MILD_OR_BRDRLINE_MILD_GLD” or “GAM_SPECIFIC_LEARN_DISABILITY”.

The Department continues to insist that this does not constitute Sensitive Personal Data. They desperately want to claim that because such data will require parent’s consent to be collected. The new Circular governing POD has not changed this miscatagorisation.

In an email to me dated 20th Jan 2015, a department official in the POD section said that

I don’t think one could draw a conclusion that those in receipt of EAL have a physical or mental health condition…The questions measure receipt of special educational supports and nothing else.

In the face of this evidence of actual medical diagnostic data (mild, borderline mild, specific learning disability) being collected and stored, I don’t think that this is a sustainable defence of this illegal processing of sensitive personal data.

Department processing irrelevant data

The purpose of the primary online database-according to the department- is to assist with the statistical analysis of the population of primary schools.

Unfortunately it appears that the department has decided to collect a series of fields in relation to children that have nothing to do with their primary school education. These fields include data on leaving certificate subjects, data on Junior Cert subjects, data on FETAC courses and even data on whether primary school children are sitting the leaving cert applied exams (Hint: no, they’re not).

Jhamill151 tweet

The Department of Education’s ongoing problem with race
After the unfortunate business of the first POD Circular’s efforts erase all non-White options for Irishness, by carefully removing them from the CSO’s list of cultural backgrounds, you might think that the Department of Education might be a bit more sensitive as to ethnic and cultural indicator data it collects and stores on children.

This is, after all, one of only two forms of data it will admit to being Sensitive Personal Data.

Sadly, it appears that there are still fields in the POD database for “MOTHER_TOUNGE_IRI_ENG_IND” and most mysteriously “YEAR_OF_ARRIVAL_IN_IRELAND” which will presumably be the same as date of birth for most children.

It is rather difficult not to think that any data entered against either or both field, neither of which were part of the usual consent form supplied to parents, could be used as a marker of ‘foreignness’, in case the parents withheld consent for data under the “ETHNICITY” field to be collected.

And finally…
It’s very unclear as to what it is for, but it does seem like a strange decision to have a data field labelled “IGNORED_EXEMPTION_QUESTION_IND”. If you have asked to be exempted from the database, what, exactly is being ignored?


The full set of data fields disclosed is below.

POD FOI Data Fields

Posted in Education | Tagged | Leave a comment

POD: A strange tale of a weird idea

Posted in Education | Tagged | Leave a comment

Dept of Education abandon March deadline for POD, confirm both new Circular and revised data use statement needed first

The text of the latest statement from the Department of Education to Primary Schools:

Dear Principal,

Thank you for your continued participation and engagement in the POD project.

As you know both schools and the Department have received a number of comments and queries on certain aspects of the operation of POD. The Department has considered all the submissions received and is committed to taking this feedback on board, in consultation with relevant stakeholders. As a result, an updated Fair Processing Notice and a POD circular, along with supplementary information and guidance for schools and parents will issue in early April. The deadline for schools to populate POD with their pupil and class data is hereby extended until Friday the 30th April 2015.

The POD helpdesk is available Monday to Friday 8:30am-5pm on 01 8892311. If you have any queries or comments please do not hesitate to contact us at pod@education.gov.ie. Please note that schools can refer parents/guardians to the helpdesk if they wish to do so.

Kind regards,


Statistics Section, Department of Education and Skills.

used under cc licence photo by garlandcannon

Posted in Education | Tagged | 1 Comment

Department of Education issue new, water-muddying message re POD to schools

Text of today’s message:

Dear Principal,

Thank you all for your continued participation and engagement in the POD project.

Please note that the Department is committed to taking on board feedback from schools and parents about POD. In light of this please be aware of the following changes that will be released on POD on 4th March 2015 at 10.00am. In order to facilitate these changes POD will be unavailable between 8.00am and 10.00am on Wednesday the 4th March.

