Tracking kids in schools

Seems the school sector has gotten cold feet on the use of tracking technologies in schools. Since the decision by the Swedish SA on the use of facial recognition biometrics, other schools are following suit.

A right to feel safe vs. a right to a private life – both human rights

The question is that sometimes it is VERY useful to use tracking technologies, for example in order to protect vulnerable persons, i.e. small children, and old people (who tend to wander). So the decision by Norrköping kindergarten was a bad one IMHO to not allow the use of tracking – use of armband- of toddlers/small children.

As a parent it would give me peace of mind. Human rights states that we have a ‘right to feel safe’ and ‘a right to a private life’. These rights can often conflict with each other which results in the wrong decisions being made. Hence in fear of breaking the GDPR a school has made a rather incorrect decision which has so many benefits for all. What’s more is that RFID/sensors are not biometrics, so have no relation to the other decision. Sensors do not even need to be linked to an identity. All the school needs to know is if they have lost a child, not which one… that they can work out pretty quickly by seeing which they have.

This presents another problem in that decisions are made by persons who are are not able to take this careful balancing act and really identify the potential risk of harm to the natural person. In the case of Norrköping school I can see none which outweigh the benefits on a ‘right to feel safe’.

Thanks to Inge Frisk for bringing this decision in Norrköping to my attention.

EU ePrivacy Directive amendment

A recently passed amendment to the EU Privacy Directive will require Internet users’ consent before cookies can be placed on their computers. This is part of a revised ePrivacy Directive that is close to enactment, that includes improvements on security breach, cookies and enforcement. The new provisions will bring vital improvements in the protection of the privacy and personal data of all Europeans active in the online environment. The improvements relate to security breaches, spyware, cookies, spam, and enforcement of rules. The revised ePrivacy Directive must be implemented by the Member States within 18 months.

The changes introduced include:

    For the first time in the EU, a framework for mandatory notification of personal data breaches . Any communications provider or Internetservice provider (ISP) involved in individuals’ personal data being compromised must inform them if the breach is likely to adversely affect them. Examples of such circumstances would include those where the loss could result in identity theft, fraud, humiliation or damage to reputation. The notification will include recommended measures to avoid or reduce the risks. The data breach notification framework builds on the enhanced provisions on security measures to be implemented by operators, and should stem the increasing flood of data breaches;
    Reinforced protection against interception of users’ communications through the use of – for example – spyware and cookies stored on a user’s computer or other device. Under the new Directive users should be offered better information and easier ways to control whether they want cookies stored in their terminal equipment;
    The possibility for any person negatively affected by spam , including ISPs, to bring effective legal proceedings against spammers;
    Substantially strengthened enforcement powers for national data protection authorities. They will for example be able to order breaches of the law to stop immediately and will have improved means of cross-border cooperation.

What this means is that the current laws that the data subject has increased protection online. If their personal data has been exposed, they must be notified. As such they must be informed if personal information on them is being collected, and they should have the option to opt-out (or more preferably opt-in). This is not possible with the way cookies are used today where they are just downloaded onto the users’ PCs without warning. All security to warn the user of tracking cookies are provided by the web-browser. This will now have to be included in the cookie itself.. I think. Any experts out there that know how this could work in practice, please jump in here and comment 🙂

I also read some references to how the use of RFID for the collection of personal information falls in the scope of this amendment.

And finally enforceability is key. Hence each member state must have the appropriate legilsation implemented to make this amendment effective and enforceable.

Unencrypted RFID in Michigan driving licenses

“Michigan entering into a federal agreement to put unencrypted, long-range RFID computer chips into our driver’s licenses presents a huge privacy risk with very little benefit”, says Republican State Rep. Paul Opsommer, in a statement. “I don’t think we need RFID in our licenses period, but even if we did, there is absolutely no reason it couldn’t be short range and encrypted. The federal government has made some bad technology choices that they now want to cram down the rest of our throats. Canada is totally rethinking this whole program from the ground up, and so should Michigan.” Read more at Network World.