Annual Report for 2004 - Summary
Main Legislative Developments
The consolidated Data Protection Code (legislative decree no. 196/2003) came into force on January 1, 2004; the Code brought about the thorough implementation of both Directives. It was amended by an Act of February 26, 2004 in connection with data retention for the purpose of detecting and suppressing criminal offences. The Act replaced the text of Section 132 of the Code by extending the retention period for telephone traffic data, which may now be retained for 24 months; upon expiry of this term, the data shall be retained by the telecom provider for an additional 24 months exclusively with a view to detecting and suppressing some very serious criminal offences, including those related to terrorism.
Another amendment to the Code was introduced in March 2004 concerning notification requirements. The data protection Code requires notification of the processing operations liable to affect data subjects' fundamental rights and freedoms that are listed in the relevant Section (37); however, it also empowers the Garante to add to or reduce the list of notifiable processing operations. By the decision adopted in March, the Garante exempted controllers from notifying some processing operations that were considered not to be liable to affect the data subjects' rights and freedoms among those listed in Section 37, by having regard either to the capacity of the data controllers or to the purposes of the processing.
Reference should also be made to the adoption of general authorisations applying to the processing of sensitive data by various categories of data controller. Under the data protection Code, processing of sensitive data by private entities is allowed with the data subject's consent and the DPA's authorisation, which may also be granted in the form of a general authorisation addressed to categories of data controller, setting out the framework within which the sensitive data at issue may be processed. Seven general authorisations have been issued so far, starting in 1998; their scope of application is time-limited, as they are reviewed regularly to take account of supervening developments. Those issued in 2004 will expire on June 30, 2005.
As for other legislative developments, the following may be mentioned:
Regulations issued in February 2004 set out the mechanisms for the issuance of the so-called "Services Card", which is meant to simplify electronic access by citizens to public administrative services, i.e. in view of e-government enhancement. The card will contain the holder's identification data and tax ID code, but no biometric data. The Government is planning to distribute about 30 million of these cards by the end of 2005.
The 2004 Budget Act provided expressly for introducing an ad-hoc electronic "medical" ID card (containing the holder's tax ID code) to be used by citizens for accessing all National Health Service services; the relevant provisions were set out in Section 50 of Act 326/2003 and specified subsequently via regulations issued in 2004. This measure was meant only to facilitate supervision over health care expenditure, with particular regard to the costs of drug prescriptions. The card is expected to be delivered to all Italian citizens by the end of 2005.
Main Decisions by the DPA
A decision adopted by the Garante on April 29, 2004 referred to the basic principles applying to video surveillance and described the general requirements to be fulfilled by any video surveillance system; guidance was also provided in respect of specific data processing operations, e.g. concerning the use of video surveillance in schools, hospitals, on board means of transportation, and at the workplace. The DPA reserved the right to take ad-hoc measures in particular situations on a case-by-case basis.
The basic criterion should be respect for citizens' fundamental rights and freedoms and personal dignity, with particular regard to privacy, identity and personal data protection (see Section 2(1) of the data protection Code). Accordingly, the Garante pointed out that individuals may not be deprived of the right to move without interferences that are incompatible with a free democratic society (see Article 8 of the European Human Rights Convention as ratified in Italy by Act no. 848/1955), such as those resulting from invasive, oppressive data acquisitions in respect of an individual's whereabouts and movements, a practice facilitated by the growing interaction between systems via the Internet and intranets. The Garante also drew inspiration from the guidelines issued by several international and Community forums, in particular the documents drafted by the European data protection authorities within the framework of the Article 29 Working Party and the Council of Europe's guidelines on video surveillance of 20-23 May 2003.
The Garante clarified that, as a rule, clear-cut information must be provided to data subjects if census data contained in public and/or publicly available databases are used for electoral propaganda. For the purposes of the European and administrative elections scheduled in June 2004, the Garante exempted candidates and parties engaged in propaganda from the information requirement, which was found to be a disproportionate obligation, but exclusively if the data were taken from public lists and the data subjects were not contacted further. No consent was required if the data were taken from lists, registers, documents, and instruments that are held by public bodies and freely accessible pursuant to laws or regulations (e.g. electoral registers held by municipalities, lists of members of professional rolls, etc.), or if telephone subscriber directories were used to send standard mail messages and/or make direct phone calls. In all other cases the data subject's prior specific consent is necessary on the basis of an information notice specifying the purposes for which the data will be used.
The Garante highlighted the principles to be complied with by TLC operators and public administrative agencies in sending SMS messages of an "institutional" nature, i.e. the messages used by central and/or local authorities to conduct information and awareness-raising campaigns or else to disseminate publicly relevant information.
In a decision of July 7, 2004 concerning SMS messages sent by the Italian Government to inform citizens about the voting procedures of the 13 June 2004 European elections, the Garante confirmed the view it had voiced in a decision adopted in March 2003 and recalled that institutional SMS messaging is lawful only in emergency and exceptional situations. More specifically, a distinction should be drawn between the messages sent by telephone operators at the request of public administrative agencies and those sent directly by public bodies. In the former case, the subscribers' explicit consent will not be required exclusively if the messages are sent in connection with natural disasters and other emergency situations, further to the adoption by the relevant public body, if so allowed under the law, of an emergency measure for the purposes of ordre public, public health and hygiene. In the latter case, i.e. when SMS messages are sent directly by public bodies, no consent will be required in respect of "institutional" communications as such. However, in both cases the telephone operators and the public bodies concerned, respectively, will have to provide prior, adequate information to users in respect of the mechanisms and purposes of the processing performed on the personal data in question as well as in respect of the possibility of receiving institutional messages.
