[doc. web. n. 1565879]
[doc. web. n. 1556573]
Code of conduct and professional practice applying to the processing of personal data for statistical and scientific research purposes within the framework of the national statistical system
(Published in the Official Journal no. 230 of October 10, 2002)
The Garante per la protezione dei dati personali
Having convened today, with the participation of Prof. Stefano Rodotà, President, Prof. Giuseppe Santaniello, Vice-President, Prof. Gaetano Rasi and Mr. Mauro Paissan, Members, and Mr. Giovanni Buttarelli, Secretary-General,
Having regard to Article 27 of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995, under which Member States and the Commission shall encourage the drawing up of codes of conduct intended to contribute to the proper implementation of the national provisions adopted by the Member States pursuant to the Directive, taking account of the specific features of the various sectors,
Having regard to Section 31(1), letter h), of Act no. 675 of 31.12.1996, which entrusts the Garante with the task of encouraging, within the framework of the categories concerned and in compliance with the representation principle, the adoption of codes of conduct and professional practice for certain sectors, verifying that they are compliant with laws and regulations also by having regard to the considerations made by entities concerned, and contributing to ensuring that they are disseminated and respected,
Having regard to legislative decree no. 281 of 30.07.1999 on the processing of personal data for historical, statistical and scientific research purposes and, in particular, to Section 6(1) thereof, under which the Garante is entrusted with the task of encouraging adoption of one or more codes of conduct and professional practice for public and private entities, including scientific societies and trade associations, involved in the processing of data for statistical and scientific research purposes,
Having regard to Section 10(6) of the abovementioned legislative decree no. 281/1999, dealing with some aspects that should be specified in the code applying to the processing of data for statistical and scientific research purposes,
Having also regard to Section 12(2) of legislative decree no. 322 of 06.09.1989, as amended by Section 12(6) of legislative decree no. 281/1999, providing that the Committee for Safeguarding Statistical Information is to be heard with a view to the adoption of codes of conduct and professional practice in respect of the processing of personal data within the framework of the National Statistical System,
Having regard to the provision issued by the Garante on 10 February 2000, as published in the Official Journal no. 46 of 25.02.2000, in which the Garante encouraged adoption of one or more codes of conduct and professional practice in respect of the processing of personal data for statistical and scientific research purposes and called upon all the entities entitled to participate in the adoption of such codes under the representation principle to notify the Garante thereof by 31 March 2000,
Having regard to the communications received by the Garante in response to the provision of 10 February 2000, in which several public and private entities, scientific societies and trade associations indicated their intention to participate in drawing up the abovementioned codes, such entities having subsequently set up an ad-hoc working group including, inter alia, representatives from the following public bodies: Istituto Nazionale di Statistica – ISTAT [National Statistics Agency], Istituto di studi e analisi economica – ISAE [Institute for Economic Research and Analysis], Istituto per lo sviluppo della formazione professionale dei lavoratori – ISFOL [Institute for Development of Employees' Vocational Training], Presidenza del Consiglio dei Ministri – Dipartimento della Funzione Pubblica [Prime Minister's Office – Public Administration Department],
Whereas the draft code has been the subject of a wide-ranging discussion among the entities concerned, which have been given the opportunity to submit their considerations and put forward proposals,
Having regard to the Prime Minister's decree no. 152 of 09.03.2000, including provisions to set forth the criteria and procedure for determining the private bodies participating in the National Statistical System (SISTAN) pursuant to Section 2(1) of Act no. 125 of 28.04.1998,
Having regard to the Prime Minister's decree of 09.05.2001 on circulation of information within the National Statistical System,
Having regard to the Prime Minister's decree of 28.05.2002 on inclusion of additional statistics agencies into the SISTAN,
