The Bad Samaritan

The Samaritans have launched a new tool for the persecution of the vulnerable… Sorry, a nannyish attempt to spy on your friends, No, I mean, they’re trying to use technology to do what real friends would be doing anyway…. I’ll try this again. There’s this app they have. You’ve probably heard of it; it runs in the background monitoring tweets of those you follow on Twitter, and analyses them to look for indications that a person may be in need of support. The Samaritans are convinced it’s marvellous and has no Data Protection or privacy implications.

The Data Protection Act 1998 applies to the processing of any personal data, anywhere by any person. Certain areas are carved out – the use of personal data for national security purposes is inevitably and depressingly exempt, as is the use of data for purely personal, domestic reasons, and to an extent, the use of data for journalism. Beyond that, although the Data Protection principles are flexible, they apply to all uses of personal data.

At no point in the text of the Data Protection Act does it say that personal data that is public or published is exempt from the Act’s provisions. There is no section that says that, and no section that can be interpreted as meaning that. Moreover, I can use the same quote I used from the Information Commissioner’s Code of Practice on Online data that I used in my last blog about monitoring of blogs:

“If you collect information from the internet and use it in a way that’s unfair or breaches the other data protection principles, you could still be subject to enforcement action under the DPA even though the information was obtained from a publicly available source.”.

And “You should only use their information in a way they are likely to expect and to be comfortable with.”

As the Samaritans have claimed that their app is entirely legal and has no Data Protection implications, I am certain that they will have no problem answering the following questions:

Principle 1:

  • No consent is being obtained; which data protection conditions allow the Samaritans to monitor and – crucially – to analyse and interpret the state of mind of Twitter users without consent?
  • How are data subjects to be informed that their tweets are being monitored and – crucially – analysed with a notification to any third party who chooses to register?
  • The first principle requires the processing of data to be ‘fair’: what steps have the Samaritans taken to ensure that those registering to receive notifications via the app have no malicious intentions towards the subject and will not use the notification for malicious purposes?

Principle 2:

  • What assessment has been carried out to ensure that the processing (i.e. attempting to identify the subject’s state of mind in order to notify secretly a third party of that) is compatible with the subject’s original purpose in publication? How is that original purpose identified?

Principle 3:

  • How have the Samaritans established that their gathering of data and analysis of Twitter users’ state of mind is relevant and not excessive?

Principle 4:

  • Principle 4 states that personal data ‘shall’ be accurate for the purpose – there is no qualification to this. How have the Samaritans ensured that the analysis of a Twitter user’s state of mind is accurate when alerting a third party to it?

Principle 6:

  • What provisions have the Samaritans in place to provide the following:
  • Subject Access: data subjects are entitled to know what data is held about them, and who has received it. Will data subjects be told who has received alerts about them if they ask? If not, which exemption applies?
  • Section 10 Right to object to damaging / distressing processing: data subjects have a right to object to damaging processing – will such requests be honoured? If not, why not?
  • Section 12: Data subjects have a right to request that any automated processing will be carried out by a human being. Will Section 12 requests be honoured and if not. why not? How many members of Samaritans staff are available to carry out the analysis?

Principle 7:

  • What technological and organisational security measures are in place to ensure that the analysis of Twitter users state of mind (potentially sensitive personal health data as defined by the Act)?

Principle 8

  • How have the Samaritans ensured that the sharing of personal data about Twitter users’ state of mind is restricted to the European Economic Area? If it has not, how is the sharing of information about Twitter users’ state of mind outside the EEA justified under Principle 8.

For the record, I think the 30 day retention period of data (principle 5) may be OK.

Comments

  1. All valid points raised, however, I would imagine that it’s the app itself does the processing, rather than a central Samaritans server. This would make the individual the data controller, and if it’s done for domestic purposes then Section 36 will apply.

    I personally think this app is a bad idea, and did initially believe it was in breach of the DPA, but after considering the above it seems likely it isn’t.

    • I don’t think it matters where the processing occurs. I believe that the Samaritans determine the purposes by making the app available.

      • If that was true, then the same could be said about any organisation offering an app – Facebook, Twitter etc.

      • My comments may be invalid anyway – it appears there is no app, so the processing is likely instigated by the Samaritan’s server.

      • Fair enough, but it is true nevertheless. Data Protection is built on establishing the controller as the entity that determines the purposes. It’s entirely possible for Facebook or Twitter could have an app that was downloaded by users for which they were at least joint data controllers. as long as they determined the purposes for which any personal data was used.

Trackbacks

  1. […] of the FAQs, with no apparent change to the position that those whose tweets are processed get no fair processing notice whatsoever, makes me more concerned that this app has been released without adequate assessment of […]

%d bloggers like this: