Royal College of Psychiatrists: Social media data should be handed over

The Royal College of Psychiatrists has called for social media data to be handed over to academics in order to protect children and young people who are at risk of suicide.

By studying the content that is being viewed, the hope is that new research could help protect users from material that could harm them.

According to an article from The Guardian:

“We will never understand the risks and benefits of social media use unless the likes of Twitter, Facebook and Instagram share their data with researchers,” said Dr Bernadka Dubicka, chair of the college’s child and adolescent mental health faculty. “Their research will help shine a light on how young people are interacting with social media, not just how much time they spend online.”


Data passed to academics would show the type of material viewed and how long users were spending on such platforms but would be anonymous, the college said.

That the data would be anonymised could potentially make this course of action permissible under GDPR, but this data is nonetheless extremely sensitive. Care would have to be taken to ensure that it was shared with academics legally and that users were sufficiently protected.

The idea has received support from other sources as well. The Guardian goes on:

NHS England challenged firms to hand over the sort of information that the college is suggesting. Claire Murdoch, its national director for mental health, said that action was needed “to rein in potentially misleading or harmful online content and behaviours”.


She said: “If these tech giants really want to be a force for good, put a premium on users’ wellbeing and take their responsibilities seriously, then they should do all they can to help researchers better understand how they operate and the risks posed. Until then, they cannot confidently say whether the good outweighs the bad.”

With the government currently planning measures to make the internet a safer place for users, including setting up an independent regulator and placing a duty of care on online companies, the Royal College of Psychiatrists may well get what they want here.

But with data privacy being a major concern here, there are also likely to be objections. According to the BBC, civil rights group Big Brother Watch stated that users should be “empowered to choose what data they give away, who to and for what purposes”, and that young people should not be treated like “lab rats” on social media.


Facebook payroll data stolen

Facebook has a poor record when it comes to data protection, and that trend continues. It’s usually user data that has been at risk, but this time it’s the company’s own employees who are affected, as payroll data has been stolen.

The details were stolen last month when a thief stole unencrypted hard drives from a Facebook payroll staffer’s car. According to Bloomberg:

The hard drives, which were unencrypted, included payroll data like employee names, bank account numbers and the last four digits of employees’ social security numbers, according to an email Facebook shared with staff Friday morning. The drives also included compensation information, including salaries, bonus amounts, and some equity details.

In total, the drives contained personal data for about 29,000 U.S. employees who worked at Facebook in 2018, a spokeswoman confirmed.

The theft occurred on November 17th, but it was some time before employees were notified. It wasn’t confirmed that the hard drives contained Facebook payroll information until November 29th and those affected weren’t told until December 13th.

This is far too long a gap, especially given the sensitive nature of the information. Facebook have, however, started taking steps to limit the damage. Bloomberg’s report states:

The employee who was robbed is a member of Facebook’s payroll department, and wasn’t supposed to have taken the hard drives outside the office. “We have taken appropriate disciplinary action,” the spokeswoman said. “We won’t be discussing individual personnel details.”

Facebook is still working with law enforcement to recover the information, though none of the hard drives have been found. In an email, Facebook encouraged employees to notify their banks and offered them a two-year subscription to an identity theft monitoring service.

This breach should be a stark reminder that basic mistakes can lead to serious data breaches. Simple lapses from staff members can have the direst consequences.

Facebook itself made several mistakes here. The member of staff should have been made more aware of their responsibilities, and further steps should have been taken to protect the data, such as encrypting the hard drives.

The company’s response should also have been much swifter, identifying exactly what data had been stolen and notifying those affected sooner.

If you’re concerned about these kinds of lapses, make sure your staff are aware of their responsibilities with staff training from Activa Consulting, or get our expert advice on data protection with our consultancy services.

Facebook “Like” button could be GDPR risk

It’s common to see the Facebook Like button on websites these days, but it may be a danger to those sites as a result of a new ruling from the European Court of Justice.

The court has decided that the website owners themselves are responsible for the data collected through the button. They are therefore also liable in cases where this data could be breached.

Given the social media giant’s infamous history regarding data protection issues, there’s good reason to be worried about the Facebook Like button. As reported by The Drum:

In their ruling the judges say the use of such widgets by any organisation amounts to being a joint data controller, meaning that websites “must provide, at the time of their collection, certain information to those visitors such as, for example, its identity and the purposes of the [data] processing.”


