Annual Report for 2001 - Summary
Main Legislative and Regulatory Developments
In 2001, Legislative decree no. 467 of 28.12.2001 supplemented the data protection legislation in order to bring it further into line with certain principles of Directive 95/46/EC and, in particular, to simplify and streamline the requirements of and prerequisites for data processing and to strengthen the safeguards applying to data subjects, on the basis of the experience gathered in implementing the Data Protection Act.
On the one hand, application of the balancing of interests principle to determine the cases in which consent is unnecessary (Article 7, letter f, of the EC Directive) was provided for by Section 12(1), letter h-bis, of the Data Protection Act, so as to allow flexibility in assessing the cases in which "ordinary" personal data may be processed without the data subjects' consent. It will be up to the Garante to identify such cases on the basis of the principles enshrined in the relevant legislation, whenever the data controller's and/or the third-party recipient's legitimate interest applies and that interest is not overridden by the data subject's rights and fundamental freedoms, dignity or legitimate interest. In this way, the balancing of interests principle becomes an additional criterion for establishing whether data processing is lawful.
As to prior checking (Article 20 of the EC Directive), it should be stressed that, once prior checking mechanisms are in place, processing that may entail specific risks for the rights and freedoms of the individuals to whom the processed information refers will also have to comply with the requirements laid down by the Garante. The decree entrusted the Garante with the task of identifying, also by means of general provisions, the cases in which these new tools are to be applied, as well as the arrangements and measures to be complied with in order to safeguard data subjects. This approach will simplify application of the relevant provisions.
Additional amendments made by the decree concerned notification requirements, which were also simplified. Within the manoeuvring space allowed by the Directive, the current mechanism, which entails a general notification obligation applying in all cases except those for which exemptions and/or simplified notifications are provided, will be replaced by a system in which notification only has to be submitted if the processing can negatively affect a data subject's rights and freedoms because of either the processing arrangements or the type of data processed.
Another instance of this simplification concerns the specification of processors' details in the information to be given to data subjects, especially where a single data controller has appointed a considerable number of processors. Other provisions in the decree better specified the scope of application of the relevant legislation as well as the applicable law, by requiring that reference be made to the data controller's representative in Italy if the data controller is established outside the EU and makes use of equipment stably located in Italy.
Special emphasis is placed in the decree on the adoption of new codes of conduct and professional practice, which have proven quite effective in fully implementing the principles set forth in the Data Protection Act (no. 675/1996) and in the Council of Europe's recommendations for several sectors, all of which are expressly referred to: communication services offered via electronic networks, in particular the Internet; direct marketing; management of employer-employee relationships; commercial information; information systems managed by private credit referencing agencies; automated image acquisition devices; and processing of data from public archives. In this way, the relevant sectors will be able to contribute actively to the introduction of veritable, though non-typical, sources of law, which will be referred to in assessing the lawfulness and fairness of processing, in compliance with the adequate representation principle.
Decree no. 467/2001 also modified the system of sanctions set out in Act no. 675/1996, by changing the nature of a few sanctions (related, in particular, to formal breaches in connection with notification procedures) and by providing, to some extent, for recognition of a controller's "repentance" as regards breaches of the regulations concerning minimum security measures. At the same time, the scope of criminal liability was expanded in respect of failure to comply with important provisions made by the Garante, an instance of the overall greater powers conferred on the Authority to monitor processing operations, in line with the European directive. Additionally, serious instances of false statements and/or communications to the supervisory authority now carry criminal penalties.
Reference should also be made to the amendments to decree no. 171/1998, which had transposed EC Directive 97/66 into Italian law. The European Commission did not regard the transposition as sufficient in respect of, in particular, Article 9 of the Directive (providing for the adoption of suitable measures to override the elimination of calling line identification in the case of emergency calls, as well as for alternative payment methods), which led to infringement proceedings against Italy. Parliament therefore considered it necessary to supplement decree no. 171/1998 by means of specific provisions, which were also set forth in decree no. 467/2001. These provisions concern, in particular, arrangements for making alternative payment methods actually available so as to ensure user anonymity, and the obligation for telecommunications service providers to adequately inform the public about calling line identification services and to override the elimination of calling line identification in the case of emergency calls. It should be pointed out, however, that following the revision of EC Directive 97/66 to adjust its principles to technological developments in the (tele)communications sector, the new text of the Directive will fully replace the existing one.
Of the legislation passed in the period considered here, special importance should be attached to:
- an Act regulating the voting rights of Italian citizens abroad, which provides for arrangements in respect of keeping consular filing systems;
- an Act concerning the introduction of the Euro, including provisions on the "return" of capital from abroad and requiring that the notice delivered to the competent authorities be processed in such a way as to ensure its confidentiality.
