ANNUAL REPORT 2000
TABLE OF CONTENTS
Part One – Progress in Implementing the Data Protection Act
- MAIN REGULATORY DEVELOPMENTS
- PUBLIC ADMINISTRATIVE AGENCIES
- LAW ENFORCEMENT AGENCIES, JUDICIAL AUTHORITIES, INTELLIGENCE AND SECURITY SERVICES
- HEALTH CARE
- EMPLOYMENT AND SOCIAL SECURITY
- STATISTICS AND SCIENTIFIC RESEARCH, HISTORICAL RESEARCH
- ASSOCIATIONS, POLITICAL GROUPS AND PARTIES, RELIGIOUS DENOMINATIONS
- LEGAL PROFESSION, PRIVATE INVESTIGATORS, FREELANCE PROFESSIONALS
- CREDIT, FINANCIAL AND INSURANCE ORGANISATIONS
- JOURNALISM
- SURVEILLANCE AND BIOMETRICAL INFORMATION
- MARKETING
- ELECTRONIC COMMERCE
- ELECTRONIC NETWORKS AND TELECOMMUNICATIONS SERVICES
- DATA AND SYSTEMS SECURITY
Part Two – The Garante: Organisation and Features
PROGRESS IN IMPLEMENTING THE DATA PROTECTION ACT No. 675/1996
1. MAIN REGULATORY DEVELOPMENTS
No significant legislative amendments were made in the period considered as regards Act no. 675/1996, on the processing of personal data.
However, the activities aimed at supplementing and updating the relevant legislation continued and "horizontal" provisions were made that produced effects in terms of personal data protection.
In addition to major sources of primary legislation, the above activities also concerned new law sources that can be regarded in a sense as non-conventional, in respect of specific sectors – e.g., the general authorisations granted by the Garante or the codes of conduct and professional practice applying to a few sectors.
Special importance should be attached to Act no. 127 of 24.03.2001 – Postponing the Deadline Enabling Government to Pass Legislation in pursuance of Act no. 676/1996, on the Processing of Personal Data – which postponed the deadline for the Government to pass legislation on privacy as mentioned in Acts no. 676/1996 and 348/1998. Under this Act, the framework legislation applying to data processing can be supplemented until 31st December 2001, as regards those sectors where the general principles laid down in the 1996 DP Act have to be specified or completed and this has not yet been done by Government, in whole or in part. The Act also provided for issuance, by 31st December 2002, of a consolidated text of the provisions concerning the protection of individuals and other entities with regard to the processing of personal data – including all the measures in force as well as such amendments and additions as will be deemed necessary to enhance coordination or else facilitate enforcement.
Act no. 325 of 03.11.2000 – Provisions Concerning the Adoption of the Minimum Security Measures for the Processing of Personal Data Referred to in Article 15 of Act no. 675 of 31.12.1996 – granted additional time, until 31st December 2000, to the entities that had not managed to adopt the so-called minimum security measures by 29th March 2000, on condition that they drafted a document bearing a certified date describing a) the specific technical and organisational requirements that had made it necessary to take advantage of the postponed deadline, b) the arrangements that had been or were to be adopted and the main features of the scheduled adjustments, c) the guidelines developed in order to fully implement the security measures.
The adoption of the Code of conduct and professional practice applying to the processing of personal data for historical purposes should also be highlighted; this was provided for in a legislative decree of 1999 (no. 281 of 30th July). The Code was aimed at ensuring that personal data acquired in connection with historical research, the exercise of the right to study and information, and the activity of archives would be used in compliance with data subjects' rights, fundamental freedoms and dignity – with particular regard to the right to privacy and personal identity.
2. Other Regulatory Developments
A few regulatory instruments were adopted in the period considered that also produced significant effects on the processing of personal data. The most important among them are briefly described below:
a) Act no. 340 of 24.11.2000, including provisions on de-regulation and simplification of administrative proceedings. Under Article 3 thereof, an important instance of the public interest – as based on the definition laid down in legislative decree no. 135 of 11.05.1999, on the processing of special categories of data by public bodies – consists in direct consultation by either a public administrative agency or the manager of a public utility of the files held by the administrative body that is competent for issuing a given certificate in order to establish, ex officio, specific circumstances or qualifications or events or else verify the statements made by citizens in this regard.
b) Prime Minister's decree of 6th December 2000, concerning the 2001-2003 National Statistics Programme. The processing of personal data is referred to specifically in paragraph 1.3 of the Preamble, where the regulatory provisions are mentioned that underlie the purposes for which data may be collected as well as the safeguards for fundamental rights. In particular, reference is made to the information to be provided to data subjects, their right of access to personal data and the main precautions to be taken in processing sensitive data.
c) Act no. 397 of 07.12.2000, including provisions on investigations by defence counsel. Under Article 11 thereof, defence counsel or their deputies, authorised private detectives and technical experts must inform the persons they contact because those persons can provide useful information in connection with investigational activities, in line with the relevant provisions of Act no. 675/1996 – i.e., they must specify their capacity and the purposes of the interview as well as whether they are planning to interview them or to take their statements, and remind them that they are obliged to declare whether they are the subject of investigations or appear as defendants in connection with the relevant or a joint proceeding or else in respect of a related offence, that they may refuse to answer or make a statement, and that they must not disclose the questions, if any, they have been asked by the judicial police and/or the public prosecutor as well as the relevant answers;
d) legislative decree no. 443 of 28.12.2000, including regulations on administrative documents. Special reference should be made, in this regard, to Article 16(1) thereof, providing that the documents transmitted to other public administrative agencies should only include such data in the special categories mentioned in Articles 22 and 24 of the DP Act as concern personal circumstances, events and qualifications that are referred to in laws or regulations and are absolutely necessary for achieving the purposes for which they are collected. Article 78 further stresses that the provisions concerning personal data are left unprejudiced;
e) Ministerial decree of 2nd February 2001, concerning the description of types and features and arrangements for installation and use of electronic devices and other technical equipment – so-called "electronic bracelets" - deployed for controlling persons under house arrest/detention, in pursuance of Article 275-bis of the Criminal Procedure Code and Article 47-ter, paragraph 4-bis, of Act no. 354 of 26.07.1975.
Article 4 of the above decree regulates the processing of personal data in that it provides that said devices and equipment must be used by respecting the data subject's dignity, the retention period of the relevant data must be limited and the entities authorised to process the data must be specified by also ensuring compliance with the security measures provided for in Article 15 of the DP Act.
f) Act no. 135 of 29.03.2001, reforming the laws on tourism; Article 8 thereof provides for amending Article 109 of the Consolidated Public Security Statutes (Royal Decree no. 773 of 18.06.1931) as regards the so-called "hotel cards". Prior to this amendment, the above Article had been modified twice – namely, by Article 16 of Act no. 388/1993, ratifying the Schengen Agreement, and by decree-law no. 97/1995 as converted into Act no. 203/1995 – in order to bring it into line with the principles laid down in Article 45 of the Convention implementing the Schengen Agreement. Prior to the amendments made by Act no. 135/2001, these cards had to be kept by each accommodation establishment for twelve months and made available to public security officials on request; a copy of the cards had to be transmitted daily to the competent public security department, also via electronic networks. Under the new provision, the manager of each establishment will have to provide the authorities with the identification data of his guests by delivering a copy of the relevant cards; alternatively, he may communicate the identification data included in the cards by computerised or electronic means, in accordance with the mechanisms to be specified in a decree by the Minister for Home Affairs.
3. Parliamentary Activity
In addition to the laws and regulations passed by Parliament, various other bills related to data protection and the activity of the Garante were followed up by the authority during 2000. Reference can be made, in particular, to the bill on the serving of judicial writs via mail – including provisions to enhance the protection of recipients' privacy –, the bill to amend the Criminal and the Civil Codes in connection with libel and defamation by the media, the bill to regulate the use of names in identifying Internet domains and network services, and the bill amending the provisions on immigration and foreigners' status – with regard to the proposed taking of fingerprints from foreigners.
4. Regulatory Provisions and Administrative Regulations Issued without Consulting the Garante
It should be pointed out that on many occasions the Garante was not consulted, even though consultation is expressly provided for by Article 31(2) of the DP Act whenever the Government and the Prime Minister plan to issue regulations liable to concern personal data protection matters.
This breach of law was stressed twice by the Garante during 2000, and the Prime Minister's attention was drawn to the fact that any provision that was issued without consulting the Garante could be voided for breach of national and Community law. The Prime Minister's office responded at the beginning of 2001 by assuring the greatest commitment towards implementing the provisions laid down in Article 31(2) of the DP Act.
5. PUBLIC ADMINISTRATIVE AGENCIES
The greatest portion of the activity carried out by public administrative agencies in 2000 had to do with implementing, in particular, decree no. 135/1999 on the processing of sensitive data by public bodies. Based on the deluge of questions and requests coming from local and central authorities, it appears, however, that public bodies have not yet fully implemented or understood the provisions included in the DP Act of 1996.
Although well over four years have elapsed since the coming into force of the Act, in many public agencies there are still flaws and uncertainties that are partly related to the need to develop the required cultural tools in respect of the safeguards laid down by the Act, but partly also depend on a narrow interpretation of the Act, which is implemented only in a formal fashion, belatedly, inaccurately or with many deficiencies. A significant example is provided, in this regard, by the hyper-bureaucratic approach adopted in respect of sensitive data, which should be a major component in ensuring full-fledged protection of citizens' rights; nor is adequate attention paid to security and risk assessment in connection with personal data processing, especially by local municipalities. A few specific problems will be mentioned below; from a general standpoint it can be said, however, that there is a lack of broadmindedness in considering data protection issues related to public administrative bodies. In fact, there is the need for a quantum leap in assessing these issues with a view to building better relationships between administration and citizens as regards the protection of individual rights.
6. Processing of Sensitive Data and Data Concerning Judicial Matters
The Garante's attention was especially focussed in 2000 on implementing the provisions laid down in decree no. 135/1999, regulating the processing by public bodies of sensitive data and data concerning judicial matters.
The basic feature of that decree consisted in allowing public bodies to process those two categories of data not only if this was expressly provided for by laws, but if the significant instances of public interest served by their processing were specified by laws (or by the Garante, on a transitional basis); in the latter cases, however, public bodies were supposed to specify and notify the categories of data and the data processing operations involved.
This was done only to a very limited extent, despite the Garante's repeated warnings as to the need for public administrative agencies to comply with this requirement in order to ensure that they would process sensitive data lawfully. Additionally, the obligation to consult the Garante before issuing regulations that are related, in whole or in part, to the processing of personal (sensitive) data has often been disregarded by public bodies and institutions.
