Data Sharing and Tracking of Transactions in the Banking Sector
[doc. web n. 1868766]
Decision by the Italian DPA of 12 May 2011 as published in Italy's Official Journal no. 127 dated 3 June 2011
The Italian Data Protection Authority;
Having convened today in the presence of Prof. Francesco Pizzetti, President, Mr. Giuseppe Chiaravalloti, Vice-President, Mr. Mauro Paissan and Mr. Giuseppe Fortunato, Members, and Mr. Daniele De Paoli, Secretary General;
Having regard to decree no. 196 dated 30 June 2003 (Personal Data Protection Code);
Having considered the reports, complaints and questions lodged with regard to the processing of customers' personal data by banks as for the sharing of customer data outside banking groups and the traceability of bank transactions performed by the persons tasked with processing the said data (including the so-called inquiries);
Having regard to the decisions taken by the DPA in this sector;
Whereas it was decided to lay down a comprehensive set of appropriate as well as necessary measures that could provide additional guidance for both sector-specific practitioners and customers; whereas the most appropriate practices will have to be outlined for that purpose;
Whereas the measures in question should be laid down by the Italian DPA in pursuance of section 154(1)c. of the Code;
Having regard to the considerations submitted by the Secretary General pursuant to Article 15 of the DPA's Rules of Procedure no. 1/2000;
Acting on the report submitted by Prof. Francesco Pizzetti;
This decision is aimed at setting forth the requirements that apply to the processing of customer data by the entities mentioned in paragraph 1.2 below so as to ensure compliance with personal data protection principles under the terms of decree no. 196/2003 (Personal Data Protection Code); the said requirements concern the sharing of customer data by banks and the traceability of the bank transactions performed by bank employees whether they entail money transfers or only consist in the performance of inquiries.
1.2. Scope of Application
This decision applies to the following entities providing they are established in the national territory (under section 5 of the Code): banks, including banks that are members of corporate groups (as regulated, in general, by section 2359 of the Civil Code and, more specifically, by section 60 et seq. of decree no. 385/1993); companies other than banks providing they are members of the above groups (hereinafter referred to as "banks") with regard to such processing operations as they may perform on customer data; Poste Italiane S.p.A. with regard to the activities they may carry out in connection with banking and financial services as per Presidential decree no. 144/2001 – see the Regulations on Bancoposta services adopted pursuant to the powers delegated by section 40 of Act no. 448/1998; see also the Supervision Guidance for Banks contained in Bank of Italy's circular letter no. 229 dated 21 April 1999, last updated on 9 April 2004.
This decision relates to the processing operations performed by the aforementioned entities by way of the respective employees.
The provisions contained in the Code are left unprejudiced as regards cross-border data transfers by data controllers. In this respect, the DPA reserves the right to issue a decision in future if this proves to be necessary.
Furthermore, this provision does not address the arrangements for customers to access banking services online (so-called home banking services).
1.3. Preparatory Activities
This decision was drafted by taking account of the reports, complaints and inquiries that had been lodged with our DPA over the past years; of the inspections performed in 2008, 2009 and 2010 at the main banks and/or banking groups in Italy as well as at Poste Italiane S.p.A.; of the specific decisions adopted by the Italian DPA following some of those inspections; and of the findings of additional inquiries and surveys that were performed in co-operation with the Italian Banking Association (hereinafter ABI) and finalized in October 2010.
Several data subjects stated in complaints and reports lodged with our DPA that they had been informed that personal data relating to them as kept in the databases of banks they had contracts in place with had been accessed without authorization; additionally, it was alleged that such access had been performed by employees, who were alleged to have passed on the information to third parties who in turn had reportedly used the information for personal purposes – in particular to produce evidence in court as part of judicial separation proceedings and/or for third-party attachment proceedings.
Considering the importance of this issue, our DPA decided to carry out inspections at some banks so as to establish, in the first place, whether employees had actually accessed customer data and on what grounds.
The findings of such inspections were such as not only to enable the DPA to deal with some complaints via ad-hoc decisions, but also to highlight criticalities of a more general nature.
Additionally, having established the different organizational arrangements made by banks along with the considerable number of entities involved in the said investigations, our DPA decided to also request ABI's collaboration in order to better clarify the issues in question via more in-depth inquiries.
Those inquiries consisted in the drafting by our DPA of a model questionnaire to glean information on the organizational arrangements the individual banks had in place with regard to the issues being addressed; this was followed by a document drafted by ABI in the form of aggregate, anonymous information whereby it was found that "340 entities took part in the survey including banks and banking groups, for a total of 441 banks operating in the national territory."
