Annual Report for 2007 ' Summary
Annual Report for 2007 – Summary
Main Legislative and Regulatory Developments
Parliamentary Hearings: The DPA was heard several times in 2007 on major issues addressed by the competent Parliamentary committees. In particular, the Authority was heard on issues dealt with by the Parliamentary committee supervising the implementation of the Schengen agreement, Europol's activities, and immigration matters as well as taking part in the debate on the bill concerning the so-called biological will. The Authority also participated in the hearings concerning bills on the setting up of a fraud prevention system in consumer credit and regulating the TV sector during transition to digital technology. The DPA also contributed to a survey on the relationship between freedom of the press and protection of personal rights as well as to that related to management and use of the information held by the Office of the Revenue.
Reference can also be made to a hearing addressing the use of Galileo and GPS satellite navigation systems, in view of the establishment of a world satellite system for non-military purposes.
Awareness Raising in respect of Parliament and Government: The tasks conferred on the Italian DPA based on the DP Code include calling Parliament's and the Government's attention to the advisability of regulating certain sectors. In this connection, Italy's government submitted a proposal to Parliament to set up a DNA data base managed by police for security reasons. We had the opportunity to draw Parliament's and the Government's attention to the need for setting out some fundamental safeguards in view of the establishment of this national DNA database. In particular, the Authority specified that this database should only be aimed at the identification of individual persons. Consequently, the mandatory collection of DNA samples must not be envisaged – and where envisaged in respect of certain categories such as persons arrested, investigated upon, indicted and/or sentenced, proportionate safeguards must be set out; on the other hand the retention period of identification data should be proportionate to the purposes. Additional safeguards were laid down in respect of access mechanisms (access logging was recommended) and the exercise of data subjects' rights. A similar exercise related to the Parliamentary debate on a bill whereby SMEs and self-employed professionals would have been exempted from the application of minimum security measures. The bill would have considerably reduced the safeguards applying to processing of employees' data by a large portion of Italian businesses. The DPA pointed out that Community and international legislation did not allow exempting a whole category from the application of substantive regulations in terms of personal data protection – as well as giving rise to discrepancies compared to the processing operations performed by public bodies. Additionally, the Italian DPA called upon the Italian Parliament to introduce amendments to the Data protection Code to allow considering additional tools (in particular, binding corporate rules) to provide adequate data protection under the terms of the European directive (article 26(2) ).
Opinions: Under the DP Code, the Italian DPA is to be consulted by the Prime Minister and each Ministry whenever regulations and administrative instruments are to be issued that are liable to impact on data protection matters. In 2007 this took place several times; in particular, reference can be made to the opinions concerning the computerised register of car taxes; membership and tasks of the Committee in charge of international adoptions (here we allowed the processing of personal data related to foreign children that are adopted by or placed under the custody of Italian parents exclusively with regard to indispensable data and in compliance with the safeguards laid down in the DP Code); use of the financial system for the purpose of laundering criminal proceeds and the financing of terrorism; the technical rules on ID cards and electronic IDs; co-ordination of public administrative activities aimed at protecting minors against sexual exploitation and misuse; the provisions regulating payments by public administrative bodies; the self-regulation code applying to media and sports; and the mechanisms to enable local authorities to participate in tax controls and other arrangements aimed at countering tax evasion.
Main Decisions by the DPA
Law Enforcement Databases
The management of large databases for law enforcement purposes was one of the main focuses of attention for the Italian DPA also in 2007. In particular, the Authority carried out in-depth investigations in respect of the processing of data by judicial offices. The need for applying more stringent security measures in this sector was pointed out – in particular by having regard to the exchanges of wiretapping records between telephone operators and judicial authorities. The lack of adequate arrangements in respect of the keeping and handling of personal information was confirmed, inter alia, by the inspections carried out at the Court of Rome, the largest one in Italy as for the volume of cases handled annually. The Authority continued its co-operation with the ministry of Justice, the national council of the judicature, and judicial authorities in order to enforce and facilitate compliance; the lack of sufficient financial resources should be referred to here as one of the main reasons for the difficulties encountered by the judicial sector in ensuring adequate safeguards to citizens' data.