The above circumstances point to the need for public administrative agencies to reconsider their approach to data protection issues, also in light of the need to avoid setting up inhomogeneous mechanisms in this sector. The latter applies in particular to local municipalities, which are required by decree no. 135/99 to specify the processing operations they consider to serve an important instance of the public interest; Italy's national association of local municipalities has been urged by the Garante to seek the Authority's opinion with regard to the various "lists" of operations taken into account.
As regards, more specifically, the processing of "judicial data", this is regulated by Article 24 of Italy's Data Protection Act, which provides that "Processing of personal data allowing the disclosure of (judicial) measures (...) shall be permitted only where expressly authorized by a law or an order of the Garante specifying the reasons of substantial public interest underlying such processing, the data to be processed and the operations that may be performed." This applies to both private and public bodies. As to the requirement that the processing must be authorised by a law, decree no. 135/1999 allowed public bodies to process these judicial data as the relevant operations were found by the decree to serve an important public interest; again, public bodies are expected to specify the data processing operations they consider to be essential with a view to serving the public interest – which has been done only to a limited extent. Additionally, the Garante has issued a general authorisation (No. 7/2000, applicable until December 2001) under which private and public bodies are allowed to process these data for the (additional) purposes specified in the authorisation without having to lodge a specific request with the Garante.
7. Privacy vs. Transparency in Administrative Matters?
It has been repeatedly pointed out by the Garante that the provisions protecting personal data should not be construed to limit the transparency of administrative activities and, in particular, the right of access to records held by the public administration.
An issue to be addressed in this regard has to do with the effects produced by another type of right of access – i.e., the data subject's right of access – on enhancing the transparency of administrative activities. Indeed, the DP Act right of access only applies to the data subject and his/her personal data, whereas access to administrative records is granted to any person giving proof of his/her lawful interest in accessing the information; additionally, it is not necessary for the controller – i.e., the public administrative agency – to allow the data subject to inspect and copy the relevant documents, as it can, whenever possible, provide an abstract of the records with regard to the personal data concerning the data subject.
Despite these differences, the exercise of this new right of access has increased openness and transparency of administrative activities by providing another opportunity for checking operation of administrative machinery – see, for instance, access by employees to their evaluation data as described in another paragraph of this Report.
Obviously, this also entails the need to strike a balance with the right to privacy of other parties involved in an administrative proceeding. This may be especially true in connection with the publication by a local municipality of medical data or information taken from census registries, since these data can only be published under specific circumstances. Similar considerations apply to the (lawful) request lodged by a man to access his personal data and those of his children, where a proceeding was pending against that man for violence and maltreatment; in this case the only solution can consist in issuing detailed regulations in which – pursuant to decree no. 135/1999 mentioned above – the processing operations concerning sensitive data are specified and the relevant obligations are laid down in terms of relevance, accuracy and updating of these data. Conversely, the Garante ruled that it was not against the provisions of the DP Act to publish, in a newsletter edited by the local branch of the Bar, information on a provision under which a member of the local Bar had been temporarily disqualified from his office. The right to privacy of the individual data subject could not override the important instance of the public interest served by publication of this news, since disclosure of the disciplinary measure was meant – also based on the laws applying to professional rolls – to safeguard the rights of the entities that had contacts with the members of a profession for whatever reason.
8. Access to Records Held by the Public Administration
The relationship between the right of access to records held by the public administration and the right to personal data protection has been the subject of a lively debate among law scholars and has been addressed in many decisions of law courts. A few considerations have already been made in the preceding paragraph; the Garante's view is that the DP Act leaves unprejudiced the regulatory framework applying to transparency and access to records held by administrative agencies, partly because this is expressly referred to in Article 43(2) of the DP Act. Additionally, it has been repeatedly stressed by the Garante that the existence of provisions applying specifically to personal data protection cannot in itself be a reason for denying and/or limiting access to such records; indeed, the administrative agencies receiving a request for access have to assess, in the first place, whether the applicant has a lawful interest in obtaining the records – as prescribed by the relevant laws – and satisfies the additional conditions provided for by law.
9. Large-Sized Data Banks
The issues related to the setting up of large-sized data banks had to do mostly with the processing of population data. Reference can be made, in this regard, to
- a project involving cooperation of Tuscany's Regional Electronic Network and the Ministry for Home Affairs in order to allow consultation, via electronic means, of census records held by local municipalities,
- an Act passed by Friuli-Venezia Giulia Region, to set up a larger regional data bank starting from the register of beneficiaries of oil price reductions, to be used for "other purposes of an institutional nature".
In both cases the Garante has stressed that it is necessary to proceed with these activities on the basis of comprehensive regulations in order to reduce the risk of a proliferation of inhomogeneous initiatives, which are in danger of missing their targets as there is, for instance, no obligation for local municipalities to join census data exchange systems. It is necessary to specify the laws and/or regulations requiring acquisition of such data, because the reference to "institutional and/or public interest purposes" is excessively broad in scope. As regards, in particular, the Friuli-Venezia Giulia Region case, it has been also pointed out that regions are not empowered to regulate, even indirectly, personal data protection matters, but only to issue such measures as are required to implement, at regional level, provisions that have been made at national and/or Community level.
In connection with this subject matter, the mechanisms applying to creation of a road accidents database should be also mentioned. This database had been provided for in a decree-law of 28.03.2000, to include road accidents in which third-party liability policy-holders were involved – the aim being to enhance prevention of and fight against fraud in this insurance sector. The database was to be set up at ISVAP, which is the independent authority supervising insurance companies and pension funds. The provisions applying to personal data protection as included both in the decree-law and in the Act converting it into a Statute (no. 57 of 05.03.2001) were far from satisfactory, since generic arrangements had been made in respect of access to the data by judicial and other competent public bodies and no specific provisions were mentioned concerning mechanisms for and limitations on access to this information by insurance companies. ISVAP was tasked with drafting the specific regulations, and in this regard the opinion of the Garante was sought.
10. Electronic Identity Card and Electoral Card
Public administrative agencies are growingly keen on using electronic documents both in the performance of administrative activities and to deliver online services to citizens, as this can allow simplifying, streamlining and rationalising their activities. There is, however, the risk that creating and interconnecting electronic documents may be detrimental to individual rights and privacy – especially on account of the lack in Italy of consolidated laws applying to these matters. It is therefore necessary to harmonize the measures to be taken and reconcile enhanced administrative effectiveness with safeguards for personal privacy, also in line with the principles enshrined in Community law.
In the past few years, the Garante stressed the need to carefully consider the information to be included into electronic documents, the operations that may be performed on this information, the entities authorised to access the various categories of data and the rights of citizens – with particular regard to medical and biometrical data. In 2000 the Authority was requested to give its opinion on draft regulations to be issued by the Ministry for Home Affairs concerning technology and materials used in producing electronic identity cards and documents.
The Garante made a few considerations with regard to the interconnection of the individual databases, the updating of a national archive (the so-called National Index of Census Registers) – which is not provided for in primary legislation – and the processing of sensitive data. The Ministry subsequently undertook to take account of these considerations and informed the Garante that the Government planned to issue specific provisions applying to the National Index of Census Registers. However, no information has been provided so far concerning the tests on electronic identity cards carried out in various municipalities.
As to the electoral card – which is meant to replace the electoral certificate permanently – it was circulated for the first time in 2000 in a paper format, although the relevant law actually allowed issuing a single, multi-purpose electronic card that could also be used for identification. The Garante had already remarked in 1999 that the use of a paper format might fail to meet privacy requirements, as the document would disclose information on the voter's participation in the individual elections and/or referendums – namely, a stamp with the date and the number of the polling station – which could be considered excessive compared with the purposes referred to in the relevant statute. It was suggested that the use of an electronic medium would be preferable. However, these remarks were not taken into account in the regulations finally issued in 2000, as the Ministry held that the need to control the exercise of the right to vote should override the need to safeguard citizens' privacy. This issue is, however, still open, as a number of criticisms were levelled against the regulations after their publication in the Official Journal.
11. Census Registers, Registers of Births, Deaths and Marriages [Civil Status Registers] and Electoral Rolls
A considerable portion of the Garante's activity in respect of public bodies has consisted in responding to the many requests for clarification submitted by local municipalities with regard to communication and dissemination of data included in census registers, civil status records and/or electoral rolls.
The Garante has pointed out, in the individual cases, the need for complying with laws and regulations that apply to census registers; therefore, whilst it is undoubtedly possible to devise simplified mechanisms for transmitting the available data to an individual requesting access as based on the legislation in force, innovative management and/or access mechanisms require specific regulations. In particular, the unlimited consultation of census registers held by municipalities as well as the interconnection between these registers and databases managed by other administrative agencies was found to comply neither with the provisions regulating census registers nor with data protection legislation.
As to civil status (vital) records, i.e. the registers of births, deaths and marriages, the Garante stressed that public administrative agencies do not require the data subjects' consent in order to disclose the relevant data - provided this is done in accordance with existing laws and/or regulations.
The electoral rolls issue was especially difficult to cope with; the Garante referred, in particular, to the fact that any person is currently entitled to inspect and copy the electoral rolls held by local municipalities, whereas the electoral lists recording the electors that have voted in each polling station may no longer be accessed – even by elected representatives – after 15 days from the date of their deposit with the court clerk's office.
12. Taxation and Revenues
Cooperation between the Garante and the Finance Ministry continued throughout 2000. In particular, the Garante's opinion was sought – as prescribed by law – in respect of the following:
- the draft forms to be used for the 1999 tax reports, where the need for more detailed information was pointed out as regarded features of the processing and possible recipients of the data included in the tax reports;
- lawful disclosure of the names of taxpayers that report income in excess of a given threshold; as this disclosure is provided for in specific regulations that were not modified following entry into force of the DP Act, the Garante gave a favourable opinion;
- draft regulations to be issued by the Ministry in respect of the "bingo" lottery; the opinion focussed especially on the use of CCTV equipment in the premises hosting the lottery. The Garante specified that this would only be allowed in respect of the devices for drawing lots, whereas no recordings were admissible in respect of players and/or bystanders. Additionally, the proposal to keep a record of all the persons entering bingo premises, located throughout Italy – which was allegedly meant to prevent access of certain individuals such as children, persons under the influence of alcohol or carrying weapons – was found to be in conflict with the data relevance and purpose limitation principles, and was therefore rejected by the Garante;
- draft regulations on the criteria for assessing life-style and status of applicants for security benefits or allowances. A decree published in 1998 had already set forth a few "unified criteria" for assessing the applicants' economic status also based on an "equivalent economic status" index. The latter had been regarded by the Garante as a cause for some concern, since it was necessary to reconcile, via primary legislation, the public purposes served by this index with data subjects' fundamental rights. These considerations were taken into account to a limited extent, and the draft regulations are an attempt to make adjustments to the system in force. The Garante pointed out the need for adding provisions to regulate use and circulation of personal data more clearly – especially because of the planned collection of both sensitive and non-sensitive data. In particular, the setting up of a large database by INPS [the National Social Security Agency] required adequate data protection safeguards in addition to those concerning data security and integrity.