2. Data Sharing among Banks Belonging to the Same Corporate Group
2.1. Organisational Issues as Resulting from the Findings of Inquiries and Inspections
Customer information may be shared within a banking group in connection with three main scenarios:
1. Sharing of personal data among banks belonging to the same corporate group;
2. Sharing of personal data between offices or branches of a given bank;
3. Sharing of personal data within an office or branch of a given bank.
In the first scenario, i.e. whenever customers' personal data are shared among banks belonging to the same corporate group, the inspections showed that different arrangements were in place in the individual banks. Two main situations could be detected:
- Only data relating to crediting and debiting operations were shared between offices of banks all belonging to the same group, i.e. no information could be accessed on the balance of and/or the full list of the transactions performed on an account if that account was held at another bank within the group;
- All kinds of data could be shared within the banking group, i.e. balance data and other banking information could be accessed by bank tellers (who had been appointed as persons in charge of the processing based on the respective tasks and authorization profiles) without any limitations.
Also in the second scenario, i.e. when personal data are shared between offices or branches of a bank, considerable differences could be found based on our inspections:
- In the case of a bank, the data concerning customers of a specific office could be accessed in full by the persons in charge of the processing at that office if the respective authorization profiles allowed them to do so; such persons could not only handle the accounts held at the office in question, but also obtain information on whether a given customer held additional accounts and/or deposits with other offices of the bank – even though they could not access the relevant figures. The persons in charge of the processing as appointed at a given office of the bank could perform certain bank transactions (cash-in, withdrawals, money transfers, handling of securities, etc.) upon request of customers holding accounts at other offices of the said bank; they could only obtain the balance and/or the list of the transactions relating to those accounts if the transactions in question had been performed correctly;
- In the case of another bank, no transactions could be performed by the persons in charge of the processing on accounts held at branches other than the one where the current account of the specific customer was held, except for cash-ins. The bank did not allow data sharing among its branches/offices as it only allowed the persons in charge at a given office/branch to view the bank data relating to customers from other branches;
- Finally, in the case of yet another bank the employees working at a given branch were enabled to only access information on accounts/deposits etc. held at that branch.
As for the third scenario, it was found that customer data is usually only shared between the persons in charge of the processing within an office/branch based on specific authentication and authorization profiles.
2.2. Protection of Personal Data
The findings from the above preparatory activities showed that the banks were acting as separate data controllers.
Accordingly, the sharing of customers' personal data within a banking group amounts to a communication addressed to third-party recipients.
The information notice to be provided by each bank acting as a data controller under section 13 of the Code will have to specify that customers' personal data may be communicated to other data controllers within the relevant banking group.
As for consent, it should be pointed out that data may only be communicated if the data subject's informed consent was obtained (under section 23 of the Code); any one of the preconditions listed in section 24 of the Code must be fulfilled if consent is not relied upon.
Conversely, the sharing of customer data between branches or offices of a bank amounts to a flow of data within a single data controller's organization and does not require the data subjects' consent as it entails no communication to third-party recipients.
In the latter case, however, the information notice might also specify that customer data may be shared between the bank's offices or branches.
3. Data Sharing between Banks Belonging to a Group and Entities Managing the Information Systems Where Customers' Banking Information Is Held
3.1. Organisational Issues as Resulting from the Findings of Inquiries and Inspections
The findings of our inspections show that the information systems containing customer data, which log employees' access to such data, are managed by companies both external and internal to the individual banking groups; each bank has entered into an agreement for the supply of services with those companies. Two main organizational arrangements could be distinguished by ABI:
1. In some banking groups, information systems are managed mostly in-house (…) and committed to a company that belongs to the group and acts either as a data processor or – in some cases – as a separate data controller (…);
2. Conversely, there are banking groups/banks where information systems are managed mostly by external entities (…) and outsourcing plays a leading role in this area. In the latter case, the bank – i.e. the data controller – appoints the third-party outsourcee as "data processor".
In the former case, the so-called "vehicle" companies mostly act as separate controllers in respect of customer data, as pointed out by ABI; a minority of them are appointed as data processors.
Two additional sub-categories can be distinguished in this regard:
a. In large-sized banking groups, the management of information systems is committed to a "vehicle" company belonging to the banking group; this may be done under different arrangements, including consortia, and third parties may be relied upon to handle certain activities (mostly related to infrastructures);
b. In medium-sized banking groups, the arrangements applying to information systems are sometimes similar to those described under letter a. above, whilst in other cases a centralized system is in place at the holding.
As for the latter case (case 2 above), the information system used to process customers' personal data is usually managed by a single third party since it is seldom the case that several entities are involved – usually not exceeding two in number; the third party in question "participates in information processing and management procedures based on a list of services that have been agreed upon contractually as a function of the specific requirements to be met by the individual bank."
3.2. Protection of Personal Data
The different solutions implemented by banks and banking groups mirror the respective features, including operational and size constraints; it is accordingly appropriate to regulate the arrangements each bank and/or banking group should make in order to share customers' personal data with the company/companies in charge of managing the relevant information systems. Based on the overall assessment of the information gathered through preparatory activities, one is to argue that the companies managing the information systems in question – hereinafter referred to as "outsourcees" – can hardly be considered to be separate "data controllers", in particular if one considers the relevant consequences also in terms of liability vis-à-vis data subjects (see sections 4(1)f. and g. and 28-29 of Italy's DP Code).
Even though banks have full discretion in deciding to outsource their information systems, it is indispensable for each bank to carefully assess whether the companies managing those systems may actually be regarded as separate data controllers or should rather be appointed as data processors under the terms of section 29 of the DP Code – regardless of whether they are members of the banking group or not – by taking account of the activities they are tasked to perform based on the respective contractual agreements. This is a precondition to ensure that the processing operations in question are compliant with personal data protection legislation; see also, in this connection, the opinion rendered by Article 29 Working Party (Opinion no. 1/2010 – WP169 – dated 16 February 2010).
Whilst an outsourcee may well act as a "data controller", in practice the outsourcer bank will be the only data controller if
1. It can decide on the purposes of the processing;
2. It can issue binding instructions and guidance to the outsourcee companies managing the information systems, whereby such instructions are basically superimposable to those a data controller is expected to give to a data processor;
3. It can supervise performance of both the said companies and their staff in charge.
In the light of the above considerations, a bank should be regarded as the sole data controller if customers' personal data are processed by an outsourcee according to arrangements whereby the aforementioned powers – which may only be vested in a data controller pursuant to section 4(1)f. and section 28 of the DP Code – continue to be vested in the bank, i.e. they are not factually vested in the outsourcee(s). Hence, it is necessary for the outsourcee company/ies to be appointed as data processor(s) pursuant to section 4(1)g. and section 29(4) and (5) of the DP Code.
4. "Tracking" Data Access and Audit Tool
4.1. Organisational Issues as Resulting from the Findings of Inquiries and Inspections
It is appropriate to lay down a set of requirements applying to employees´ access to customer databases as well as to the tracking of the processing operations performed by those employees.
The various solutions implemented by banks and banking groups were established via on-the-spot inspections to evaluate the technological features of the information systems that were used to track banking transactions (including money-related transactions and inquiries). The wide gamut of such solutions mirrors the discretion left to each bank or banking group in implementing the provisions contained in the "Compliance Requirements for Banks" adopted by Bank of Italy on 10 July 2007. Pursuant to international approaches, the said Compliance Requirements lay down tasks and functions applying to bank management and envisage the setting up of a specific compliance function that should be an integral part of the internal auditing system. The compliance function was introduced by the above instruments and is in charge of supervising and managing the risk of incurring administrative fines, major financial losses and/or reputational damage on account of the violation of statutory and/or self-regulatory instruments (this being the so-called compliance risk). The said Compliance Requirements detail the main tasks along with minimum quality standards for the compliance function, the powers vested in the head of such function, and its interplay with other corporate functions – in particular the internal auditing function.
The internal auditing function of banks is regulated by law as well as by specific regulations issued by Bank of Italy – in particular via the Supervision Guidance on "Internal Auditing and Organisation". The latter guidance requires banks to be equipped with monitoring systems for both corporate risk and reliability and security (including information systems) via specific "alerts" that must be relied upon during the auditing activities.
Whilst there is no legislation to regulate the traceability of bank transactions by determining whether and to what extent the relevant log files should be retained, it is to be observed that all the banks inspected by our DPA had implemented monitoring systems for money-related transactions in order to protect customer assets along with their activities – as part of the discretion left to banks in organizing compliance functions; however, only some of those banks were found to have deployed systems to log the inquiries performed on current accounts or other customer-related information. Even with such banks, however, the short retention periods of the log files did not always allow tracing the information on the inquiries performed by a given employee.