Security in Telephone and Electronic Communications
Following an in-depth investigation into the processing of personal data by the main telecommunication operators in Italy, the Authority discovered shortcomings in the collection and processing of personal data related to use of the Internet.
In particular, some operators acting as "internet access providers" were keeping detailed records of their users'/subscribers' web navigation, allegedly because they were obliged to do so by the law. To that end, various tools were used including hardware probes, transparent proxies and packet inspection techniques, which allowed collecting information with a detail level ranging from the source/destination IP address couple to fine-grained HTTP logs – up to search engine query-strings submitted by users, authentication credentials transmitted over simple HTTP connections and any sensitive information that can be specified in an URL-format web address. This kind of processing is not justified by technical reasons as related to the tasks discharged by Internet access providers, which is why the Authority issued three provisions to ban the processing in question and ordered the providers to delete all the users'/subscribers' navigation data recorded unlawfully within sixty days. The Italian DPA also adopted a general provision regarding the storage and processing of traffic data produced by telephone and internet service providers. This was aimed at ensuring enhanced security in respect of the traffic data retained by providers for lawful reasons (including law enforcement purposes). The measures developed by the Garante clarify who is to retain which data and lay down technical and organisational arrangements to ensure secure storage of the data in question. In particular, it is clarified that Internet content providers, search engine managers, public bodies/organisations making available telephone and Internet networks to their staff and/or using servers made available by other entities, Internet cafés and similar establishments fall outside the scope of application of the retention obligations at issue – pursuant to the definitions set out in directive 2002/22/EC on universal service as well as in directives 2002/58/EC and 2006/24/EC. Several technical measures were set out in order to protect the data - including strong authentication and biometrics procedures, fine-grained audit applied to databases and computer systems, encryption of databases, centralized and securitized log collection, and physical security measures for the protection of computer rooms and data centres.
Biometrics. The DPA authorised a public body (office of the Superintendant for archaeological heritage) to use the hand contour in order to enable employees to access a high-security area. The biometrics-based system to be deployed by the office will only rely on the geometric features of the employees' hands without including any other biometric data. The hand contour will be associated with an encryption algorhythm and stored in the internal memory of the biometric equipment; the latter will only be operating in local mode by means of a digital keyword to be selected and entered by the individual employee. This processing was found by the DPA to be lawful and proportionate; whilst the hand contour information does not enable unique identification as is the case, for instance, with fingerprints, it is sufficiently detailed to be used in specific situations with a view to identity controls.
Employment Issues. Guidelines were issued in respect of the processing of employees' personal data in the public sector. The guidelines address the processing of public employees' medical data; the collection of fingerprints to access the workplace; and the dissemination of data on the Internet.
Local Authorities. The DPA issued Guidelines on the processing of personal data with a view to the publishing and dissemination of documents by local authorities. Specific safeguards were laid down in respect of the data related to individuals mentioned, e.g., in decisions and resolutions posted on the municipal bulletin board, in publicly available documents and/or in documents posted on the Internet, so as to take due account of the principle of transparency.
Schools. The DPA clarified that parents may film and take pictures of their children on the occasion of school theatricals, as the images in question are not intended for dissemination and are collected for personal purposes in order to be circulated among family members and friends. The DPA also provided guidance, in co-operation with the Ministry for education, on the use of videophones by students/pupils in schools.
- The Italian DPA instructed local health care agencies not to include medical diagnosis information in the disability certificates they are required to issue for the applicants to be enrolled in unemployment lists and/or exempted from the payment of school/university taxes.
- Dissemination on the website of an Italian Region of the names related to 4,500 patients as well as of information on the respective health status was prohibited by the DPA.
- It was clarified that local municipal authorities may not request physicians to provide names and/or other items of information to identify the patients they visit at home.
- An inspection was ordered by the DPA and carried out with the help of the Financial Police following media reports on the presence of hundreds of medical records in a garbage dump. Information was preferred to judicial authorities against the relevant data controllers because of their failure to take minimum security measures.
- The DPA urged a public body to use payment order forms containing no references to the diseases affecting the respective beneficiaries, in particular HIV-related conditions; the inclusion of general wording and/or numerical codes was recommended.
- A leaflet was published and disseminated ("Protecting Personal Data: Siding with the Patient") to raise citizens' awareness of the importance of data protection in processing operations performed by medical staff, health care bodies, and/or medical labs. It contains concise information on patients' data protection rights and the mechanisms to enforce them.