Secure Upload Facility

The updated version of POD will contain a secure upload facility for schools that wish to upload their pupil data using the Department’s excel template. This will replace the encryption process that is currently in place to transmit excel templates. The template is available from the Department’s POD helpdesk pod@eduaction.gov.ie

Ethnic or Cultural Background

The DES has reviewed the question in POD on Ethnic or Cultural Background, the following categories will now be used which better reflect the categories in the CSO 2011 Census of population question. The change in wording will be applied automatically to the system from 4th March, and no additional update will be required at school level. Amended categories in red. [here, marked with an *]

White Irish

Irish Traveller


Any other White Background

*Black or Black Irish – African

*Black or Black Irish – Any other Black Background

*Asian or Asian Irish – Chinese

*Asian or Asian Irish – Any other Asian background

Other (inc. mixed background)

No consent

An updated suggested consent form incorporating these changes will be available for downloading by parents from the Department’s website on 4th March at www.education.ie. These changes will also be reflected on the POD database.

Action required by schools –

Schools that have not yet sought parental/guardian consent for the collection of this data should ensure that they use the wording as per the revised version of the suggested consent form.

Schools that have already secured parental/guardian consent – Where a parent has raised a concern around the ethnic and cultural background question please inform them that the new version of the form will be available for downloading from the Department’s website. A parent wishing to amend what they originally submitted, may return the updated form to the school.

If a new form is submitted, schools will only need to amend the original input if there is a change in category.

For schools that use an administrative software package the Department has been in touch with the software providers and they have made the appropriate changes to their data collection systems.

Learning Support

As a considerable number of schools have indicated that they are having difficulty completing the questions on GAM/NCSE and low incidence, this portion of POD is no longer compulsory for the 2014/2015 school year.

Note that while this means that we may not receive full information on this topic from all schools, the information returned by schools in these questions is still of statistical value and will be used to show aggregate information on how schools are currently allocating resources under GAM.

Schools will receive further instructions for the GAM/NCSE and low incidence questions for the 2015/2016 school year. It is important to note that this data does not roll over with the pupil each year.

The Department has received a number of comments and queries on certain aspects of POD including the retention period for POD data and other data protection concerns. The Department is taking this feedback very seriously and is currently considering the submissions received from parents and other stakeholders. The Department is consulting with the Data Protection Commissioner’s Office and once this evaluation is complete the Department will issue an updated circular on POD later in this academic year.

From the 2016/2017 academic year, it is intended that teacher allocations and capitation grants will be made on the basis of POD data, and the previous basis for allocations, the National Annual School Census will cease operation from that point. The Department will endeavour to work with schools and parents to help avoid the loss of funding or resources.

We would like to take this opportunity to thank all schools that have completed the Primary Online Database. For schools that have yet to enter their pupils on POD, please complete this process by the 31st March 2015 – thank you.

A POD helpdesk has been set up which is available to assist schools with any POD queries. The helpdesk is available Monday to Friday 8:30am-5pm on 01 8892311. If you have any queries or comments please do not hesitate to contact us at pod@education.gov.ie. Please note that schools can refer parents/guardians to the helpdesk if they wish to do so.

Yours faithfully

Posted in Education | Leave a comment

Dept of Education refuses FOI on POD as ‘not in the public interest’

2nd March 2015

Mr Simon McGarr

Re: FOI request 2015/45

I refer to the request which you made under the Freedom of Information Act 2014 for records held by this body:

‘I wish to make a request under the Freedom of Information Acts (as amended) for copies of any and all documents including but not limited to observations, letters, emails and/or submissions whether held in paper, electronic or any format relating to the Primary Online Database between the Department and Minister for Education and Skills and the Data Protection Commissioner and/or her Office.’

I, XXXX, Higher Executive Officer have now made a final decision to refuse your request on 27/02/2015.

The purpose of this letter is to explain that decision. This explanation has the following parts:

1. a condensed schedule of all of the records covered by your request;
2. an explanation of the relevant findings concerning the records to which access is denied, and
3. a statement of how you can appeal this decision should you wish to do so.

This letter addresses each of these three parts in turn.

