Limitations and Safeguards Applying to Taking of Fingerprints and Image Acquisition by Banks - Provision of 27 October 2005 
- Rilevazione di impronte digitali ed immagini per accedere agli istituti di credito: limiti e garanzie - 27 ottobre 2005 
- Video Surveillance The general provision adopted by the Garante - 29 aprile 2004 
- Facsimile verifica preliminare-comunicazione installazione rilevazione immagine-impronta digitale banche pdf
[doc. web n. 1276947]
[ doc. web n. 1246675]
Limitations and Safeguards Applying to Taking of Fingerprints and Image Acquisition by Banks - Provision of 27 October 2005
published in the Official Journal of the Italian Republic no. 68 of 22 March 2006
THE GARANTE PER LA PROTEZIONE DEI DATI PERSONALI
Having convened today, with the participation of Prof. Francesco Pizzetti, President, Mr. Giuseppe Chiaravalloti, Vice-President, Mr. Mauro Paissan and Mr. Giuseppe Fortunato, Members, and Mr. Giovanni Buttarelli, Secretary General;
Having regard to international and Community legislation concerning personal data protection (Directive no. 95/46/EC);
Having regard to the Personal Data Protection Code (legislative decree no. 196 of 30 June 2003), in particular to Section 17 thereof;
Having regard to the provisions taken by the Garante on 29 April 2004, concerning video surveillance, and 28 September 2001, concerning biometric data acquisition by banks;
Having considered the requests for prior checking lodged by several credit institutions pursuant to Section 17 of the Code in respect of the processing of biometric personal data as related to security requirements applying to bank agencies; having regard to the draft guidelines the Italian Banking Association is about to issue to banks, which were submitted to the Garante for consideration;
Having regard to the considerations made by the Secretary General in pursuance of Section 15 of the Garante´s Rules of Procedure (no. 1/2000);
Acting on the report submitted by Mr. Giuseppe Fortunato;
Some credit institutions lodged requests for prior checking with the Garante, in pursuance of Section 17 of the Code; the requests concerned the processing of personal data as consisting in coupling customers´ biometric data – based, in particular, on the taking of fingerprints via scanners connected and/or integrated with a computerised system – with other personal data concerning customers to be collected by means of video surveillance systems.
The requests were lodged also in pursuance of the guidelines issued by the Garante in its provision on video surveillance of 29 April 2004 (see point 3.2.1 thereof) and were aimed to allow gathering evidence to be possibly used in cases involving criminal conduct.
The Italian Banking Association submitted statistics relating to criminal activities against banks – with particular regard to bank robberies – and highlighted, in turn, that the need for equipping some especially at-risk agencies and branches with devices to gather biometric data was supported by many banking institutions.
Having concluded complex preliminary enquiries, the Garante considers it necessary to adopt a new general provision to take account of the innovations brought about by the Code that came into force on 1 January 2004, by having regard to the general principles set out in its provision of 28 September 2001. This applies, in particular, to the requirements contained in Sections 17, 24(1), letter g), and 154(1), letter c), of the said Code. Indeed, the Garante is in charge of laying down measures and precautions addressing "specific categories of processing and data controller" within the framework of a check to be carried out prior to start of the relevant processing (as per Section 17 of the Code), whenever the processing concerns personal data other than sensitive and/or judicial data that entail specific risks for the data subjects´ fundamental rights, freedoms, and dignity.
In the case at issue, as already highlighted in point 3.2.1 of the 2004 provision, the specific risks result from the deployment of "video surveillance systems entailing image collection either in connection and/or matched and/or compared with other specific personal data" as well as from the specific features of some of the data to be processed – namely, those based on the taking of fingerprints.
Therefore, this provision is aimed at setting out the measures and precautions to safeguard data subjects that will have to be implemented by all credit institutions operating in the national territory, where they plan to avail themselves of the systems in question, if the preconditions mentioned below are fulfilled and providing they comply with the principles laid down in the Code.
2. Lawfulness, Purpose Specification, Data Minimisation, and Proportionality
The blanket, undifferentiated use of systems allowing data subjects to be identified by means of a mix of different data acquisition mechanisms is not permitted as it is in breach of the data minimisation principle – whereby information systems and software should be configured in such a manner as to rule out the processing of personal data (here, the biometric data) that are unnecessary for the purposes to be achieved (see Section 3 of the DP Code).
The blanket collection of highly significant data – such as those related to fingerprints – in respect of all bank customers is to be regarded as unlawful, especially if it is only accounted for by un-specific security requirements.