Having regard to the letter of 2 April 2001, by which the President of ISTAT forwarded, at the request of the Committee on Guidance and Coordination of Statistical Information, the text of the code of conduct and professional practice applying to the processing of personal data carried out for statistical and scientific research purposes within the framework of the National Statistical System, as undersigned by himself on behalf of the entities concerned,
Having regard to the decision made by this Authority concerning preliminary examination of the abovementioned code (decision no. 23 of 4 July 2001),
Considering that it is appropriate to proceed with the final assessment of the code of conduct and professional practice applying to the processing of personal data for statistical purposes within the framework of the SISTAN, also separately from the code that is to regulate use of personal data for statistical purposes outside the SISTAN in pursuance of Sections 6(1) and 10(6) of legislative decree no. 281/1999,
Having heard the Committee for Safeguarding Statistical Information as required by Section 12(2) of legislative decree no. 322 of 06.09.1989, also on the basis of the further analysis carried out in agreement with ISTAT,
Having taken account of the fact that compliance with the provisions laid down in the code is a fundamental prerequisite for the processing of personal data to be lawful,
Having ascertained that the code is compliant with laws and regulations concerning the protection of individuals with regard to the processing of personal data, in particular with Section 31(1), letter h), of Act no. 675/1996 as well as with Sections 6, 10, 11 and 12 of legislative decree no. 281/1999,
Whereas the code is to be published in the Official Journal of the Italian Republic under the Garante's responsibility, in pursuance of Section 6(1) of legislative decree no. 281/1999,
Having regard to the records on file,
Having regard to the considerations made by the Secretary General pursuant to Section 15 of the Garante's Regulations no. 1/2000 as adopted by decision no. 15 of 28 June 2000 and published in the Official Journal of the Italian Republic no. 162 of 13 July 2000,
Acting on the report submitted by Professor Gaetano Rasi,
the annexed code of conduct and professional practice applying to the processing of personal data for statistical and scientific research purposes within the framework of the National Statistical System to be forwarded to the Law and Decree Publishing Department at the Ministry of Justice in order for it to be published in the Official Journal of the Italian Republic.
Done in Rome, the 31st of July 2002
CODE OF CONDUCT AND PROFESSIONAL PRACTICE APPLYING TO THE PROCESSING OF PERSONAL DATA FOR STATISTICAL AND SCIENTIFIC RESEARCH PURPOSES WITHIN THE FRAMEWORK OF THE NATIONAL STATISTICAL SYSTEM
This Code is aimed at ensuring that use of personal data for statistical purposes, where such data are considered under the law to be in the substantial public interest and the source of official statistical information, and therefore are to be regarded as a community asset, is compliant with data subjects' rights, fundamental freedoms and dignity, and in particular with their right to confidentiality and personal identity.
This Code is adopted in pursuance of Sections 6 and 10(6) of legislative decree no. 281 of 30.07.1999 and applies to the processing operations for statistical purposes that are performed within the framework of the National Statistical System with a view to the purposes referred to in legislative decree no. 322 of 06.09.1989.
Adoption of this Code is grounded on the relevant international sources and instruments concerning statistics, with particular regard to
a) The European Convention on the Protection of Human Rights and Fundamental Freedoms of 4 November 1950, as ratified by Italy via Act no. 848 of 04.08.1955,
b) The Charter of Fundamental Rights of the European Union of 18.12.2000, with particular regard to Articles 7 and 8 thereof,
c) Convention no. 108 as adopted in Strasbourg on 28.01.1981 and ratified by Italy via Act no. 98 of 21.02.1989,
d) Directive 95/46/EC of the European Parliament and of the Council of 24.10.1995,
e) Council of Europe Recommendation no. R(97)18 as adopted on 30.09.1997,
f) Article 10 of EC Regulations no. 322/97 as adopted by the Council of the European Union on 17.02.1997.
Organisations, agencies and entities applying this Code are required to also abide by the impartiality and non-discrimination principles in respect of other users, with particular regard to communication for statistical purposes of data that are stored in public archives and processed either by public bodies or with the help of public funds.