1. Schedule of records

Outlined below are the documents that this body considers relevant to your request.
1. Emails between Department of Education and Skills and the Data Protection Commissioner’s Office regarding the Primary Online Database – 9 emails between 9/12/13 and 30/1/15
2. Notes and agendas of meetings between the Department of Education and Skills and the Data Protection Commissioner’s Office regarding the Primary Online Database – 3 (11/12/13 and 10/2/15)

2. Findings, particulars and reasons for decisions to deny access

The decision to deny access to records has been made under Section 29 of the FOI Act 2014, Deliberations of FOI bodies
29. (1) A head may refuse to grant an FOI request—
(a) if the record concerned contains matter relating to the deliberative processes of
an FOI body (including opinions, advice, recommendations, and the results of
consultations, considered by the body, the head of the body, or a member of the
body or of the staff of the body for the purpose of those processes), and
(b) the granting of the request would, in the opinion of the head, be contrary to the
public interest,

Under the provisions of Section 29(1) of the Freedom of Information Act 2014, I consider that the public interest would not be best served at this time on the basis that it would reveal details regarding the deliberative process on the current development of a revised circular on the Primary Online Database. The Department has yet to finalise its deliberations and such release could prejudice the Department’s ability to properly conclude those deliberations.

3. Rights of appeal

You may appeal this decision. In the event that you need to make such an appeal, you can do so by writing to the Freedom of Information Unit, Department of Education and Skills, Marlborough Street, Dublin 1. Your correspondence should include a fee of €30 for processing the appeal. (Payment should be made by way of personal cheque or postal money order to the accountant the Department of Education and Skills/Please note that from 19 September, 2014, the Department of Education and Skills will no longer accept cheque payments from business users in accordance with the Department of Finance Circular 01/2013. For further information regarding payment methods for business users, please email foi@education.gov.ie).

You should make your appeal within 4 weeks from the date of this notification, however, the making of a late appeal may be permitted in appropriate circumstances. A week is defined in the Act to mean 5 consecutive weekdays, excluding Saturdays and public holidays (Sunday are also excluded, as they are not weekdays). The appeal will involve a complete reconsideration of the matter by a more senior member of the staff of this Department.

Should you have any questions or concerns regarding the above, please contact me by telephone on xxxx.

Yours sincerely,


Statistics Section.

Posted in Education | Tagged | Leave a comment

Tell the Minister for Education: NO to POD

Please join [countentries formid=1] other parents and families in writing to the Minister for Education to protect every school-aged child’s right to privacy and future identity security. Tell Minister O’Sullivan that the Department of Education’s plans for the new Primary Online Database (POD) should be scrapped.

Add your name, email address and any comments below and the following email will go off on your behalf to the Minister to make your voice heard.

  • Dear Minister O’Sullivan:

    I write to you regarding the Department of Education’s planned rollout of the new Primary Online Database (POD). I call on you to withdraw this system until the legitimate issues raised by parents and the wider public can be addressed:

    • It is unacceptable for your Department to gather sensitive, private data on every individual primary school child, including their racial profile, psychological assessments, special needs, religion, and PPS number, and store it until they are at least 30 years of age;
    • It is deeply worrying that school staff will be able to enter comments on any child into a system so poorly secured that the Department cannot guarantee who will be able to access them;
    • It is unrealistic to expect school staff to transfer this highly sensitive data to the Department of Education using a 17-step process so complex its been called ‘damn near unusable’;
    • When parents decline to have their children’s information unlawfully transferred to the POD database, it is outrageous to tell teachers to just go ahead and enter it anyway;
    • It is education extortion to threaten to remove funding and teacher allocations for children whose parents have made the decision not to enter their children’s details.

    The Department may not simply ignore citizen’s data protection rights and legal protections, even when those citizens are children. Please scrap this POD scheme in the best interests of every school child in Ireland.

  • Please add any other comments you would like to be included in your letter:
  • Yours Sincerely,

  • This field is for validation purposes and should be left unchanged.
Posted in Education | Tagged , , | Leave a comment

Minister for Education: We will forget nothing, learn nothing

About two weeks ago, as letters started to arrive home in children’s lunchboxes, parents started raising issues with the Department of Education’s project to take children’s data (racial, psychological assessment, special needs, religion, PPS number and so on) and store it until they were 30.

Here’s the post setting out the inital issues I had with the plan.

This is a long post, but it is about the future security of children’s identity. Please read it and then take a moment to do something to change this plan.

Please, contact your school and warn them about the Data Protection breaches that they could be held liable for if they comply with the Department’s demands. Then, please contact Minister Jan O’Sullivan by email Minister@education.gov.ie and tell her you want her to stop this project and why. Use any and all of the above points, or some of your own.

And finally, please contact the Office of the Data Protection Commissioner and let her know that you aren’t happy about the proposed creation of a slap-dash, ill considered, record of your child and you think she needs to act to stop it from happening.