Failing specific proof of the concrete existence of a considerable risk, this would disproportionately impinge on the data subjects´ freedom and dignity and would expose them to the risk that highly sensitive personal data such as fingerprints data may be misused.
The personal data at issue may only be processed in compliance with adequate safeguards and exclusively in view of enhancing the security of property and individuals – namely, bank employees and customers. To that end, it is necessary for specific circumstances to apply as related to objective situations such as to give rise to a concrete, considerable risk, which each bank is required to assess with special care (see the Garante´s provisions of 11 December 2000 and 7 March 2001).
The specific circumstances in question, possibly supported by the findings of the competent law enforcement and public policy bodies, may be related, in particular, to the location of a bank agency – e.g. where the latter is placed in high-crime-rate areas, isolated, or close to "escape routes" for criminals. Account may also be taken of the circumstance that a given bank agency, maybe like other agencies located in the same area, was the subject of robberies. Other specific circumstances may also be considered, where they may give rise to a real danger in respect of one or more bank agencies – such was the case, in the past, in connection with the increased amount of cash available in banks at the time the Euro was introduced.
The existence of the said circumstances should also be reviewed on a regular basis by having regard to any factor that is liable to affect the risk exposure level – e.g. the establishment of a police station nearby, or the enhancement of manned surveillance inside a bank agency. Based on the outcome of this review, any data processing operation that is found not to be justified any longer must be terminated or suspended.
3. Information Notices
Data subjects must be adequately informed both of the presence of fingerprint acquisition systems and of the association between fingerprints and images (as per Section 13 of the DP Code). The information must be provided prior to data collection and anyway before a person accesses a double-door / revolving door entrance, if any.
The information notice must contain the items referred to in the DP Code (Section 13), and may be worded concisely on condition the information is clear and unambiguous. It must highlight that the person is free to access the bank without having his/her fingerprints taken, in which case an alternative procedure should be applied also based, if necessary, on customer identification.
The Garante has developed a model "minimum" information notice data controllers might want to use at the entrance(s) to banks; this notice must be supplemented by a more detailed notice to be posted inside the bank. Both models are annexed to this provision.
4. Measures and Precautions to Be Taken
The use of fingerprinting systems jointly with video surveillance equipments must take place in compliance with the additional precautions and measures listed below to safeguard data subjects:
a) Alternative options to access the bank
The taking of fingerprints should not entail a compression of the bank customers´ freedom and dignity. If access to the bank is envisaged by way of the systems in question, it should be ensured that, if the customer objects to or is unable to undergo fingerprinting because of his/her personal circumstances, access to the bank is enabled in any case by means of an alternative entrance – and anyway without the customer´s being obliged to provide his/her personal data – and, if necessary, by taking certain precautions that are left to the bank manager´s discretion (e.g. the request for producing an ID document). As already pointed out in the Garante´s provision of 2001, any arrangements that are burdensome to a customer or else suitable for dodging the obligation to allow entrance without taking the customer´s fingerprints are prohibited.
b) Data collection mechanisms
The deployed video surveillance systems must be oriented exclusively towards the entrance area of the bank and not film any other buildings or, in particular, the entrances thereof.
As for the biometric data to be collected, it is sufficient to take one fingerprint of the person concerned.
c) Security measures
The systems deployed for collecting images, whether fixed or moving, and taking fingerprints must ensure that the data are immediately encrypted before being recorded in a database – irrespective of the relevant configuration – in compliance with high security standards.
It must be ensured that images and fingerprints are matched unambiguously to prevent identification errors.
Special attention should be paid to the encryption techniques applied to both images and fingerprints.
The data must be processed via "robust" encryption systems using either symmetric or asymmetric encryption algorhythms, or else both types of algorhythm.
In particular, if the data are encrypted by means of symmetric encryption techniques and the symmetric keys relating to each data and/or each data portion are encrypted by means of asymmetric or public key encryption techniques, the whole encryption process must be guaranteed by an escrow agent – namely, the person in charge of an internal independent auditing function, or another independent entity to be nominated by the latter – acting as the custodian of the encryption keys that can allow de-crypting the information kept by the bank.
It must be prevented that the acquired information may be decrypted without the said escrow agent´s involvement.
Access to decrypted information, either on judicial grounds or following exercise of the data subject´s rights (pursuant to Section 7 of the DP Code), must only take place by the agency of the said escrow agent.
The obligation to take such minimum security measures as are compliant with the benchmarks set out in the DP Code (see Section 31 thereof and Annex B to the Code) is hereby left unprejudiced. This applies, in particular, to access by persons in charge of the processing and/or system administrators in charge of specific tasks related to operation or maintenance of the systems in question.