Processing of Genetic Data
Genetic data may only be processed in the cases provided for by ad-hoc authorisations granted by the Garante (after having consulted with the Minister for Health who shall seek, to that end, the opinion of the Higher Council for Health Care) and, as a rule, with the data subject's written consent.
The general authorisation issued by the Garante in February 2007 to enable this kind of processing filled in a major gap in the regulatory framework. It applies to several categories of data controller for purposes mainly consisting in the provision of health care and the performance of scientific research activities; the issue of genetic data used for facilitating family reunion was also tackled.
After defining the main concepts (genetic data, biological sample, genetic test), the authorisation lists the entities authorised to process genetic data for the purposes specified in the individual cases (health care practitioners, public and private health care bodies, medical genetics laboratories, natural and/or legal persons for scientific research purposes). The principle whereby genetic data may only be processed for such purposes if they are actually indispensable was re-affirmed along with the need for obtaining the data subject's written consent – the only exception being where genetic data are necessary to safeguard the genetic identity (with a view to reproductive choices, or treatment) of a third party belonging to the same genetic line as the data subject and consent may not be provided on specific grounds (legal incapacity, physical impairment, mental disability), or where statistical surveys are at issue or the research activity is provided for by law.
Data controllers must fulfil specific obligations, which are especially stringent as regards the contents of information notices. Genetic counselling is a mandatory requirement if the data are processed for health care or family reunion purposes, both before and during the genetic testing. Specific processing arrangements must be complied with and stringent security measures adopted – including encrypted storage and communication of genetic data and separation of identification from genetic data. The retention period of the data in question must not exceed what is absolutely indispensable for the specific purposes; no genetic data may be disseminated.
A major effort was made by the Italian DPA in 2007 in order to simplify application of data protection legislation in the private sector.
Bulk Debt Transfers and Securitization
A decision (published in Italy's Official Journal of laws and regulations) allowed dealing with several applications lodged with the DPA for exempting data controllers from the obligation to provide information to data subjects in connection with bulk debt transfer and/or securitization. Such operations entail disclosure by the transferor to the transferee of personal data related to the debtors. Under the DP Code, the data controller may be exempted by the DPA from information obligations in specific cases, providing the processing at issue is publicized adequately – according to mechanisms to be set out by the DPA. The Italian DPA ruled that providing information to the individual data subjects (the debtors) entailed a disproportionate effort in this case and exempted the data controllers from the relevant obligations on two conditions: namely, an exhaustive information notice was to be published in the Official Journal no later than when the transfer took effect, and the debtors were to be provided with individual notices on the first useful occasion following the transfer (e.g. when sending the bank statement, or making a payment request) so as to inform them that the transferee had collected their personal data from third parties.
Guidelines for the Monitoring of E-Mail and Internet Usage
The DPA issued a general decision (dated 1 March 2007) applying to the monitoring of e-mail and the Internet carried out by public and private employers alike – in the light both of the case law of the EHRC (case of Copland v. UK) and the stance taken by the WP29. Pursuant to Italy's constitutional framework, employers are required to afford reasonable privacy to their employees in order to ensure that their personality can develop freely and without constraints. Given these assumptions, the guidelines in question attempted to reconcile the interests at stake by re-affirming, on the one hand, the employer's right to lay down the usage arrangements for the IT equipment committed to employees – including proportionate disciplinary measures – and, on the other hand, employees' right to be the subject of controls carried out in a stepwise, proportionate manner and be adequately informed about the processing of their data, which must be minimized. Specific recommendations and prohibitions were laid down in this framework – among the former, the need for employers to adopt an in-house policy tailored to the dimensions of the enterprise, and adequately inform their employees about the mechanisms for using email, the Internet and other electronic tools by also specifying whether and to what extent controls are carried out; as regards specifically the Internet, the categories of website considered relevant to the employment context should be specified, and configuration mechanisms and/or filters should be deployed to prevent certain operations (e.g. certain downloads); additionally, shared email accounts should be made available as well as an ad-hoc email account to allow receiving personal correspondence, whilst employees should be invited to designate a trusted third party (e.g. another employee) to access their mail and forward relevant messages in case they are away from work. The Authority prohibited any activity on the employer's part aimed to perform remote monitoring of employees; where such monitoring requirements are related to production, organisation and/or security in the workplace, the agreement of trade unions should be sought as provided for in other pieces of legislation. Based on the balancing of the interests at stake, the Authority decided that monitoring for preventative purposes may be carried out without the employee's consent also at an early stage, i.e. irrespective of the existence and/or the planned institution of a litigation, providing all the safeguards specified above are in place and the monitoring is proportionate to the specific context (e.g. on account of security risks).