Data Protection Commissioner: Not as happy as claimed

Unfortunately, the Minister has responded by denying there are any problems, saying she’d look at the retention period, then saying she’d looked at it and was sure again it was needed because the Department wanted to have ‘full maximum data’.

Minister O’Sullivan also managed to call into question independence of the new Data Protection Commissioner, by announcing “that office is satisfied with what we are doing” and “the 30th birthday is probably appropriate and it satisfies the Data Commissioner as well”.

On the face of it, the Commissioner’s regulatory role was being undermined by a Government Minister preempting the outcome of any complaint by asserting the opinion of the Commissioner before any complaint had even been ruled on.

It was reassuring to read today’s interview, therefore, with Helen Dixon, the new Data Protection Commissioner. Contrary to the Minister’s assertions earlier in the week, the Commissioner did not seem to be ‘fully satisfied’ with the Department’s plans. She said;

“it seems to be the case that there’s an inadequate explanation of why they need it and why they need to hold it for as long as they are holding it.”

(This might seem like a minor point, but in fact, in EU law, the independence of Data Protection Commissioners is considered a very Big Deal. So much so that the EU Commission has repeatedly sued member states whose Governments act to undermine that independence. After the most recent such case Commission -v- Hungary, the EU Justice Commissioner and Vice President of the Commission, Viviane Reding issued a strong warning;

The independence of national data protection authorities is the very cornerstone of guaranteeing effective data protection rights for our citizens. Lack of independence means lack of effective supervision and oversight, and a lowering of the level of data protection. The Commission has intervened three times with infringement cases against Member States to stop such incursions on the independence of data protection watchdogs. I will not hesitate to intervene again if necessary.” )

Defund your child’s education if you object

In correspondence with individual parents, the Minister’s Office and the Department have taken another tack.

The Minister is threatening to defund the education of any child whose parents object to their data being hoovered up into this database. 

Personally, I think it’s a pretty low road for the person responsible for children’s education to try to hold them to ransom for the sake of an administrative hobby horse of her Department. Here’s the Minister’s Personal Private secretary, finishing off a letter to a parent who had raised serious and detailed concerns that the entire POD database plan was illegal under Data Protection law with the most basic of coercive threats.


“If you do not consent to your child’s data being entered on POD then you should inform your school in writing that you do not wish to have your child’s information entered on POD, however from 2016/2017 this may have funding and teacher allocation implications for your school”

Similarly, when I wrote to complain, I got an even less varnished version of this threat to defund any child’s education whose parents objected to POD.

Offical's threat


Just take the data with or without consent

As if those threats weren’t objectionable enough, it turned out that the Department had come up with a fallback plan. In their FAQ to teachers, they told them that if any parent did dare to refuse to allow their children’s data to go into POD, the teachers were to ignore their data preferences and just upload it anyway.

Screw parents wishes we wanna

Retention period: Until the child is 30, and then some

Let’s go back to that retention period. It’s set out in Circular 0017/2014, which is closest thing we have to an administrative law underpinning this entire scheme. It says;

The Department will retain personal data in categories 1 and 2 for each pupil on POD for the longer of either the period up to the pupil’s 30th Birthday and subject to review thereafter or for a period of ten years since the student was last enrolled in a primary school.

As very few 20 year olds are to be found still enrolled in primary school, we can take it that the plan is to keep the data at least until the pupil is 30 and then it will be ‘subject to review thereafter’. In other words, there is no commitment to remove this data, ever.

This open-ended retention period, by the way, doesn’t meet the requirement by the Data Protection Acts for notifying the data subject how long the data will be held for or for what purpose (data subject here being parents and then, when they become adults, the pupils themselves). Certainly, any Government department whose Minister is willing to define the criteria for retention as ‘in order to ensure that we have full maximum data’ doesn’t seem like the kind of institution to wipe any data from its system voluntarily.

The Circular is also clear that all this data ‘will’, not ‘may’, be kept. This is an important point, because, under pressure from questions, the department has suggested that maybe they will think about keeping some of the data in an anonymised form after children leave school (and, more urgently, until journalists stop asking questions). But in fact, the Circular short-circuits all of that discussion.

Together, Category 1 and Category 2 data is all of the data the Department is collecting- names, PPS numbers, address, mother’s maiden name, religion, ethnicity, psychological assessments, special needs, the whole shebang- being kept until the citizen is, at the earliest, 30 years of age.

