Personal Data As Also Contained in Records and Documents by Public Administrative Bodies: Guidelines for Their Processing by Public Bodies in Conn...
Personal Data As Also Contained in Records and Documents by Public Administrative Bodies: Guidelines for Their Processing by Public Bodies in Connection with Web-Based Communication and Dissemination / Italian Data Protection Authority
(Published in Italy's Official Journal no. 64 dated 19 March 2011)
HIGHLIGHTS OF THE DECISION
The Italian DPA issued a draft of the Guidelines in question in December 2010, partly in the light of recent legislation that was aimed at enhancing the transparency of public administrative activities and facilitating access to public records by introducing various obligations for public administrative bodies to publish and disseminate records, documents and information on their organization and activities.
The Draft Guidelines were submitted for consultation (deadline: January 31st) to specialized bodies (Committee for assessing, ensuring transparency and fostering integrity of public administrative bodies, Committee for regulating access to administrative records, Civil Service Department at the Prime Minister's Office), ministries, organizations representing local authorities and Regions, and consumer associations.
The principles and guidance set forth in the Guidelines are aimed at laying down an initial set of safeguards public bodies are required to implement whenever they communicate or disseminate personal data on the respective official websites in compliance with the legislation in force; such communication and dissemination may be performed for purposes related to transparency and publicity of administrative activities as well as to enable consultation of and access to individual records upon request.
Whilst public bodies may use personal information to discharge their institutional tasks even if no laws and/or regulations provide expressly for the processing of such personal information – and they do not have to request the data subjects' consent in these cases – any public administrative body that posts, on the respective official website, (excerpts of) documents or records containing personal data must check beforehand that the communication/dissemination in question is provided for in laws and/or regulations (see section 4(1)l. and m. and sections 19(3), 20, and 21 of the DP Code). This is without prejudice to the overarching ban on the dissemination of any information suitable for disclosing an individual's health (see sections 22(8), 65(5), and 68(3) of the DP Code).
Furthermore, public administrative bodies may post, on their websites, information containing personal data also taken from administrative records and documents if this dissemination is adequately justified, absolutely necessary to pursue the remit of the individual public administrative body as set forth in specific laws and regulations, and related to information that is helpful to enable the recipients to know the activities and/or operation of the public administrative body in question or else to foster access to the services provided by the said public administrative body. This is without prejudice to the ban on communicating or disseminating user-related information except where this is expressly provided for by laws and/or regulations; additionally, it should be recalled that publishing sensitive personal data is only allowed if it is expressly provided for in a law that should specify the data categories, the processing operations, and the substantial public interest pursued by way of the processing; alternatively, the processing in question must be specified in the ad-hoc regulations public administrative bodies are required to adopt following the Italian DPA's endorsement (see section 20(1) and (2) of the DP Code).
Any data subject has the right to lodge specific requests with public administrative bodies in order to have certain personal data relating to them published on the relevant official websites. Each administrative body has discretion in considering these requests for publication, which may only be granted if the careful assessment to be performed in each case shows that the publishing in question is compatible with the discharge of the institutional tasks committed to the individual public body as well as that the data to be posted are relevant and not excessive vis-à-vis the specific purposes (see section 11 of the DP Code).
Definition of "Transparency", "Publicity", and "Access"
Without prejudice to the specific definitions set forth in sector legislation, we consider it helpful to provide definitions of "transparency", "publicity", and "access" of/to administrative records and documents exclusively with a view to the appropriate implementation of the guidance contained herein. Such definitions relate to the communication and/or dissemination of personal data as performed by public bodies via the respective institutional websites.
"Transparency" – Availability of administrative records and documents containing personal data on institutional websites for the purpose of transparency is intended to ensure widespread knowledge of the information concerning organizational features of the specific administrative body so as to enable wide-ranging supervision of the public administrative body's capability to achieve the respective objectives as well as of the mechanisms in place to assess civil servants' performance.
