Authorisation No. 6/2002 Concerning Processing of Certain Sensitive...
Authorisation No. 6/2002 Concerning Processing of Certain Sensitive Data by Private Detectives
Authorisation No. 6/2002 Concerning Processing of Certain Sensitive Data by Private Detectives
The Garante per la protezione dei dati personali
On this day, with the participation of Prof. Stefano Rodotà, President, Prof. Giuseppe Santaniello, Vice-President, Prof. Gaetano Rasi and Mr. Mauro Paissan, members, and Mr. Giovanni Buttarelli, Secretary-General;
Having regard to Act no. 675 of 31.12.1996, as subsequently amended and supplemented, concerning the protection of individuals and other subjects with regard to the processing of personal data;
Having regard to, in particular, Section 22(1) of said Act, in which "sensitive" data are referred to;
Whereas private bodies and profit-seeking public bodies may only process sensitive data upon authorisation by this Authority and, where necessary, after obtaining the data subjects´ consent in writing;
Whereas a specific provision (Section 22(4) of Act no. 675/1996 as amended by legislative decree no. 467/2001) allows processing sensitive data without the data subject´s consent, where the processing is authorised by the Garante and is necessary in order to carry out investigations by defence counsel pursuant to Act no. 397 of 07.12.2000 or else to establish or defend a legal claim, which must be of an equal level compared with the data subject´s one if the data are such as to disclose the data subject´s health and sex life;
Whereas the processing of sensitive data may be also authorised by the Garante ex officio by way of general provisions applying to specific categories of controller and/or processing in pursuance of Section 41(7) of Act no. 675/1996;
Whereas the general authorisations that have been issued so far have proved to be suitable tools in order to lay down unified safeguards for the benefit of data subjects, and have made it unnecessary for many data controllers to request individual authorisation orders;
Whereas it is appropriate to grant new general authorisations to replace those due to expire on the 31st of January 2002 by streamlining their provisions in the light of the experience gathered so far;
Whereas it is appropriate for these new provisional authorisations to be also time-limited in pursuance of Section 14 of Presidential Decree no. 501/1998 in view of the forthcoming adoption of a consolidated text of the provisions applying to personal data protection as required by Act no. 127/2001;
Whereas it is necessary to ensure compliance with certain principles aimed at minimising the risk of affecting or endangering, through the processing, fundamental rights and freedoms and human dignity;
Whereas the Garante issued a general authorisation with regard to data disclosing health and sex life (no. 2/2002, issued on 31 January 2002) as also related to the above judicial purposes;Whereas the processing of personal data for the above purposes is carried out, to a considerable extent, with the help of private detectives; whereas it is therefore necessary to supplement the provisions made in authorisation no. 2/2002 with an additional general provision taking account of the specific framework applying to private detectives´ activity also with a view to harmonising the measures applicable to this sector;
Whereas additional provisions and arrangements will be made by the Garante when the ad-hoc code of conduct and professional practice is finalised (as per Section 22(4) of Act no. 675/1996);
Having regard to Section 35 of Act no. 675/1996;
Having regard to the regulations including provisions on the minimum security measures as adopted by Presidential decree no. 318 of 28.07.99;
Having regard to Section 14 of Presidential decree no. 501 of 31.03.98;
Having regard to official documents;
Having regard to the considerations made, on behalf of the Office, by the Secretary General in pursuance of Section 15 of the rules of procedure for the Garante no. 1/2000;
Acting on the report submitted by Prof. Gaetano Rasi,
the processing of data disclosing health and sex life by private detectives, in compliance with the following requirements:
1) Scope and purposes of the processing
This authorisation shall be granted without any request being necessary, to natural and legal persons, institutions, bodies, associations and entities carrying out private investigation activities as authorised by licence of the prefetto (in pursuance of Section 134 of Royal decree no. 773 of 18.06.31 as subsequently amended).
Processing is only permitted:
a) in order to allow an individual committing a specific task to establish or defend a legal claim, on condition that the claim is of an equal level compared with the data subject´s one if the data are such as to disclose the data subject´s health or sex life, or else a claim in connection with personal rights or other fundamental, inviolable rights;
b) on defence counsel´s instructions in connection with a criminal proceeding in order to search and detect information in favour of the accused, such information being only used for the exercise of the right to bring evidence (as per Section 190 of the Criminal Procedure Code and Act no. 397 of 07.12.2000).
This authorisation shall be without prejudice to the other general authorisations that have been granted either for carrying out investigations in criminal proceedings or for the establishment of a legal claim, in particular as regards:
a) the employment context (as per authorisation no. 1/2002, issued on 31 January 2002);
b) data disclosing health and sex life (as per authorisation no. 2/2002, issued on 31 January 2002);
c) associations and foundations (as per authorisation no. 3/2002, issued on 31 January 2002);
d) self-employed professionals included in the relevant lists or registers, including defence counsel and their deputies and co-operating staff (as per authorisation no. 4/2002, issued on 31 January 2002);
e) judicial data (as per authorisation no. 7/2002, issued on 31 January 2002).
2) Data subjects and categories
Processing may concern the sensitive data referred to in Section 22(1) of Act no. 675/1996, provided this is absolutely necessary to discharge specific tasks that have been committed for specific and legitimate purposes as per 1) and cannot be accomplished by processing either anonymous data or personal data of a different kind.
The data must be relevant and not excessive in relation to the tasks committed.