Taking account of the above considerations and the lack of specific legislation, this DPA considers it appropriate to lay down measures concerning
- The "tracking" of accesses to customers' banking data;
- The retention period of the relevant log files;
- The implementation of alerts aimed at detecting intrusions and/or inappropriate accesses to bank data such as to give rise to unlawful processing operations.
4.2. "Tracking" Accesses and Retention Periods of Log Files
4.2.1. Tracking of Transactions
In order to ensure the controls on the processing of (prospective) customers' data as performed by the persons in charge of such processing – irrespective of their capacities, skills, competences and purposes – suitable IT solutions must be in place. Along with the so-called minimum security measures set forth in section 34 of the DP Code, which apply to any processing operations that are performed with the help of electronic tools and envisage, in particular, the need to "protect electronic tools and data against unlawful processing…" (see section 34, letter e.), suitable measures must be implemented (pursuant to section 31 of the DP Code) to enable effective, in-depth controls also on the processing of individual information items as contained in the databases at issue.
The aforementioned solutions include a detailed log of the banking transactions performed whenever such transactions consist in and/or result from the interactive use of information systems by the persons in charge of data processing – except for inquiries of aggregated data that cannot be traced back to individual customers.
In particular, the log files should keep track at least of the following information for each access to bank data as performed by a person in charge of data processing:
- The ID code of the person that accessed the data;
- Date and time of the access;
- ID Code of the relevant workstation;
- ID Code of the customer whose bank data were accessed by the person in charge;
- Type of contractual relationship in place with the customer whose data were accessed (e.g. C/A no., loan/guarantee, securities deposit account, etc.).
The measures referred to herein must be implemented in compliance with the laws in force on employee monitoring (section 4 of Act no. 300/1970); account must also be taken of the principles set forth by the Italian DPA in its Guidelines on the use of Internet and e-mail with regard to the information notices to be provided to data subjects (decision dated 1 March 2007, web doc. No. 1387522).
4.2.2. Retention of Transaction Logs
The retention period of transaction logs may differ depending on log type; additionally, no specific retention periods are set forth in the law except for the access logs relating to system administrators – their minimum retention period being 6 months as per clause 4.5 in the DPA's decision dated 27 November 2008 (web doc. No. 1577499). The findings of inquiries and inspections confirmed that the said logs are retained for a variable period; this was also supported by ABI documents stating that access logs are retained on average for 12 months, whilst bank transactions logs are retained for no less than 10 years.
However, based on the experience gathered from inspections, it is considered appropriate to require that inquiry logs should be retained for no less than 24 months as from the respective log date. A shorter retention period would not allow data subjects to become apprised of the access performed in respect of their personal data along with the underlying reasons.
4.3. Implementation of Alerts Aimed at Detecting Intrusions or Unauthorised/Inappropriate Access to Information Systems
4.3.1. Implementing Alerts
Specific alerts should be envisaged by banks whenever inappropriate and/or risky events are detected in connection with the inquiry operations performed by persons in charge of data processing.
Partly on that account, the logs relating to all the access applications used by the persons in charge of data processing should be pooled into the business intelligence tools that are used by banks to monitor access to their banking databases.
4.3.2. Internal Auditing – Regular Reporting
Data controllers should subject the handling of banking data to an internal auditing exercise at least yearly in order to monitor compliance with the organizational, technical and security measures applying to personal data processing under the laws in force.
The auditing should be committed to an organizational unit or, in any case, to staff other than the one in charge of processing customers' banking data.
The auditing should also include ex-post sample checks as well as checks following alerts issued by alerting and anomaly detection systems to investigate whether the data access operations performed by the persons in charge are lawful and legitimate and whether integrity of the data and IT procedures used to process such data could be ensured. Regular checks should also be carried out on the retention of log files in accordance with the terms set forth in clause 4.2.2. above.
Auditing activities should be documented as appropriate to allow keeping track of the audited systems, the technical operations performed on such systems, audit findings, and the criticalities detected in this connection.
The outcome of the auditing should be
- Notified to the persons and bodies that are lawfully empowered to make decisions and represent the bank at the various levels, depending on internal rules;
- Mentioned in the security policy document, which should specify such actions as may be necessary to upgrade the relevant security measures;
- Made available to the Italian DPA upon a specific request to do so.
5. Information in Case of Unauthorised Access
5.1. Information to the Data Subject
Banks shall inform data subjects without delay of any unlawful processing operations performed by persons in charge of data processing on the personal data relating to them. This timely information may in general allow data subjects to take appropriate counter-measures and possibly minimize the risks related to the violation of personal data protection legislation.