CHAPTER I - SCOPE AND GENERAL PRINCIPLES
Article 1. Scope
1. This Code shall apply to the processing of personal data for statistical purposes as carried out by
a) statistical organisations and agencies included and/or participating in the National Statistical System with a view to either implementing the national statistics programme or producing statistical information, in compliance with the respective institutional framework,
b) entities other than those mentioned under a), though belonging to the same administration/body, if the relevant processing operations are provided for by the national statistics programme and statistical agencies certify the methods adopted, by having regard to the provisions included in legislative decrees no. 322 of 06.09.1989 and no. 281 of 30.07.1999 - as subsequently amended and supplemented - in addition to those laid down herein.
Article 2. Definitions
1. For the purposes of this Code, the definitions set forth in Section 1 of Act no. 675 of 31.12.1996 – hereinafter referred to as the "Act" – and legislative decree no. 281 of 30.07.1999, including subsequent amendments and additions, shall apply. Additionally, for the same purposes
a) "processing for statistical purposes" shall mean any processing operation that is performed for the purpose of statistical analysis or the production, retention and dissemination of statistical results in pursuance of the national statistics programme, or else for the purpose of publicising statistical information within the scope of the institutional activities carried out by the entities referred to in Article 1,
b) "statistical result" shall mean the information obtained by means of the processing of personal data in order to quantify features of a collective phenomenon,
c) "public variable" shall mean the feature or set of features, whether qualitative or quantitative in nature, that is the subject of a statistical survey in which information included in public registers, lists, records, instruments and publicly available sources is used,
d) "statistical unit" shall mean the entity to which the processed data refer and/or can be referred.
Article 3. Data Subjects' Identifiability
1. For the purpose of implementing this code,
a) a data subject shall be considered to be identifiable if it is possible, by reasonable means, to establish a significantly likely relationship between the combination of the modalities for the variables concerning a given statistical unit and the latter's identification data,
b) the means that can be reasonably used to identify a data subject shall fall, in particular, under the following categories:
- economic resources
- time resources
- files including personal data and other information sources including identification data jointly with a subset of the variables that are communicated and/or disseminated,
- files, including or not personal data, providing information in addition to the data that are communicated and/or disseminated,
- hardware and software to carry out the processing required in order to establish a connection between non-personal data and an identified entity, by having also regard to the actual possibility of unlawfully achieving identification of the latter entity in light of the security systems and monitoring software adopted,
- knowledge of sample extraction, imputation, correction and statistical protection procedures as applied to obtain the data,
c) as regards communication or dissemination, a data subject shall be regarded as non-identifiable if the identification risk – in terms of likelihood of identifying the data subject by taking account of the communicated/disseminated data – is such that the means possibly required in order to achieve identification are to be considered disproportionate compared with the resulting infringement of and/or risk of infringing the data subject's rights, by having also regard to the benefit(s) that can be achieved.
Article 4. Criteria for Assessing the Identification Risk
1. With a view to the communication and dissemination of statistical results, the following criteria shall be considered in assessing the identification risk:
a) aggregate data shall be considered to consist in combinations of modalities associated either with a frequency that must not be lower than a pre-determined threshold, or with an intensity resulting from the synthesis of the values taken by a number of statistical units equal to said threshold. The minimum threshold value shall be three.
b) In assessing the threshold value account will have to be taken of the confidentiality level applying to the information.
c) Statistical results related exclusively to public variables are not subjected to the threshold rule.
d) The threshold rule may fail to be complied with if the statistical result does not reasonably allow identifying statistical units by having regard to assessment type and nature of the associated variables.
e) Statistical results concerning the same population may be disseminated in such a way as not to allow setting up connections among them and/or with other known information sources that may possibly permit identification.
f) Confidentiality is assumed to be adequately safeguarded if all the statistical units of a population show the same modality for a given variable.