Finally, the systems deployed must meet stringent data reliability and integrity requirements in pursuance of such certifications and/or authorisations as may have been granted to them. In this context, the banks where the systems are deployed must obtain and keep the certificate to be issued by the installer as per Rule no. 25 in the Technical Specifications concerning minimum security measures (Annex B to the DP Code).
d) Data retention
The encrypted data relating to fingerprints and images, if any, must be retained for no longer than one week and stored in chronological sequence so as to allow them to be retrieved promptly, also by organising them as appropriate by date of recording.
Mechanisms must be in place to automatically erase all the information upon expiry of the said term. It must also be prevented that the retention period is increased surreptitiously by creating backup copies.
This is without prejudice to the possibility for the bank to make the data available by preventing them from being automatically erased upon expiry of the relevant data retention term, if the data subject lodges a data access request, criminal events have taken place, or a request is lodged by judicial authorities.
Finally, no interlinking is allowed between the acquired data and other data held by the bank and/or third parties, nor may additional databases be set up or facial recognition systems deployed.
e) Data access
The information gathered by means of the data acquisition systems in question may only be decrypted and accessed by judicial and police authorities in connection with specific investigations related to detection or prevention of offences as carried out pursuant to the Criminal Procedure Code. To that end, the co-operation of the aforementioned escrow agent may be sought, who may lawfully access the data if this is necessary in discharging his/her tasks – also whenever a data subject exercises his/her right to access the personal data concerning him/her.
Conversely, the staff – including external staff – that are specifically in charge of operating and maintaining the equipment may in no way be enabled to access the "plain-text" version of the encrypted data (whether images or fingerprints).
5. Balancing of Interests
If the prerequisites and conditions referred to above are fulfilled, the processing of personal data shall be regarded as lawful also in the absence of the data subjects´ consent under the terms of Section 24(1), letter g), of the DP Code.
This finding is based on the specific purposes sought as well as on the consideration both of the mechanisms applying to the processing, which is of a provisional nature and must be compliant with the measures and precautions set out herein, and of the further purposes aimed at by the other data controllers that may receive the data (i.e. judicial and police authorities).
The data subject´s consent must be considered to be also unnecessary with regard to decryption of the processed data by the escrow agent, whose additional processing operations must not go beyond the communication of the "plain-text" version of the data either to the aforementioned entities or to the data subject requesting access to his/her data as per Section 7 of the DP Code.
6. Specific Requirements
It is to be recalled, first and foremost, that the processing operations in question must be notified to the Garante pursuant to Section 37(1), letter a), of the DP Code.
Additionally, each credit institution is required to provide the Garante – by May 31st, 2006 – with the list of all the respective agencies/branches where the devices at issue had been deployed prior to issuance of this provision.
Where a credit institution plans to install new equipment, or modify the existing equipment, an ad-hoc prior checking application will have to be lodged with the Garante by means of the forms annexed hereto. The said prior checking will be performed once only prior to start of the processing, as per Section 17 of the DP Code. To that end, it is permitted to provide a single list including all the relevant agencies/branches where the said equipment is to be deployed by specifying the concrete risks that account for such deployment, as assessed by having regard to other available measures.
In addition to the above requirements, each bank agency/branch will have to keep and update the following documents also in view of possible inspections by the Garante:
a) a copy of the prior checking application lodged with the Garante;
b) documents pointing to the existence of concrete risks to the relevant bank agency/branch;
c) technical documents concerning installation of the deployed biometric and video surveillance systems, showing their compliance with the conditions set out herein. The said documents must also include:
- the features of the video equipment (e.g. location of camera(s) and respective technical features);
- the features of the biometric data collection device(s);
- the features of the information systems used for processing images and biometric data with particular regard to the encryption process;
- the maximum data retention period;
d) a copy of the information notice provided to customers;
e) such documents as can allow outlining the alternative access mechanisms to the bank agency/branch in question;
Based on the above premises, the Garante
1. Orders all data controllers, under section 154(1), letter c), of the DP Code, to take the necessary measures laid down herein in order to bring their processing operations into line with the legislation in force;
2. Specifies, in pursuance of section 24(1), letter g), of the DP Code, the cases in which personal data may be processed by credit institutions in connection with the information systems referred to herein without the data subjects´ consent in order to pursue legitimate interests, under the terms detailed in the Premises and in compliance with the limitations and conditions specified herein;
3. Orders that a copy of this provision be forwarded to the Ministry of justice – Publishing Department in order for it to be published in the Official Journal of the Italian Republic as per section 143(2) of the DP Code.
Done in Rome, this 27th day of October 2005
THE SECRETARY GENERAL