Providing the information in question is an appropriate measure under the terms of section 154(1)c. of the DP Code.
5.2. Information to the Italian DPA
Banks shall timely inform the Italian DPA and provide the appropriate details of any cases where accidental and/or unlawful violations of personal data protection have been established – providing such violations are material on account of either the type or amount of the data concerned and/or the number of customers affected – and such violations give rise to the destruction, loss, modification and/or unauthorized disclosure of customers' data.
Providing the information in question is an appropriate measure under the terms of section 154(1)c. of the DP Code.
BASED ON THE ABOVE PREMISES, THE ITALIAN DATA PROTECTION AUTHORITY
Under section 154(1)c. of the DP Code, orders the measures mentioned hereinafter to be taken by banks, including banks that are members of banking groups, companies other than banks that are members of such banking groups, and Poste Italiane S.p.A. when performing the activities mentioned in clause 1.2. hereof:
1. Measures That Are Necessary:
a. Appointing the Outsourcee as Data Processor (clause 3.2.)
If customers' personal data are processed by an outsourcee according to arrangements whereby the powers that may only be vested in a data controller pursuant to section 4(1)f. and section 28 of the DP Code continue to be vested in the bank, i.e. they are not factually vested in the outsourcee(s), it is necessary for the banks – which are the sole data controllers – to appoint the outsourcee company/ies as data processor(s) pursuant to section 4(1)g. and section 29(4) and (5) of the DP Code;
b. Tracking of Transactions (clause 4.2.1)
Suitable IT measures must be implemented to enable controls on the processing of individual information items as contained in the individual databases. The aforementioned solutions include a detailed log of the banking transactions performed, whenever such transactions consist in and/or result from the interactive use of information systems by the persons in charge of data processing – except for inquiries of aggregated data that cannot be traced back to individual customers.
In particular, the log files shall keep track at least of the following information for each access to bank data as performed by a person in charge of data processing:
- The ID code of the person that accessed the data;
- Date and time of the access;
- ID Code of the relevant workstation;
- ID Code of the customer whose bank data were accessed by the person in charge;
- Type of contractual relationship in place with the customer whose data were accessed (e.g. C/A no., loan/guarantee, securities deposit account, etc.).
c. Retention of Transaction Logs (clause 4.2.2.)
The retention period for inquiry logs shall not be shorter than 24 months as from the respective log date.
d. Implementing Alerts (clause 4.3.1.)
i. Specific alerts shall be envisaged by banks to detect inappropriate and/or risky events in connection with inquiry operations.
ii. The logs relating to all access applications shall be pooled into business intelligence tools.
e. Internal Auditing – Regular Reporting (clause 4.3.2.)
i. Data controllers shall subject the handling of banking data to an internal auditing exercise at least yearly.
ii. The auditing shall be committed to an organizational unit or, in any case, to staff other than the one in charge of processing customers' banking data.
iii. The auditing shall also include ex-post sample checks as well as checks following alerts issued by alerting and anomaly detection systems to investigate whether the data access operations performed by the persons in charge are lawful and legitimate and whether integrity of the data and IT procedures used to process such data could be ensured. Regular checks shall also be carried out on the retention of log files in accordance with the terms set forth in clause 4.2.2. above.
iv. Auditing activities shall be documented as appropriate and their outcome shall be notified to the entities mentioned in clause 4.3.2.
2. Measures That Are Appropriate:
f. Information to Data Subjects (clause 2.2.)
The information notice provided to data subjects under section 13 of the DP Code may also specify that customers' data may be shared by the branches and/or offices of the given bank.
g. Information to Data Subjects (clause 5.1.)
Banks shall inform data subjects without delay of any unlawful processing operations performed by persons in charge of data processing on the personal data relating to them.
h. Information to the Italian Data Protection Authority (clause 5.2.)
Banks shall timely inform the Italian DPA of any cases where accidental and/or unlawful violations of personal data protection have been established, if such violations are material.
3. The measures referred to under point 1. above shall be implemented within 30 months as from publication of this decision in Italy's Official Journal.
4. A copy of this decision shall be forwarded to the Ministry of Justice – Ufficio pubblicazione leggi e decreti in order for it to be published in the Official Journal of the Italian Republic pursuant to section 143(2) of the DP Code.
Done in Rome, this 12th day of the month of May 2011
THE SECRETARY GENERAL