2. The variables that may be disseminated in non-aggregate fashion shall be specified in the national statistics programme, where this is necessary to meet specific knowledge requirements also at international and/or Community level.
3. In communicating sample data collections, the identification risk shall be limited to the greatest possible extent. Said limit and the methodology to assess identification risk shall be set forth by ISTAT, which shall also lay down the arrangements for data release – in line with the principles referred to in Article 3(1), letter d) – and inform the Committee for Safeguarding Statistical Information.
Article 5. Processing of Sensitive Data by Private Entities
1. Private entities included in the National Statistical System pursuant to Act no. 125 of 28.04.1998 shall collect and further process sensitive data for statistical purposes in anonymous format, as a rule, subject to the provisions laid down in Section 6-bis(1) of legislative decree no. 322 of 06.09.1989 as inserted by legislative decree no. 281 of 30.07.1999 including subsequent amendments and additions.
2. Under certain circumstances, where lawful and specific statistical purposes related to the processing of sensitive data cannot be achieved without identifying data subjects, even on a temporary basis, the following prerequisites shall have to be met for said processing to be lawful:
a) the data subject must have given his/her own consent freely on the basis of the information provided;
b) the data controller must take specific measures in order to keep identification data separate already at the time of data collection, unless this proves unreasonable or requires a clearly disproportionate effort;
c) prior authorisation of the processing by the Garante is necessary, also on the basis of an authorisation applying to categories of data and/or types of processing; alternatively, the processing must be included in the national statistics programme.
3. Consent shall be given in writing. If the sensitive data are collected by specific methods such as telephone and/or computer-assisted interviews, which make it especially burdensome for the survey to obtain written consent, consent may be documented in writing on condition that it has been given expressly. In the latter case, the records giving proof of the information provided to the data subject as well as of the latter's consent shall be kept by the data controller for three years.
CHAPTER II - INFORMATION NOTICE, COMMUNICATION AND DISSEMINATION
Article 6. Information Notice
1. In addition to the information referred to in Section 10 of the Act, the data subject or the persons from which the data subject's personal data are collected for statistical purposes shall be notified of the possibility for the data to be processed for other statistical purposes in pursuance of legislative decrees no. 322 of 06.09.1989 and no. 281 of 30.07.1999 as subsequently amended and supplemented.
2. If the processing concerns personal data that have not been collected from the data subject and informing the latter entails a disproportionate effort compared with the right to be safeguarded – as per Section 10(4) of the Act –, the information shall be considered to have been notified if the processing is included in the national statistics programme or else is publicised by suitable means; the latter shall have to be communicated in advance to the Garante, which may provide for specific measures and arrangements.
3. As regards data collection for statistical purposes, informing the person the data are collected from on the specific purposes and the arrangements applying to the processing for which the data are intended may be postponed if this proves necessary in order to achieve the objectives of the relevant survey – by having regard to the subject matter and/or the nature of said survey –, on condition that the processing does not concern sensitive data. In such cases, the data subject must be provided with the supplementary information as soon as the reasons for which it has been withheld no longer apply – unless this entails a manifestly disproportionate effort. The entity responsible for the survey must draw up a document – to be subsequently kept for at least two years as of completion of the survey and made available to any entity exercising the rights referred to in Section 13 of the Act – detailing the specific reasons for which it has been considered appropriate to withhold the information, the items of information that have been withheld and the arrangements followed to inform data subjects once the reasons for which said information has been withheld no longer apply.
4. Where the circumstances of the collection and the objectives of the relevant survey are such as to allow an entity to respond in the name and on behalf of another entity, being a relative of and/or cohabiting with the latter, the data subject may also be informed by the respondent.
Article 7. Communication to Entities Outside the National Statistical System
1. Individual data including no reference that can link them to data subjects may be communicated to entities outside the National Statistical System, in the form of sample collections and anyhow in such a way as to prevent data subjects from being identified.