Simplified Mechanisms to Ensure Data Protection in the Insurance Sector
The Italian DPA authorised insurance companies to implement a new, simplified procedure in order to inform customers on the processing of their personal data. Account was taken in this regard of the experience gathered over the past few years within the framework of the so-called "insurance chain", which includes several stakeholders such as joint insurers and re-insurance companies. In practice, it was decided that the information notice will have to be provided once and for all by the insurance company stipulating the contract with the individual customer. That company will be responsible for informing the customer about any subsequent and/or further use of his/her personal data – including the respective purposes and recipients – also on behalf of other entities in the "insurance chain", who often have no direct contacts with the data subjects even though they may process personal information after collecting it from the insurance company. Specific safeguards were laid down by the DPA in order to enable the companies to avail themselves of these simplified information mechanisms – in particular, the insurance company will have to inform customers about the entities processing their data in connection with the specific contracts; an updated list of those entities will have to be posted on the company's website, partly in order to facilitate exercise of access rights by data subjects; any purposes pursued by the companies/entities in question other than those related to risk management will have to be specified in the information notice; and specific consent requirements will have to be complied with whenever consent is actually necessary – which is often not the case, e.g. because the customer's data are indispensable to stipulate and/or enforce the contract. In particular, it was recalled that processing customers' data for marketing purposes requires ad-hoc consent, and that sensitive data (including medical information) may only be processed by insurance companies with the customers' written consent.
Practical Guidelines for SMEs
Practical guidelines were issued to take account of the specific needs applying to SMEs in respect of data protection issues. Starting from the consideration that certain requirements under personal data legislation are sometimes considered burdensome, in particular by SMEs, and in order to foster the view that data protection can turn into a major business asset as it can increase consumers' and users' trust, the Italian DPA issued the guidelines in question to provide SMEs with a tool that can facilitate compliance and highlight the simplification measures that are currently available. As well as clarifying the main obligations that apply to any entity processing personal data and basic data protection concepts (data controller/data processor; information notice; consent and mechanisms for ensuring it is informed, in particular when sensitive data are to be processed), the guidelines clearly set out in which cases the processing is to be notified to the Italian DPA and what security measures a company performing standard business activities is required to take. The options currently available for cross-border data flows were also described, including the use of standard contractual clauses, and a checklist was made available so as to enable a company to verify whether all the relevant steps were taken in view of ensuring compliance.
Use of Customers' Data by Call Centres and Telecom Operators (Inbound and Outbound Services)
Following in-depth inspections carried out all over Italy (with the help of the Financial Police) in respect of the main telephone operators and call centres, it could be established that personal data had been processed unlawfully in several cases and unfair processing practices had been put in place. The Garante issued five decisions in June 2007 setting forth measures to be implemented by some of the most important telephone operators and call centres in order to comply with privacy and other rights vested in users. The decisions in question required phone companies and call centres handling outbound services to terminate all unlawful data processing operations (in particular to activate unsolicited services such as high-speed Internet connections) and inform the Garante on the steps taken to implement the organisational, technical, and procedural measures set out therein (providing information notices to users and obtaining their specific consent to the use of data for advertising purposes; ensuring transparency when first contacting users as to the source of the respective data and the mechanisms of their use; taking note of an user's objection to further contacts; checking on the activity carried out by call centres appointed as data processors.) In case of non-compliance, the Garante reserved the right to issue more stringent provisions such as blocking or prohibiting processing operations.
As regards specifically inbound services, simplified arrangements were laid down in December 2007, partly based on the outcome of the inspections carried out to verify compliance with the above decisions. It was clarified that call centres handling inbound customer calls are not required to inform customers in respect of personal data processing operations, unless the data collected by the operator taking the call are to be used for different purposes (e.g. marketing) – in which case the data subject's informed consent will have to be obtained.
