Italian Data Protection Authority
Annual Report for the Year 2009 – Summary
Main Legislative and Regulatory Developments
In 2009, Parliament enacted a few measures that led the DPA to voice its concerns about their possibly negative impact on the protection of personal data.
More specifically, Act no. 15/2009 on the enhancement of productivity in the public sector introduced an amendment to Section 1 of the DP Code (196/2003), whereby "The information on performance of the tasks applying to any entity that is in charge of public functions including the respective evaluation data shall not be the subject of privacy safeguards." The DPA drew the Government's attention to the advisability of moving this provision to the chapter in the DP Code that regulates processing operations by public bodies and also questioned its conformity with both Constitutional and Community law – as certain items of information and whole categories of data subjects are placed outside the scope of protection afforded by data protection legislation.
Section 130 and Section 162 of the DP Code were also amended in 2009 to enable the companies that had created databases by extracting information contained in public telephone directories prior to 1 August 2005 to continue using such data for promotional purposes; a public opt-out register was also introduced and placed under the DPA's supervision. It should be recalled that on 28 January 2010 the European Commission sent the Italian Government a letter with a request for information on the above amendments as it found that the latter were in breach of directives 2002/58 and 95/46 – this being the first step in the infringement procedure envisaged by Community law.
Reference should also be made here to Act no. 69/2009, which introduced various requirements to foster computerisation of public administrative agencies and the online publication of judicial decisions. Data protection-relevant provisions are contained in section 21 thereof, which requires public administrative bodies to publish senior officials'/executives' annual salaries, CVs, e-mail addresses and office phone numbers on the respective web sites; section 32, whereby the requirements applying to publicity of administrative decisions and instruments are fulfilled by publication of such decisions and instruments on the relevant agencies' websites; section 36, which is aimed at expediting the implementation of the "public connectivity system" to ensure "full interoperability of databases and census registers" in order to afford better services to citizens and enhance efficiency of the public administration; and section 45, which amends the civil procedure code by allowing judicial decisions to be also published on Internet websites.
Another important piece of legislation enacted in 2009 was aimed at implementing the provisions contained in the Prüm Treaty by setting up the national DNA database and laying down the relevant procedural mechanisms (Act no. 85/2009). The national DNA database will be set up at the Ministry for Home Affairs and include DNA profiles obtained in the course of judicial proceedings along with those of missing persons and/or their blood relatives, unidentified corpses and human remains, and individuals placed under judicial measures restricting their personal freedom. The Italian DPA will be in charge of supervision over this database. Most of the suggestions and amendments proposed by the DPA were taken on board, in particular those aimed at ensuring respect for the individuals' dignity and proportionality of processing operations; additional safeguards will have to be set forth via secondary legislation, to be adopted after consulting and/or in agreement with the Italian DPA. However, the recommendations concerning the overly broad scope of the provisions on coercive taking of DNA samples and the excessively long data retention periods were not dealt with satisfactorily.
Written Submissions to Parliament – A written submission to Parliament was made in December 2009 concerning the advisability of passing ad-hoc legislation to regulate whistleblowing (integrity lines) in the corporate sector. The DPA drew attention in particular to the need for regulating the lawful use of personal data collected via the "good faith" reports lodged by whistleblowers as well as access by data subjects to their own data as collected in this manner.
Parliamentary Hearings - The DPA was heard several times in 2009 on major issues addressed by the competent parliamentary committees either within the framework of fact-finding initiatives or in the course of the debate leading to the adoption of bills that impacted on personal data protection. Reference can be made in particular to the hearing of 30 January 2009 before the Parliamentary Committee for Security of the Republic on a case entailing the collection of personal data in the course of judicial investigations and the role of court-appointed experts and consultants; the hearing of 15 July 2009 before the Constitutional Affairs Committee of the Chamber of Deputies, which was part of a fact-finding initiative on computerisation of public administrative agencies; and the hearing of 25 November 2009 before the Financial Committee of the Chamber of Deputies, which was part of a fact-finding initiative on consumer credit with particular regard to credit reference agencies, implementation of the relevant code of conduct and professional practice, and the bills related to identity thefts and fraud in this area.
Main Decisions by the DPA
Raising Youths' Awareness and Social Networks
The Italian DPA decided to launch an initiative targeted at students on the occasion of the European privacy day (28th January). The initiative was termed "Cinema & Privacy" and lasted four days; it was aimed at raising youths' awareness of the importance of protecting privacy in today's society and of the need for learning how to protect one's privacy. Movies chosen as particularly relevant in addressing privacy issues from different standpoints were shown at the Conference Room of the Italian DPA. Each movie was introduced by one of the four members of the DPA's collegiate panel as well as by a video created on purpose by the Italian DPA to describe – again with the help of movies – minor and major "intrusions" into our private sphere. Students from high schools in Rome were invited to the shows and called upon to discuss and exchange views.