2. Communication of personal data to university researchers and institutions, research bodies or members of scientific societies that fall under the scope of application of the code of conduct and professional practice on the processing of personal data carried out outside the National Statistical System for statistical and scientific research purposes – as per Section 10(6) of legislative decree no. 281 of 30.07.1999 including subsequent amendments and additions – shall be allowed within the framework of specific laboratories set up by entities included in the National Statistical System, on condition that
a) the data result from processing operations, for which the abovementioned entities included in the National Statistical System act as data controllers,
b) the data to be communicated do not include identification data,
c) the provisions on statistics secrecy and personal data protection as included, inter alia, in this code are complied with by the researchers accessing said laboratories, also on the basis of a prior commitment statement,
d) access to laboratories is controlled and monitored,
e) access to files including data other than those that are communicated is not permitted,
f) suitable measures are taken in order for the researchers using the laboratories to be prevented from performing data entry and retrieval,
g) releasing the results of the processing operations performed by researchers using the laboratories is only authorised after the relevant laboratory staff have verified compliance with the provisions as per point c).
3. Within the framework of joint projects that are also aimed at pursuing institutional purposes as related to the data controller of the processing that has given rise to the data, the entities included in the National Statistical System may communicate personal data to researchers working on behalf of universities, other public bodies and organisations pursuing research purposes, provided the conditions below are complied with:
a) the data result from processing operations, for which the abovementioned entities included in the National Statistical System act as data controllers,
b) the data to be communicated do not include identification data,
c) the communication takes place in accordance with ad-hoc research protocols undersigned by all the researchers participating in the specific project,
d) the provisions concerning statistics secrecy and personal data protection as also included in this code are expressly laid down in the abovementioned protocols to the effect that they should be binding on all the researchers participating in the specific project.
4. Researchers authorised to communicate data are banned from carrying out processing operations for purposes other than those expressly referred to in the research protocol, keeping the communicated data beyond the project deadline and communicating the data further to third parties.
Article 8. Data Communication between Entities Included in the National Statistical System
1. Communication of personal data including no identification data is allowed within the framework of entities included in the National Statistical System as regards the statistical processing operations that are instrumental to achieving the requesting party's institutional purposes and have been expressly referred to in the relevant request, without prejudice to compliance with the requirement that data should be relevant and not excessive.
2. Communicating, inter alia, the identification data of statistical units is allowed within the framework of entities included in the National Statistical System if the requesting party declares that no identical statistical result can be obtained otherwise, subject to lodging of a reasoned request in which the purposes to be achieved pursuant to legislative decree no. 322 of 06.09.1989, including the scientific research purposes as regards the entities referred to in Section 2 of said decree, are detailed – without prejudice to compliance with the requirement that data should be relevant and absolutely necessary.
3. Such data as are communicated in pursuance of paragraphs 1 and 2 above may only be processed by the requesting party, even subsequently, for the purposes sought under legislative decree no. 322 of 06.09.1989, including the scientific research purposes as regards the entities referred to in Section 2 of said decree, in accordance with the limitations set forth in legislative decree no. 281 of 30.07.1999 and by complying with the security measures referred to in Section 15 of the Act as subsequently amended and supplemented.
Article 9. Supervisory Authority
1. The Committee for Safeguarding Statistical Information referred to in Section 10 of legislative decree no. 322 of 06.09.1989 shall contribute to appropriately implementing the provisions laid down in this code with particular regard to the provisions made in Article 8 above, by reporting possible breaches to the Garante.
CHAPTER III - SECURITY AND RULES OF CONDUCT
Article 10. Data Collection
1. The entities referred to in Article 1 shall take special care in selecting the staff in charge of collecting data as well as in laying down organisation and mechanisms for the survey, so as to ensure compliance with this code and protection of data subjects' interests; they shall also take steps to appoint the persons in charge of the processing as required by law.
