Need for Enhanced Security Measures in Processing Telephone Traffic Data - 1 June 2006
[doc. web n. 1303462]
[ doc. web n. 1296533]
Need for Enhanced Security Measures in Processing Telephone Traffic Data - Decision of 1 June 2006
THE GARANTE PER LA PROTEZIONE DEI DATI PERSONALI
Having convened today, with the participation of Prof. Francesco Pizzetti, President, Mr. Giuseppe Chiaravalloti, Vice-President, Mr. Mauro Paissan and Mr. Giuseppe Fortunato, Members, and Mr. Giovanni Buttarelli, Secretary General;
Having considered the complaint lodged by YZ as represented by his counsel, Carlo Lodovico Fava, at whose office YZ chose to be domiciled,
Telecom Italia S.p.A.;
Having regard to Sections 7, 8, and 145 of the Personal Data Protection Code (legislative decree no. 196/2003);
Having regard to the considerations made by the Office as submitted by the Secretary General pursuant to Section 15 of the Garante´s Rules of Procedure (no. 1/2000);
Acting on the report submitted by Prof. Francesco Pizzetti;
After the complainant´s spouse had received – "round about end November 2005" – an anonymous envelope containing a list of the traffic data related to incoming and outgoing phone calls made via the complainant´s cellphone between September and October 2005, the complainant applied to Telecom Italia Mobile S.p.A. (currently Telecom Italia S.p.A.) on 27 December 2005 to object to the unlawful "dissemination" of those data, which were allegedly "only available" to the said company, and to know "the grounds" on which they had been processed.
Considering that his request had not been granted, the complainant lodged a complaint with the Garante (under Section 145 et seq. of the DP Code) including a detailed list of requests pursuant to Section 7 of the DP Code. These requests were aimed, on the one hand, to know the source, purposes, mechanisms, and logic of the processing of the data in question, the identity of both data controller and data processor, and the entities or categories of entity that could become acquainted with the said data; on the other hand, they were aimed to have the processing of the data in the said list blocked or else all processing operations suspended forthwith, and to have those data erased because they were being processed allegedly in breach of the law.
The company declared that "based on the checks carried out by the (…) Business Support Systems function (…) it does not appear that data viewing and/or extraction operations were carried out concerning the user between September and October 2005". The company additionally stated that "format and structure of the lists referred to in the complaint do not conform with those originating from the systems deployed by Telecom Italia S.p.A." and "the circumstances reported by Mr. YZ as well as the outcome of the internal checks were the subject of ad-hoc information that was preferred to judicial authorities on 3 March 2006 and subsequently included in a complaint lodged with the competent authorities on 20 March 2006".
In submissions presented on 22 March 2006, the complainant considered the above replies as unsatisfactory and (…) expressed several doubts as to data security; furthermore, he requested the Garante "to take such measures as may be appropriate in order to prevent similar events from occurring in future".
Furthermore, the company declared that they could not "establish whether some IT staff might have carried out unlawful operations" because "the system is only configured in such a manner as to record accesses in log files (…) rather than to track the detailed operations performed" as regards the latter category of staff – which includes a small number of individuals, who are in charge of maintaining and managing information systems, in particular server information systems and database management systems that are used to set up databases and traffic data processing procedures, and can be equated mostly to system administrators and database administrators.
Concerning the latter issue, the company also stated that they had "started the stepwise implementation of new security techniques that are aimed at making it less likely or downright impossible for similar events to take place. These techniques" – which had not been implemented in the past allegedly on account of "technical incompatibility with the existing systems" – were said to envisage, inter alia, the introduction of "systems to track down the operations performed by IT staff".
BASED ON THE ABOVE PREMISES, THE GARANTE CONSIDERS THAT
This complaint relates to the processing of the data subject´s personal data concerning inbound and outbound telephone traffic from a cellphone.
[After rejecting other claims made by the data subject because they fail to comply with the requirements set out in the DP Code], the Garante finds that the petition lodged by the complainant on 27 December 2005 should be regarded as the exercise of the complainant´s right to object, on lawful grounds, to further processing of the traffic data that are being challenged.
Concerning the said objection, which was lawfully raised against the company that was the only entity in the possession of especially sensitive information, whose confidentiality was to be ensured in full, the complaint is grounded.
As well as requiring compliance with the purpose limitation principle in carrying out processing operations (Section 11(1), letter b) ), the DP code sets out specific safeguards in respect of the processing of telephone and network traffic data by providers of electronic communications services.
Under Sections 30 and 123(5) of the DP Code, only specific persons in charge of the processing acting under instructions given directly by the provider of the publicly available electronic communications service or the publicly available communications network, as the case may be, are allowed to process the said data exclusively for a limited set of purposes that are specifically set out in the aforementioned legislation. Additionally, the processing in question must be limited to what is "absolutely necessary to carry out the said activities and should allow identifying the person in charge of the processing who accesses the data, also by means of automated search facilities".
Based on the declarations made by respondent under their own responsibility, in particular following the request for information and submission of documents lodged by the Garante directly at respondent´s registered office, the company has been found to have in place a computerised authentication system to allow persons in charge of the processing to access the information in question.
Tools to keep track of the operations performed appear to only be implemented with regard to one of the categories of person in charge of the processing, i.e. those referred to by respondent as "users" (see the definitions mentioned in the premises).
In particular, it is unquestionable – following the explicit statement rendered by the data controller, as per the records on file – that the said tools have not been implemented with regard to the operations performed by the so-called "IT staff", i.e. individuals in charge of managing information systems.