This is explicitly not anonymised or aggregated data.

Security of the data

This is going to get a little bit technical, so stick with me here. Firstly, let’s look at how schools are meant to get this spectacularly rich and sensitive dataset on the nation’s children to the Department of Education. They can fill the data in directly into the webform, which does connect with a secure HTTPS line. Unfortunately, the form won’t let them do many of the things you might expect to come up, like save an entry with only some of the required data filled in.

So, anticipating that the HTTPS option wouldn’t be too popular, the Department has come up with a plan for schools to fill in the data offline, into a Microsoft Office document, and then to encrypt that file using the same encryption system Edward Snowden used to communicate with journalists (GPG) and to then email them that encrypted file.

If you started to make a worried face in the second half of that sentence, that means you’ve probably already encountered trying to use GPG encryption. Here’s Arne Padmos, lecturer with the University of Rotterdam, giving his recent talk “Why is GPG ‘damn near unusable’?” to a group of computer security experts.

But not to worry, the Department told schools that they would produce ‘detailed instructions’ on how to use it. No training, mind, but a handy Word document they could refer to. You can read it all here. Some sample screenshots, to give you a feel for it;

Screenshots of the encryption instructions


As you can see, there is no way that this could go wrong.

Unfortunately, the Department’s focus on keeping this data encrypted in transit pays no attention to the fact that the original data file will remain unencrypted and sitting on the school computer.

Furthermore, the Department decided they would allow the POD data to be automatically copied out and synchronised with the school’s own database. So, no matter how secure the data is getting to the POD, it will then automatically, and by design, be copied out into another database that sits outside the Department’s control or audit.

This is so strange an idea, I’ll show you the bit in their documents where they chat away about it with no mention of security implications, just so you believe me.

Screenshot_2015-01-25_11_53_38So, just to keep count, the list of people with access to this data on children is now;

The Department of Education (for purposes which include statistics, but also funding of children’s education and other, non-specified uses), all the public bodies they intend to share this data with at the moment (the current non-exhaustive list is the Department of Enterprise and Employment, the Department of Social Protection, The CSO, The Child and Family Agency and, apparently, the Revenue Commissioners), everyone in any school with access to either the POD database or their own internal database and any contractors who provide the technical support for those databases.

I could go on and on, but this post is already too long to expect anyone to have reached the bottom here.

I could point out that holding a permanent record that doesn’t allow families and children to declare their ethnicity to be Black and Irish is insulting and backward. I could point out that having a free text Notes field where school staff can write anything they want about a pupil and have it stored, for reference, until that pupil is an adult active in society is a invitation for abuse. The threat of something going on a child’s Permanent Record has never been so real.

You can stop this

I think the main point is clear. This project is a mess. It must not go on as it is. But the Minister and her Department have made clear that they will not budge unless forced to do so.

So, please, contact your school and warn them about the Data Protection breaches that they could be held liable for if they comply with the Department’s demands. Then, please contact Minister Jan O’Sullivan by email Minister@education.gov.ie and tell her you want her to stop this project and why. Use any and all of the above points, or some of your own.

And finally, please contact the Office of the Data Protection Commissioner and let her know that you aren’t happy about the proposed creation of a slap-dash, ill considered, record of your child and you think she needs to act to stop it from happening.

Posted in General | Tagged , , | 6 Comments

Unanswered legal problems with the Government’s new database of children

Database Teddies

The Department of Education is building a database of Ireland’s children. It’s called the Primary Online Database and, currently, its intention is to collect a full profile of data on all the children in education and to store that data until they turn 30. Yes, 30.

They started last September 2014, taking data from schools directly, rather than asking parents in almost all cases. Now the department is sending home letters to parents about the database, baldly telling parents that they’re taking their child’s data.


UPDATE: See my follow-up post with lots of  the extra problems identified with the Minister’s POD plan
UPDATE 2: NEW! A simple web form to tell the Minister that this is a bad idea. Sign it and share it!

The Department is collecting data, including sensitive data such as medical information, whether the children have psychological assessments, religious and racial characteristics on children. This is something that requires careful planning to be done correctly. As the Irish Water debacle showed, an organisation can destroy public trust by careless information governance and ill-considered data demands. And any database that contains such critically sensitive data about all the citizens and residents of the state who are under 30 needs very significant and broadly based support.