Finally, many complaints and reports were received in 2000 from citizens and consumer groups regarding the letters sent by RAI – Italy's Public Broadcasting Corporation – to persons apparently not included in the lists of subscribers to the broadcasting service, in order to urge them to pay the relevant yearly subscription charge. In particular, it was asked whether RAI could lawfully process the data concerning persons who were relatives of and/or cohabited with the registered subscribers by matching its own databases with those of census registers and telephone directories. Additionally, it was claimed that RAI had often dismissed requests to exercise data subjects' rights (access, rectification, erasure, etc.) by alleging that it was not obliged to provide information on the measures taken to detect breaches of the provisions regulating the delivery of its services. This is a complex issue, as a number of laws and regulations apply to RAI and its operation. However, it was found that RAI could lawfully process subscribers' data, also in relation to collecting additional information on them, on the basis of the framework agreement made by finance administration bodies with municipalities and other entities for the transmission of data and/or documents. The information collected in this way may be used by RAI for the purposes sought by the financial administration, including subscription management and levying of the relevant charges; all the necessary safeguards will have to be adopted as provided for by data protection provisions. However, RAI had failed to adequately inform the addressees of the above letters – i.e., as to whether the information requested was to be provided on a compulsory basis or not, what consequences could result from a person's refusal to provide the information, and the rights of access and rectification referred to in the DP Act.
Additionally, the Garante pointed out that RAI was compelled to answer the requests for access to the data in pursuance of Article 13 of the DP Act, as this right was vested in every data subject regardless of the procedure followed for processing his/her data – except as provided for in specific laws and/or regulations, which was not the case here. It was also stressed that each data subject was entitled to lodge a complaint either with judicial authorities or with the Garante in case RAI failed to answer or dismissed a request for access to the data after 5 days from the date of its receipt.
13. Files Concerning Non-EU Nationals
A few sensitive cases were dealt with in 2000 concerning setting up, management and interconnection by public bodies of files including data on non-EU nationals. These initiatives entailed the processing, at times, of sensitive data concerning aliens, which is why it was found that the complex, wide-ranging provisions applying to this subject matter – as also related to ordre public and immigration – were to be reconciled with the provisions and principles applying to personal data protection. The Garante gave a favourable opinion on the draft decree of the Ministry for Home Affairs concerning communication of data on aliens, also by way of electronic networks, between census register offices of local municipalities, Archives including data on non-EU workers and the competent central and peripheral bodies of the Ministry for Home Affairs.
The Garante also called upon the Public Security Department of the Ministry to consider the need for making the processing of data related to residence permits for social protection purposes compliant with personal data protection – namely, by using alphanumerical codes that would allow only the competent departments to identify the permit category.
LAW ENFORCEMENT AGENCIES, JUDICIAL AUTHORITIES, INTELLIGENCE AND SECURITY SERVICES
Under Article 4 of the DP Act, certain processing operations as performed in the public sector fall partly outside the scope of application of personal data protection laws; this is the case, in particular, of processing operations "for reasons of justice", for the prevention and suppression of offences, in connection with data stored in or to be transferred to the Data Processing Centre at the Public Security Department as well as of processing operations performed by intelligence and security agencies.
However, the provisions on lawfulness and security of processing as well as on the Garante's power to perform inspections and controls do apply to the above processing operations. In particular, judicial and police authorities are required to comply with the "proportionality" principle in processing personal data and to take such measures as are necessary to ensure data security. Whilst the necessary amendments and additions to the relevant legislation are expected to be made by 31st December 2001, the Garante has addressed issues related to scope of and limitations on the above provisions in respect of the processing operations considered.
15. Data Protection and Judicial Activities
The Garante has repeatedly reminded judicial authorities that procedural rules should be amended in light of the safeguards provided for by data protection legislation. This happened, for instance, in connection with the processing operations performed within the framework of a judicial proceeding that had been instituted by persons affected by specific syndromes following administration of infected blood products. The Garante stressed that the principles laid down in the DP Act, albeit not fully implemented in civil and criminal procedural laws, should be put into practice also by way of organisational measures – such as those aimed at preventing disclosure of the data of the said persons following publication of their list on a web site in order to speed up serving of the relevant summonses.
In another case it was pointed out by the Garante that complaints or reports may be lodged with the authority in order to urge checks on lawfulness of specific processing operations; however, the rights of access, rectification etc. cannot be exercised by applying directly to the judicial authority concerned or else by lodging a formal complaint with the Garante. It is expected that new tools will be made available for data subjects to establish their rights under the DP Act once the required legislative amendments are implemented – in line with the statute enabling government to pass the necessary laws and regulations.
Special precautions are required – as repeatedly stressed by the Garante – in order to safeguard the privacy of persons on whom judicial writs are to be served. Amendments to the procedural rules applying to this subject matter are required; this is likely to take place during this Parliament.
16. Police Activities
Special importance can be attached to a decision issued by the Garante in respect of the processing of personal data by the Italian Carabinieri [an armed forces corps carrying out various police functions], following a number of reports submitted by both members of the armed forces and civilians.
The inquiries made into the processing operations performed by the Carabinieri showed that there were various sectors in need of reformation, especially with regard to the processing of data for non-administrative purposes. Indeed, in addition to the processing of personal data concerning employees (which is fully covered by the Italian Data Protection Act), there are many activities in connection with ordre public, safety and military policing that are only regulated in part by the Italian DP Act – although they involve the processing of a considerable amount of personal data. This is why the Garante urged the government to pass the relevant regulations.
Consideration was also given to the long-standing practice by which the individual Carabinieri stations keep so-called "permanent files". These files (numbering over 95 million throughout Italy) currently include and/or assemble information on individuals which often dates back to over 50 years ago and has been collected pursuant to regulations that are in conflict with the current data protection principles. The Garante therefore suggested that:
a) the period for which this information may be kept should be laid down in accordance with proportionality criteria;
b) suitable arrangements should be made in respect of the information collected in remote years, especially whenever it includes sensitive data and/or opinions expressed in the past on the public repute of a given person;
c) it should be checked regularly that the information is actually relevant and not excessive in respect of the purposes sought.
Finally, the need was re-affirmed for ensuring full compliance with the Italian DP Act in respect of the right of data subjects to access their personal data processed for administrative/management purposes. These processing operations, as already pointed out, are fully covered by the DP Act; therefore they admit of no limitations in respect of the exercise by data subjects of their rights (pursuant to Article 13 in the Italian DP Act).
The Carabinieri corps took steps to comply with the suggestions made by the Garante and gave assurances as to their intention to bring all processing operations into line with the DP Act.
17. Schengen Information System
In its capacity as supervisory authority over the operation of the national Schengen Information System (N.SIS), the Garante received many requests for verification of the personal data included in the system as well as of lawfulness of processing operations pursuant to the Convention Implementing the Schengen Agreement and the DP Act. Most requests were submitted directly by data subjects, whilst in a few cases the competent supervisory authorities from other Schengen countries forwarded the requests to the Italian authority.
A considerable portion of the requests had to do with the failure to obtain visas; a smaller number concerned the reasons underlying administrative measures prohibiting entrance into and residence in our country, or else had to do with usurped identity or similar circumstances. There was an increase in the number of requests submitted to the Garante compared with 1999, partly due to the awareness-raising campaign launched in Italy and in all Schengen countries in coordination with the Schengen Joint Supervisory Body.
18. Intelligence and Security Agencies
Supervision over specific processing operations carried out by intelligence and security agencies in Italy (SISMI, SISDE and CESIS) continued throughout 2000, on the basis of the reports lodged by individual data subjects. The greatest cooperation was shown by all the competent bodies. It could be established that, on the whole, processing was lawful and adequate in the over 30 cases taken into consideration; however, a few suggestions were put forward in order to streamline implementation of the DP Act in this sector – with particular regard to the need not to collect information that is irrelevant for the purposes sought (i.e., State security and defence).
Greater care should also be taken as regards the retention period of these data, by screening the information available also by way of computerised means and providing for diversified access and/or retention mechanisms in respect of remote facts and events.
Considerable difficulty was experienced in implementing the new provisions set forth by Government in 1999 with regard to the processing of medical data by public health care bodies and related entities (medical professionals and so on). In fact, the measures laid down in articles 22 and 23 of the DP Act as amended by the provisions on the processing of sensitive data by public bodies and confidentiality of personal data in the health care sector are supposed to be applied by way of specific regulations, to be issued by the Minister for Health. These regulations have not been developed in full yet, despite the efforts of all the parties concerned (including the Garante); the main issues to be addressed have to do with suitable mechanisms for providing data subjects with the information on processing operations and obtaining their consent to the processing, in the light of the various requirements of the individual stakeholders in the health care sector.
The general authorisation (no. 2/2000) for the processing of data disclosing health and sex life was renewed until 31st December 2001; this authorisation allows the relevant entities to process medical data and data disclosing sex life without having to lodge a specific request with the Garante – as provided for by the DP Act – on condition they obtain the data subject's consent and comply with the conditions set forth in the authorisation.
Various decisions by the Garante dealt with issues related to the processing of medical data. Reference can be made to:
- data subjects' consent, as required for a company's clients to consult, via the Internet, their own medical profiles in a restricted access area on the Web,
- adoption of suitable security measures for processing medical data, in order to ensure, for instance, that the data included in so-called certificati di assistenza al parto [certificates of attendance at childbirth, issued to certify birth in a midwife's and other medical professionals' presence] are kept confidential on account of their sensitive character and the existence of provisions for ensuring the mother's right to anonymity,
- exercise of the rights of access, rectification etc., so as to ensure that the information requested by a data subject is provided if necessary by extracting it from non-reproducible documents or media – such as an echogram – and wording it in an easily understandable fashion.
20. Genetic Data
Based on the decree passed in 1999 (no. 135), the processing of genetic data will be allowed in pursuance of a general authorisation to be issued by the Garante. The latter instrument will have to regulate purposes and mechanisms of data collection and communication, lay down measures to allow data subjects to knowingly consent to the use of their genetic data without being discriminated against, ensure that the data subject's refusal to be informed on the outcome of medical investigations is respected, regulate the security measures to be adopted. Until this authorisation is issued, genetic data may be processed on the basis of general authorisation no. 2/2000 (see paragraph 19) exclusively with regard to such information and operations as are required to safeguard bodily integrity and health of data subjects, third parties or the community as a whole.