Additionally, a booklet was produced by the DPA in 2009 to provide guidance (especially to youths) in dealing with social networks and making a knowledgeable use of their potential. The booklet, called "Social Networks: Watch out for Side Effects" was made available for free in the main Italian post offices. This initiative was aimed at helping both experienced and inexperienced users to take full advantage of the potential inherent in these innovative communication tools without endangering their private and professional lives.
The DPA reviewed and recast (on 25 June 2009) a decision dated 28 November 2008 to enhance the safeguards for data subjects in connection with the activities performed by "system administrators" – a concept that is actually not defined expressly by Italian law. The new text was meant to clarify various points, partly to take account of queries lodged with the DPA. The requirements set forth by the DPA had to do more specifically with access logging (systems must be in place to log accesses to processing systems and electronic databases as performed by system administrators, e.g. via timestamps and event descriptions, without recording the activities performed by system administrators following their access); supervision by the data controller over the activities performed by system administrators (to verify that they are compliant with the organisational, technical and security measures provided for in data protection legislation); drafting of a list of system administrators and their features (containing information to identify system administrators including a list of the functions committed to them), which should be reported by each data controller in an internal document that should be made available for inspection by the DPA. The DPA highlighted the need to take special care in assessing experience, skills, and reliability of any individual that is entrusted with system administrator functions, in particular to ensure full compliance with data protection legislation as also related to security.
Sensitive Data and Health Care
Online Examination Records. The Italian DPA provided guidance on the use of personal data in connection with "online access to examination records". The Guidelines are meant to lay down a specific, unified framework of safeguards for citizens, in particular as for the optional nature of the online access to examination records. Data subjects should be permitted to freely decide whether to access the online examination records service – based on a specific information notice and after obtaining ad-hoc consent for the processing of personal data related to the service in question; they should be enabled in all cases to continue collecting such examination records on paper at the individual health care provider(s). Specific technical arrangements are set forth to ensure appropriate security measures: secure communication protocols based on encryption standards for electronic data transfers, including digital certification of the systems delivering network-based services; suitable arrangements to prevent acquisition of the information contained in the electronic file if the latter is stored in local and/or centralised caching systems after being consulted online; short-term (maximum 45-day) availability of the online examination record.
Guidelines on the Electronic Health Record and the Health File. The Guidelines suggest that the Electronic Health Record should be set up by prioritizing solutions that do not entail duplication of the medical information created by the health care professionals/bodies that have treated the given data subject.
Since the medical data and documents contained in an EHR are collected from different sources, the appropriate measures should be taken to allow tracing back the entities responsible for creating and collecting the data and making them available via the EHR - also with a view to accountability. In particular, taking account of the circumstance that separate clinical records are at issue, it should be ensured that each entity that has created/drafted those records continues to be, as a rule, the sole data controller in their respect.
The data subject must be in a position to freely decide whether an EHR/HF should be set up by including the medical information concerning him; his consent must be given on a separate, specific basis; suitable explanations should be provided to data subjects. "Partitioning" of consent should be envisaged to enable data subjects to indicate their wishes. Specific limitations are laid down on the purposes served by the EHR/HF, by clarifying that processing of personal data via an EHR/HF is only aimed at prevention, diagnosis and treatment activities in respect of the data subject; accordingly, it should only be performed by health care practitioners. This modular approach allows, for instance, selecting the health care information that can be accessed by the individual data controller authorised to access the EHR as a function of the respective sector of practice - e.g. in the case of an oncology network made up of operational units specialising in cancer treatment. Similarly, a few categories of practitioner such as pharmacists may only access such data (or data modules) as are indispensable to administer drugs.
Public Transparency and Online Posting of Medical Data. The DPA required medical information relating to over 4,500 disabled individuals to be taken down from the institutional website of a Region and also initiated a sanction proceeding against the competent local authority. It was found that the list of disabled individuals that had been granted an allowance by the Region to purchase a PC could be browsed freely online – including their names, disabilities, places of residence and birth dates. The DPA reaffirmed that medical information may not be disseminated unrestrictedly and that public transparency requirements should not override data protection obligations as applying to public bodies – in particular, the obligation not to disclose excessive information compared to the specific purposes.
National and Regional Registries of Mammary Prostheses. The DPA objected to the setting up of a registry including the names of women that have had mammary prostheses implanted, in connection with a governmental bill related to breast surgery. It was recalled that the monitoring of plastic surgery could be ensured by respecting anonymity of the individuals operated upon and using statistical codes and tools. The DPA pointed out the need for detailing who would be entitled to access the registry and for what specific purposes, since the wording used in the bill was excessively vague.
Mergers and Split-ups – The DPA clarified what obligations should be fulfilled by companies in cases of mergers (by absorption and/or amalgamation) and split-ups to ensure compliance with privacy legislation. In particular, the companies involved should notify their customers, employees and suppliers of the name(s) of the new data controller and data processor(s), if any; to that end, simplified mechanisms may be used such as posting the information initially on the companies' websites and providing individual information to their personnel thereafter.