Opinions rendered by the DPA
As to the legislation on which the Garante issued opinions, reference can be made to the following items:
- an Act providing for the reform of tourism laws, including specific regulations on the so-called "hotel registration cards". The provisions previously in force were modified, in that hotel managers are now required to provide the competent authorities with the identification data of their guests by delivering a copy of the relevant card(s); alternatively, these data may be communicated via electronic and/or computerised networks in accordance with the arrangements laid down in a decree by the Minister for Home Affairs. No specific mention is made in the Act of arrangements for and limitations on the processing of the personal data acquired by law enforcement agencies;
- a decree regulating the installation and use of electronic devices and technical equipment intended for the control of individuals under house arrest or detention, the so-called "electronic bracelets". Under section 4 of this decree, concerning the processing of personal data, the implementation of such devices and equipment must respect the data subject's dignity; the data acquired must be kept for a limited period only, and it will be necessary to specify who is entitled to process such data, in compliance with the security measures as per Section 15 of Act no. 675/1996.
Main Decisions by the DPA
Protection of employees' personal data and evaluation data and access by employees to the data concerning them
The Garante attached considerable importance to this issue. The Authority issued decisions concerning, in particular, the distance monitoring of employees; more specifically, the arrangements by which employers monitor employees' access to electronic networks and e-mail services were taken into consideration. As regards complaints, it was observed that employees increasingly tended to apply to their employers for access to all the personal data the latter held about them, including, especially with regard to white-collar staff and directors, the data and information contained in records related to assessments, performance scoring and/or yearly reports. After the initial, inevitable difficulties, the controllers' response to such requests can now be said to be more timely and complete; data subjects are therefore given ample opportunity to acquire the information sought, whether on paper or on other media.
Medical data and data included in forensic medical reports
Various cases were addressed in connection with requests for full access to these data lodged with hospitals and/or health care professionals; in some instances, the requests concerned quite large data banks relating to a number of activities carried out by health care bodies, as well as especially complex diseases. The Garante also repeatedly dealt with the processing of medical data included in forensic medical reports drawn up for insurance policies; this issue is currently much debated, also in the light of existing case law.
Data concerning children
Several complaints concerned requests for access to personal data processed by either psychologists or social and medical assistance bodies within the framework of complex litigation over legal separation and child custody. In these cases, the requests made by one parent were aimed at accessing personal information concerning his/her child(ren) as well as sensitive personal data concerning the other parent. The Garante also paid special attention to the role played, in particular, by the professionals drafting the relevant reports.
Data processed by private detectives
The proper use of information by private detectives, whose activity is regulated by specific provisions in the Data Protection Act (no. 675/1996) as well as by an ad-hoc general authorisation concerning the processing of sensitive data, was the focus of significant decisions. These decisions highlighted the scope of and limitations on investigative activities and sought to strike a balance between the exercise of activities that are fundamental to fully ensuring the right of defence and the requirements of respect for private life.
Data processed by private credit referencing agencies
In 2001, as in previous years, the largest share of the complaints lodged by data subjects concerned the activity of credit referencing agencies. These complaints had to do with access to, rectification of and, quite often, erasure of one's personal data. In particular, the Garante addressed quite sensitive issues concerning the retention period of personal data, which also spurred a general reconsideration of the actual arrangements applying to the collection, processing and retention of these data, since they have significant effects on the free exercise of economic activities by data subjects.
A general provision, in which the many cases submitted to the Garante by both individuals and consumer associations were taken into account, laid down a set of initial, minimum pre-requisites for collecting, keeping and using the information included in the data banks of credit referencing agencies as used by banks and financial companies.
Telephone traffic data
This is another sector in which many requests were made for access to and rectification of data concerning holders of telephone cards, and in which applications were lodged to obtain information on both "outgoing" and "incoming" phone calls with regard to a given telecommunications terminal. The Garante re-affirmed in its decisions that data subjects are entitled to full access to the personal data included in itemised bills concerning "outgoing" phone calls, without deletion of the final three digits. As to the data concerning "incoming" traffic, the Garante's considerations were supported by Section 6 of legislative decree no. 467/2001; that decree added letter e-bis to Section 14(1) of the Data Protection Act (no. 675/1996), under which the right of access may not be exercised with regard to the data collected by "providers of publicly available telecommunications services in respect of the personal data allowing calling line identification, unless this may be prejudicial to performance of the investigations by defence counsel".
