2018-03-08 1:10 GMT+01:00 Alexandros Papadopoulos <a...@member.fsf.org>:

> Thoughts very much appreciated.

If this was me and I had the time/energy I'd consider:

- Seeing what published information (policy decisions, advertisements,
public debates) about adoption of the system and how it operates.
- Consider using FOI to dig further to find out more and fill in the gaps
which are almost certain to be missing from the above.
- When GDPR comes into force, consider having your child make appropriate
SAR's (which will be free).
- There ought to be a record kept (under the GDPR) of the grounds for
processing (and information about this should be being supplied to data
subjects from May). The ground is presumably not consent, which could be
attacked, but they may have messed this up.
- They will almost certainly have to have a DPO notified to the ICO, so
finding who that is is a start. If they haven't done so, that's another
point of pressure. The idea of a DPO is a good one because they must be no
lower than board - 1 and must have considerable freedom to call out
failures of the GDPR. Not having one is a violation.

Really just understanding the shape of what is there is where I would
start, before thinking about how it might be challenged.

Also finding others concerned so the load is shared.

The other attack is of course non-legal, using publicity, journalism and so
on. Some of the above will help with that. I'm a lawyer so I specialist in
legal points of pressure, but others push in other places and often with
much greater effect. Public bodies can be quite weak against exactly the
right kinds of pressure.

Francis Davey
Please support ORG's work - join and help fund our future:

To unsubscribe, send a blank email to 
or use https://lists.openrightsgroup.org/listinfo/org-discuss

Reply via email to