3) Processing arrangements
Private detectives may not carry out, on their own initiative, investigations or researches or anyhow collect data. These activities may only be performed on specific instructions given in writing, even by defence counsel, solely for the purposes referred to under 1).
In the above instructions specific mention must be made of the legal claim to be established, or else of the criminal proceeding to which the investigations relate, as well as of the main facts underlying said investigations and the reasonable deadline for their completion.
The data shall be stored and processed exclusively in accordance with such logic and organisational data arrangements as are closely related to the purposes referred to under 1).
Data subjects or the persons from which the data are collected must be informed in pursuance of Section 10(1) of Act no. 675/96, by highlighting the private detective´s identity and professional capacity as well as the fact that the data are to be provided on a voluntary basis.
If the data are collected from a third party, it is necessary to inform the data subject thereof and obtain his/her consent in writing, (as per Section 10(3) and (4) and Section 22(4) of Act no. 675/96) exclusively if the data are processed for a longer period than is absolutely necessary for the establishment of the legal claim or the performance of investigations on instructions by defence counsel, or else if the data are used for further purposes which are not inconsistent with the initial ones.
The defence counsel or the entity which has committed the task to the private detective must be periodically informed of the investigations, also in order to allow them to timely make a decision concerning establishment of the legal claim or the right to bring evidence.
Private detectives must personally carry out the tasks committed and may not employ other detectives if the latter were not specifically referred to when the relevant task was committed.
If internal staff are employed in their capacity of either data processors or persons in charge of the processing - pursuant to Sections 8 and 19 of Act no. 675/1996 -, private detectives must assess, at least at weekly intervals, that the relevant laws and instructions are fully abided by. The above staff may only access the data that are closely relevant to the collaboration requested.
Where not expressly provided for herein, the processing shall be carried out in compliance with the provisions laid down in general authorisation no. 2/2002, with particular regard to data concerning unborn children and genetic data.
Data processing must also be in line with the provisions laid down in an ad hoc code of conduct and professional practice which is being drafted in pursuance of Section 22(4) and 31(1), subheading h), of Act no. 675/96.
4) Data retention
In compliance with the obligation referred to in Section 9(1), subheading e), of Act no. 675/1996, sensitive data shall be kept for no longer than is necessary to perform the relevant tasks.
To that end an assessment shall be carried out, also by means of regular controls, as to whether the data are relevant and not excessive in relation to the tasks committed and the purposes to be achieved.
Upon completion of the specific investigations, the processing operations must be terminated except for the immediate communication to defence counsel or the person who has committed the relevant task(s).
The fact that the proceeding to which the investigation relates is still pending before a court or has been referred to other courts prior to issuing the final judgment shall not justify, in itself, retention of the data by the private detective.
5) Data communication and dissemination
Data may be only communicated to the entity who/which has committed the relevant task.
No data shall be communicated to another private detective, unless the latter was specifically referred to when the task was committed and such communication is necessary in order to discharge the tasks committed.
Data disclosing health may only be disseminated if this is necessary for the prevention, detection or suppression of criminal offences in compliance with the relevant provisions, as laid down in Section 23(4) of Act no. 675/1996.
No data disclosing sex life may be disseminated.
6) Requests for authorisation
Where a processing operation falls within the scope of this authorisation, no request for authorisation shall have to be filed with the Garante by the relevant controller, on condition that the proposed processing is in line with the above provisions.
Any requests for authorisation which have already been received, or which will be received following the adoption of this authorisation, shall be regarded as granted insofar as they comply with the requirements laid down herein.
No requests to authorise processing operations that are not in line with the provisions set out herein shall be taken into consideration by the Garante, unless they are to be granted on account of special or exceptional circumstances which are not referred to in this authorisation.
7) Final provisions
Any laws, regulations or Community rules imposing prohibitions or restrictions on the processing of personal data are hereby left unprejudiced, in particular as regards:
a) Section 4 (devices and equipment for the remote control of employees) and Section 8 (inquiries into employees´ opinions or any other facts that are irrelevant to the assessment of professional qualifications) of Act no. 300 of 20.05.70;
b) Act no. 135 of 05.06.90, concerning seropositivity and HIV-related infection;
c) procedural rules or any provisions against discrimination;
d) Section 734-bis of the Criminal Code, prohibiting disclosure of particulars or images of victims of sexual violence without the latters´ consent.
This authorisation shall be without prejudice to the obligations laid down in Sections 9, 15, 17 and 28 of Act no. 675/96 and in Presidential decree no. 318/1999.
More specifically, this authorisation shall be without prejudice to the obligations concerning the fair, lawful use of devices or equipment for the collection of information, including sound and visual information, or to those regulating access to data banks or the contents of correspondence, communications or conversations by telephone, electronic networks or among persons all present in the same place.
The possibility for natural persons to directly process data exclusively for the defence of a legal claim, also in connection with investigations relating to a criminal proceeding, shall be left unprejudiced. Act no. 675/1996 shall not apply to the above cases even if the data are occasionally communicated to judicial authorities or a third party, on condition that such data are not intended for systematic communication or dissemination (as per Section 3 of Act no. 675/96).
8) Effectiveness and transitional provisions
This authorisation shall be effective as of 1 February 2002 until 30 June 2003.
If, by the date on which this authorisation is published, the processing is not compliant with the provisions that are not included in Authorisation no. 6/2000, the data controller shall have to bring it into line with said provisions by the 31st May 2002.
This authorisation shall be published on the Official Journal of the Italian Republic.
Done in Rome, on this 31st day of January 2002.