Security In Telephone And Internet Traffic Data - 17 January 2008 [1502599]

Having convened today, in the presence of Prof. Francesco Pizzetti, President, Mr. Giuseppe Chiaravalloti, Vice-President, Mr. Mauro Paissan and Mr. Giuseppe Fortunato, Members, and Mr. Giovanni Buttarelli, Secretary-General;

Having regard to the personal data protection Code (decree no. 196/2003, hereinafter the "Code");

Having regard to, in particular, sections 17, 123, and 132(5) of the Code;

Having regard to the resolution dated 19 September 2007 whereby the Authority started a public consultation on a document adopted on that date with regard to "Measures and arrangements to safeguard data subjects in connection with the retention of telephone and Internet traffic data for the detection and suppression of criminal offences", which was published on the Authority's website;

Having regard to the comments and considerations submitted in the course of the public consultation, whose deadline had been set on 31 October 2007;

Having regard to the outcome of the meetings held with some trade associations that had requested such meetings;

Having regard to the documents on file;

Having regard to the considerations made by the Secretary General in pursuance of section 15 of the Garante's Rules of Procedure (1/2000);

Acting on the report submitted by Prof. Francesco Pizzetti;

WHEREAS

1. Preliminary Remarks
The processing of telephone and Internet traffic data carries specific risks for fundamental rights and freedoms and data subjects' dignity.

The information in question requires special protection and if used inappropriately may impact considerably on the personal sphere of several data subjects; the Italian Constitutional Court pointed out (in two decisions dated 11 March 1993 and 14 November 2006, respectively) that "it can facilitate disclosure of data on an individual's personality" and adequate safeguards are required in view of such disclosure.

In fact, telephone and Internet traffic data should only relate to the outer features of conversations, calls and/or communications – i.e. they should not allow inferring the respective contents.

Additionally, such outer features allow detecting when someone was in touch with whom and in what manner, whether by telephone or via the Internet, as well as when someone accessed what information on the Net – indeed, it is possible to also locate the users of certain types of equipment.

The sheer volume of communication flows entails the creation and – at times – the retention of numberless items of information that enable tracing a whole gamut of personal, professional, business and institutional relationships as well as giving rise to personal and/or group profiles. This is especially the case if the data are retained by providers on a large scale for longer than is necessary in connection with the provision of services to users and subscribers, because this is mandated by specific legal obligations related to exceptional requirements in the judicial sector.

As regards Internet communications, there are additional, more specific criticalities compared to telephone communications as such – because what is seemingly an "outer" item of data (e.g. the web page visited, or the destination IP address) often allows detecting or disclosing the contents of the communication as well; that is to say, it can allow not only tracing one's personal and social relationships, but also extracting information on one's interests, beliefs and habits.

The inappropriate use of the information in question – which was found to be the case recently in connection with serious infringements of data protection laws – may considerably affect individuals' private sphere or breach specific secrets in connection with certain activities, relationships and/or professions.

Accordingly, it is necessary to ensure that the retention of the data by providers – where necessary to provide the relevant services and/or mandated by the law – is such as to afford enhanced protection of the rights and freedoms of individuals.

This is why Parliament has entrusted the Garante (section 132 of the Code) with determining the measures and arrangements to be made by providers of electronic communications services in connection with the retention of telephone and Internet traffic data, which is currently provided for in view of the detection and suppression of criminal offences – irrespective of the safeguards laid down more generally in our legal system also in terms of constitutional and procedural law.

This provision is aimed at setting out the stringent precautions to be taken by providers in generating and retaining telephone and Internet traffic data.

Before specifying the necessary precautions as based on the complex investigations carried out by the Garante, it is appropriate to make some preliminary considerations in respect of the current regulatory framework, the providers and the personal data at issue.

2. The Regulatory Framework

2.1. Community Legislation
European directive 2002/58/EC on the processing of personal data and the protection of privacy in the electronic communications sector requires Member States to protect the confidentiality of electronic communications and prohibits the retention of traffic data that are generated in the course of communications – except for what is expressly authorised for the purposes specified in the directive.

The directive applies (article 3) to processing of personal data in connection with the provision of publicly available electronic communications services on public communications networks. Traffic data are defined as data that are processed "for the purpose of the conveyance of a communication on an electronic communication network or for the billing thereof" (article 2 and recital 15 of directive 2002/58/EC.)

As well as requiring Member States to adopt national legislative measures to ensure confidentiality of the communications taking place via a public communication network and publicly available electronic communications services, the directive focuses on the traffic data generated by those services (article 5). These data as processed and stored by the provider of the public electronic communication network and/or service must be erased or made anonymous when they are no longer needed for the purpose of the transmission of a communication – except in the cases specified therein (see article 6(2), (3) and (5), and article 15(1); see, inter alia, Opinion 1/2003 on the storage of traffic data for billing purposes, as adopted on 29 January 2003 by the European data protection working party.)

Under article 15(1) of the directive, Member States may adopt legislation to restrict the rights and obligations set out in articles 5 and 6 when such restriction constitutes "a necessary, appropriate and proportionate measure within a democratic society to safeguard national security (i.e. State security), defence, public security, and the prevention, investigation, detection and prosecution of criminal offences or of unauthorised use of the electronic communication system." To that end, Member States may, inter alia, adopt legislative measures providing for the retention of data for a limited period justified on the grounds referred to above.

2.2. National Legislation
Directive 2002/58/EC was transposed into Italian law by the personal data protection Code (Title X – Electronic Communications). Chapter I of Title X – dealing with "Electronic Communications Services" – laid down new regulations on the retention of telephone traffic data.

[This part was omitted because it provides information on the regulatory amendments that took place over time in respect of data retention obligations]

Without prejudice to the requirements set out in an Act dated 31 July 2005 as amended by a decree adopted on 31 December 2007, whereby the application of any provisions mandating and/or allowing the erasure of traffic data was suspended until 31 December 2008, the current regulatory framework requires the providers of electronic communications services to retain, for the purpose of detecting and suppressing criminal offences, telephone traffic data – including unsuccessful calls – and Internet traffic data – except for the contents of communications – for twenty-four and six months, respectively (section 132(1) of the Code).

Additionally, the said providers are required to retain the data in question for a further twenty-four and six months, respectively, with a view to detecting and suppressing the offences specifically referred to in section 407(2) letter a. of the criminal procedure code as well as the offences against information and/or computerised systems (section 132(2)).

Finally, it is provided that the retention of the data must be compliant with specific arrangements and measures to safeguard data subjects. Determination of the arrangements and measures in question was committed to the Italian data protection authority (see sections 17 and 132(5) of the Code.)

2.3. Directive 2006/24/EC
In order to harmonise Member States' legislation on traffic data retention for the purpose of detecting and suppressing crimes, directive 2006/24/EC was issued on 15 March 2006; its transposition deadline was set for 15 September 2007.

The directive sets out specific guidelines as for both the retention period of traffic data (ranging from six months to two years) and the appropriate, harmonised determination of the "categories of data to be retained" – which are listed in article 5 of the directive. The guidelines take account of the specific services taken into consideration, i.e. fixed and mobile telephony, Internet access, Internet-based e-mail, and Internet-based telephony.

The guidelines in question should be kept in mind also for the purposes of this provision. Given the regulations in place in Italy, the general definition of "traffic data" as per section 4(2), letter h., of the Code does not specify what data are specifically meant nor is a distinction drawn explicitly between "telephone" and "internet" traffic data.

Conversely, this distinction is necessary because the Italian lawmaker – unlike the Community – laid down two different retention periods depending on the nature (telephone or Internet-based) of the data at issue.

Hence, it is necessary to specify the scope of application of this provision as for the obligation to retain data.

3. Providers Required to Retain Traffic Data
The "providers" required to retain traffic data under section 132 of the Code are those making electronic communications services available to the public on public communication networks. "Electronic communication services" are services consisting, whether wholly or mainly, "in the conveyance of signals on electronic communications networks" (Section 4(2) letters d. and e. of the DP Code).

[…] Hence, the requirement to retain data applies, under section 132 above, to the entities that bring into effect, whether exclusively or not, the conveyance of signals on electronic communications networks – irrespective of the proprietary status of such networks – and offer services to end-users in pursuance of the non-discrimination principle (see also directive 2002/21/EC and decree no. 259/2003 – Electronic Communications Code.)

Conversely, the scope of application of this provision does not include, for instance, the following:

  • entities directly offering electronic communication services to limited groups of individuals (e.g. public or private bodies that only enable their employees and/or collaborators to carry out telephone or Internet communications). Although these services fall within the scope of the general definition applying to "electronic communication services", they may not be regarded as "available to the public". However, if the communication is routed to a user that is outside a so-called "private network", the traffic data generated by that communication are to be retained – for instance, this applies to the provider used by the recipient of the communication in question, in case the latter consists in an e-mail message: see, on this point, document WP37 "Protection of Privacy on the Internet" (21 November 2000);
  • entities that do not generate and/or process traffic data directly even though they offer publicly available electronic communication services;
  • owners and managers of public establishments and/or private clubs of any kind that only make terminals available to the public, or to customers and/or associates, whereby such terminals may be used for telephone or Internet communications, or else that make Internet wireless access points available to the public – except for public payphones that only operate in voice mode;
  • managers of Internet websites disseminating contents on the Net (so-called "content providers"). They do not provide an "electronic communication service" as per section 4(2)e. of the Code – which in turn refers to section 2c. of Directive 2002/21/EC, whereby "the services providing contents conveyed by means of electronic communication networks and services" are excluded from the scope of application. Additionally, it should be pointed out that traffic data related to a communication – such as navigation data and the pages visited on a website – often allow detecting or disclosing the contents of such communication; accordingly, retaining such data would be actually in breach of section 132 of the DP Code, which does not require the "contents" of communications to be retained for judicial purposes (see also article 1(2) of directive 2006/24/EC, whereby retention of the "content of electronic communications, including information consulted by an electronic communications network" falls outside the relevant scope of application);
  • search engines. The Internet traffic data processed by search engines allow keeping track of the operations performed by users on the Net, and can be equated accordingly to "content" data.


4. What Traffic Data Are to Be Retained
The retention obligation applies to telephone traffic data – including unsuccessful calls – and Internet traffic data – excluding the contents of communications (section 132 of the DP Code) – in particular, to any data processed by a provider with a view to conveyance of the communication and/or the billing thereof (section 4(2)h. of the Code).

Accordingly, the providers fulfilling the conditions mentioned in paragraph 3 are to retain, exclusively for the purposes of detecting and suppressing criminal offences, the traffic data they hold to the extent such data are generated by technical activities that are instrumental to the provision of the services in question and/or to the relevant billing. This requirement is also in line with the data relevance and minimization principles laid down in sections 3 and 11 of the Code.

As well as with the provisions set out in the 2005 Act mentioned above, the obligation in question is in accordance with directive 2006/24/EC – whereby retention only concerns the data that have been "generated or processed by providers… in the process of supplying … communication services" (see Recital 23 and article 3(1) of the said directive).

Article 5 of the directive lists the specific items of information to be retained by having regard to the different categories of traffic data as well as to the type of communication (telephone vs. Internet).

As regards electronic communication services, a distinction should be drawn actually between telephone and Internet services.

The former include:

  • telephone calls including voice calls, voice messaging, conference calls and facsimile data transmissions;
  • ancillary services including call forwarding and call transfer;
  • messaging and multimedia services, including SMS-messaging services.

The latter include:

  • Internet network access;
  • Electronic mail;
  • Internet-based facsimile (as well as SMS and MMS messaging);
  • Internet telephony (Voice-over-IP).

As regards the retention of telephone traffic data in respect of unsuccessful calls, and subject to the guidance provided by directive 2006/24/EC (see Recital 12, which excludes "unsuccessful call attempts" from the relevant scope of application), a provider is to retain exclusively the data generated by telephone calls that have been successfully connected but not answered, or where there has been a network management intervention (see article 2(2) letter f. of directive 2006/24/EC).

5. Purposes
The data to be retained under the law may only be used for the purposes of detecting and suppressing criminal offences – and the law specifies which offences justify the prolonged retention of the data in question; hence, providers are subject to specific constraints with regard to any requests that are aimed at different purposes.

For instance,

a. they may not comply with requests made in connection with litigations under civil, administrative and/or accounting laws;

b. the purpose limitation constraint also applies to any data subject accessing the data related to him/her on the basis of the access right set out in section 7 of the Code (i.e. the data obtained in this manner may only be used for the aforementioned criminal law purposes) as well as to defence counsel acting in a criminal proceeding on behalf of a defendant, a person under investigation, a victim and/or any other party seeking damages (section 132(3) of the Code).

6. Data Acquisition

The mechanisms for acquiring the traffic data retained by providers are set out in the Code. As regards the initial retention period (i.e. twenty-four months and six months as for telephone and Internet traffic data, respectively), the relevant request must be lodged "by means of a reasoned order issued by the public prosecutor also at the request of defence counsel, the person under investigation, the injured party, or any other private party" (section 132(3) of the Code).

The counsel for defendant and/or the person under investigation is empowered to directly request traffic data from the provider with regard to the data related to "the subscriptions entered into by his/her client according to the arrangements specified in Section 391-quater of the Criminal Procedure Code without prejudice to the requirements set out in Section 8(2), letter f), with regard to incoming phone calls" (Section 132(3) of the Code). The latter requirement means that providers should assess beforehand whether failure to provide the requested data "may be actually and concretely prejudicial to performance of the investigations by defence counsel" as per Act no. 397 of 7 December 2000.

As regards the subsequent retention period (i.e. the additional twenty-four months and six months as for telephone and Internet traffic data, respectively), section 132(4) of the Code provides that the retained data may only be acquired "by means of a reasoned order [of a judicial authority] if sufficient circumstantial evidence is considered to exist of the commission of the offences under Section 407(2), letter a), of the Criminal Procedure Code as well as of any offences against information or computerised systems."

7. Required Measures and Arrangements

As said, the Garante is required by law to set out the measures and arrangements to safeguard data subjects in connection with the retention of telephone and Internet traffic data for the purpose of detecting and suppressing criminal offences (under section 132(5) of the Code).

To that end, the Garante has analysed several technical issues with experts in this field and carried out inspections at major electronic communication service providers; additionally, a specific public consultation was launched on a detailed document setting out the measures and arrangements considered suitable with a view to the retention of traffic data for judicial purposes.

The measures submitted for public consultation were received favourably as no substantial criticisms were levelled by the entities concerned.

All the considerations and comments submitted via the said consultation were taken into account and analysed in view of drafting this provision.

In laying down the measures and arrangements described below as applicable to the providers, this Authority took account of the criteria mentioned in sections 17 and 132(5) of the Code as well as of the following:

a. the legal requirement whereby specific precautions are to be envisaged by having regard to the amount and quality of the data to be protected and the risks mentioned in section 31 of the Code; such risks have to be averted by the providers in pursuance of the security obligations arising out of the measures laid down in the Code (section 31 et seq.; Annex B);

b. the advisability of setting out, as of now, such protective measures for the processing operations performed by the providers in question as can be verified in the course of an inspection activity, the ultimate objective being the enhanced security of telephone and Internet traffic data;

c. the need for taking account of the costs arising from the adoption of the measures and arrangements set out herein, partly in the light of the multifarious technical and economic features of the entities concerned;

d. the relevant European framework, in particular the opinions rendered by the Article 29 Working Party (no. 4/2005; no. 3/2006; and no. 8/2006);

e. the state-of-the-art technology, which is why the provisions below should be regarded as subject to review on a regular basis.

The measures and arrangements set out by the Italian data protection Authority are described below.

It shall be provided that:

7.1. Authentication Systems
Only the persons in charge of the processing are authorised to process telephone and Internet traffic data, on condition specific computerised authentication systems are in place that must be based on strong authentication techniques. The latter consist in the joint use of at least two different authentication techniques irrespective of the specific access mode (local/remote) to the processing system in question. It is necessary to prevent the processing from being performed if the person in charge thereof has failed to pass a computerised authentication test in accordance with the requirements described above.

As regards traffic data that is retained exclusively with a view to detecting and suppressing offences (i.e. any data that was generated over six months beforehand, or any data processed for the said purposes that has been kept separate from the data processed for different purposes ever since it was generated), one of the techniques mentioned above must be based on the biometrics of the persons in charge of the processing so as to ensure that the latter are physically present at the workstations used for the processing.

The authentication mechanisms in question must also be applied to all technical staff (system administrators, network administrators, database managers) that can access the traffic data kept by the provider.

As regards the said technical staff, there may be cases in which it is necessary for them to access processing systems that handle traffic data in the absence of biometrics and/or strong authentication mechanisms (e.g. to repair malfunctions or failures, to install hardware and/or software components, to upgrade and re-configure the IT system) so as to perform certain operations that require their physical presence close to the processing systems at issue – for instance, to perform administration activities from a local console, whereby it may be necessary to disable network services and it is impossible to handle input/output operations via ancillary equipment such as the one that can be used for strong authentication.

If technical staff are to perform the above operations, subject to compliance with the minimum measures set out in Annex B to the DP Code as for authentication credentials as well as with the specifications made in paragraph 7.3 below (concerning processing of telephone traffic data for judicial purposes), this will have to be recorded in an ad-hoc "access log" along with the respective reasons and a summary description of the operations performed; the log may be managed with the help of electronic tools as well and will have to be kept by the provider at the premises where the processing takes place. In case of inspections and/or controls, it will have to be made available to the Italian data protection authority jointly with a list of the staff authorised to access the individual processing systems in their capacity as system administrators; this list must be updated regularly by the respective providers.

7.2. Authorisation Systems
As for authorisation systems, specific procedures must be in place to ensure separation between technical functions consisting in allocation of authentication credentials and identification of authorisation profiles and, on the other hand, technical management of systems and databases. Such different functions may not be allocated jointly to the same entity.

The authorisation profiles to be determined and allocated to the persons in charge of the processing must allow distinguishing between processing of traffic data for standard management purposes and the processing operations aimed at detection and suppression of crimes; as for the latter, a distinction must be drawn between the authorisation to process the data in question during the initial mandatory retention period (section 132(1) of the Code) and the authorisation to also process the data during the subsequent mandatory retention period (section 132(2) of the Code); finally, a separate profile will apply to processing of the data in connection with the exercise of data subjects' rights (section 7 of the Code).

Accordingly, where a person in charge of the processing has been authorised to process traffic data, for instance, during the initial mandatory retention period (section 132(1) of the Code), that person must not be allowed to access any data whose processing requires an authorisation profile applying to the whole mandatory retention period (section 132(2) of the Code).
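The profile separation required in 7.2, combined with the retention periods stated in section 2.2, can be expressed as an access decision. The following Python code is an added example and not part of the Garante's provision; the profile names, the whole-calendar-month boundary convention and the six-month window for ordinary management (taken from the wording of 7.1) are assumptions, and the section 7 data-subject profile is left out because the page does not state its time window.

```python
from datetime import date
from enum import Enum


class Kind(Enum):
    TELEPHONE = "telephone"
    INTERNET = "internet"


class Profile(Enum):  # hypothetical names for the profiles listed in 7.2
    ORDINARY = "ordinary management"
    JUSTICE_INITIAL = "justice, section 132(1) period only"
    JUSTICE_FULL = "justice, section 132(1) and 132(2) periods"


class Decision(Enum):
    ALLOW = "allow"
    DENY_PROFILE = "deny: profile does not cover this retention period"
    DENY_EXPIRED = "deny: retention term expired, data must be deleted (7.5)"


# Months of (initial, additional) retention as stated on the page.
RETENTION = {Kind.TELEPHONE: (24, 24), Kind.INTERNET: (6, 6)}
# Assumption drawn from 7.1: data generated more than six months ago is
# retained exclusively for justice purposes.
ORDINARY_WINDOW = 6


def months_between(start: date, end: date) -> int:
    """Whole calendar months elapsed from start to end (assumed convention)."""
    months = (end.year - start.year) * 12 + (end.month - start.month)
    if end.day < start.day:
        months -= 1
    return months


def decide(profile: Profile, kind: Kind, generated: date, today: date) -> Decision:
    """Decide whether a profile may reach a record of the given age."""
    if generated > today:
        raise ValueError("record is dated in the future")
    age = months_between(generated, today)
    initial, additional = RETENTION[kind]
    # Past both periods nobody may process the record any more.
    if age >= initial + additional:
        return Decision.DENY_EXPIRED
    if profile is Profile.JUSTICE_FULL:
        return Decision.ALLOW
    if profile is Profile.JUSTICE_INITIAL:
        limit = initial
    else:
        limit = min(ORDINARY_WINDOW, initial)
    return Decision.ALLOW if age < limit else Decision.DENY_PROFILE


if __name__ == "__main__":
    today = date(2008, 1, 17)
    # Constructed sample records: (kind, generation date)
    samples = [
        (Kind.TELEPHONE, date(2007, 10, 1)),
        (Kind.TELEPHONE, date(2007, 1, 1)),
        (Kind.TELEPHONE, date(2005, 6, 1)),
        (Kind.INTERNET, date(2007, 5, 1)),
        (Kind.INTERNET, date(2006, 12, 1)),
    ]
    for kind, generated in samples:
        for profile in Profile:
            result = decide(profile, kind, generated, today)
            print(kind.value, generated, profile.name, "->", result.name)
```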

[…]

7.3 Separate Retention of the Data
Traffic data that are retained exclusively for the purpose of detecting and suppressing criminal offences must be processed with the help of IT systems that are physically different from those used to manage traffic data for other purposes. This applies to both processing and storage components.

More specifically, the IT systems used to process traffic data that are retained exclusively for justice-related purposes must be other than those used to also carry out other corporate tasks (e.g. billing, marketing, fraud prevention); additionally, they must be protected against intrusion by means of suitable perimeter protection tools to safeguard communication networks and the memory resources used for the processing.

Conversely, traffic data that are retained for no longer than six months after being generated may be processed for justice-related purposes both by means of the same processing and storage systems used for processing operations in general and by duplicating them and keeping them separate from the traffic data that are processed for standard purposes – in view of processing such data with the help of dedicated systems.

In this manner, providers are free to select – on the basis of the respective organizational models and technological infrastructure – the IT architecture that is best suited for both the mandatory retention of traffic data and the conventional processing operations performed in the corporate environment. Indeed, traffic data that are retained for up to six months after being generated may be processed for justice-related purposes with the help of non-dedicated IT systems; alternatively, they may be duplicated to carry out dedicated processing operations exclusively with a view to judicial purposes. In the latter instance, the measures and arrangements set out for the data that are only retained for judicial purposes shall apply as from the start of the relevant processing.

The IT equipment that is used to process traffic data exclusively for justice-related purposes must be placed inside restricted access areas – or else inside areas that may only be accessed by individuals authorised to do so in order to discharge specific tasks – and there must be electronic control devices and/or supervisory procedures in place in those areas so as to allow recording of the identification data related to access-enabled individuals including the respective time frames.

If telephone traffic data are processed exclusively for justice-related purposes, access control must envisage biometric recognition procedures.

Upon expiry of the term set out in section 132(1) of the Code, any traffic data that is processed for the purposes of detecting and suppressing criminal offences must be handled in accordance with mechanisms that enable different access modes by having regard to the respective time constraints; the data must be kept separate so as to ensure compliance with purpose limitation and the individual authorisation profiles.

To that end,

  • either the data are to be kept physically separate by making available totally separate systems in terms of both processing and storage,
  • or the data are to be kept logically separate, or mechanisms should be deployed with regard to database structure and/or indexing systems and/or access mechanisms and/or authorisation profiles.

There must be suitable measures in place to restore access to the data if the latter and/or the electronic tools are damaged; the time required for this purpose must be compatible with data subjects' rights and should in no case be in excess of seven days.

7.4 Persons in Charge of the Processing
The persons in charge of the processing that access traffic data stored for the purposes set forth in section 132 of the DP Code – also where this is aimed at allowing exercise of the rights mentioned in section 7 of the DP Code – must be appointed on purpose with regard to the data in question.

The appointment mechanisms must envisage regular training sessions to describe the relevant instructions, compliance with security measures and the specific tasks. Attendance at such sessions must be documented.

Regarding the requests for exercise of the rights set out in section 7 of the Code that entail retrieving traffic data (also pursuant to section 132(5), letter c., of the DP Code), to the extent this is allowed by section 8(2)f. of the Code, the data controller is required to keep the documents providing proof of the requesting party's identity as per section 9 of the DP Code and make the appropriate arrangements to only disclose the data to the individual(s) that are entitled to get the information pursuant to the said section 9.

7.5 Deleting the Data
Upon expiry of the terms set out in the legislation in force, traffic data must be made unavailable to processing and retrieval by IT systems; they must also be deleted or made anonymous without delay, within a time limit that must be technically compatible with implementation of the relevant IT procedures – this applies both to the databases and processing systems used for processing and to the backup and disaster recovery systems and media, also pursuant to the measures set out in the legislation in force. The operations in question must be documented by no later than thirty days as from expiry of the terms mentioned in section 132 of the DP Code.

7.6 Other Measures
Audit Log
The implemented IT solutions must be such as to ensure supervision over the processing of traffic data by the individual persons in charge of the processing – irrespective of their positions, skills and tasks as well as of the purposes of the processing. The supervision in question must be effective and accurate as also related to the processing operations performed on the individual items of information held in the various databases.

The solutions referred to above include storage, in an ad-hoc audit log, of the operations performed (whether directly or indirectly) on traffic data and any other personal data related thereto. This applies both to the operations consisting in and/or deriving from the interactive use of the systems and to the operations performed via the automatic functioning of IT software.

Audit log systems must ensure that the records they contain are complete, non-modifiable, and authentic with regard to all the processing operations and all IT-security-related events being audited. To that end, storage systems on non-modifiable devices must be implemented to record auditing data – possibly in a centralised fashion – from the individual processing facilities and/or data centres. The data and/or data clusters must undergo computerised procedures prior to being written in order to certify their integrity; encryption technology must be used in the said procedures.
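
One way to meet the integrity requirement above, shown as an added Python example that is not part of the decision: each record is sealed with an HMAC-SHA256 chained to the previous record before it is written, and a checkpoint kept outside the log exposes truncation. The decision prescribes no algorithm; HMAC chaining, the field names and all sample values are assumptions constructed for illustration.

```python
import copy
import hashlib
import hmac
import json

GENESIS = bytes(32)  # fixed anchor that the first record chains to


def record_mac(key: bytes, prev_mac: bytes, seq: int, entry: dict) -> bytes:
    """MAC over (previous MAC, sequence number, canonically encoded entry)."""
    body = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hmac.new(key, prev_mac + seq.to_bytes(8, "big") + body, hashlib.sha256).digest()


class AuditLog:
    """Append-only log whose records are sealed before they are stored."""

    def __init__(self, key: bytes):
        self._key = key
        self._records = []
        self._last = GENESIS

    def append(self, operator: str, action: str, target: str, timestamp: str) -> tuple:
        entry = {"operator": operator, "action": action,
                 "target": target, "timestamp": timestamp}
        seq = len(self._records)
        mac = record_mac(self._key, self._last, seq, entry)  # computed before the write
        self._records.append({"seq": seq, "entry": entry, "mac": mac.hex()})
        self._last = mac
        return self.checkpoint()

    def checkpoint(self) -> tuple:
        """(record count, last MAC), to be stored outside the log itself."""
        return len(self._records), self._last.hex()

    def export(self) -> list:
        return copy.deepcopy(self._records)


def verify(key: bytes, records: list, checkpoint: tuple) -> str:
    """Return "ok" or a description of the first inconsistency found."""
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec.get("seq") != i:
            return f"record {i}: sequence gap or reordering"
        try:
            stored = bytes.fromhex(rec["mac"])
        except (KeyError, TypeError, ValueError):
            return f"record {i}: missing or malformed MAC"
        expected = record_mac(key, prev, i, rec.get("entry", {}))
        if not hmac.compare_digest(stored, expected):
            return f"record {i}: MAC mismatch"
        prev = expected
    count, last_hex = checkpoint
    if len(records) != count or prev.hex() != last_hex:
        return "log does not match checkpoint (truncated or extended)"
    return "ok"


def demo() -> dict:
    """Run the checks on a constructed log and three tampered copies of it."""
    key = b"constructed-demo-key-not-for-production"
    log = AuditLog(key)
    # Constructed sample operations; identifiers are placeholders.
    log.append("op-0001", "query", "traffic-record:sample-A", "2008-01-17T09:00:00Z")
    log.append("op-0002", "export", "traffic-record:sample-B", "2008-01-17T09:05:00Z")
    log.append("batch-job", "erase-expired", "partition:sample-C", "2008-01-17T23:00:00Z")
    cp = log.checkpoint()

    edited = log.export()
    edited[1]["entry"]["operator"] = "op-0099"  # rewrite who performed the export
    dropped = log.export()
    del dropped[1]                              # remove the export record
    truncated = log.export()[:-1]               # cut off the most recent record

    return {
        "intact": verify(key, log.export(), cp),
        "edited": verify(key, edited, cp),
        "dropped": verify(key, dropped, cp),
        "truncated": verify(key, truncated, cp),
        "wrong_key": verify(b"some-other-key", log.export(), cp),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The MAC key must be held by the logging service rather than by the operators or administrators being audited. The chain only makes tampering evident, so the non-modifiable storage required above is still needed.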

The measures set out herein must be implemented in compliance with the principles that regulate monitoring of employees´ use of electronic devices – with particular regard to the information to be provided to data subjects (see the DPA´s decision dated 1 March 2007, web no. 1387522.)

7.7 Internal Audit – Regular Reporting
The handling of traffic data for the purposes of detecting and suppressing crime must be the subject of at least annual internal auditing procedures to be implemented by data controllers; such procedures should be aimed at checking compliance with organisational, technical and security measures as applying to traffic data in pursuance of the legislation in force as well as of the DPA´s provision, including the measures that are required to select the persons in charge of this specific processing.

This type of audit should be committed to a corporate unit and/or staff that should be other than those in charge of processing the data for the purposes of detecting and suppressing crime.

The auditing activity must include ex-post checks, sample checks and/or alarm-triggered checks based on alerting and anomaly detection systems; checks on lawfulness and legitimacy of data access by the persons in charge of the processing; checks on data integrity; and checks on the computerised procedures implemented for data processing. Regular audits should also be carried out on the actual erasure of the data upon expiry of the relevant retention periods.

The auditing activity must be documented as appropriate in order to always enable establishing which systems have been audited, which technical operations have been performed, which findings have resulted from access analysis, and which criticalities have been detected.

The outcome of the audits must be:

  • disclosed to the individuals and bodies that are empowered to make decisions and implement corporate policies (based on the respective organisational status);
  • referred to in the security policy document, which must specify the actions required, if any, to upgrade security measures;
  • made available to the Italian DPA and/or judicial authorities, if they so request.

7.8 Documenting Information Systems
The information systems used to process traffic data must be documented appropriately in accordance with software engineering principles. Non-standard and/or non-commonly received descriptions should be avoided.

For each application system, the description should refer to the logical/functional architecture, the overall architecture and structure of processing systems, traffic data input/output flows, the communication network architecture, and the entities/categories authorised to access the system.

The documentation in question should come with location diagrams of applications and systems to show the specific location of the individual systems where the data used for detecting and suppressing criminal offences are processed.

The technical documentation must be updated and made available to the Italian DP authority, upon request, along with detailed information on the entities authorised to access the systems with a view to processing traffic data.

7.9 Data Encryption and Protection
Traffic data that are only processed for justice-related purposes must be protected with the help of encryption technology – in particular against the risk that they may be acquired and/or altered accidentally on account of maintenance operations performed on IT systems or else in the course of standard system administration operations. In particular, arrangements should be made to prevent the information in the databases that are used by the IT applications deployed for the processing in question from being intelligible to any entity that does not fulfil the appropriate access conditions and/or authorisation profiles.

To that end, encryption and/or obfuscation of database parts and/or indexes and/or other encryption-based technical measures can be implemented.

The above arrangements must be effective in order to minimize the risk that persons in charge of technical activities related to the processing – e.g. system administrators, database administrators, hardware/software maintenance engineers – might get undue access to the stored information – perhaps by chance – in the course of accessing the systems in question and/or performing maintenance activities, or that they might modify the stored information whether intentionally or not.

Traffic data flows between the provider´s information systems must take place via secure, encryption-based communication protocols; in any case, no plaintext data should be transmitted. Secure communication protocols must also be implemented to ensure, generally speaking, system security – in particular, to prevent vulnerability and intrusion risks: for instance, "terminal emulation" interactive access, whether for technical purposes or not, should not be allowed on non-secure channels, and activation of unnecessary network services should be avoided as such services might lend themselves to intrusion attempts.

7.10 Timeframe for Implementing the Measures and Arrangements Set out Herein
Having regard to the measures and arrangements mentioned above and taking account of the precautions already implemented by providers, as shown by the inspections carried out so far, as well as of the time that is technically required to implement such precautions in full also in the light of the public consultation, it is appropriate to set a deadline for all providers to comply with the guidelines described in the above paragraphs – namely, by no later than October 31, 2008. By the said date all providers will have to formally notify the Garante that they have complied in full with the measures set forth herein.

8. Application of Certain Measures to the Data That Are Processed for Different Purposes
The considerations made in the foregoing paragraphs as to the especially sensitive nature of traffic data, the need to afford increased protection to the rights and freedoms of individuals, and the more stringent requirements to be made in respect of these data also apply to any other processing operation that is performed on telephone and/or Internet traffic data by the providers mentioned in paragraph 3.

Hence, it is indispensable to ensure that at least some of the measures and arrangements mentioned in paragraph 7 above are implemented in any case by the providers in question, insofar as they are appropriate to the specific circumstances, within the framework of similar processing operations performed on telephone and/or Internet traffic data for purposes unrelated to justice – e.g. in connection with billing and/or payment related to interconnection and marketing of services – as regards the shorter timeframe mentioned in section 123 of the DP Code.

This is why the Italian data protection authority requires the providers mentioned in paragraph 3 hereof to implement, under section 17 of the DP Code, the measures and arrangements specified under letter c. hereof within the deadline and in accordance with the mechanisms set out in paragraph 7.10, without prejudice to such provisions as may have to be made in pursuance of section 132(5) of the DP Code.

A copy of this decision will be forwarded to the Ministry of Justice also in view of having it published in the Official Journal of the Italian Republic, under the responsibility of the Ufficio pubblicazione leggi e decreti, as well as to the Authority for Communications Safeguards.

BASED ON THE ABOVE PREMISES,
THE ITALIAN DATA PROTECTION AUTHORITY

a. Under sections 17, 123, and 132(5) of the DP Code, requires the providers of electronic communications services as per paragraph 3 hereof to take the measures and arrangements specified herein to safeguard data subjects in connection with the processing of the telephone and Internet traffic data mentioned in paragraph 4. To that end, they shall (see paragraph 7):

  1. implement specific computerised authentication systems that must be based on strong authentication techniques. The latter consist in the joint use of at least two different authentication techniques, which must be applied to all the persons in charge of the processing and the technical staff (system administrators, network administrators, database managers) that can access the traffic data kept by the provider – irrespective of the specific access mode (local/remote) to the processing system in question. It is necessary to prevent the processing from being performed if the person in charge thereof has failed to pass a computerised authentication test in accordance with the requirements described above. As regards traffic data that is retained exclusively with a view to detecting and suppressing offences, one of the techniques mentioned above must be based on the biometrics of the persons in charge of the processing so as to ensure that the latter are physically present at the workstations used for the processing. The authentication mechanisms in question must also be applied to all technical staff (system administrators, network administrators, database managers) that can access the traffic data kept by the provider. As regards the technical staff mentioned herein, there may be cases in which it is necessary for them to access processing systems that handle traffic data in the absence of strong authentication mechanisms (e.g. to repair malfunctioning or failures, to install hardware and/or software components, to upgrade and re-configure the IT system); if this were the case, subject to compliance with the minimum measures set out in Annex B to the DP Code as for authentication credentials, this will have to be recorded in an ad-hoc "access log" along with the respective reasons and a summary description of the operations performed, also with the help of electronic tools. 
     The log will have to be kept by the provider at the premises where the processing takes place. In case of inspections and/or controls, it will have to be made available to the Italian data protection authority jointly with a list of the staff authorised to access the individual processing systems in their capacity as system administrators; this list must be updated regularly by the respective providers;
  2. Implement specific procedures to ensure separation between technical functions consisting in allocation of authentication credentials and identification of authorisation profiles and, on the other hand, technical management of systems and databases. The authorisation profiles to be determined and allocated by the provider to the persons in charge of the processing must allow distinguishing between processing of traffic data for standard management purposes and the processing operations aimed at detection and suppression of crimes; as for the latter, a distinction must be drawn between the authorisation to process the data in question during the initial mandatory retention period (section 132(1) of the Code) and the authorisation to also process the data during the subsequent mandatory retention period (section 132(2) of the Code); finally, a separate profile will apply to processing of the data in connection with the exercise of data subjects´ rights (section 7 of the Code);
  3. As regards traffic data that are retained exclusively for the purpose of detecting and suppressing criminal offences, implement IT systems that are physically different from those used to manage traffic data for other purposes. This applies to both processing and storage components. Conversely, traffic data that are retained for no longer than six months after being generated may be processed for justice-related purposes both by means of the same processing and storage systems used for processing operations in general and by duplicating them and keeping them separate from the traffic data that are processed for standard purposes. The IT equipment that is used to process traffic data exclusively for justice-related purposes must be placed inside restricted access areas – or else inside areas that may only be accessed by individuals authorised to do so in order to discharge specific tasks – and there must be electronic control devices and/or supervisory procedures in place in those areas so as to allow recording of the identification data related to access-enabled individuals including the respective time frames. If telephone traffic data are processed exclusively for justice-related purposes, access control must envisage biometric recognition procedures. Upon expiry of the term set out in section 132(1) of the Code, any traffic data that is processed for the purposes of detecting and suppressing criminal offences must be handled in accordance with mechanisms that enable different access modes by having regard to the respective time constraints; the data must be kept separate so as to ensure compliance with purpose limitation and the individual authorisation profiles. 
     To that end, either the data are kept physically separate by making available totally separate systems in terms of both processing and storage, or the data are kept logically separate, or else mechanisms should be deployed with regard to database structure and/or indexing systems and/or access mechanisms and/or authorisation profiles. Finally, there must be suitable measures in place to restore access to the data if the latter and/or the electronic tools are damaged; the time required for this purpose must be compatible with data subjects´ rights and should in no case be in excess of seven days;
  4. Appoint the persons in charge of the processing that may access traffic data stored for the purposes set forth in section 132 of the DP Code – also where this is aimed at allowing exercise of the rights mentioned in section 7 of the DP Code. The appointment mechanisms must envisage regular training sessions to describe the relevant instructions, compliance with security measures and the specific tasks. Attendance at such sessions must be documented. Regarding the requests for exercise of the rights set out in section 7 of the Code that entail retrieving traffic data (also pursuant to section 132(5), letter c., of the DP Code), to the extent this is allowed by section 8(2)f. of the Code, the provider is required to keep the documents providing proof of the requesting party´s identity as per section 9 of the DP Code and make the appropriate arrangements to only disclose the data to the individual(s) that are entitled to get the information pursuant to the said section 9;
  5. Upon expiry of the terms set out in the legislation in force, ensure that traffic data are no longer available to processing and retrieval by IT systems. Providers must erase or make anonymous such data without delay, within a time limit that must be technically compatible with implementation of the relevant IT procedures – this applies both to the databases and processing systems used for processing and to the backup and disaster recovery systems and media, also pursuant to the measures set out in the legislation in force. The operations in question must be documented by no later than thirty days as from expiry of the terms mentioned in section 132 of the DP Code;
  6. Implement IT solutions that can ensure supervision over the processing of traffic data by the individual persons in charge of the processing – irrespective of their positions, skills and tasks as well as of the purposes of the processing. The supervision in question must be effective and accurate as also related to the processing operations performed on the individual items of information held in the various databases. The solutions referred to above include storage, in an ad-hoc audit log, of the operations performed (whether directly or indirectly) on traffic data and any other personal data related thereto. This applies both to the operations consisting in and/or deriving from the interactive use of the systems and to the operations performed via the automatic functioning of IT software. Audit log systems must ensure that the records they contain are complete, non-modifiable, and authentic with regard to all the processing operations and all IT-security-related events being audited. To that end, storage systems on non-modifiable devices must be implemented to record auditing data – possibly in a centralised fashion – from the individual processing facilities and/or data centres. The data and/or data clusters must undergo computerised procedures prior to being written in order to certify their integrity; encryption technology must be used in the said procedures;
  7. Carry out internal auditing procedures at least at annual intervals to check compliance with organisational, technical and security measures as applying to traffic data in pursuance of the legislation in force as well as of the DPA´s provision, including the measures that are required to select the persons in charge of this specific processing. This type of audit should be committed to a corporate unit and/or staff that should be other than those in charge of processing the data for the purposes of detecting and suppressing crime. The auditing activity must include ex-post checks, sample checks and/or alarm-triggered checks based on alerting and anomaly detection systems; checks on lawfulness and legitimacy of data access by the persons in charge of the processing; checks on data integrity; and checks on the computerised procedures implemented for data processing. Regular audits should also be carried out on the actual erasure of the data upon expiry of the relevant retention periods. The auditing activity must be documented as appropriate in order to always enable establishing which systems have been audited, which technical operations have been performed, which findings have resulted from access analysis, and which criticalities have been detected. The outcome of the audits must be: disclosed to the individuals and bodies that are empowered to make decisions and implement corporate policies (based on the respective organisational status); referred to in the security policy document, which must specify the actions required, if any, to upgrade security measures; made available to the Italian DPA and/or judicial authorities, if they so request;
  8. Document the information systems used to process traffic data as appropriate in accordance with software engineering principles. Non-standard and/or non-commonly received descriptions should be avoided. For each application system, the description should refer to the logical/functional architecture, the overall architecture and structure of processing systems, traffic data input/output flows, the communication network architecture, and the entities/categories authorised to access the system. The documentation in question should come with location diagrams of applications and systems to show the specific location of the individual systems where the data used for detecting and suppressing criminal offences are processed. The technical documentation must be updated and made available to the Italian DP authority, upon request, along with detailed information on the entities authorised to access the systems with a view to processing traffic data.
  9. Protect traffic data that are only processed for justice-related purposes with the help of encryption technology – in particular against the risk that they may be acquired and/or altered accidentally on account of maintenance operations performed on IT systems or else in the course of standard system administration operations. Providers should make arrangements to prevent the information contained in the databases that are used by the IT applications deployed for the processing in question from being intelligible to any entity that does not fulfil the appropriate access conditions and/or authorisation profiles. To that end, encryption and/or obfuscation of database parts and/or indexes and/or other encryption-based technical measures can be implemented. The above arrangements must be effective in order to minimize the risk that persons in charge of technical activities related to the processing – e.g. system administrators, database administrators, hardware/software maintenance engineers – might get undue access to the stored information – perhaps by chance – in the course of accessing the systems in question and/or performing maintenance activities, or that they might modify the stored information whether intentionally or not. Traffic data flows between the provider´s information systems must take place via secure, encryption-based communication protocols; in any case, no plaintext data should be transmitted. Secure communication protocols must also be implemented to ensure, generally speaking, system security – in particular, to prevent vulnerability and intrusion risks;

b. Under sections 17, 123, and 132(5) of the DP Code and in pursuance of section 157 thereof, requires the aforementioned providers, acting as data controllers, to comply with all the arrangements set out in letter a. above as quickly as possible and in any case by no later than October 31, 2008, and to notify the Garante thereof by also testifying to their full compliance;

c. Under section 17 of the DP Code, requires the aforementioned providers, acting as data controllers, to take the following measures and arrangements (see paragraph 8 hereof) with regard to traffic data that are processed for the purposes mentioned in section 123 of the DP Code [i.e. for purposes other than the detection and suppression of criminal offences] by no later than October 31, 2008, and to notify the Italian DP Authority thereof in pursuance of section 157 of the Code by also certifying their full compliance:

  1. implement specific computerised authentication systems that must be based on strong authentication techniques. The latter consist in the joint use of at least two different authentication techniques, which must be applied to all the persons in charge of the processing and the technical staff (system administrators, network administrators, database managers) that can access the traffic data kept by the provider – irrespective of the specific access mode (local/remote) to the processing system in question. It is necessary to prevent the processing from being performed if the person in charge thereof has failed to pass a computerised authentication test in accordance with the requirements described above. As regards traffic data that is retained exclusively with a view to detecting and suppressing offences, one of the techniques mentioned above must be based on the biometrics of the persons in charge of the processing so as to ensure that the latter are physically present at the workstations used for the processing. The authentication mechanisms in question must also be applied to all technical staff (system administrators, network administrators, database managers) that can access the traffic data kept by the provider. As regards the technical staff mentioned herein, there may be cases in which it is necessary for them to access processing systems that handle traffic data in the absence of strong authentication mechanisms (e.g. to repair malfunctioning or failures, to install hardware and/or software components, to upgrade and re-configure the IT system); if this were the case, subject to compliance with the minimum measures set out in Annex B to the DP Code as for authentication credentials, this will have to be recorded in an ad-hoc "access log" along with the respective reasons and a summary description of the operations performed, also with the help of electronic tools. 
     The log will have to be kept by the provider at the premises where the processing takes place. In case of inspections and/or controls, it will have to be made available to the Italian data protection authority jointly with a list of the staff authorised to access the individual processing systems in their capacity as system administrators; this list must be updated regularly by the respective providers;
  2. Implement specific procedures to ensure separation between technical functions consisting in allocation of authentication credentials and identification of authorisation profiles and, on the other hand, technical management of systems and databases;
  3. Upon expiry of the terms set out in the legislation in force, ensure that traffic data are no longer available to processing by IT systems. Providers must erase or make anonymous such data, within a time limit that must be technically compatible with implementation of the relevant IT procedures – this applies both to the databases and processing systems used for the processing and to the backup and disaster recovery systems and media, also pursuant to the measures set out in the legislation in force. The operations in question must be documented by no later than thirty days as from expiry of the retention period (section 123 of the DP Code);
  4. Implement IT solutions that can ensure supervision over the processing of traffic data by the individual persons in charge of the processing – irrespective of their positions, skills and tasks as well as of the purposes of the processing. The supervision in question must be effective and accurate as also related to the processing operations performed on the individual items of information held in the various databases. The solutions referred to above include storage, in an ad-hoc audit log, of the operations performed (whether directly or indirectly) on traffic data and any other personal data related thereto. This applies both to the operations consisting in and/or deriving from the interactive use of the systems and to the operations performed via the automatic functioning of IT software. Audit log systems must ensure that the records they contain are complete, non-modifiable, and authentic with regard to all the processing operations and all IT-security-related events being audited. To that end, storage systems on non-modifiable devices must be implemented to record auditing data – possibly in a centralised fashion – from the individual processing facilities and/or data centres. The data and/or data clusters must undergo computerised procedures prior to being written in order to certify their integrity; encryption technology must be used in the said procedures;
  5. Document the information systems used to process traffic data as appropriate in accordance with software engineering principles. Non-standard and/or non-commonly received descriptions should be avoided. For each application system, the description should refer to the logical/functional architecture, the overall architecture and structure of processing systems, traffic data input/output flows, the communication network architecture, and the entities/categories authorised to access the system. The documentation in question should come with location diagrams of applications and systems to show the specific location of the individual systems where the data used for detecting and suppressing criminal offences are processed. The technical documentation must be updated and made available to the Italian DP authority, upon request, along with detailed information on the entities authorised to access the systems with a view to processing traffic data.

d. Orders that a copy of this decision be sent to the Ministry of Justice also in view of having it published in the Official Journal of the Italian Republic under the responsibility of the Ufficio pubblicazione leggi e decreti, as well as to the Authority for Communications Safeguards.

Done in Rome, this 17th day of the Month of January 2008

THE PRESIDENT
Pizzetti

THE RAPPORTEUR
Pizzetti

THE SECRETARY GENERAL
Buttarelli