"Publicity" – Online availability for publicity purposes is intended to inform about administrative actions as related to fairness and legitimacy principles as well as to ensure that administrative instruments are legally enforced so as to foster the conduct possibly required on the part of the addressees of those instruments.
"Access" – Availability of administrative records and documents on institutional websites for the purpose of access is intended to ensure that such records and documents are only made available to specific entities (or categories) so as to facilitate participation in administrative activities and procedures.
Public administrative bodies are required, first and foremost, to assess what specific purposes are mentioned in the applicable laws and regulations that lay down specific mechanisms for the disclosure of information, records and documents issued by the public administration; account should be taken in this regard that the legislation on transparency, publicity of and access to public records is intended to ensure that public administrative activities are publicly known – subject to some limitations – and does not serve similar purposes.
The above assessment is aimed ultimately at developing different mechanisms for making available the data and documents in question, by having regard to the different purposes served in the individual cases (transparency / publicity / access), the categories of information to be disseminated, and the tools that may be used to disclose such information – so that data subjects' rights are respected in full.
Accordingly, appropriate arrangements should be made to ensure that the information is disclosed in accordance with fairness and proportionality standards; that it may not be retrieved unconditionally and unrestrainedly; and that data quality and accuracy principles are upheld by also limiting the period in which the information is available online.
The data should be retrieved preferably via internal search engines. This solution is to be prioritized, from a general perspective, because it can ensure that access to the information is more selective as well as consistent with the purposes served by publication of the said information; at the same time, it can ensure that the information to be disseminated can be easily found in the official website(s). To that end, specific access rules may be coded within each text file (e.g. via the noindex/noarchive metatags and the robots.txt file, to be configured in accordance with the Robot Exclusion Protocol). This is without prejudice to the use of any tools that can facilitate retrieval of the information and documents to be disseminated on a public body's official website.
Where no specific sector-related provisions lay down mandatory disclosure periods (e.g. in the case of resolutions by municipalities and provinces, which must be posted on the respective Public Billboards in the respective premises for fifteen consecutive days), each public administrative body will have to set forth the appropriate online availability periods with regard to any records or documents that contain personal data (where such data is capable to identify individual data subjects); those periods may in no case exceed what is considered to be necessary, on a case by case basis, to achieve the purposes underlying public dissemination.
Once the said specific periods have expired, the relevant records (or parts of a website) should be removed; alternatively, they may be shifted to a section that can only be reached from within the public body's website and is not indexed by external search engines. The latter may be achieved by means of web publishing and content management systems, which can allocate specific availability periods to the documents and records posted on the public body's website (e.g. via specific metadata); upon expiry of the said periods, the information can be easily removed, also automatically. An alternative option might consist in planning regular checks of the timestamp and availability conditions applying to the various items of information posted on the website, in particular following updates of the said information.
The appropriate precautions should be taken to prevent bulk duplication (by means of automated software) of the files containing personal data that can be found on institutional websites; this is aimed at preventing this information from being reproduced and re-used in different contexts and for different purposes. Network firewalls may be deployed or specific application filtering techniques implemented. In any case, the information available online must be also available to individuals with disabilities in pursuance of Act no. 4/2004.
Any data that is available on line must be accurate, updated, and reliable (see Section 11(1)c. of the DP Code); this is a requirement also stemming from the obligation to ensure conformity of the information posted online with that contained in the original administrative records/documents (see Section 54(4) of decree no. 82/2005). The appropriate measures should be implemented to do away with or reduce the risk that the information and documents available on the Internet may be erased, amended, altered and/or taken out of their context – for instance, reliable sources may be specified from which the said documents may be retrieved; digital certificates and electronic signatures may be used; "context data" may be inserted into any file posted on official websites such as versioning information, expiry, administrative body in charge.
