Posts by Doctor Syntax 40471 publicly visible posts • joined 16 Jun 2014
"If you want something done quickly, report it as broken."
Have a genuinely unskilled assistant who, on suspicion of that, will be sent round to look, can be guaranteed to break it and then bring it back to the workshop for investigation which will take at leas until next week.
Noyb have locked horns with big business a number of times not just for children and I applaud them for it. But those have been businesses with whom the data subjects would do business directly.
In this case it's not. The children, or their parents deal with the schools, not Microsoft. That's one factor.
We seem to have arrived at a situation where, if a data subject does business with one of these organisations in Europe and the data abuse takes place in the US the data subject is expected to take action in the US courts, essentially the big business's home ground. That's where all the diplomatic negotiations have taken us and it doesn't seem to me anything like an effective remedy.
By taking on Microsoft in this instance we're likely to see the same response - if you don't like it, sue in the US. There's an option here - establish that the transaction - data subject to school - takes place in the EU so that any action can be between the parties in their own jurisdiction. It would be a step to getting a general principle recognised - that the jurisdiction should be that in which the data subject was located when the transaction took place.
A general question to those from the EU or UK who think that Noyb is right in bypassing the schools and taking on Microsoft: if data you had given, in the EU or UK to a US corporation were to be breached would find it easy or even feasible to seek redress in the US courts than in your own, were you given the option to do the latter?
"Seriously though, the school has only a smidgen more capability to affect Microsoft's policies than the parents."
It has a capability to determine its own policies and by that means it has the capability to not use Microsoft's services to hold any data on its pupils. Once it makes that decision it doesn't need to affect Microsoft's policies in the least. In that way it can ensure that Microsoft's policies do not affect its ability to discharge its responsibilities to the children.
"And BTW I've almost never found a business consider the privacy implications for either staff or customers of the technologies or 3rd party services they choose to deploy. Convenience and cost rule the day."
That holds right up to the point where things go wrong and their disregard costs them money and convenience. Most will learn from that when it happens to them.
"The UK ICO should maybe take a peek at GLOW in Scotland"
Try lodging a complaint with them. Even better, get as many parents who understand what's happening to ledge a complaint with them and with the schools concerned.
Ask the schools why they have not given you the choice to opt out and remind them of the provision of GDPR which says not opting out cannot be a condition of not providing the service.
Microsoft might change their way and will only change their way if their market is cut away from them unless they do. If it's made clear to their customers, the schools in this case, that they will be held responsible for Microsoft's shenanigans with the data they entrusted to them then they'll have to stop entrusting them with that data.
"The LAs and schools have no way to modify that processing as it's practically impossible to negotiate it with MS"
Then don't deal with them. It's the schools who have a relationship with the parents. If the schools just hand things over to a 3rd party it's their choice and they should be held responsible to the schools for the consequences of that choice.
It looks as if Noyb have lost their way on this.
That is there problem. It's a damn sight less of a realistic possibility for the parents to take it up with Microsoft.
If you were one of the parents what would you do?
I think the law needs to be very clear: if you do business with someone - and I'll include sending children to school - then you must be able to hold that business responsible for whatever actions any of its agents takes.
From the business's PoV it needs, in consequence, to be very careful about whom it appoints as its agents. Simply passing the responsibility along the chain and then throwing up your hands and saying "it's too difficult" is not good enough.
"In its new complaint, noyb said Microsoft was trying to avoid responsibility under GDPR by insisting that almost all of the data protection responsibilities lie with local authorities or schools."
Actually, I think that's preferable. Parents can take the matter up with the schools. For the average parent or parent organisation this is going to be easier than dealing with Microsoft. After all, it would have been the schools' decision to go with Microsoft, not the parents'.
This, I think, is a better principle that saying if the data you provided to a local supplier is breached by their supplier in the US then take it up in a US court. That idea was behind the previous privacy fig-leaves and equally, AIUI, behind the bridge framework.
The schools can then take the matter up with Microsoft and, as customers, should find this easier - not very much easier but they do have a direct relationship. And if they don't get a satisfactory answer from Microsoft they can cease doing business with them.
"You have some sessions with the customer to make part of a plan, build that part, and continue to iterate."
A third alternative. You build some sort of prototype - possibly even a sketch of the UI with a note about what does what. You present that to the user. Once they see something that may vaguely resemble what they were looking for they're better placed to think it through and clarify. But don't put effort into building part of it properly because even if it shouldn't be part of the finished product you're stuck with the sunk costs.
The analogy to construction is more if I just said "I want a house. Four bedrooms. Get started.",
Someone who wants a house either goes to an estate agent to buy one that already exists or they go to an architect* to get a design put together. Only then do the builders/devs get started.
* Occasionally someone will want to be their own architect
If you're read The Mythical Man Month you'll find it said that the user manual is the first thing to be started and the last to be finished. It describes what the user will do with the product. If you're going to build something it's useful to know what the user expects it to do. The reason it's the last thing to be finished allows for the fact that whole project will evolve and that the final documentation will reflect what it became.
I've come across a fair bit of software which would have benefited from that approach - describe how the user will accomplish a task and build something that does that. Instead someone has worked out the various bits of functionality and presented them to the user in a heap. The heap, at first sight, looks logical - all the parts you'd expect to be there are there. But the user then has to work out what disconnected set of actions are needed to do what's needed because usability wasn't taken into account as it would have been if the objective had been to build something that followed a description of it being used.
If they actually did it then assuming the new price is under the limit for a small claims limit then it would be a quick trip to https://www.gov.uk/make-court-claim-for-money to demand its return or a new replacement.
Undoubtedly it would be quickly discovered as a way to get a free replacement.
"If a customer sends their Pixel to Google for repair, we would not keep it regardless of whether it has non-OEM parts or not,"
Then why put that in the T&Cs? Did they copy them from a tractor manufacturer? Did somebody's nephew get given the job of writing them? Or a chatbot? If it was there then, extremely unlikely data corruption aside, somebody put it there deliberately. What else might be in the T&Cs that they didn't mean to be found put there?
Some activity isn't all of it. It's very likely involving a lot of phoning round for capacity and a lot of couriers taking samples around. It's going to involve time spent doing that which would normally have been better used elsewhere. If you're in London why not give one of the hospitals a call to see if they're looking for volunteers to help out with that. At the same time you can do a real feasibility study.
This is a path lab service. It's not clear whether they're being run on the hospitals' sites or whether they have a centralised lab. In the latter case having a set of fully equipped set of labs on site really would be a luxury. In either case falling back to services on site is meaningless - either they are on site or there's nothing to fall back to.
A lot of the instruments will be controlled by PCs. "Digital" isn't a luxury, its how it works.
"I find that even Linux installs are best followed by a routine of removing stuff that gets added by default,"
As a matter of interest, what things and what distro? I'm curious as I'm apt to find myself adding things rather than removing them but that might just depend on the choice of distro.
"An add-on called Forensic Evidence can literally watch, in real time, what an employee is doing, in order to collect evidence for an investigation,"
That sounds like a channel by which possibly restricted information can leak to those not entitled to see it. Just because someone is on a compliance teem doesn't mean they should be enabled to see any personal data the user might be legitimately handling.
Stop them deploying 5G? HMG has been pushing them to deploy 5G and switch off 3G. Likewise roll out FTTP (which goes into areas with good FTTC coverage) at the expense of improving FTTC elsewhere. Also, until the penny finally dropped, they were encouraging the loss of resilience by switching off POTS. Even the penny dropping has only - at present - delayed it.
All in the interest of "digitization",r "digitalisation" or whatever -i.e. the pursuit of shiny at the expense of what works.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