A meeting was held in June 2000 by the Garante in cooperation with the National Bioethics Committee and Legambiente [an environmentalists' association] to deal with opportunities, risks and rights in connection with "our" genetic data. In particular, the need to prevent the commoditisation of these data was stressed as also related to the international context; it should be pointed out that genetic data – like all personal data – may only be transferred to countries ensuring adequate protection (as per directive 95/46/EC) and are not included in the "Safe Harbor" agreement.
21. Medical Research
No changes were made in 2000 to the provisions regulating medical research, which stipulate that medical data may be processed for medical and epidemiological research purposes without the data subject's consent if the research activity is referred to in laws or regulations or else is carried out within the framework of the national biomedical programme; otherwise the provisions included in the Garante's general authorisation no. 2/2000 (see above) will have to be complied with until the ad-hoc regulations are issued by the Ministry for Health. The codes of conduct and professional practice are expected to also play an important role in this regard.
The basic assumption in this sector is that entry into force of data protection provisions has not resulted in the repeal of the provisions already in force as applying to confidentiality and dignity of AIDS patients. Indeed, the latter have been specifically left unprejudiced in the DP Act. However, the Garante has repeatedly addressed the relationships between the DP Act and laws/regulations applying to prevention of and fight against AIDS.
In particular, a case was dealt with concerning publication on a court's web site of the writ of summons to the preliminary hearing in a large trial involving hundreds of persons affected by AIDS. In this case, as already pointed out, the Garante reminded the Ministry of Justice as to the need to improve the procedural rules in force in order not to breach the confidentiality rights of persons who, on account of disclosure of their medical condition, might refrain from exercising their right of defence in full.
The Garante has been also investigating the activity of a few health care bodies that were planning to set up data banks for the surveillance of HIV patients, as reported by the press; the inquiries are focussed, in particular, on compliance of such data banks with the provisions on AIDS and epidemiological surveillance, on the purposes sought, the data processing and retention mechanisms – as also related to security – and the information provided to data subjects.
EMPLOYMENT AND SOCIAL SECURITY
23. Data Protection in the Employment Context
The Garante paid special attention to data protection issues in the employment context throughout 2000. In particular, access to evaluation data concerning employees was a big issue, which gave rise to many decisions by the authority and a trail of judicial proceedings challenging these decisions.
The Garante re-affirmed the employee's right – as a data subject – to access his own personal data, and the employer's duty – as a data controller – to provide information on all the data concerning an employee, including such personal data as are connected to the employer-employee relationship or the employee's legal status and salary – regardless of whether they have to do with career, leave of absence, holidays, shifts, payslips, etc. In this regard, it was held by the Garante that employees are entitled to also access the evaluation data concerning them as used by an employer to formulate the yearly performance score; personal data is defined (in Article 1 of the DP Act) as "information concerning a natural or legal person", which also includes news, information or items adding to knowledge of an identified or identifiable person. These items of information have autonomous significance irrespective of their being ultimately summarised in the yearly performance score, and may therefore be accessed by the relevant data subject, who can have them supplemented if necessary.
The decisions by the Garante were challenged by the employers concerned and reversed by the courts dealing with the cases; the final decision by the Court of Cassation is pending. It is to be expected that the Court will also take account of the Resolution adopted on 22 March 2001 by the Article 29 Working Party, in which evaluation data were recognised to be personal data.
24. Surveillance Systems in the Employment Context
Surveillance of employees is another major issue; in Italy this is regulated by an Act of 1970 under which implementing devices for the remote surveillance of employees is prohibited as unconstitutional, whilst the use of surveillance devices in connection with production management purposes is allowed on condition that various requirements are complied with (including an agreement with the relevant trade union associations).
The Garante had to address various cases in which the surveillance of employees was involved, with particular regard to access to electronic networks by employees and use of e-mail facilities. The general principles laid down in CoE Convention No. 108, EC Directive 95/46 and the opinions given by the Article 29 Working Party were taken into account in this exercise, partly because no specific laws or regulations are in force in Italy concerning (video) surveillance and data protection. The need for striking a balance between data subjects' rights and fundamental freedoms and the requirements related to employment performance and discharge of official duties has been repeatedly stressed. Further initiatives are in progress.
25. Employment Database
Within the framework of the advisory activities carried out by the Garante, consideration was given to the regulations applying to the so-called employment databases, which are aimed at facilitating the exchange of information between job-seekers and prospective employers at national level. The Garante requested that these regulations should include more detailed provisions as regards the data flows envisaged and organisation of the databases, which under the law must be in line with the principles of the DP Act.
The planned creation of an employees' "professional card" has been received with some misgivings, as the function of this card and the relevant data processing mechanisms have not been clarified yet; this also applies to the proposal for Regions to issue a "personal electronic card" for employees, especially in the absence of framework regulations that might have been better harmonised with the provisions recently enacted in respect of electronic identity cards.
26. Identification Badges
An important decision was made by the Garante concerning the identification badges worn by employees. It was ruled that the personal data included in badges worn by employees who have regular contacts with the general public should be in line with the provisions of the Italian DP Act – that is, they should be relevant and not excessive in relation to the purposes sought. The Authority's opinion had been asked in this regard by public administrative agencies, transportation companies, health care units as well as by many employees. The latter in particular complained that making publicly available certain personal data (such as their full name and particulars) resulted in the dissemination of excessive information and entailed the risk of their being exposed to undue pressure or subsequently contacted for purposes unrelated to the functions discharged.
In addressing this issue, the Garante started from the assumption that data must be relevant and not excessive in relation to the purpose(s) sought (see Article 9 of the Italian DP Act). The data included in the identification badges worn by employees are disseminated, in that they are disclosed to the general public; under the Italian DP Act, both public and private bodies can disseminate personal data if this is provided for by laws or regulations. Such laws and regulations do exist, in both the public and the private sector. They refer to wearing identification badges for purposes related to awareness-raising and enhanced transparency, as well as with a view to allowing customers to exercise their rights in respect of individual employees; however, they do not specify the information to be included in these badges. Therefore, the Garante stressed that the relevance and proportionality principles must be taken into account in this regard, and prohibited the dissemination of data that were irrelevant or excessive compared with the purposes sought by private and public bodies in having their employees wear identification badges.
STATISTICS AND SCIENTIFIC RESEARCH, HISTORICAL RESEARCH
27. Statistics and Scientific Research
The Garante promoted the drawing up of codes of conduct and professional practice for the processing of personal data in sectors serving the public interest, including statistics and scientific research. The relevant provision was published in Italy's Official Journal in February 2000. The codes of conduct are attached special importance from a legal standpoint, as compliance with them is "a fundamental requirement for the processing to be lawful". Work was in progress throughout the year with representatives from the public and private sectors involved, and an advanced stage was reached in drafting the relevant codes.
Statistics and scientific research issues were also addressed in various provisions and decisions by the Garante, with particular regard to the opinions given by the authority to government under the DP Act. One of these opinions concerned the draft regulations applying to the National Statistics System – which also includes ISTAT, Italy's National Statistics Institute – where the need for enhancing privacy safeguards was pointed out.
Another important opinion was given in respect of the draft regulations applying to the 14th general population census scheduled for October 2001. In this case we asked ISTAT to include additional information on the first page of the census forms in line with Article 10 of our DP Act (information to data subjects), to better specify data subjects' rights of access to and rectification of the data. Additionally, various items in the questionnaire (e.g., medical data, leave of absence due to disease, nationality, refugee status) would not seem to be in line with the data relevance requirement; this is why we asked ISTAT to re-consider the appropriateness of their being included in the census form in light of the purpose limitation principle. Moreover, we drew their attention to the need for ensuring that the persons in charge of distributing the forms and collecting them after they are filled in be familiar with data protection requirements, in particular as regards secrecy obligations and security against access by unauthorised third parties.
ISTAT complied with our suggestions only in part; this is an issue the Garante is monitoring.
28. Historical Research and Archives
Application of data protection provisions to processing operations for historical research purposes has required a specific approach, because of the need to reconcile privacy safeguards with the requirements made by historical research activities – which are in conflict, as such, with the temporary data retention principle laid down in the DP Act and EC directive.
The Garante therefore promoted the drafting of a code of conduct for the processing of personal data in connection with historical research activities, also applying to archivists and users of archive facilities. The code was finally published in April 2001 in Italy's Official Journal, after being developed by a working party including representatives from private and public entities, scientific societies and the relevant trade associations. The Code is available in English on our web site; here it will be enough to say that it consists of three parts concerning general principles, rules of conduct for archivists and rules for users, respectively. The basic assumption is that the use of personal data acquired in connection with historical research activities as well as the access to records and documents must not be in breach of data subjects' rights, fundamental freedoms and dignity. This entails limitations on the principle of free access to public archives, as required in order to protect privacy and prevent the disclosure of irrelevant information. Reference was made to the need for archivists to implement suitable security measures and abstain from using the archived information for personal purposes, and to the requirement that users take special care in collecting, using and disseminating the data included in the records accessed and only use these data for the purposes described in a specific research project.
ASSOCIATIONS, POLITICAL GROUPS AND PARTIES, RELIGIOUS DENOMINATIONS
29. Data Protection and Associations
The Garante re-affirmed that it is unlawful to use the lists including data on members of an association for purposes other than those specified in the relevant information. This finding was made, in particular, in a case concerning political propaganda activities. The same applies to using data on members where the information provided to the latter is excessively broad and generic and therefore prevents identifying the purposes of the processing operations performed.
The above cases and other cases already dealt with in the past years led the Garante to lay down a sort of "decalogue" applying to the use for political (propaganda) purposes of the data concerning members of non-political associations – including trade unions, trade associations, sports societies. Such use is allowed if it is expressly referred to in the information provided to the members at the time of their registration/enrolment (or renewal of membership). In this regard, investigations were started into the inappropriate use for electoral purposes of the patients' data that medical doctors and/or health care institutions had collected for medical purposes.
30. Use of Personal Data for Political and Electoral Purposes
Important decisions were made by the Garante in connection with the general elections scheduled for March 2001 in Italy. In particular, a provision by the Garante drew the attention of political parties and groups to some basic principles that must be complied with in order to ensure that the processing of personal data for electoral purposes is in line with the DP Act.
In this regard, mention should be made of another provision in which the Garante exempted political parties and groups, supporting committees and candidates – until 30 June 2001 – from the obligation to provide information to data subjects as per the DP Act, on condition that the personal data were taken from publicly available documents, lists or records and only were used for political propaganda or communication purposes. It was pointed out that the above exemption did not apply to the sending out of e-mail messages or letters, as in these cases it was possible to include the information for data subjects into each message and/or letter.
