
Security Measures and Notification: Simplifications Introduced by the Italian DPA

Application of the so-called minimal security measures by public and private bodies was simplified by a decision of the Italian DPA. This simplification exercise will not jeopardize the safeguards afforded to citizens; indeed, the decision by the DPA aims at ensuring an adequate security level by meeting, at the same time, the requests coming from the business sector (in particular, SMEs) to reduce the procedural workload, introduce a tiered system of safeguards depending on sensitiveness and risk of the individual processing operations, and diminish the attendant costs.

The decision by the DPA concerning simplified security measures was adopted after hearing the Minister for regulatory simplification and published in Italy's Official Journal. It applies to

a. Public and private bodies only processing non-sensitive personal data (such as name, family name, Tax ID, address, telephone number) or else sensitive data relating to their employees' health or membership of trade unions;

b. SMEs, self-employed professionals or craft businesses only processing personal data for administrative and/or accounting purposes.

Accordingly, the above categories of data controller:

- May instruct the staff in charge of processing about the applicable minimal security measures, including verbally;

- May resort to any authentication system that consists of a username and password in order to enable access to their IT systems; the username will have to be de-activated once the recipient is no longer entitled to access the data (e.g. because he/she no longer works for the data controller);

- May implement procedures and arrangements to allow continued operation and security in case an employee is absent from work and/or unable to handle the processing (e.g. by automatically forwarding the relevant emails to another account);

- Must update their security (anti-virus) software at least once a year and perform at least monthly data backups.

The DPA also provided guidance to SMEs, craft businesses, self-employed professionals, and public and private bodies that only process personal data for administrative and accounting purposes, in order to help them draft a simplified security policy document.

Simplified procedures were also introduced in case no computerized systems are used to process personal data.

Regarding notification, an ad-hoc decision was issued by the DPA to simplify the relevant form. It should be recalled here that notification is only to be given to the DPA if certain categories of data are processed (genetic data, biometric data, medical data processed for assisted reproduction purposes, etc.).

Rome, 9 December 2008