This database, if leaked or misused, would compromise the identity security of every young person in the entire country. It would provide a treasure trove for blackmailers or identity thieves. It’s precisely because this sort of data is so red-hot radioactive that the Census data- the only collection comparable to this proposed datagrab- is given special legislative protections in the Statistics Act 1993.

Regrettably, it seems the Department of Education has not learned anything from the recent past. I contacted the department on the 6th January to set out some Data Protection concerns with the database. I followed this up with more than one telephone conversation. I received no written reply by the 20th January so I then made a formal complaint to the Data Protection Commissioner.

In that complaint I made the following points;

1/ Section 2(1)(c) of the Data Protection Acts (referred to hereunder as DPA) sets out the principle that data should be obtained for “one or more specified, explicit and legitimate purposes”. Children’s data was obtained from parents by their schools for specific, legitimate, internal school purposes. The Department is seeking to take that data from the school, under threat to its continued funding, and use it for different radically different purposes, none of which were specified at the time the school obtained the child’s data, or or necessary for those internal uses. This is not legitimate.

2/ In addition, the Department’s Letter to Parents states that it is the Department’s intention to store children’s data in the Primary Online Database until they reach the age of 30.

To me, this appears to be self-evidently an excessive retention period. Data may only be stored for as long as is required for the purpose for which it is collected. (per Section 2 (1)(c)(iv) DPA)

As all the purposes of this database are related to children’s primary school experiences, retention for decades after that experience ends will be a breach of the data protection acts, and contrary to Data Protection principles.

3/ I have very significant concerns about the data relating to children proposed by the Department to be obtained, processed, shared and retained until the age of 30. The material describing the contents of the POD database sets out data which is clearly sensitive personal data per the definition at Section 1 DPA.

In particular, the data fields;

Learning Support

Is the pupil in receipt of low incidence support through NCSE? (drop-down list)

Is pupil receiving support under the General Allocation Model? (drop-down list)

EAL (tick-box)
Specific Learning Disability (tick-box)
Learning Support (tick-box)
Mild/Borderline Mild GLD Resource Teaching

Does the child have a psychological or medical assessment report which recommends provision of an additional teaching resource ? (drop-down

represent sensitive personal data as it relates to “the physical or mental health or condition or sexual life of the data subject,”.

However, the Department is proceeding on the assertion that all this data is ‘non-sensitive’ data and does not require parental consent for processing.

Furthermore, the database includes a free text “Notes” tab.

“Notes about a pupil may be entered into the ‘Notes’ tab. At present, notes entered here can be seen by Department of Education staff”

(per P 10 of the Instruction Manual on the POD. The existence of this data field is not notified to parents in any notice addressed to them. )

There is no way for this data to be obtained or retained in compliance with the DPA, as there is no description or limits on what notes may be added to each child’s entry into the database- whether sensitive, relevant, necessary or appropriate. Whether the data is routinely accessed by the Department is irrelevant as it is being retained by the Dept and is accessible to any departmental user with Administrator status.

Furthermore it is not unknown for children to change schools precisely to obtain a fresh start, and it is unsatisfactory that the unlimited and unmonitored notes by staff of one institution would be transferred to the new school, colouring that school’s opinion of the child before they had even started.

4/ The Department of Education’s use case statement which may be accessed on the Department of Social Protections own website does not include the proposed use of children’s PPSNs as described in the Department’s letter to parents regarding this database.

From the records available to me, the proposed use case the Department’s letter describes has not been notified to the Department of Social Welfare and, therefore, has not been agreed with the Minister, as required under S 262(4) and Sec 262(6) of the Social Welfare Consolidation Act 2005.

In the absence of such consent a child’s school would be in breach of the data protection acts were they to transfer his or her PPSN data to the Department as a new Data Controller.