The darker side of Facebook’s Like button has come to prominence in recent months on the back of a series of privacy scandals to rock Facebook, with analysts pointing out that its primary function isn’t as a digital show of support but a tool to track individuals and permit data collection beyond Facebook’s products.


This was brought to light in a case involving German retailer Fashion ID which was sued by consumer rights group Verbraucherzentrale NRW over its use of the Facebook widget which escalated to the ECJ, which has now determined that Fashion ID must be considered a data controller in terms of both the collection and transmission of data.

Becoming complicit in Facebook’s data protection failings is an extremely dangerous thing to do – and considering its track record, could potentially bring certain companies to their knees. Many websites would therefore do well to completely remove the Facebook Like button.

This demonstrates how important it is to be aware of not only your own data protection processes, but also those of third-party developers and services.

You may believe your organisation to be GDPR compliant, but if you are using the services of one which isn’t, you will still be liable for any data breaches that occur as a result of their failings.

If you think this is a concern at your company, we can help. Contact us today – our GDPR consultancy services can help improve your compliance levels and reduce the data protection risks businesses face.

Concerns raised over how FaceApp uses data

FaceApp topped the app download charts again this week, boosted by the popularity of its new ageing filter which allows people to see how they will look when they’re a few decades older.

However, concerns have been raised about how the app handles personal data – in particular, what access it has to users’ photos and how it makes use of them.

As reported by the Guardian:

These concerns have been heightened by growing awareness of online privacy issues in recent years and the fact that the developer is based in Russia, where many high-profile online misinformation campaigns have been based, in addition to a loosely-phrased privacy policy.


In the US, senior Democrat Chuck Schumer has urged the FBI to investigate, saying FaceApp could pose “national security and privacy risks for millions of US citizens”, according to a letter seen by Associated Press. He said it would be “deeply troubling” if sensitive personal information was provided “to a hostile foreign power actively engaged in cyber hostilities against the United States”.


The FaceApp CEO, Yaroslav Goncharov, said only a single picture specifically chosen by the user would be uploaded from a phone and the app did not harvest a user’s entire photo library, a claim backed by security researchers.

Despite the attempt at reassurance from Goncharov, there are still reasons to be worried about FaceApp. Many apps are still harvesting user data; La Liga was recently fined $280,000 under GDPR for using its mobile app to spy on users and try to stop piracy.

And with FaceApp having been developed in Russia, which, as the Guardian stated, is where “many high-profile online misinformation campaigns have been based”, there’s even more reason to be concerned.

If you’re uncertain about your own organisation’s obligations under GDPR, Activa Consulting are here to help. Contact Us today to find out how we can improve your compliance!

Facebook will be fined $5 billion for Cambridge Analytica Scandal

The US data regulator, the Federal Trade Commission (FTC), has announced that it intends to fine Facebook $5 billion for its part in the Cambridge Analytica Scandal.

The fine that Facebook received from the UK’s ICO, coming pre-GDPR, was a mere £500,000. But despite the FTC’s fine being a huge amount more, many feel that it’s inadequate.

Here’s what Dave Lee, the BBC North America technology reporter, had to say about it:


Facebook had been expecting this. It told investors back in April that it had put aside most of the money, which means the firm won’t feel much added financial strain from this penalty.


What we don’t yet know is what additional measures may be placed on the company, such as increased privacy oversight, or if there will be any personal repercussions for the company’s chief executive, Mark Zuckerberg.


The settlement, which amounts to around one quarter of the company’s yearly profit, will reignite criticism from those who say this amounts to little more than a slap on the wrist.

It’s notable that the fine was only just passed by the FTC by 3 votes to 2, with those voting against it stating that it was insufficient, even though it would be the biggest ever brought by the FTC against a tech company.

Perhaps the most shocking thing is that Facebook shares actually rose 1.8% on the news, with investors receiving it positively.

The debate will go on, but many will continue to think that Facebook got off lightly with just a $5 billion fine. If this had come under GDPR, it would likely have been in a great deal of trouble.

As it is, a mere £500,000 from the ICO – a record at the time, until the recent British Airways fine of £183 million – seems hardly worth mentioning.