A specific issue addressed in this context had to do with the source of the personal data used for electoral purposes. The Garante ruled out the possibility for a political association to use e-mail addresses gathered from the Web in order to send out political messages and information without the addressees' consent. The decision came after a number of reports in which citizens complained either that they had received unsolicited e-mail with political content from the association or that they had been unable to obtain cancellation of their data from the mailing list after having repeatedly requested the association to do so. The association had alleged that the over 390,000 e-mail addresses included in their mailing list had been gathered from the Web via a specific software picking up all the addresses appearing on web pages with given domain names – e.g., ".it", ".org", ".com", ".net". The allegedly public availability of such data would make it possible to dispense with the consent requirement in respect of data subjects. However, the Garante pointed out that the basic requirement of obtaining the data subject's consent for processing his/her data can be overridden if, inter alia, the data are taken from "public registries, lists, instruments or publicly available documents". The public nature of such documents is related to the existence of a legal provision laying down the general availability of the information included in them. Since this did not appear to be the case under the circumstances described, nor could any proof be obtained that the data subjects' consent had been obtained in order to disclose their data for purposes of a political nature, the allegations made by the association were found not to be consistent either with the Italian DP Act or with EC Directive 95/46 (in particular, Article 7 concerning lawfulness of the processing).
Another allegation made by the association was that many of the e-mail addresses had been gathered from newsgroups and discussion forums; it could therefore be argued that the users had decided to publicise their own e-mail addresses and were supposedly aware that such addresses would be read and collected by any person visiting the relevant web page. Again, this allegation was found to fall short of the requirements laid down both in the EC directive 95/46 and in the Italian DP Act. Indeed, collecting – with a view to totally unrelated purposes – the data made available by users who participate in a newsgroup exclusively for the purpose of debating on given issues or topics is against the fairness and purpose specification principles laid down both in Italy's DP Act and in Article 7 in the EC directive 95/46. This view was also supported by the Article 29 Working Party in its Opinion no. 1/2000 on Certain Data Protection Aspects of Electronic Commerce – where it is stated that "If an e-mail address is collected in a public space on the Internet, its use for electronic mailing would be contrary to the relevant Community legislation (...)".
The Garante therefore ruled that the association was to refrain from further using the personal data of users who had not given their prior consent to the processing of their data for receiving political information messages. Additionally, the association was urged to take suitable steps in order to rapidly comply with the requests lodged by data subjects to have their data erased in pursuance of Article 13 of the Italian DP Act. It must be pointed out that the Garante's decision was challenged by the association before Rome's court; the final judgment is pending and we are monitoring the relevant developments.
31. Condominiums and Corporations
As regards the processing of personal data in connection with condominiums, the Garante stressed that such personal data may be processed as are collected and used for the purposes specified in the relevant sections of the Civil Code; the tenants are to be regarded as joint controllers of the processing. We also pointed out that the DP Act had not modified the relevant provisions, in particular those concerning the mechanisms for convening a tenants' meeting and issuing legally sound deliberations – i.e., it is necessary for the tenants' particulars to be available so as to allow their identification, by taking account of the data relevance and proportionality principles. Therefore, it will not be necessary for a tenant to disclose his/her phone number as this information is not necessary in order to verify whether he/she is entitled to take part in the meeting.
As to corporations, the Garante seized the opportunity provided by a decision on a complaint lodged by the partner in a corporation to point out that the provisions included in the DP Act are compatible with those on company registers. In particular, partners are entitled to access data, news and documents related to a corporation's activity, in line with the relevant laws, regulations and community rules; they may access the data and records included in company registers, irrespective of the data subjects' consent, since these registers are referred to by law as publicly available documents.
LEGAL PROFESSION, PRIVATE DETECTIVES, FREELANCE PROFESSIONALS
32. Activity of Freelance Professionals
The Garante has dealt repeatedly with the effects produced by the DP Act on the activities carried out by freelance professionals, starting from the publicity of professional rolls and related records.
In particular, the Garante stressed once again that the DP Act did not modify the laws and regulations applying to the publicity of professional rolls and related records, since these rolls are intended, by their very nature and function, for public dissemination, partly with a view to safeguarding the rights of the parties who have dealings with the persons included in them.
It should be also mentioned that the Garante re-issued general authorisations no. 4 and 6 concerning the processing of sensitive data by freelance professionals and private investigators, respectively. These authorisations will be applicable until 31st December 2001.
33. Data Collection in the Exercise of the Right of Defence
An important issue that we addressed repeatedly in 2000 had to do with the collection of personal data in the exercise of the right of defence, with particular regard to private detectives' activities. The provisions included in General Authorisation no. 6/2000 and no. 7/2000 are especially relevant in this context.
Another side to this topic consisted in the many complaints lodged by persons who had been denied access to the personal data included in a judicial case file. The Garante stressed that the provisions of the DP Act apply only in part to these processing operations, and in particular that those on the rights of access, rectification etc. and those regulating the lodging of complaints with the Garante are not applicable at present. Therefore, no complaint may be lodged against judicial authorities in order to access personal data in judicial case files, nor may a request for access be submitted in pursuance of our DP Act; rather, a claim may be submitted to the Garante requesting a check that the processing operations performed by judicial authorities comply with the requirements set forth in the relevant laws and regulations.
Specific mention should be made, in this context, of the innovations brought about by the new Act on the investigations that defence counsel are allowed to carry out in criminal proceedings (Act no. 397/2000). The collection of personal data by private detectives and technical experts acting on defence counsel's instructions will have to be regulated in greater detail, and the safeguards provided for by the DP Act will have to be ensured, which applies especially to the need to provide adequate information to data subjects, as also required by the Criminal Procedure Code. As pointed out by the Garante, this can mostly be achieved by adjusting current practices accordingly; self-regulation may play an important role in this respect.
34. Codes of Conduct
As regards the investigations carried out by defence counsel, other issues as yet unresolved have to do with the retention period of the data, the collection of certain sensitive data and the obligations applying to the entities that take part in processing the data for the above purposes. These issues are currently being addressed by a working group, which has been tasked with drafting codes of conduct under the auspices of our authority. It should be pointed out that both legal professionals and private detectives have already taken steps in this direction. In particular, Italy's Association of Criminal Lawyers approved a set of "Lines of Conduct" for criminal lawyers carrying out investigations in criminal proceedings, which also takes account of data protection requirements. These and similar initiatives will facilitate the drafting of a code of conduct on the use of personal data for the purpose of exercising the right of defence in criminal, civil and administrative proceedings.
CREDIT, FINANCIAL AND INSURANCE ORGANISATIONS
The principles and provisions of the Italian DP Act have had a major impact on the activity of credit, financial and insurance organisations in terms of the collection and processing of personal data. A number of requirements to be met by these organisations have produced considerable effects on their everyday activities and customer relationships. Additionally, these are the economic sectors where users/consumers have proven especially keen on the safeguards afforded by privacy laws, precisely because of the important role played by personal information in connection with the services provided, as well as on account of the large databases and considerable data flows concerning virtually every citizen in Italy. This may account for the increasingly frequent recourse to the remedies available to data subjects for establishing and defending their own rights and fundamental interests in this field.
A considerable number of complaints, reports and queries concerning the above sectors were received by the Garante in 2000, with particular regard to two areas where the number of disputes appears bound to increase in the short to medium term, i.e. until legislative amendments are made, if any, or unified guidelines are issued by the Authority. Reference is made here to:
- the functioning and operation of credit rating systems and the so-called credit reporting bureaus managed by private bodies, with particular regard to consumer credit, and
- access by policyholders to forensic medicine reports drafted by health care professionals appointed by insurance companies in connection with claims for damages and/or the payment of damages, as regards both car insurance and medical insurance policies.
As regards the reports submitted by citizens in connection with banking activities, it should be pointed out that there was a considerable increase in the number of complaints lodged against banks alleged to have violated privacy and confidentiality rules, namely by disclosing information on customers' transactions and/or accounts, often in connection with proceedings pending before judicial authorities. Based on the findings made in dealing with these complaints and reports, the drafting of a code of conduct applying to the processing of personal data by banks and financial institutions appears increasingly necessary as a means of providing consumers with guidance on where to expect adequate safeguards for the confidentiality of their data. The Garante has already taken a few steps in order to promote such initiatives.
36. Forensic Medicine Reports and Insurance Litigations
A considerable number of complaints were lodged in 2000 in connection with the processing of personal data in the insurance sector, confirming the high rate of disputes in this sector, as already pointed out in previous annual reports by this Authority. These cases mostly concerned victims' requests to access their personal data as included in the report drafted by the insurance company's medical expert.
The Garante has repeatedly stressed that the information included in these reports constitutes personal data; indeed, though comprising different types of information, the data in question provide direct and indirect clues on the person concerned, his/her diseases, if any, and the relationships between such diseases and other events in the person's life. The concept of personal data, as enshrined in the European Directive and in Italy's DP Act, is actually quite wide-ranging, since it includes not only civil status and/or "objective" information, but any news or information that contributes to the knowledge of an identified or identifiable person.
In particular, the Authority pointed out in a decision (concerning the performance scoring of employees) that the relationship between the scoring and the employees' conduct reflected an underlying relationship between the scoring and facts and circumstances that could be precisely identified, and did not merely relate to opinions and representations. By the same reasoning, medical evaluation data had to be regarded as personal data in that they disclosed the data subject's health; these data are included in a document which is the outcome of a process by which the medical expert formed his opinion on the basis of medical reports and of the information resulting from the relevant medical examinations. It was therefore ruled that the complainant was entitled to access his own personal data as contained in the insurance company's medical expert's report; this also applied to the personal information consisting in an opinion on the degree of permanent disability affecting the data subject as a result of an accident, and to the additional information underlying the medical expert's opinion. The insurance company was ordered to comply with the data subject's request within 30 days.
The above decision and others have been challenged (although to a limited extent) before ordinary courts; the final decision by Italy's Court of Cassation is pending. It should be pointed out that an issue also addressed by the Authority in connection with access to these data is the possibility of deferring access for as long as it might jeopardise defence counsel's investigation and/or the establishment or defence of a judicial claim. In these cases the Authority has stated that a decision must be taken on a case by case basis, by considering all the relevant circumstances as pointed out by the data controller. It is, again, a matter of striking a balance between conflicting rights.
37. Data Collection in the Insurance Sector
In addition to the issues mentioned above, other questions raised in the insurance sector during the past few years have to do with the requirements imposed on data controllers by data protection legislation, with particular regard to the information to be provided to data subjects. The Garante has been pursuing, together with the competent trade association, the simplification of the forms used for providing information and obtaining consent, taking account of all the processing operations and data categories involved. This is especially important in the light of the large amount of sensitive data (medical records) typically processed by insurance companies; it is no mere chance that a general authorisation for the processing of sensitive data was issued by the Garante specifically with regard to the activities of insurance companies (no. 5/2000).
