Slashdot Mirror
Charity Promotes Covert Surveillance App For Suicide Prevention
VoiceOfDoom writes Major UK charity The Samaritans have launched an app titled "Samaritans Radar", in an attempt to help Twitter users identify when their friends are in crisis and in need of support. Unfortunately the privacy implications appear not to have been thought through — installing the app allows it to monitor the Twitter feeds of all of your followers, searching for particular phrases or words which might indicate they are in distress. The app then sends you an email suggesting you contact your follower to offer your help. Opportunities for misuse by online harassers are at the forefront of the concerns that have been raised, in addition; there is strong evidence to suggest that this use of personal information is illegal, being in contravention of UK Data Protection law.
How is this invading privacy? Don't I already have access to this data? All I am doing is searching it.
The information scraped from public twitter feeds is not in any way "personal information".
It actually states that it only looks at public tweets.
Right. Also: not illegal. The Samaritans are processing the data on behalf of the registered users of their app, not for themselves. The users determine what data is to be processed, and request the specific way in which it will be processed. Therefore, under the definitions from the Data Protection Act, the user is the data controller ("a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed"). The Samaritans are acting as a data processor ("any person who processes the data on behalf of the data controller").
The act is quite clear throughout that it is the data contr-oller[1], not the data processor, who must comply with the various restrictions as to how data may be used. The users, as long as they are using the app only for the purposes for which The Samaritans describe it as having been designed, are exempt from the provisions of the Data Protection Act, because the data is "processed by an individual only for the purposes of that individual's personal, family or household affairs".
However, even if this were not the case, here is the principle that TFA interprets as stating that the processing performed should not be permitted: "Personal data shall not be processed unless at least one of the conditions in Schedule 2 is met, and in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met."
Unfortunately for this argument, schedule 2 allows processing that is "necessary in order to protect the vital interests of the data subject," which appears to me to be the case here. And, while the data in question is considered sensitive, schedule 3 allows processing which "is necessary in order to protect the vital interests of the data subject or another person, in a case where the data controller cannot reasonably be expected to obtain the consent of the data subject", which also appears to me to be true. It also allows processing of data that "has been made public as a result of steps deliberately taken by the data subject."
So, even were we to hold that The Samaritans are the data controller for the data used by the app, it seems they are entitled to perform this processing.
[1] It seems that slashdot believes the data protection act to be lame, and won't let me post accurate quotes from it. It appears especially to dislike the word that starts "cont" and ends "roller" for some reason I don't quite understand, but unfortunately that word is used very frequently in the text, so I can't really avoid it.