The Guidelines also provide guidance in respect of the principles and standards applying to specific cases that have to do with sector-specific legislation. A few examples are reported below:
If the regulatory and/or legislative preconditions that legitimate communication and/or dissemination are fulfilled, it is necessary for each public administrative body to verify what personal data - considered to be relevant in order to appropriately discharge the respective institutional tasks – are to be disclosed by posting them on the institutional website (see sections 11, 18, and 19 of the DP Code).
Special care should be taken in selecting the personal data to be posted online if the information includes sensitive and/or judicial data, or data suitable for disclosing health or sex life.
Indeed, especially stringent safeguards apply to sensitive and judicial data, which public bodies may only process if such data are indispensable, in the given case, to carry out institutional activities and such activities may not be implemented by processing anonymous data and/or data that are neither sensitive nor judicial in nature (see section 22 of the DP Code).
- Human Resources Information
- The amendments made to section 19 of the DP Code to regulate disclosure of information on performance and assessment of "any person discharging public functions" are in line with the basic requirement of ensuring transparency of administrative activities. Posting such information on an administrative body's website is mostly compliant with specific regulatory obligations on transparency as clarified by the "Guidelines" issued by the competent Independent Board for the Assessment, Transparency, and Integrity of Public Administrative Bodies. Accordingly, additional items of information may be disseminated in respect of civil servants' work and assessment – except for those that are closely related to the employer-employee relationship and/or the employee's detailed evaluation data. As well as being adequately justified, such dissemination must be also provided for in the "Triennial Transparency and Integrity Policy" each administrative body is required to lay down; relevance and non-excessiveness principles must be complied with.
- No information may be disclosed (subject to legal requirements) on any diseases and/or disabilities that result into an employee's leave of absence or are taken into account in the employee's performance evaluation, nor is any information to be disseminated on the employer-employee relationship within the given public administrative body;
- Information on the costs borne by public bodies for the payment of wages and salaries to their employees, including the individual beneficiaries, must be posted on the respective websites in pursuance of the law;
- The requirement whereby the CVs of senior civil servants should be published on a public body's website in accordance with the "European CV" form does not entail publication of the CV as a whole, which cannot be justified exclusively for the sake of transparency; account must be taken of relevance and non-excessiveness principles, so that the information to be disseminated will have to be selected appropriately by having regard to the public functions and/or tasks discharged by the individual civil servant (e.g., personal details including name, job position, business phone number, business e-mail; information on educational and professional background including job assignments, language skills, contributions to workshops, published papers, etc.; such additional information on the person's professional skills as may be provided in the CV);
- There is no justification for posting on a public body's website information such as employees' pay slips, detailed data extracted from tax returns, working hours of individual employees, home addresses and phone numbers, personal emails, or information on an employee's leaves of absence;
- Transparency of public administrative activities can also be achieved without resorting to personal data; accordingly, there is no need for specific precautions if a public administrative body posts on its website information that cannot be related to identified or identifiable individuals (e.g. aggregated quantitative information on wage levels and personal allowances; work absence rates; total apportionment made for performance bonuses and amount of the bonuses actually allocated to employees; performance targets allocated to the individual divisions/departments; information on the handling of payments and the relevant good practices);
- The lists of senior civil servants each public administrative body is required by law to post on its official website must only include the information specified in the sector-specific legislation (first and last name, date and place of birth, date of seniority, start of employment date, tasks conferred and respective deadlines). On the other hand, the computerized database of the employees of public administrative bodies set up by an ad-hoc law at the Prime Minister's Office includes additional items of information on senior civil servants (e.g. career information, secondments, etc.) for the purposes of fostering mobility and professional exchanges; accordingly, it may only be accessed by public administrative bodies for those purposes as well as by any entity that plans to use this information to establish or defend a legal claim.