Because of the incompleteness and, accordingly, basic ineffectiveness of the said tools in respect of "IT staff", data subjects are exposed to the risk of inappropriate use as for the unlawful acquisition of their traffic data – which may pave the way to let a serious offence such as the one committed in the case at issue go unpunished, as a bulky printout rich in very sensitive information listed throughout its 24 pages was created without due authorisation after browsing and selecting data and subsequently used in a manner that resulted into severely violating the data subject´s rights.
It is basically irrelevant that the traffic recorded in the said 24-page list might possibly not include all the calls, or that it has been recorded in accordance with a pattern that is different from the one conventionally used by respondent. Conversely, what compounds the seriousness of the case is the fact that both inbound and outbound calls are recorded and that the traffic data include also some location data concerning the cellphone in question.
Therefore, respondent is in breach of the obligation to take, in addition to the "minimum" security measures that, where not adopted, may carry criminal punishments (Section 34 and 35 of the DP Code, and Annex B to the DP Code), a measure that falls unquestionably under the scope of their broader security obligations.
The latter obligations require the data controller to minimize the risks related to the processing – here, the risk that unauthorised processing operations may be performed – by having regard to the knowledge acquired thanks to technical developments, the nature of the data, and the specific features of the processing. If one considers these circumstances, the level of protection afforded to the subscribers and users concerned cannot be regarded as adequate in the case at issue.
The need to implement measures that can ensure, in addition to computerised authentication and authorisation mechanisms, the possibility to check, albeit retrospectively, who carried out a given processing operation and whether such operation was carried out in a manner that was "absolutely necessary in view of performing" the activities permitted by the law, was actually the subject of a provision issued by the Garante last year with regard to equally sensitive activities carried out by the same company for purposes of justice. In that provision (dated 15 December 2005) it was set out that the providers of electronic communications services carrying out, at the request of judicial authorities, activities related to phone wiretapping must take certain measures and that such measures are both necessary and appropriate also in order to safeguard data subjects´ rights – without prejudice to such additional measures as may be ordered by the Garante concerning traffic data retention (pursuant to Section 132 of the DP Code and Section 5 of Act no. 155/2005).
Therefore, the Garante provides hereby that Telecom Italia S.p.A., in pursuance of Section 150(2) of the DP Code, is required to implement IT solutions that are suitable for ensuring supervision over the activities carried out by any and all persons in charge of any kind of processing with regard to the individual items of information included in the databases in use, regardless of the individual person´s capacity, tasks and scope of activity as authorised in respect of the data at issue.
In particular, the company will have to ensure that the authorisation profiles applying to database administrators and system administrators are actually limited to the data and operations committed to them and do not entail the – albeit potential – capability to process personal data other than those that are necessary.
The aforementioned solutions will have to entail the guaranteed recording of all the operations carried out in respect of traffic data in an ad-hoc audit log, including those only consisting in consultation of the data; they must be implemented without delay in accordance with the terms set out below by no later than one hundred and twenty days as from the date of reception of this document, and respondent will have to confirm by the same deadline – both to the complainant and to the Garante – that the requirements laid down herein were complied with in full.
Section 123(5) of the DP Code was also infringed insofar as the said Section requires "identification of the person in charge of the processing who accesses the data, also by means of automated interrogation procedures." This obligation may not be considered to be fulfilled by only requiring computerised authentication of the persons entitled to access the data at the time they access such data; in fact, it requires unquestionably that the said authentication and access be logged in order to document – and possibly check – at least unauthorised accesses. Furthermore, there appear to be involved other constituent elements and/or circumstances related to the statutory offence in question (intention of causing damage to others and/or profiting from the offence; possible harm – see Section 167 of the DP Code). It is therefore necessary to prefer information to judicial authorities, which will receive a copy of this decision jointly with the relevant records.
On the basis of the general resolution dated 19 October 2005 concerning the lump costs and duties to be paid in respect of the handling of complaints, the costs and duties related to the complaint at issue are awarded to respondent and set at 500 Euro, of which 150 Euro relate to handling costs – with particular regard to the administrative requirements to be met in connection with lodging the complaint.
WHEREUPON, THE GARANTE
a) finds that the objection to the processing is grounded as per the complaint at issue, and accordingly provides under the terms of Section 150(2) of the DP Code that, in order to safeguard the data subject´s rights, computerised solutions should be adopted without delay, anyhow by no later than one hundred and twenty days as from the date of reception of this decision, with a view to ensuring control of the activities carried out by any and all persons in charge of the processing – irrespective of their capacity, tasks and scope of activity – with regard to any and all types of processing carried out concerning the individual information items contained in the different databases that are used; to that end, the operations carried out whether directly (in interactive mode) or indirectly (via the automatic deployment of computer software) must be recorded in an ad-hoc audit log, whose operation should ensure that the recordings are complete, non-modifiable, and non-repudiable. At the same time, IT systems and procedures will have to be adopted by the same deadline such as to ensure that the technical functions consisting in the allocation of authentication credentials, data access privileges, and authorisations are kept absolutely separate from the technical functions consisting in system and database management, whereby it should be prevented that the said functions may be entrusted to the same person in charge of the processing;
b) orders respondent to confirm, both to the data subject and to the Garante, that the measures set out in this provision have been implemented in full by the same deadline as per letter a);
c) finds that the remaining claims by the complainant are inadmissible;
d) awards lump legal costs amounting to 500 Euro to Telecom Italia S.p.A., which will have to pay them directly to the complainant.
Done in Rome, this 1st day of June 2006
THE SECRETARY GENERAL