Reference should also be made in this regard to the setting up of a database on car accidents; this database will be supervised by ISVAP (Italy's independent supervisory authority with competence for insurance companies and pension funds) in order to better prevent fraudulent practices in this sector. Insurance companies are required to transmit data on accidents in which their policyholders have been involved starting from 1st January 2001; the actual operating mechanisms of the database will have to be set forth in a specific regulation by ISVAP. Given the sensitive issues involved (such as identifying the personal information to be included in the files and specifying the private and public bodies that will be entitled to access the data), the Garante has been cooperating with ISVAP in order to bring this initiative into line with data protection requirements.
38. Credit Reference Bureaus and Financial Companies
A considerable portion of the complaints received in 2000 concerned processing operations performed by credit and financial institutions as well as by entities managing credit reference services, whether in the public sector (Bank of Italy) or in the private sector. These activities produce considerable effects on the consumers concerned; indeed, at times they entail serious consequences, such as preventing a consumer from obtaining any type of financing, or the violation of basic privacy principles that are also bound up with fundamental rights and human dignity. We believe it is high time that homogeneous criteria and mechanisms were laid down in order to better reconcile the requirements of adequate financial risk management with those resulting from the need to safeguard personal data. In this regard, the forthcoming code of conduct applying to this sector can be expected to prove especially useful, also in order to prevent further disputes.
Meanwhile the Garante has already started investigating various cases in connection with complaints alleging a failure to erase personal data. Additional information and explanations were requested from various financial companies and private credit reference bureaus as to the information provided to customers, the mechanisms for obtaining their consent, the retention period of credit reference data, etc. We have also been cooperating with the Bank of Italy in order to lay down the regulations applying to a new centralised system for monitoring financial risk; this system will be managed by a private body in agreement with Italy's Banks Association. A favourable opinion was given by the Garante, since the guidelines provided in this respect had been complied with, in particular as regards information to customers, security measures and the exercise of the right of access.
JOURNALISM
Many requests, queries, reports and complaints were received in 2000 in connection with the processing of personal data for journalistic purposes. This is clearly related to the importance of journalistic activities (and of the media in general) in today's society, which entails the need to strike a balance, on a case by case basis, between the material character of the information disclosed and the public interest in being informed on a given subject. Journalism-related issues are being raised with increasing frequency also in connection with the disclosure of personal data via the Internet, which is becoming increasingly common as a communication medium.
40. Official Secrecy, Professional Secrecy and So-Called Investigational Secrecy
Limitations on Confidentiality of Sources in connection with Judicial Investigations
Journalists are entitled to keep their sources of information confidential, unless a court orders them to disclose such sources because the information is required as evidence of a crime and it is necessary to verify its reliability by identifying the source. In this regard, a case can be mentioned in which a journalist complained that this confidentiality principle had been infringed following a search ordered by the public prosecutor's office in connection with investigations into the alleged disclosure and use, by a civil servant, of information covered by official secrecy. The investigations had been started precisely following the publication of an article by the journalist, in which the latter mentioned that a person had been arrested in connection with a criminal investigation. The Garante found the complaint groundless on the basis of the findings made during the proceeding; however, the decision was important in that it allowed us to clarify that, given the competence currently recognised to the DPA in respect of processing operations performed by judicial bodies, it is not possible to apply to the Garante in order to challenge either the evidence acquired during pre-trial investigations or the validity of procedural measures, such issues being reserved for the competence of the courts.
Journalists' Professional Secrecy and Exercise of Access, Rectification, Erasure etc. Rights
The limitations to be imposed on journalists' professional secrecy were taken into account in a case related to the exercise of the access, rectification etc. rights laid down in Article 13 of Italy's DP Act. In particular, the Garante found that a person's right of access to the personal data concerning him/her also extended to a citizen's request to know the source of the information (a confidential letter) published by a journalist in an article. The data subject's right to know of the existence and source of the personal data concerning him/her must be respected also in relation to journalistic activities, unless the source of the information is covered by professional secrecy on account of the relationship of trust between the source and the journalist.
Lawful Collection of Data Subsequently Disseminated via the Media
A significant example of this issue is provided by a complaint in which a lawyer requested that the dissemination, via a videotape sold together with a magazine, of an interview between the complainant and a colleague be terminated; the interview had allegedly been recorded with a hidden camera without his knowledge. After ordering the precautionary suspension of the publication, the Garante ruled that the complaint was well-founded and confirmed the suspension order. Indeed, although it is permitted to record an interview without the other party's consent where this is necessary for the defence of a judicial claim, as provided for by the DP Act, the recording may only be used without the data subject's consent for that same purpose, i.e. for judicial purposes. Therefore the videotape including the recorded interview should not have been sold with the magazine, whereas it could undoubtedly have been sent to the judicial authorities.
41. Journalistic Activities and Compliance with Data Protection Principles
The Garante has repeatedly stressed that the largely special provisions applying to the processing of personal data for journalistic purposes are to be complied with. Therefore, if the publication of news and information is aimed at informing the public on the development of a story that has been followed with keen interest at national level, and if the information provided is material to the story and the relevant data are reported, the processing of such data is to be regarded as lawful even in the absence of the data subject's consent, which Article 25 of our DP Act expressly dispenses with in this context. This also applies to the disclosure of sensitive data via the media, on condition that the information is of a material character and no reference is made to relatives or parties that are not involved in the facts considered, as set forth in the journalists' code of conduct (available on our website).
Privacy of Public Figures
The private life of persons holding public office and/or especially well known to the public can be considered somewhat reduced in scope. This concept was taken into account in the journalists' code of conduct; however, it was also stipulated that the private life of these persons is to be respected where the news or information is irrelevant to their office or public life.
This principle was reaffirmed in many cases addressed by the Garante during the past year. From a general standpoint, it was stressed that quite detailed information may actually be provided in certain circumstances, such as where a person is (regarded as) a public figure.
Information Disclosed Either Directly by Data Subjects or via their Public Conduct
If the information concerning a data subject has been made available by the data subject him/herself, no measure may be taken by the Garante, since this is a case specifically referred to in the DP Act as entailing unrestricted freedom of processing for journalistic purposes. This is why the Authority dismissed a complaint lodged by the natural father of a child, who had himself made statements on the matter during a TV show.
Publishing Disciplinary Measures Taken by Trade Associations
We stressed repeatedly that the DP Act did not modify the legislation applying to the publicity of professional rolls and related documents. This is why the privacy of a professional who is the subject of disciplinary measures cannot be considered to prevail over the public interest in being informed of said measures, including by way of their publication in magazines, newsletters or other media, also with a view to safeguarding the rights of the persons who have dealings with that professional for whatever purpose.
Publishing Information on Tax Returns
This issue has been addressed quite often by our Authority. We explained that, under the laws in force, certain lists of taxpayers and their income have to be published; additionally, local municipalities are required to set up lists including the names and particulars of all taxpayers submitting tax returns and/or managing commercial enterprises or working as professionals, and these lists must be deposited for one year with the Revenue Offices and the local municipalities so that any person may freely inspect them. This information being therefore publicly available, we ruled that newspapers and/or magazines and/or other media could publish it without any consent being required.
42. Protection of Minors
Minors are undoubtedly exposed to the risk of infringements of their fundamental rights, in particular of their right to privacy, caused by the media. This is why the Garante has repeatedly called upon the relevant stakeholders to respect the limitations imposed on the disclosure of personal data concerning minors. As also specified in the journalists' code of conduct, the particulars of minors involved in specific events should not be published; additionally, a minor's right to privacy is always to be given precedence over freedom of the press. Therefore, even where the disclosure of images and/or information concerning minors is considered to serve an important public interest, journalists should also consider whether such disclosure is objectively beneficial to the minor, in accordance with the principles laid down in the relevant code of conduct.
On the above grounds, we ordered the suspension of the processing of data concerning the sexual harassment of a girl who had been kidnapped, since the publication of this information would have been markedly prejudicial to the data subject, apart from any possible criminal consequences. On the other hand, we also stressed (in a press release published in August 2000) that the blanket dissemination of information is not allowed by our legal system. In particular, publishing lists of persons convicted in the past of serious crimes involving violence against minors is of doubtful effectiveness as a means of preventing similar events; in addition, it may harm the minors victimised by those offenders, expose the publishers to litigation where the data published are inaccurate and, above all, violate the "right to oblivion" that must be granted to persons who were convicted of crimes committed many years before.
SURVEILLANCE AND BIOMETRICAL INFORMATION
43. Video Surveillance
Video surveillance received special attention from our Authority during the past year, both because of its increasing use and on account of the many reports submitted by citizens in this regard. Pending the issuance of specific regulations applying to the deployment of video surveillance equipment, it can be argued that the general data protection provisions also apply to images and sound where the equipment used allows a given person to be identified, directly or indirectly. This consideration is based on the definition of personal data as any information "relating to persons that are identified or can be identified by reference to any other information", the latter consisting, for instance, in a link to other information sources such as identikits or police files including images.
On the above premises, it should be stressed that many local municipalities sought our opinion in connection with the planned deployment of video surveillance systems, either for traffic control purposes or with a view to the prevention and detection of offences. We pointed out the amendments required by data protection laws, in particular as regards the prevention and detection of offences, which do not necessarily fall within the competence of local municipalities. Suitable arrangements were suggested for adopting appropriate security measures and providing information to data subjects. Data quality requirements were also addressed, by limiting the filming arrangements and specifying the entities entitled to access and use the recorded data.
An important initiative was also undertaken by the Garante in the past year, namely a survey of the video surveillance devices used for the surveillance of public areas in a few Italian cities selected as a significant sample (Milan, Verona, Rome, Naples). This survey was carried out as a pilot study in cooperation with a company specialising in statistical analysis, to serve as the basis for a wider study assessing the "environmental impact" of video surveillance. A total of 1095 video cameras could be identified, from which a total number of about 1 million video cameras in Italy can be estimated. No significant differences could be found among the four cities considered; in most cases the surveillance equipment was deployed near banks, at door level, and could be identified easily. The only difference consisted in the uniform distribution of cameras throughout the territory of the Milan municipality, whereas in Rome, Verona and Naples cameras were especially frequent in downtown areas.