Several issues were addressed in 2007 concerning data protection and journalism. As for the so-called court journalism, the DPA found that publication by some media of the transcripts (including wiretapping transcripts) from ongoing judicial investigations was in breach of DP legislation – in particular, because the transcripts contained personal data (some of them relating to sex life) and their dissemination was in breach of the principle whereby the published information must be "material in view of the public interest". This principle is actually also laid down in the Code of Practice for the processing of personal data by journalists. In other cases it was found that personal data had been collected in breach of fairness and lawfulness principles – e.g. because pictures had been taken intrusively, or because videos had been recorded unbeknownst to the data subjects; of note, the processing in question was also in breach of the fairness and transparency obligations set out in the journalists' Code of Practice mentioned above. In a case concerning publication of news reports on a lady deceased after a serious illness, in which excessive identifying information had been disclosed, the DPA found that the safeguards set out both in the DP Code and in the journalists' Code of Practice had been violated since they apply to the deceased as well. Reference should be made finally to the special protection afforded to children by the DP Code in connection with media and journalism; a code of practice (Charter of Treviso) was adopted a few years ago for this purpose by the Italian journalists' association and endorsed by the Italian DPA. Many cases concerned the publication of data that allowed identifying – unnecessarily – children involved in legal disputes (separation, divorce) and/or in criminal proceedings related to sexual abuse.
In 2007, there were 316 decisions on formal complaints (regulated by sections 145-151 of the DP Code). Like in previous years, most of them concerned banks, financial companies and credit reference agencies. A few cases related to processing of the so-called commercial information (assets and liabilities, bankruptcy/winding-up procedures, etc.) by companies operating in this sector; they resulted into decisions urging such companies to perform in-depth checks before re-using public information in order to ensure that the information in question was updated, accurate, and complete.
Several cases that addressed the processing of data for journalistic purposes enabled the DPA to probe deeper into the "personal data" concept. Regarding identifiability of data subjects, the data related to individuals who were not explicitly identified but could be recognised by reference to other items of information held by the data controller (or available elsewhere) was considered to be personal data; however, it was stressed that it was necessary to take account of all the means that could be reasonably used by the data controller and/or another entity to identify the person in question. Mention should also be made of a case in which the personal information published in respect of two individuals other than the complainant - whose husband had been reported to have deceased in a car accident while he was "with his current partner" - was considered to be personal data related, albeit indirectly, to the said complainant because it produced effects that also impacted on the complainant in question.
Interestingly, the DPA ruled that the complaint lodged against a hospital was inadmissible because the access request was not aimed at obtaining communication of a personal genetic data held by the hospital, but rather the delivery of a tissue sample related to the complainant's deceased father (in particular, a "tissue fragment included in paraffin" and/or a blood sample.)
The inspection activities by the Garante were enhanced in 2007, partly on the basis of the six-month inspection plans developed by the DPA. In performing such inspections, the Garante can also avail itself of a specialised squad within the Financial Police (Guardia di Finanza), which was entrusted with checking compliance with the requirements concerning notification, information notices, security measures, and enforcement of the resolutions adopted by the Garante. Overall, 452 inspection proceedings were carried out. They mostly concerned private entities and were aimed at checking compliance with the main requirements laid down in the data protection legislation. In particular, the Inspection Department focused on the processing of personal (medical) data by pharmaceutical companies and health care bodies; the online processing of personal data; processing aimed at the provision of goods and services via distance selling mechanisms (including call centres); the processing operations performed by Revenue Offices; the retention of users'/subscribers' data by telecom operators; and e-banking services.
Following the inspections, 228 proceedings were instituted with a view to the imposition of administrative sanctions; in 15 cases criminal information was preferred to judicial authorities. Criminal infringements concerned non-compliance with resolutions adopted by the Garante; failure to take minimum security measures; and the violation of the prohibition against the remote monitoring of employees. The administrative sanctions imposed are expected to yield minimum revenues amounting to about Euro 725,000.
Mention should also be made of the specific activities carried out by the Italian DPA in pursuance of international agreements and conventions, especially those related to operation of the Schengen Information System and Eurodac databases.