[Sticky] Some extracts from Data Privacy workshop
As far as the red chain is concerned, the nodes (GMP, helpline etc.) are collecting and storing personal data about the victims and slavery incidents under "public task", and no consent is sought from the victims. There is a duty to make sure individuals cannot be traced and identified, and strict restrictions are placed on the level of access to private data. The personal information that may help to trace a person includes, among the usual suspects, mental and physiological, cultural, location, trade union membership and social ID etc. [By this I mean thinking about CDD's security ID, and other potential personal traits of the victims.]
Apart from GDPR, we need to know all data protection laws in all countries (where the chain will reach). Germany, for example, has a much stricter requirement than the EU's GDPR. In the UK, we need to consider in addition the UK Data Protection Act, paying more attention to Part 3 on "Law Enforcement". GDPR covers EU data flowing out of the EU area, and global capture of data belonging to EU citizens. So in practice, GDPR will apply to all nodes (including India), since all nodes on the chain will have access to EU data.
Encryption is not by default enough unless we can prove that the encryption cannot be broken. E.g. someone somewhere might have compromised a password, and then the whole chain will be in danger, or the privacy file of an individual will be violated.
Under GDPR, the subjects (victim and accused) have the rights to be informed, access, rectification/correction, erasure/be forgotten, restrict processing, portability, object, and reject automated profiling/non-human decision making. We have to think through how this affects the data stored on the chain and how AI is to be applied to them. The police, who are processing the data, may have bigger control over such rights (in terms of public interest). But other organisations, e.g. NGOs, will have less control over storing, access and processing. [We also have the complicated relationship about Indian state welfare officers processing incident records in the UK if they have equal access to all data stored on the chain.]
Data protection must be by design or by default. We cannot rely on a particular user being vigilant. There is a heavy duty of care to be exercised regarding confidentiality and data sharing.
We have to separate copyright and access right, although in our case, the access in many cases assumes consent to share data copyright. It will get more sensitive when these data have commercial value individually and/or collectively.
The spirit of GDPR is about clarity, transparency and accountability; consent is needed for (personal) data sharing. [An incident type and a post doc equal personal data, as the two pieces of information may trace to a real person.] Other ethical and legal considerations may also apply.
We need to think about the requirements carefully and check if the data/information is still of any use after all this compliance.
To be continued.