- Public Allowances, Grants, Benefits
- The registers of beneficiaries of public allowances or grants (set up under a Presidential decree of 7 April 2000, no. 118) should only include such data as is necessary to identify the individual data subjects (names and dates of birth) along with the accounting year in which the given allowance/benefit was granted and the "legal instrument justifying the granting of the allowance/benefit in question". However, it will be excessive to mention the underlying piece of legislation if the latter is such as to disclose the data subject's health (e.g. in the case of Act no. 68/1999 on "Provisions to Ensure Labour Rights Vested in People with Disabilities", or Framework Act no. 104/1992 on "Assistance, Social Integration, and Rights of Handicapped Individuals", etc.);
- No irrelevant data should be disseminated via the web in this context – such as a recipient's home address, Tax ID, bank details, or any information describing the recipient's straightened circumstances;
- As said, no information suitable for disclosing a recipient's health may be disseminated online such as references to the circumstance that a scholarship was granted to a "person with disability" or that a welfare bonus was allocated to an "non-independent elderly"; this also applies to information on the score totaled according to the so-called "index of independence of activities of daily living" (ADL index, or Katz index);
- If the above information on allowances or benefits is posted in the official websites of the public bodies granting them, it is preferable to implement internal retrieval mechanisms or channels and limit the indexing of such information as well as the creation of cache copies by external search engines via appropriate arrangements (see above).
It should be verified whether the personal data contained in records and documents posted on the institutional website may be disclosed to the public as a whole or else to those users that applied for a specific service, or maybe to the parties involved in an administrative proceeding (in which case selective access mechanisms will have to be implemented).
Where administrative records and documents are to be posted online to fulfill publicity obligations (see Act no. 69/2009), it is disproportionate to enable such records and documents to be retrieved via external search engines; conversely, it is reasonable to post the information in a section of the institutional website and limit its indexation along with its dissemination period by way of the arrangements specified above.
- Public Competitive Examinations
- The laws and regulations concerning publicity of the results of public competitive examinations expressly provide that personal data may be disseminated also by way of the official website of the individual public administrative body. Accordingly, it is lawful to disseminate the results of such competitive examinations online by enabling access to the relevant public body's website – that is to say, the information in question should not be retrievable via external search engines. To that end, candidates may be provided – for instance – with authentication credentials (username and password, registration number, other identification tokens) to access special areas of the public body's website where additional information may also be disclosed (if appropriate) based on freedom of information legislation (e.g. the tests performed, minutes of the exam sessions, scoring or grades, supporting documents such as CVs, publications, etc.);
- Based on the above premises, a distinction should be drawn between relevant and irrelevant information. The former includes, for instance, a list of candidates with the respective pass votes or total score as well as a list of candidates that have qualified for written/oral exams; conversely, irrelevant information in this context includes candidates' fixed or mobile phone numbers, home addresses, email accounts, educational background, Tax IDs, family status (e.g. the number of children with disabilities), or psychometric information.
- Selective Access to Public Records
- Specific laws and regulations provide that certain administrative records and documents (e.g. the lists of people with disabilities that are set up for selective job placement purposes) are to be made available by public bodies to any entity with a vested interest therein as well as to any entity requesting access to those records and documents to defend legitimate interests; to that end, IT technologies may also be relied upon. The scope of dissemination of the records and documents in question is therefore known beforehand (e.g. addressees of the given administrative decisions, third parties concerned by administrative decisions, counterparties). For this reason, granting unrestrained access to this information is in breach of the proportionality principle, whilst it is appropriate to implement selective access criteria.
- Accordingly, restricted access areas will have to be set up in the given public body's website (e.g. via an Intranet or an Extranet), where the records and documents in question will be made available after eliminating such items of personal information (including health-related information) as are irrelevant for the specific publicity purposes; alternatively, the entities who may legitimately access such information might be provided with a personal access code (pursuant to the relevant regulations set forth in the Digital Administration Code) if availability of the records and documents in question is envisaged within the framework of the digital services provided by the relevant public administrative body;
- Of note, any information that is found to be irrelevant or excessive in the context of an online dissemination service may be processed further by the competent public body to fulfill the respective institutional tasks; that information may also be accessed by any entity with a vested interest therein pursuant to the applicable freedom of information legislation (see, in particular Act no. 241/1990).