2. At all events, the staff in charge of data collection shall abide by the provisions laid down herein as well as by the instructions received. In particular,
a) they shall disclose their identity, their tasks and the purposes of the collection also by means of suitable documents,
b) they shall provide the information as per Section 10 of the Act and Section 6 of this Code, and such additional explanations as may allow data subjects to answer in a suitable, informed manner, and shall refrain from following deceptive practices or putting undue pressure on data subjects,
c) they shall not carry out data surveys simultaneously on behalf of several data controllers, except where this is expressly authorised,
d) they shall timely correct mistakes and inaccuracies in the information acquired with the survey,
e) they shall take special care in collecting the personal data referred to in Sections 22, 24 and 24-bis of the Act.
Article 11. Data Retention
1. Personal data may be retained longer than is necessary to achieve the purposes for which they have been collected and/or subsequently processed in pursuance of Section 9 of the Act as well as of Section 6-bis of legislative decree no. 322 of 6 September 1989, as subsequently amended and supplemented. In those cases, identification data may be retained for as long as they are necessary with a view to:
- continuous and longitudinal surveys,
- control, quality and coverage surveys,
- identification of sample patterns and selection of survey units,
- setting up archives of statistical units and information systems,
- other cases in which this is fundamental and can be adequately documented for the purposes sought.
2. In the cases referred to in paragraph 1, identification data shall be stored separately from all other data so as to allow different levels of access, unless this proves impossible on account of the specific features of the processing or involves an effort that is clearly disproportionate compared with the right to be protected.
Article 12. Security Measures
1. In taking the security measures as per Section 15(1) of the Act and the Regulations referred to in paragraph 2 of the latter Section, the data controller shall also specify the different levels of access to the personal data by having regard to their nature and the tasks discharged by the entities involved in the processing.
2. The entities referred to in Section 1 shall take the precautions required under Sections 3 and 4 of legislative decree no. 135 of 11 May 1999 with regard to the data referred to in Sections 22 and 24 of the Act.
Article 13. Exercising Data Subject's Rights
1. As for exercising the rights referred to in Section 13 of the Act, any data subject may access the statistical archives containing the data concerning him/her to have them updated, rectified or supplemented, provided that this does not prove impossible on account of the nature or status of the processing or else involves an effort that is clearly disproportionate.
2. Pursuant to Section 6-bis of legislative decree no. 322 of 6 September 1989, the data processor shall take note of the changes requested by a data subject using ad-hoc fields and/or registers without modifying the data initially entered, where these operations do not produce significant effects either on statistical analysis or on the statistical results related to the processing. In particular, no changes shall be made if the latter are in conflict with statistical classifications and methodology as adopted in pursuance of international, Community and national regulations.
Article 14. Rules of Conduct
1. Data processors and persons in charge of the processing shall also follow the rules of conduct detailed below, where they may lawfully access – also for reasons related to their work, study and research – personal data that are processed for statistical purposes:
a) personal data may only be used for the purposes specified in planning the processing operations,
b) personal data shall be kept in such a way as to prevent their being dispersed, stolen or anyhow used by departing from either the relevant laws or the instructions received,
c) personal data and information that is not publicly available, where acquired in the course of performing statistical activities and/or activities instrumental to the latter, may not be disseminated or used otherwise for private purposes,
d) the activities performed shall be adequately documented,
e) professional know-how concerning personal data protection shall be continuously adjusted to technological and methodological evolution,
f) communication and dissemination of statistical results shall be encouraged as related to users' information requirements on condition that personal data protection regulations are complied with.
2. The data processors and persons in charge of the processing referred to in paragraph 1 shall have to abide by the provisions laid down herein, also if they are not bound by official and/or professional secrecy rules. Data controllers shall take suitable measures in order to ensure that data processors and persons in charge of the processing are familiar with the abovementioned provisions.
3. Any conduct that fails to comply with the rules set forth herein shall have to be immediately reported either to the data controller or to the data processor.