5/ I note that by letter dated 15th January the Minister for Education’s private secretary wrote to parents who have complained about this database and told them that;

“If you do not consent to your child’s data being entered on POD then you should inform your school in writing that you do not wish to have your child’s information entered on POD, however from 2016/2017 this may have funding and teacher allocation implications for your school going forward”

This threat effectively negates any consent that might be given, as it is clearly represents a coercive effort to force consent in the face of the defunding of their child’s education. In addition, the threat to partially defund a school on the basis of purely automatic processing of data in a database it represents a breach of
Section 6B of the DPA,

“a decision which produces legal effects concerning a data subject or otherwise significantly affects a data subject may not be based solely on processing by automatic means of personal data in respect of which he or she is the data subject and which is intended to evaluate certain personal matters relating to him”

To read more about how this database is being implemented in a way to undermine trust and effectiveness, take a look at data protection expert Daragh O’Brien’s two posts on the subject, here and here. Those posts give context to this ill-conceived project, by showing how and why the State consistently fails to respect citizens’ data rights.

If you agree with my points, please do contact your child’s school and let them know that you don’t give consent to your child’s data being entered onto POD, and let the Minister for Education, Jan O’Sullivan TD know your concerns about her plan by email minister@education.gov.ie and/or make a complaint to the Data Protection Commissioner’s office (details here) if you have no satisfactory outcome from your contacts.

Photo: Database Teddies by Linda Hartley

Posted in General | Tagged , , | 7 Comments

Private phone messaging apps compared

Recently, for reasons, I had occasion to examine the current state of the market for encrypted messaging apps on phones.

Tested: Wickr, BBM, Threema, Confide, Cyber Dust, Cyphr, Telegram. Thoughts to follow:

-All of these apps start off wanting access to your contacts. You should always say no and invite the people you do want to communicate with manually.
-I have no way to check the cryptographic reliability of any of the below apps. So, one could be a pleasure to use and be using a joke of encryption. In addition, if your life depends on security, please don’t use a phone at all to pass messages. Buyer beware. )

Wickr: Hysterical intro copy. Stunningly ugly. Nuttily tricky to set up. Seems to work.

BBM: Amazingly, even more ugly design than Wickr. Appears to hate users, and does everything it can to stop them. On android: don’t install. Over-reach on permissions, including your call & text history, demands for your location etc. Blackberry, you are a zombie.

Threema: A bit fiddly to set up, quite like whatsapp once you’ve succeeded. Has a nice face to face verification thing too.

Confide: Text only, unlike the others. Only reveals one word at a time, so can’t be screen shot. If you want to send a private private text made of just text, seems like a good bet. Update: Neither I nor my Android co-tester actually received each other’s messages. Though very secure, this is not very useful.

Cyber dust: a much better interface than most of the others. You don’t get an archive or record of your conversations- they vanish from your screen after a few minutes. You can keep your own messages, if you like, by tapping on them, but you can’t keep the other people’s.

Cyphr: Easy set up, easy use. Uses a central server. Makes saving pictures you’ve received very easy, which could be a pro or a con depending on how you want to use it.

Telegram: similar to Threema in set up, slightly cleaner design. Seems to have the larger installed user base.

This is important, because the major barrier to adoption of encrypted apps or messaging is that both sides need to agree to use a particular, non-mainstream, programme to communicate.

This is why the suggestion that Whatsapp, with its tens of millions of users, may encrypt all its messages from end to end is so significant.

My criteria was that the app had to offer to encrypt text (and, ideally, any videos or pictures uploaded) and not store a hackable copy on servers (as Snapchat allowed happen to its users).

Let me know if I’ve missed an option

Posted in General | Tagged | Leave a comment

Thoughts on Ireland’s new Surveillance Order

Some tiny Saturday thoughts on today’s Page 1 scoop by Karlin Lillington re the state’s creation of a new statutory framework for secret Ministerial surveillance orders and, quite seriously, for FISA-style secret court hearings.

1) The Minister has activated a law that has been overtaken by events.

2) The Department of Justice has claimed the SI was signed to comply with EU treaty obligations.

3) But since 2008, when the law was drafted, EU law has been transformed in its approach to privacy, surveillance and rights.

4) Since then, the EU Charter of Fundamental Rights, DRI’s ECJ judgement and even the Google Right To Be Forgotten case mean that the balance struck between privacy and surveillance in the 2008 Act is no longer an obviously lawful approach.

5) Far from complying with EU Treaty obligations, the State may have exposed itself to a challenge under those same Treaties.

6) The 2008 Act should be rewritten to allow for orderly Mutual Legal Assistance Treaty co-operation, but maintaining EU citizens’ privacy and data rights.

Posted in General | Tagged | 2 Comments