The results of this survey prompted the Authority to issue a sort of "decalogue" applying to the use of video surveillance equipment in public places. In this regard, account was also taken of the draft guidelines laid down by the Council of Europe, which are expected to be finalised shortly. The basic assumption is that proportionality must be ensured between the means implemented and the purposes sought; the following guidelines were therefore set forth:
a) It is necessary to clarify the purposes sought and verify that they are lawful in accordance with the laws in force.
b) The data must be processed for specific, explicit and lawful purposes.
c) Data controllers required to notify processing operations must also refer to the collection of data via video surveillance equipment.
d) Citizens must be made aware, even in a summary fashion, of the presence of video cameras and of the rights they are recognised in respect of their own data, especially if the equipment is not immediately visible.
e) The prohibitions and safeguards set forth in the Workers' Statute [an Act passed in 1970 to regulate employer-employee relationships] are left unprejudiced as regards the "distance" control of employees.
f) Only such data as are necessary for the purposes sought may be collected, i.e. only the necessary images may be recorded, by limiting the visual angle, avoiding detailed images or zooming, locating cameras appropriately, etc.
g) The retention period of recorded images is to be specified; as a rule, images may only be kept in connection with offences and/or police/judicial investigations.
h) The persons entitled to use the surveillance equipment and to access the recorded images must be specified in writing.
i) Data collected for a given purpose may not be used for different purposes, except where they are necessary for police or judicial investigations; no communication or dissemination of these data is allowed.
j) Images recorded for traffic control purposes must comply with the relevant regulations and be kept for no longer than is necessary in order to charge a driver with a traffic offence.
It should also be pointed out that the installation of video surveillance equipment in one's own private premises does not fall within the scope of application of the DP Act, as the data are processed for personal purposes. There are, however, a few requirements that must be abided by even in this case: for example, only the area immediately pertaining to one's private dwelling may be kept under surveillance, and the information collected must not be communicated or disseminated to other persons.
44. Fingerprints and Biometrics
The use of biometric systems for security and identification purposes was addressed by the Garante on various occasions in the past year. Three basic issues can be distinguished so far, on the basis of the experience gathered in connection with fingerprint-based systems:
a) the need to comply with the proportionality principle in relation to the purpose(s) sought. In the cases considered, the blanket collection of significant data (fingerprints plus video-taped images) was found to be excessive compared with the purposes to be achieved, in the absence of circumstances pointing to an actual, present danger;
b) insufficient or no information being provided to data subjects, which is all the more serious as biometric data potentially enable far-reaching inferences on a person's status;
c) the need for more detailed arrangements concerning the mechanisms of data collection and classification, the retention period, security measures, and access by the organisation's staff and/or the police.
The processing of fingerprint data was therefore suspended by the Garante in the cases considered, all of which involved banks and financial institutions. An in-depth analysis of this topic is being carried out by the Authority in order to strike a reasonable balance between the respective requirements.
45. Electronic Bracelet
Considerable interest was raised by the controversial introduction of devices enabling the remote surveillance of persons under house arrest. These measures were put into practice at the beginning of 2001, by an order of the Minister for Home Affairs which took account of the suggestions and considerations made by the Garante in respect of the processing operations entailed by this initiative. In particular, amendments were made to the mechanisms applying to the collection and processing of the data, the retention period of the information collected, and the security of the personal data stored.
MARKETING
46. Information to Data Subjects and Specific Consent
The importance of personal data collection in connection with direct marketing activities is self-evident; indeed, personal data can be said to be the main commodity for direct marketers, who are keen on information concerning suitable candidates for the purchase of the goods and services on offer. It should be pointed out, however, that a growing number of businesses are realising the importance of privacy as an asset in customer relationships, and therefore aim at setting up databases based on the free, informed consent of their addressees.
As regards, in particular, the collection of data via questionnaires and vouchers, we took the opportunity to issue a few basic guidelines for direct marketers, which were also published on our Web site (an English version is available). These guidelines served as the basis for many decisions by the Authority in this sector, where the following issues were raised: a) the information provided to data subjects on the vouchers/forms used for collecting data often proved incomplete and in need of rewording; b) the arrangements made by, in particular, telemarketing companies needed amending: data subjects contacted by phone must be given information, at least in a summary fashion, on the processing operations planned in respect of their personal data; c) the data subject's consent is required for further processing operations and for the disclosure of his/her data to third parties, in accordance with an "opt-in" rather than an "opt-out" approach.
In addition to pointing out the required amendments to the individual companies, the Garante convened two meetings with trade associations in order to exchange views and suggestions in this field. During these meetings it was stressed that consent must be given freely and expressly for the purposes specified by the data controller, and that proof of consent must be retained in writing. The trade associations convened declared their readiness to set up a working party to consider the issues related to implementing the DP Act in the direct marketing sector, possibly with a view to drawing up guidelines and simplified forms for use by the relevant organisations.
ELECTRONIC COMMERCE
It can reasonably be argued that privacy policies in connection with e-commerce have become a competitive advantage for businesses, which are increasingly realising the importance of fairness and openness in handling their customers' personal information. The trends and adjustments required in this sector by data protection legislation have been highlighted at Community level as well, in particular by a study on spamming published at the beginning of the past year and by many documents adopted by the data protection working party (see relevant links). From a general standpoint, these documents and studies show that protecting privacy is actually a prerequisite for e-commerce to develop; additionally, consumers and users tend to select businesses on the basis of their privacy policies, and aggressive marketing practices, apart from violating fundamental individual rights, are often ineffective or even counterproductive, as they lead to the generalised rejection of all such communications (as is the case with spamming). Providing users with exhaustive information on the processing operations scheduled and obtaining their informed consent are fundamental also with a view to long-term consumer loyalty.
48. Case Studies
Monitoring of a few web sites was undertaken in the past year in order to verify the information provided to users and the mechanisms for obtaining their consent, where necessary. Additional verifications are in progress following reports submitted by citizens in respect of the so-called "hidden processing operations" allegedly performed by other web sites. Many decisions are pending in respect of unsolicited e-mails and/or fax communications sent in breach of the relevant laws and regulations.
ELECTRONIC NETWORKS AND TELECOMMUNICATIONS SERVICES
Telecommunications issues were the focus of special attention by the Garante during the past year. Many reports and complaints were received, which shows both the sensitivity of public opinion to TLC privacy issues and the growing familiarity with the use of TLC equipment. Privacy laws and regulations can be said to play a fundamental role in this regard, also in the light of the increasingly sophisticated profiling and categorising techniques implemented by businesses and service providers. This is why most of our activity in this sector consisted of checking that TLC services were delivered and implemented in compliance with data protection regulations, with particular regard to Internet services and mobile and fixed telephony services.
50. Transparency and Fairness toward Internet Users
It is a fact that surfing the Internet is nowadays an activity fraught with many dangers for one's privacy. Indeed, users are often unaware that their personal data are collected and subsequently processed for purposes of which they have no inkling; they are therefore prevented from taking informed decisions in this regard.
We have repeatedly considered the fairness and transparency of the mechanisms adopted by Internet access providers for processing personal data. In particular, we pointed out the changes required of a major free access provider to ensure the lawfulness and fairness of its processing operations. Since the suggestions made were actually applicable in general terms, a copy of this decision was sent to sector organisations for awareness-raising purposes. Data subjects must be allowed to decide how their data are to be used, by receiving all the required information concerning the purposes and mechanisms of the processing. Additionally, this information will have to be posted before a user's personal data are recorded, and will also have to refer to the rights of access, rectification, etc. Disclosure of the data to other categories of controller must be referred to; in particular, the voluntary disclosure of certain items of information – which access providers actually use for profiling purposes – will have to be pointed out in the access application form. Appropriate measures will have to be implemented in order to prevent the collection of sensitive data.
Defamation via the Internet
Freedom of speech is subject to such limitations as are provided for in criminal and civil laws. However, the powers conferred on a data protection authority do not extend to punishing defamation or libel, since the latter are regulated by specific statutory provisions. This was the case, for instance, with a complaint lodged with the Garante by two persons requesting that the personal data disseminated via certain web pages be either erased or blocked. The authors of these pages were said to have disclosed information that was allegedly untrue and defamatory in respect of the complainants, and not to have complied with the limitations imposed on freedom of the press (in particular, the requirement that the information be of public interest, true and accurate) and the data protection principles applying to journalistic activities and to the temporary processing of personal data for the occasional publication of intellectual works. The request made by the complainants in pursuance of Article 13 of the DP Act – i.e., erasing the data - had, however, already been complied with by the authors in the meanwhile, and we therefore ruled that the complaint was inadmissible. It was pointed out, however, that the decision left unprejudiced the complainants' right to seek judicial remedy in connection with other issues (such as a claim for defamation or damages) - which do not fall within the scope of the Garante's competence.
Obviously, the Garante is entitled to suspend publication of data that are processed unlawfully or else disclosed in breach of confidentiality rules.
51. Processing of and Access to Traffic Data
Many complaints were received in 2000 concerning the obstacles allegedly created by TLC companies to accessing data concerning telephone bills. It has been repeatedly pointed out by our authority that the privacy act allows subscribers to access both inbound and outbound traffic data without any (judicial) authorisation and/or order being required. In this case, however, the final three digits of the called numbers must be blanked – pursuant to the guidelines laid down in directive 97/66/EC. These are much-debated issues, and the revision of the TLC regulatory framework at Community level can be expected to lead to considerable changes in this sector.
52. Publicly Available Directories and Data Subjects' Rights
In a decision taken in mid-January 2000, the Garante ruled out the possibility for a political association to use e-mail addresses gathered from the Web in order to send out political messages and information without the addressees' consent. The decision came after a number of reports in which citizens complained either that they had received unsolicited e-mail with political content from the association or that they had been unable to obtain cancellation of their data from the mailing list despite having repeatedly requested the association to do so.
The association alleged that the over 390,000 e-mail addresses included in the mailing list had been gathered either from the Web, via specific software that picked up all the addresses appearing on web pages with given domain names – e.g., ".it", ".org", ".com", ".net" – or from newsgroups and discussion fora. It was the association's opinion that in both cases the data could be considered to be publicly available, since the users were supposedly aware that their addresses would be read and collected by any person visiting the relevant web pages; therefore, there was no need to obtain the data subjects' consent. However, the Garante pointed out that the fact that a given item of personal data is available to a number of entities, whether on a temporary basis or not, does not imply that the data is "publicly available" in the sense set out by the DP Act. Indeed, public availability is related to the existence of a legal provision laying down the general availability of the information included in a given document or record. This did not appear to be the case here, nor could any proof be obtained that the data subjects' consent had been obtained in order to disclose their data for purposes of a political nature. On the other hand, it was stressed that collecting - with a view to totally unrelated purposes - the data made available by users who participate in a newsgroup exclusively for the purpose of debating given issues or topics is against the fairness and purpose specification principles. This view was also supported by the Article 29 Working Party in its Opinion no. 1/2000 on Certain Data Protection Aspects of Electronic Commerce – where it is stated that "If an e-mail address is collected in a public space on the internet, its use for electronic mailing would be contrary to the relevant Community legislation (...)".