Setting up of large data banks and population census
The Garante has always paid considerable attention to this issue in order to assess the impact of new technologies on the fundamental rights of individuals. At the request of the Minister for Innovation and Technologies, the Garante cooperated in drafting the call for e-Government projects for the year 2002 and gave assurance that it would be ready to evaluate them with respect to personal data protection. Equal attention was paid to the population census in several phases of the relevant operations, from the advisory to the supervisory phase. The Garante repeatedly provided advice and pointed out solutions in respect of, in particular, the collection of information on a person's language group, which is to be supplied in a few areas of Italy. The sensitive issues raised by this requirement were also brought to the attention of the competent EU bodies.
Video surveillance
The Garante follows this issue with special interest, both because of the increasingly widespread use of this technique and because of the considerable sensitivity shown by citizens in this connection. Pending specific legislation, the applicable provisions are those of the general data protection Act. After carrying out a detailed survey across the country, which allowed more specific, thorough information to be gathered on this issue, the Garante decided to issue a "decalogue" setting out the basic rules to be complied with in order for the relevant data processing to be lawful. The Authority stated its utmost readiness to cooperate with public bodies at both local and national level in order to carry out prior checking of projects envisaging the control of specific areas by means of electronic equipment. Additionally, it was decided that audits would be carried out, based mostly on reports submitted by citizens as well as ex officio, in respect of businesses, organisations and associations that had installed cameras in places that were either public or accessible to the public without providing the information required by law, or by providing incomplete information. These activities resulted in the detection of breaches by, in particular, two companies and a public body in the transportation sector, two supermarkets belonging to major sales groups represented all over Italy, two banks and an association managing publicly-owned sports facilities.
Processing of biometric data
Following detailed investigations, the Garante ordered the deactivation of systems for acquiring biometric data (fingerprint data) that had been installed by some banking institutions. The Garante pointed out in the relevant decision that blanket use of such systems may not be allowed on a general basis; they should only be used in situations in which specific, actual dangers exist on the basis of objective circumstances, without prejudice to the discretionary assessment performed by the individual bank. The issue raised by the use of such techniques is especially sensitive as regards banks, since access to the services required from a bank that can only be entered after acquisition of one's biometric data ultimately depends on whether or not one consents to having one's fingerprints scanned. In a decision issued in September 2001, the Garante took note, at the request of a few banking institutions, of specific security requirements connected with the forthcoming introduction of the single currency and with the considerable amount of cash held in branch offices; as a consequence, a set of conditions was laid down under which such systems for the automatic acquisition of biometric data could be installed on a temporary basis.
Codes of conduct and professional practice
The activities aimed at drawing up codes of conduct and professional practice continued throughout 2001. The code of conduct applying to the processing of personal data for historical purposes was finalised. This code is aimed at ensuring that the use of personal data collected within the framework of historical research, in connection with the exercise of the right of research and information, and in the activity of archives takes place with respect for data subjects' rights, fundamental freedoms and dignity, in particular the right to private life and identity, without negatively affecting those activities and indeed by promoting them. The proceeding leading to the adoption of the code applying to statistics and scientific research carried out independently of the National Statistics System was also practically completed; the drafting of the codes concerning the processing of personal data by defence counsel and private detectives also progressed considerably during 2001.
Other initiatives undertaken by the Garante
In 2001, the auditing activities were pursued with vigour in the various forms in which these controls can be carried out by the Garante, including:
- inspections (with and without prior notice);
- access to data banks;
- cooperation activities.
In particular, several inspections were carried out on a sample basis with regard to local municipalities, in order to check the actual arrangements made by census officers to acquire, during the general population census of 2001, the data concerning families and businesses, as well as the adequacy of the guidelines issued to census bureaus by the National Statistics Institute and the security measures adopted by the individual municipalities.
Special care was taken with communication activities. Several tools were used, ranging from traditional ones such as press releases, newsletters and press conferences to multimedia and interactive initiatives that allowed documents and publications to be circulated and made available on our Web site. The weekly Newsletter has been published since 1999 to provide the public with information on the DPA's activities; it has reached increasingly broad sectors of the public. The Newsletter has proved to be not only a communication tool, but also a sort of "archive" that can be browsed by sector to see where the Data Protection Act is being implemented and where the Garante is taking steps. The digital archive called "Citizens and the Information Society" reached its fifth edition in 2001. This archive includes all the documents and records concerning the Garante's activity, from national and international reference laws to the various publications printed. The CD-ROM is sent free of charge to anyone requesting it. Over 9,000 copies were circulated in 2001 among public bodies, private entities, professionals and citizens. Finally, mention should be made in this connection of the Bulletin called "Citizens and the Information Society", which includes the provisions issued by the Garante, the relevant legislation, press releases and other documents of interest.