November 13, 2017 at 10:23 am
richard-674310 - Monday, November 13, 2017 10:17 AMSuppose in your example ("get the data from Server X") it were phrased more like "Grab all the emails that Steve Jones sent/received; in the period X to Y, off server X"? It's now a lot harder to imagine that the recipient of the request doesn't know what's going on!
Just use BleachBit. Then it all will be OK
...
-- FORTRAN manual for Xerox Computers --
November 13, 2017 at 11:39 am
Steve Jones - SSC Editor - Monday, November 13, 2017 9:59 AMrichard-674310 - Monday, November 13, 2017 7:20 AMHey Steve,
I'm not convinced by the "I just did what my boss told me to do" model.
If we want to be taken seriously as a profession - rather than a bunch of craftsmen/women, then we need at least a concept of professionalism and ethics. You might enjoy Uncle Bob's take on it. It is somewhat targeted at developers and I see no reason why the basic ideas would not apply to data professionals too.http://blog.cleancoder.com/uncle-bob/2015/11/18/TheProgrammersOath.html
http://blog.cleancoder.com/uncle-bob/2015/11/27/OathDiscussion.html
...and finally - people going to jail.
http://blog.cleancoder.com/uncle-bob/2017/08/28/JustFollowingOders.htmlI know it's not a great answer, but I also don't know what I'd do. Each situation/case might be different, with nuanced interpretations. If someone said "get the data from Server X", which is in Ireland, am I supposed to somehow validate this as a request I should or should not fulfill? I can imagine this coming to a data professional, in the middle of many similar requests, and just completing it.
It's not that I don't feel responsibility, or that I think someone shouldn't, but that this is complex and it's not easy to keep up with what we should be doing.
Very interesting points, Richard. And I can see your point of view too, Steve. Many years ago I was working for a company that had to record training data to meet some regulations. I was asked to make modifications to the data and told, at the time, it was because not everything had been entered. (Back then we weren't even using any SQL databases - it was all data was stored in flat files of various types.) So, as far as I've ever know, what I was doing was fine; I wasn't breaking any regulations. It certainly was plausible that not all training was captured at the time it was done. So, I went ahead and did it. But, afterwards I wondered, why hadn't they captured this training when it was done? It could have been for any number of legitimate reasons. The recording of that training data wasn't automated; it had to be done manually as I did it. Perhaps everyone was too busy at the time the training was occurring. But how easy would it have been if the manager talking to me were lying and he just wanted to pad the data to satisfy the regulation. All I could do at the time was take the manager at his word. I didn't have access to the data he had me enter, so I couldn't verify anything. I was very young and gullible. And personally I hate going through life mistrusting everyone and everything.
Kindest Regards, Rod Connect with me on LinkedIn.
November 13, 2017 at 11:58 am
jay-h - Monday, November 13, 2017 7:36 AM[Related point: Recently there was a problem with Google docs locking people out of because an algorithm decided the content was 'inappropriate'. Google apologized for the overly aggressive algorithm, but not, apparently for policing the content of private documents.
Social media are in a death-or-bongo situation. They are pilloried for not doing enough to detect child porn & terrorism but criticised for the algorithms and practices necessary to do so
November 13, 2017 at 12:12 pm
David.Poole - Monday, November 13, 2017 11:58 AMjay-h - Monday, November 13, 2017 7:36 AM[Related point: Recently there was a problem with Google docs locking people out of because an algorithm decided the content was 'inappropriate'. Google apologized for the overly aggressive algorithm, but not, apparently for policing the content of private documents.Social media are in a death-or-bongo situation. They are pilloried for not doing enough to detect child porn & terrorism but criticised for the algorithms and practices necessary to do so
Well the cases in question were neither.
But still you have a problem: either you go strictly by algorithm (which will definitely be frequently wrong) or you get some human to look at 'suspicious' material which is an absolute violation of privacy.
Both are unacceptable.
...
-- FORTRAN manual for Xerox Computers --
November 13, 2017 at 1:28 pm
If the judge issuing the warrant doesn't know the meaning of the term "256 bit AES encrypted", then this case will drag on a lot longer than he initially anticipated.
"Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho
November 14, 2017 at 6:16 am
Consider the consequences (good or bad) of the court requiring controls being placed on data transmission between sovereign entities. Whether it is related to "tariffs" or "contraband" search, these new barriers will likely slow down international trade and processing of data, but may also reduce the movement of data/activity between countries for tax avoidance or transaction obfuscation, and ultimately may put some controls on the stateless corporations that have become "too big to fail"... Note that I'm very concerned about privacy, and benefits and costs will obviously depend on implementation detail, so I'm not sure where I stand on this issue yet.
November 17, 2017 at 6:29 pm
It's going to be intereting if the Supreme Court rules that MS must hand over data protected by EU data protection laws when asked by the American Justice Department.
When some Microsoft employee in Ireland hands over data such data what's going to happen (a) to Microsoft Ireland and (b) to the employee and (c) to the MS Ireland Management that made it MS Ireland policy to permit such handover. I guess the answer to (a) is that Microsoft ireland will pay a massive fine; and the second time it happens the massive fine will really hurt. The answer to (c) is a bit harder to guess - but again a large fine might be appropriate, or even a jail sentence (one can be pretty sure that if teh Supreme Court makes such a ruling the EU will harden up the regulations to make it painful to try to play games with them). Of course if MS Ireland claims to have a firm policy not to hand over such data, any American senior management of MS Ireland had better avoid vacations in (or other visits to) the USA because they will be violating a ruling by the supreme court and failing to carry out their legal responsibilities imposed by a demand for the data by the Justice Department. How (b) works out I haven't a clue, except that the employee concerned will have destroyed his reputation as someone who can be trusted with sensitive data, which makes him pretty well unemployable anywhere in the EU (and anywhere in any country with a decent view on data protection) unless he is qualified for jobs with no access to sensitive data.
We've already had a period where it was illegal for European companies to have sensitive data stored or processed in the USA (when the Safe Habor Agreement was declared void becuse the USA would not observe it). I doubt the replacement agreement will survive very long, because it's extremely unlikely that the USA will observe that agreement any more than it did the last one, or that it will interpret the agreement as obliging only to pay lip service to the principles itis supposed to uphold. I think a Supreme Court decision to back the justice department against Microsoft would ensure that data protection officials throughout the EU will watch very carefully to see if the there are viloations of the agreement - and it's very likely that the when the justice department demands data those officials will demand to see the evidence justifying the decision to demand seeing the data, since otherwise they would be trusting the same people whose failure to enforce the Safe Harbor Agreement lead to its being declared unreliable, not to be trusted, and hence void.
And Steve's "I'd just do it" attitude strikes me as something that may help ensure that the USA never gets decent data protection laws (because that attitude would render such laws unenforceable) and that would mean that the risk of having ever increasing trade barriers between the EU and the USA, including a total restriction on any sort of trade in IT services, would never go away.
Tom
November 20, 2017 at 10:41 am
TomThomson - Friday, November 17, 2017 6:29 PMAnd Steve's "I'd just do it" attitude strikes me as something that may help ensure that the USA never gets decent data protection laws (because that attitude would render such laws unenforceable) and that would mean that the risk of having ever increasing trade barriers between the EU and the USA, including a total restriction on any sort of trade in IT services, would never go away.
My quote has nothing to do with the law or my desire to comply. It has to do with someone asking me for data and not knowing this might be a request that breaks the law. I've never had to deal with information that crosses borders, and it wouldn't cross my mind that a request might be a problem.
November 20, 2017 at 10:48 am
Steve Jones - SSC Editor - Monday, November 20, 2017 10:41 AMMy quote has nothing to do with the law or my desire to comply. It has to do with someone asking me for data and not knowing this might be a request that breaks the law. I've never had to deal with information that crosses borders, and it wouldn't cross my mind that a request might be a problem.
This is why a key part of GDPR has to be an ongoing education piece. The role of a Data Protection Officer is to monitor compliance, ensure that training takes place and provide advice to the organisation and its staff.
I'm not going to worry about cross border data exchanges (Chapter 5, articles 44-50). That's above my pay grade. I'm putting something together that represents the first four chapters of GDPR as a small set of diagrams and hope to share it soon.
Viewing 9 posts - 16 through 23 (of 23 total)
You must be logged in to reply to this topic. Login to reply