This same stance was taken following the tsunami of December 26, 2004, when the Prime Minister's Office and the Ministry of Foreign Affairs requested the DPA's co-operation with a view to acquiring, from the relevant mobile telephony companies, data concerning Italian citizens who appeared to be in the areas affected by the tsunami. The request was aimed, in particular, at allowing the Ministry to send an SMS message urging those users to report their whereabouts.
The data protection Code empowered the Garante to lay down the mechanisms to enter and use the personal data concerning subscribers (and pre-paid card holders) in publicly available paper and/or electronic directories (see Section 129).
On July 15, 2004 the Garante adopted a decision specifying, in particular, suitable arrangements for data subjects to give their consent with regard both to the inclusion of their data in directories and to any further processing of said data for purposes related to commercial or marketing activities, surveys, etc. A specific model form was drafted by the Garante, which all telephone operators subsequently sent to subscribers (January 2005). This form allows subscribers to be informed appropriately about the purposes for which their data may be included in telephone directories, and to decide which kinds of processing to consent to (in particular, whether to also consent to receiving commercial information, and how, i.e. by mail and/or by phone, as signified by ad-hoc symbols to be placed beside each entry). It will be unlawful for any entity to send unsolicited communications to a subscriber who has objected to them via the form.
Code of Conduct Applying to the Processing of Personal Data for Statistical and Scientific Purposes
On June 16, 2004 the Garante adopted the code of conduct and professional practice applying to public and private bodies processing personal data for statistical and/or scientific purposes, where they are not included in the National Statistical System (Sistan).
Apart from setting prerequisites and relevant safeguards for the processing of data for statistical and scientific purposes, this code draws an important distinction between market surveys for statistical purposes and market surveys for commercial purposes. The text of the Code was annexed to the consolidated data protection code as required by law. An English version is available at www.garanteprivacy.it.
Code of Conduct Applying to Private Credit Reference Agencies
Following a public consultation launched by the Garante, the Code of conduct and professional practice applying to information systems managed by private entities with regard to consumer credit, reliability, and timeliness of payments was finally adopted on November 12, 2004 by all the relevant trade associations with the contribution of several consumer associations. This Code will be legally binding since compliance with its rules is a precondition for the processing of personal data to be lawful, and any breach may carry sanctions plus the payment of damages. The main features of the code are as follows:
a) Need for banks and financial companies (i.e. the entities participating in and accessing the credit information systems, CIS, in question) to use a standard, simplified information notice developed jointly with the Garante, setting out the methods used in risk assessment as well as the mechanisms for data subjects to exercise their rights in practice.
b) Possibility to process only objective, non-sensitive personal data, and prohibition against using hidden codes to categorise customers/applicants.
c) Need to regularly check that the data are accurate, updated, and not excessive, and to keep data on defaults separate from those coming from public sources. In particular, only data concerning the debtor will have to be processed, and the data subject will be entitled to be informed before his/her data are entered into the system.
d) Need to comply with the retention periods set forth in the code, which are the following: 1) data on payment defaults that have been remedied may be retained for up to one year or up to two years depending on whether up to two instalments or more than two instalments were at issue, respectively; 2) loan applications may be retained for 180 days, whereas they must be erased after 30 days if they are not granted and/or are waived by the applicant; 3) data on defaults that have not been remedied may be retained for up to 3 years as from expiry of the relevant contract/agreement.
e) Only the banks and financial companies participating in the CIS may access the personal data contained therein, and security measures must be adopted to prevent bulk queries.
f) The data extracted from the CIS may not be used for the purposes of marketing, surveys or advertising.
g) Managers of CIS are liable to the sanctions (including criminal punishments) set out in the data protection Code in addition to those that can be imposed by the relevant trade associations.
The text of the Code was annexed to the consolidated data protection code as required by law. An English version is available at www.garanteprivacy.it.
Public Consultation on Four Key Issues: Loyalty Programmes, Interactive TV, RFID and Videophones
With a view to the adoption of broad-ranging provisions on the issues in question, the DPA launched a public consultation in December 2004 by calling on user and consumer associations, trade associations, and citizens to give their views on some of the key points to be addressed in developing data protection guidelines for these highly sensitive sectors. In particular, comments and suggestions were sought on the definition of the categories of data to be collected, the purposes of the processing, information notices, obtaining consent, and the application of security measures. The deadline for submissions was January 31, 2005.
Media and Information
In addition to the weekly newsletter that has been published since 1999 to provide the public with information on the DPA's activities, and the six-monthly CD-ROM containing a digital archive of our activities plus the reference legislation, called "Citizens and the Information Society" (whose twelfth edition was published in 2004), the Authority continued its training programme (in-house workshops) on the features and/or application issues related to the Data Protection Code, addressed to private and public data controllers.
Reference should also be made to the international conference organised at the DPA's premises on June 17 and 18, 2004, called "Privacy and Technological Innovations", which provided the opportunity for exchanging views on the issues related to privacy and leading-edge technologies. The proceedings were published at the beginning of 2005.
The Authority's website can be visited at www.garanteprivacy.it.
The documents are partly available in English.