Simplifying the Security Measures Set Forth in the Technical Specifications Contained in Annex B to the Data Protection Code – 27 November 2008
[doc. web n. 1619241]
As published in Italy´s Official Journal no. 287 dated 9 December 2008
THE ITALIAN DATA PROTECTION AUTHORITY (GARANTE PER LA PROTEZIONE DEI DATI PERSONALI)
Having convened today, in the presence of Prof. Francesco Pizzetti, President, Mr. Giuseppe Chiaravalloti, Vice-President, Mr. Mauro Paissan and Mr. Giuseppe Fortunato, Members, and Mr. Giovanni Buttarelli, Secretary General;
Having regard to the personal data protection code (legislative decree no. 196 dated 30 June 2003), in particular sections 33 et seq. thereof, along with Annex B to the Code containing the technical specifications concerning minimum security measures;
Having regard to section 29 of decree no. 112 dated 25 June 2008 as converted, with amendments, into Act no. 133 dated 6 August 2008, which modified, inter alia, section 34 of the DP Code;
Whereas it is necessary to set forth simplified arrangements applying to implementation of the said technical specifications by any entity that "only processes non-sensitive personal data or else processes sensitive data that only consist in the health and/or disease status related to their employees and collaborators, including project-based collaborations, whereby no reference is made to the respective diagnosis, or else in their employees' and collaborators' membership of trade union and/or trade union-like organisations" as well as in respect of "any processing that is carried out for standard administrative and accounting purposes, in particular by SMEs, self-employed professionals, and handicrafts" by respecting data subjects' rights (see paragraph 1-bis of section 34 of the DP Code);
Noting, furthermore, that the aforementioned simplified arrangements, to be updated regularly, should be made known as widely as possible also via the Italian DPA's website (www.garanteprivacy.it);
Having regard to the opinion by the Minister for Deregulation that was rendered via a letter dated 21 November 2008 on the preliminary draft of this decision, forwarded to the Minister via a letter dated 3 November 2008;
Having regard to the considerations submitted by the Office as made by the Secretary General pursuant to section 15 of the Italian DPA's Regulations no. 1/2000;
Acting on the report submitted by Prof. Francesco Pizzetti;
This decision lays down simplified mechanisms to implement the minimum security measures that are set forth in the technical specifications annexed (as Annex B) to the personal data protection Code (hereinafter referred to as Annex B).
The Regulations Concerning Minimum Security Measures
Whoever processes personal data is required to protect the data by means of the appropriate security measures.
Some of these measures are specified in the Code and represent the minimum level of protection – reference is made here to the measures contained in section 33 et seq. of the Code, to be implemented in accordance with the arrangements laid down in Annex B.
Simplification measures were recently enacted in respect of processing operations performed with electronic tools by entities that only use non-sensitive personal data or only process sensitive data consisting in medical information related to their employees and collaborators, whether project-based or not, without any specification of the respective diagnosis, or else in information on membership of trade unions and/or similar organizations.
In the above cases, it will no longer be necessary to keep and update a security policy document as per section 34(1)g. of the Code; such obligation was actually replaced by the data controller's obligation to issue a self-executing affidavit (under the consolidated statute contained in Presidential decree no. 445 dated 28 December 2000) to the effect that the said data controller only processes the aforementioned data in compliance with such additional security measures as may be required (see section 29 of decree no. 112 dated 25 June 2008 as amended by Act no. 133 dated 6 August 2008).
Regarding the processing operations in question as well as those performed by any entity for standard administrative and accounting purposes – in particular by SMEs, self-employed professionals, and handicrafts – the Italian data protection authority is required to lay down simplified implementing arrangements in respect of Annex B after hearing the Minister for De-Regulation.
The arrangements mentioned above are laid down by way of this decision, which will be updated regularly.
Simplification Applying to Certain Processing Operations
As already pointed out by the Italian DPA via its decision dated 19 June 2008 (published in Italy's Official Journal no. 152 dated 1 July 2008 as well as on www.garanteprivacy.it under web document no. 1526724) as well as in the report submitted to Parliament and Government on 19 June 2008 concerning minimum security measures, the said security measures may be implemented by certain data controllers in a simplified manner based on the experience gathered so far and without affecting the substantive features of the safeguards adopted against certain risks (see section 34(1-bis) of the DP Code as added by section 29 of the aforementioned decree).
Accordingly, new arrangements were set forth to considerably simplify application of several specifications contained in Annex B.
This is aimed ultimately at ensuring the appropriate security level by taking account of the small size of certain organizations along with the specific features of some processing operations that only serve administrative and accounting purposes. Reference was made in this connection to a detailed survey of the individual issues as well as to more in-depth assessments carried out in respect of the implementing issues that have been brought to the DPA's attention from time to time – in particular by means of questions and reports.
The simplified arrangements listed in the attached file may be implemented forthwith by the entities concerned.
NOW, THEREFORE, THE ITALIAN DATA PROTECTION AUTHORITY
a. Sets forth the simplified arrangements to implement the minimum security measures applying to the processing of personal data in the attached file, which shall be an integral part of this decision, pursuant to section 34(1-bis) of the DP Code;
b. Orders that a copy of this decision be forwarded to the Ministry of Justice – Ufficio pubblicazione leggi e decreti in order for it to be published in the Official Journal of the Italian Republic.
Done in Rome, this 27th day of November 2008
The Secretary General
Simplified Arrangements to Apply the Minimum Security Measures in Processing Personal Data
1. Who May Resort to Simplified Arrangements
The following simplified arrangements may be applied by public and/or private entities that:
a. Use non-sensitive personal data or only process sensitive data related to their employees and collaborators, whether project-based or not, consisting in health and/or disease information without any specification of the respective diagnosis, or else in information on membership of trade unions or similar organizations;
b. Process personal data exclusively for standard administrative and accounting purposes, with particular regard to self-employed professionals, handicrafts, and SMEs (see section 2083 of Italy's Civil Code and Ministerial decree dated 18 April 2005 on adjustment of the criteria applying to small- and medium-sized enterprises pursuant to Community law, as published in the Official Journal no. 238 dated 12 October 2005).
2. Processing Performed with the Help of Electronic Tools
The entities mentioned in paragraph 1 may apply the minimum security measures set forth in the legislation on processing performed with the help of electronic tools (section 34 of the DP code and rules 1 to 26 of Annex B) by complying with the following simplified arrangements:
2.1. Instructions given to the persons in charge of the processing (implementing arrangements applying to rules 4, 9, 18 and 21 of Annex B)
The instructions on minimum security measures mentioned in Annex B may be given to the persons in charge of the processing also verbally by using simple, clearly worded language.
2.2. Computerised authentication system (implementing arrangements applying to rules 1, 2, 3, 5, 6, 7, 8, 10 and 11 of Annex B)
Any authentication system that relies on an identification code for data access (hereinafter, the "username") coupled with a password (hereinafter, the "password") may be used to access information systems, providing:
a. the username identifies a single person, whereby different entities shall be prevented from using the same username;
b. the password is only known to the person accessing the data.
The username must be deactivated as soon as the person in charge of the processing is disqualified for lawfully using the data – e.g. because that person is no longer employed by the given organization.
The authentication procedure may also consist in the login procedure that is implemented via the operating system for the networked workstations.
If the person in charge is absent and/or unable to use the system for a long time and it proves accordingly indispensable to take steps exclusively on account of system operation and security issues, and if access to the data and electronic devices is exclusively password-enabled, the data controller may ensure that data and/or electronic devices are made available via pre-defined arrangements and/or procedures. As for the latter, instructions shall be given to the persons in charge of the processing beforehand and the latter shall be informed of any steps taken – e.g. it might be provided that any employees on leave of absence should implement mechanisms that automatically forward their emails to another accessible account: see the Guidelines on Email and the Internet in the Employment Sector as approved by the Italian DPA and published in Italy's Official Journal no. 58 dated 10 March 2007.
2.3. Authorisation System (implementing arrangements applying to rules 12, 13 and 14 of Annex B)
Where it is necessary to keep processing operations separate in terms of their scope, authorisation profiles may be allocated to the persons in charge of the processing – whether individually or by homogeneous categories – via an authorisation system and/or authorisation functions that are incorporated into software applications and/or operating systems; this will allow limiting access to only such data as is necessary to perform the given processing.
2.4. Additional Security Measures (implementing arrangements applying to rules 15 to 18 of Annex B)
The entities mentioned in paragraph 1 shall ensure that the scope of the processing committed to the individual persons in charge of the processing as well as to the persons in charge of managing and/or maintaining electronic tools is in line with the principles of adequacy, proportionality and data minimization; to that end, they may also carry out regular checks. Additionally, they shall update such authorisation profiles as they may have allocated, whenever this proves necessary.
Regular software updates to prevent the vulnerability of electronic devices – e.g. via anti-virus software – as also related to the software mentioned in section 615-quinquies of the Criminal Code as well as to add possible patches, shall be carried out at least yearly. If the computer is not connected with publicly accessible electronic communications networks (ADSL lines, Internet access via corporate Intranet, e-mail), the update must be performed at least every other year.
The data may be protected by also performing at least monthly back-ups. Such regular back-ups may fail to include the data that were not modified in the period following the latest back-up, i.e. any static data, providing a backup copy of such data is available with a view to possible data recovery operations.
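As an added illustration (not part of the decision), the following Python encodes the checks a data controller could run against paragraphs 2.2 and 2.4: one username per person, deactivation once the holder is disqualified, updates at least yearly (every other year for devices not reachable from public networks) and backups at least monthly. The record types, the 31-day reading of "monthly" and the sample records are assumptions.

```python
from dataclasses import dataclass
from datetime import date
# Thresholds from paragraphs 2.2 and 2.4; reading "monthly" as 31 days is an assumption.
UPDATE_MAX_DAYS_CONNECTED = 365  # at least yearly for devices on public networks
UPDATE_MAX_DAYS_ISOLATED = 730   # at least every other year for devices not so connected
BACKUP_MAX_DAYS = 31

@dataclass
class Account:
    username: str
    holder: str       # the single natural person the username identifies (2.2.a)
    active: bool
    authorised: bool  # False once the holder may no longer lawfully use the data

@dataclass
class Workstation:
    name: str
    public_network: bool  # ADSL, Internet via corporate intranet, e-mail
    last_update: date     # last software / anti-virus update or patch run
    last_backup: date

def check_accounts(accounts):
    # Findings: a username shared by several people, or left active after disqualification.
    findings, holders = [], {}
    for a in accounts:
        holders.setdefault(a.username, set()).add(a.holder)
        if a.active and not a.authorised:
            findings.append(f"{a.username}: still active but holder no longer authorised")
    for u, hs in holders.items():
        if len(hs) > 1:
            findings.append(f"{u}: shared by {sorted(hs)}; a username must identify one person")
    return findings

def check_workstation(ws, today):
    # The update deadline depends on connectivity; the backup deadline is the same for all.
    limit = UPDATE_MAX_DAYS_CONNECTED if ws.public_network else UPDATE_MAX_DAYS_ISOLATED
    findings = []
    if (today - ws.last_update).days > limit:
        findings.append(f"{ws.name}: update overdue (limit {limit} days)")
    if (today - ws.last_backup).days > BACKUP_MAX_DAYS:
        findings.append(f"{ws.name}: backup overdue (at least monthly)")
    return findings

# Constructed sample records (not real data), evaluated as of the decision date.
TODAY = date(2008, 11, 27)
SAMPLE_ACCOUNTS = [
    Account("front", "Anna Bianchi", True, True),
    Account("front", "Luca Verdi", True, True),    # shared username, violates 2.2.a
    Account("gneri", "Giulia Neri", True, False),  # has left: must be deactivated
]
SAMPLE_WORKSTATIONS = [
    Workstation("pc-office", True, date(2007, 9, 1), date(2008, 11, 20)),  # update overdue
    Workstation("pc-lab", False, date(2007, 9, 1), date(2008, 10, 1)),     # only backup overdue
]
```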
2.5. Security Policy Document (implementing arrangements applying to rules 19.1 to 19.8 of Annex B)
2.5.1. Subject to the provisions that already allow drafting a self-executing affidavit instead of the security policy document under specific circumstances (see paragraph 1.a above and section 29 of legislative decree no. 112/2008), any public and private entities that only process personal data for standard administrative and accounting purposes, with particular regard to self-employed professionals, handicrafts and SMEs, may draft a simplified security policy document in the manner described below.
The document in question must be drawn up before starting the processing operations and updated by March 31st of every year if changes took place in the previous calendar year compared to the statements made in the document.
The document shall contain:
a. identification information concerning the data controller and any data processors, where appointed. If the data processors change frequently on organizational grounds, reference may also be made to the mechanisms whereby an updated list of such data processors can be retrieved;
b. a general description of the processing operation(s) so as to establish whether the specific security measures are adequate. The description in question should specify the purposes of the processing, the categories of data subject and the data or data categories related to them, as well as the data recipients or the categories of data recipient;
c. a list, also category-wise, of the persons in charge of the processing and their respective tasks. If the persons in charge change frequently on organizational grounds, reference may also be made to the mechanisms whereby an updated list of such persons in charge of the processing can be retrieved along with their respective tasks;
d. a description of such additional security measures as have been adopted to prevent the risk of data destruction and/or loss, whether accidental or not, unauthorised access, and unauthorised processing and/or processing for purposes other than those underlying data collection.
3. Implementing Arrangements Applying to Processing Operations without Electronic Tools (implementing arrangements applying to the rules 27 to 29 of Annex B)
The entities mentioned in paragraph 1 may comply with the obligations related to the adoption of minimum security measures as per section 35 of the Code by applying the measures set forth in Annex B with regard to processing operations performed without electronic tools (rules 27 to 29 of the Annex) in accordance with the simplified arrangements specified below.
3.1. The persons in charge of the processing shall receive instructions, also verbally, concerning supervision over and safe-keeping of instruments and documents containing personal data throughout the processing cycle.
3.2. Where any instrument or document containing sensitive and/or judicial personal data is committed to persons in charge of the processing in order for them to discharge the relevant obligations, the said instrument and/or document shall be kept under the control of the persons in charge until it is returned, so that no unauthorised entity may get access to it, and it shall be returned upon completion of the relevant operation.