The Garante therefore ruled that the association was to refrain from further using the personal data of users who had not given their prior consent to the processing of their data for receiving political information messages. Additionally, the association was urged to take suitable steps in order to rapidly comply with the requests lodged by data subjects for the erasure of their data in pursuance of Article 13 of the Italian DP Act. Our decision was challenged by the association; the final judgment is pending.
Directories of Subscribers to Mobile Telephony Services
Recently enacted regulations provide for the possibility of publishing directories of subscribers to mobile telephony services. Subscribers are free to decide if and how to be included in these directories, and to specify that their data may or not be used for marketing purposes. Directories of subscribers who have not expressly objected to being included in a directory are to be made available to the public on paper and/or electronic media and regularly updated.
We requested mobile telephony service providers to notify us of the measures planned in order to set up these directories and inform data subjects, also in order for the latter to exercise the rights conferred on them under data protection legislation. There is a risk that the regulations will be implemented without fully ensuring data subjects' rights, in the light of Opinion no. 7/2000 of the Data Protection Working Party as well as of the forthcoming revision of directive 97/66/EC – which would appear to favour an "opt-in" approach as to the possibility for subscribers to decide whether to be included in a publicly available directory. Adequate information to subscribers is fundamental in respect of the purposes of these directories and the use possibly made of their personal data.
53. Location Services
Location data are already available on mobile communications networks; there are, however, new services allowing the location of a user's mobile device to be identified precisely, in order to subsequently deliver so-called value added services. In the past year, we investigated reports according to which a few access providers were planning to implement location services for mobile telephony based on CellPoint Finder technology. In addition to requesting information on the features of the software used for this purpose, data storage arrangements, notification to subscribers and users, and consent requirements, we convened the providers involved in order to jointly evaluate the material submitted. The issue is currently under scrutiny both by our authority and by the authority for communications safeguards.
DATA AND SYSTEMS SECURITY
54. Implementing Security Measures: State of the Art
The "minimum security measures" to be taken by data controllers in compliance with their duty to minimise the risk of destruction or loss of the data, unauthorised access or unlawful processing were finally set forth in regulations that came into force in March 2000. These regulations provide that data controllers are obliged not only to take the minimum measures referred to above, but also to keep and control the data by adopting suitable preventive security measures that are broader in scope. The deadline for taking the minimum security measures referred to in the regulations was subsequently postponed (by a specific statute) to 31st December 2000, on condition that the controllers drafted a document explaining the reasons that justified their delay in complying with the original deadline and outlining the security criteria to be implemented. This was followed by a provision of our authority laying down guidelines on how to draft this document and ensure that it would bear a certified date.
55. Initial Implementation
The Garante addressed the implementation of minimum security measures by data controllers on various occasions. In an opinion rendered further to a request submitted by Italy's Convention Against AIDS (LILA), we stressed that health care bodies are to adopt specific safeguards to ensure the confidentiality of the data they process – with particular regard to keeping census register data separate from medical data and encrypting the information included in lists and/or databases. Suitable technical and organisational measures must be adopted by the relevant controllers in order to prevent the data from being destroyed or used unlawfully. Specific authorisations are required for access to "particular categories" of data by sub-contractors. Similar recommendations were made in respect of judicial authorities and attorneys processing their clients' or others' personal (often sensitive) data.
It was also specified, in a decision rendered at the beginning of 2001, that under the regulations on minimum security measures it is unlawful for an employer to prevent employees from changing the passwords they are required to use for accessing electronic networks; in fact, employees must be free to change their passwords autonomously, and there must be specific arrangements in force for them to communicate the new passwords to the office/department/person in charge of securing this information.
THE GARANTE: ORGANISATION AND FEATURES
56. The Commission
The Commission was set up initially in 1997, following adoption of the DP Act by Parliament. Its term of office (four years) expired at the beginning of 2001; its President, Prof. Stefano Rodotà, and Deputy-President, Prof. Giovanni Santaniello, were re-elected, whilst Rep. Mauro Paissan and Rep. Gaetano Rasi took the places of Prof. Ugo De Siervo and Mr Claudio Manganelli in the panel. The position of Secretary General to the Commission is still filled by Mr Giovanni Buttarelli.
57. Relationships to Citizens
Citizens can contact our office in different ways. Special importance must be attached to the helpline service operating daily from 10:00 to 13:00, which is meant as a first-help service providing basic guidelines and information; we are planning to enhance our PR infrastructure by setting up a department in charge of assisting the public in dealing with DP legislation. Reports and queries can also reach us by mail, facsimile or electronic mail. We have repeatedly highlighted – via press releases and on our Web site - the need for citizens to first apply to data controllers in order to exercise the rights conferred on them under the DP Act – to access their personal data and/or have them rectified, erased or supplemented. A standard form was developed and posted on our Web site in order to help citizens submit their requests to data controllers in this regard. The requirements applying to complaints as referred to in our DP Act are outlined below.
A few figures may be provided here:
- a total of over 9,000 requests for information and/or questions were received by phone, plus over 3,000 specifically concerning notification procedures;
- 3,661 reports and queries reached the Authority in 2000, and 1,569 formal requests for information were submitted;
- 187 complaints – in the sense described below – were dealt with during the past year;
- 122 requests for access to the Schengen Information System were addressed and dealt with;
- the total number of notifications registered by our office as at 31st December 2000 was in excess of 295,000;
- 70 opinions were rendered to Government on as many regulatory instruments and statutes;
- 71 press releases were issued concerning multifarious issues.
It should be pointed out that the complaints referred to here only include those lodged with the authority after a data subject has been unable to exercise the rights (of access, rectification, etc.) recognised by the directive and the DP Act. These complaints are regulated by strict deadlines – the whole procedure must be completed within 30 days of receiving the complaint - and provide an alternative remedy to judicial proceedings in case of breach of privacy legislation.
For the rest, no formal requirements apply to the submission of reports and queries, which are dealt with by the competent departments in accordance with the standard practice developed over the past few years. They make up a considerable workload, and the office was able to respond only in part to the demand coming from citizens; indeed, most of the proceedings instituted following the reports submitted in the past year could not be addressed in full. The need to increase the staff deployed at the authority was especially felt in the past year, and the forthcoming recruitment competitions to fill the vacancies are expected to alleviate this problem.
58. Information and Communication Activities
The authority placed great emphasis on its awareness-raising activities, which are also expressly provided for by the DP Act. Among the most important initiatives undertaken, reference can be made in particular to:
- the weekly newsletter, which is published to inform specialised and non-specialised audiences about decisions and/or recommendations issued by the authority as well as to report important items of information in the international context;
- a CD-ROM including all the relevant legislation and regulations plus all the decisions by the authority (May 1997 to April 2001), which was distributed on the occasion of various meetings and exhibitions in which representatives from the authority took part and is currently sent to any organisation requesting it, free of charge. This CD-ROM also includes a "Help" section in which basic guidelines are provided in order to comply with various administrative requirements in connection with the DP Act (how to submit notifications, how to lodge a complaint, how to request access to one's own personal data, etc.);
- the monthly bulletin "Cittadini e società dell'informazione" [Citizens and the Information Society], where the main decisions and provisions made by the authority are regularly published; an online version is also available on our web site.
The past year witnessed, in particular, the final setting up of the authority's web site, which started operating officially as of March 2000. This was a major success for the authority, as shown by the average number of page views (10,000 to 12,000 daily, with peak values in excess of 40,000 on specific occasions); 3,500 to 4,000 users access the site daily, with a considerable increase over the past few months. The site was created with a view to allowing easy navigation in privacy-related matters, and provides many links to Italian and foreign sites of interest in addition to timely updates on the most important areas of activity. Download areas have been set up in order to allow users to download forms and other documents they may require in connection with DP regulations (notification, requests for access to data). An English section is also available, including legal texts and a selection of the most important decisions. The whole structure and organisation of the information on the web site will shortly be re-considered in order to improve the readability and searchability of the data.
59. Venice Conference – 22nd International Conference of Privacy and Data Protection Commissioners
The Garante hosted and organised the 22nd International Conference of Privacy and Data Protection Commissioners, which was held in Venice from the 28th to the 30th of September 2000. Organising the Conference was a daunting task for the office, but it was also a major opportunity for exchanging views and information with colleagues, scholars and experts from over 50 countries in the world. The Conference was focussed on the motto "One World, One Privacy", i.e. on the need to pursue common privacy policies and approaches. The final "Venice Declaration" was signed by the representatives of 27 countries where a data protection authority had been established, to reaffirm that privacy is a fundamental human right and that general consensus had been achieved on the common principles and criteria applying to data protection as already set forth in the OECD Guidelines, Council of Europe Convention no. 108/1981, EU directives and other international instruments. These principles – it was pointed out - are to be considered the starting point for a common activity aimed at securing their worldwide application, taking due account of the many technological and social changes. The Declaration stressed that the final target should be reaffirming the binding nature of these principles, with particular regard to the purposes of data collection, the need for fair, transparent processing operations (especially in respect of the so-called invisible processing operations), proportionality, quality of data, the time for which the data can be kept, access and the other data subjects' rights. Data subjects must be provided with more effective protection via the independent supervision of processing operations and the availability of user-friendly remedies; moreover, it is necessary to enhance the safeguards applying to the processing of certain categories of data such as genetic data or data related to the various types of electronic surveillance.
The common objective must be to attain an adequate, more widely shared level of protection regardless of the place where the processing is performed and irrespective of the instruments used for implementing protection in national and international fora. Data protection and privacy commissioners undertook to cooperate with other entities to elaborate and implement the globally recognised principles.
60. Participation in International Forums and Activities
The Garante contributed throughout 2000 to the activities of many groups and forums set up at international level in connection with data protection and privacy issues. Reference can be made here cursorily to the Working Party established under Article 29 of the Data Protection directive; to the Council of Europe's groups of experts on data protection (CJ-PD, J-PD, T-PD), working on various draft recommendations and documents in this sector as well as on a General Report on Video Surveillance issues, which was commissioned from the Secretary General of our authority together with a set of corresponding guidelines; to the Europol and Schengen Joint Supervisory Bodies; and to the Complaints Handling Workshops held under the auspices of the European Data Protection Commissioners' Conference.
The Garante also proposed and implemented a project within the framework of the "Falcone Programme", which was co-funded by the European Commission with a view to assessing data protection issues and problems in connection with the processing operations performed for law enforcement and judicial purposes. Two workshops were held in The Hague and Paris, respectively, and a final meeting in Rome provided the opportunity for drawing tentative conclusions from this exercise which were summed up in a Final Report (also available on our Web site, in English translation). This Report pointed out, in particular, the many issues and difficulties raised by the need to balance data protection and ordre public/judicial requirements, and the need for greater harmonisation or, at least, a greater attention to data protection principles by the relevant stakeholders.