Business Information Services – The DPA exempted various companies providing business information services from the obligation to provide information notices to all data subjects, as it found that this obligation entailed a disproportionate effort compared to the interests at issue; however, the DPA required effective alternative measures to be deployed by the companies involved.
Anti-Money Laundering Legislation and Financial Brokers – It was clarified that financial brokers belonging to the same corporate group may lawfully communicate and process personal data without the data subjects' consent in connection with reporting "suspicious" transactions to the extent this reporting activity is in line with anti-money laundering legislation and is aimed exclusively at countering money laundering.
Company Registers – The DPA clarified that the DP Code does not place any limitations on access by shareholders to the personal data contained in company registers, nor is it in conflict with openness of corporate activities. Shareholders are entitled to know addresses and personal information related to other shareholders in order to contact them and defend their legitimate claims.
Telephone and Electronic Communications
Telemarketing. The possibility to further use (until 31 December 2009) the data contained in telephone directories set up prior to 1 August 2005 for marketing purposes without the data subjects' consent, introduced by Act 14/2009, had prompted the Garante to clarify the limitations applying to compilation and use of such data via an ad-hoc decision (March 2009). More specifically, the DPA had required, inter alia, the data controllers wishing to avail themselves of the above possibility to provide proof that the data had been actually extracted from telephone directories compiled prior to 1 August 2005 and to only use the data for contacting subscribers for promotional purposes, i.e. it was clarified that marketing companies were prohibited from contacting subscribers in this manner in order to surreptitiously obtain their consent to use their data for promotional activities also after 31 December 2009. Following the amendments made to the DP Code by Act 166/2009 (see above), which extended the deadline for using the data in question and also provided for the establishment of an "opt-out register" applying to telemarketing by 25 May 2010, the DPA decided to extend enforceability of the requirements laid down in the above decision accordingly. On this same note, the DPA rejected the practice of using randomly created phone numbers to contact subscribers for promotional purposes, as it found that such numbers, though created via randomized mechanisms, do represent personal data under the Italian DP law and as such enjoy all the safeguards provided for in the law – including the need to obtain the subscribers' prior informed consent to using them.
Customer Profiling – Specific obligations were imposed by the DPA (decision dated 25 June 2009) on the providers of publicly available electronic communications services as regarded profiling of their customers. A detailed analysis was carried out, which led to distinguishing among different categories of profiling and requiring data controllers to make different arrangements. In particular, two scenarios were envisaged: 1. profiling based on "identifiable" personal information, which requires the data subjects' free, informed, specific consent; 2. profiling based on "aggregate" personal information, i.e. aggregate data derived from identifiable personal information, which requires either the data subject's consent or, where this has not been obtained, a prior checking application to be lodged with the DPA by the data controller pursuant to Section 17 of the DP Code. In the latter case, account will have to be taken of the aggregation level (i.e. the level of detail of the aggregated data) and the technical arrangements applying to the processing. Additional obligations such as notification to the DPA and the provision of appropriate information to data subjects were also laid down.
On several occasions, the DPA had to step in to safeguard privacy rights vested in children. In particular, a few newspapers were prohibited from publishing names and pictures of children involved in reported cases and/or providing information that would allow identifying those children. In child abuse cases, the DPA recalled that it was necessary to safeguard the privacy both of the children and of the other individuals involved – by refraining from disclosing the child's age, sex and place of residence; the relationship between child and suspect, if any; or the father's job or profession.
Several requests were lodged with the DPA to have data and pictures available on the Net (e.g. via Google, Emule, YouTube, forums, and blogs) erased. In some cases the DPA could not take any steps directly because the controller of the Internet website was not resident in Italy; conversely, in other cases instructions were provided to the data controller to erase the pictures/data considered to be in breach of the law.
Two cases handled by the DPA concerned newspapers and TV channels that had published pictures taken directly from Facebook when commenting on the death of two individuals, even though the pictures in question did not correspond to the deceased individuals but rather to namesakes. The DPA found that publication of those pictures was in breach of data protection legislation as accuracy of the information collected had not been checked thoroughly and erroneous personal information had been disseminated. It should be pointed out that an increasing number of complaints relate to the processing of personal data extracted from Facebook profiles; misuse of personal information and defamation are the most frequent complaints in this regard.
Another important decision in this area reiterated that filming and using images of individuals within private premises without the individuals' consent was unlawful. The DPA prohibited the dissemination/publication by whomsoever of images acquired and/or obtained in breach of the safeguards applying to private premises, in particular considering the privacy-intrusive techniques implemented to capture those images, the lack of consent by the relevant data subjects, and the exclusively personal nature of the activities shown in those images.
In 2009, there were 360 decisions on formal complaints (which are specifically regulated and time-barred as per sections 145-151 of the DP Code). As in previous years, most of them concerned banks, financial companies and credit reference agencies. However, the most interesting issues had to do with the voice as personal data, the exercise of data protection rights concerning deceased persons, and the posting on-line of publicly available information.
Voice as personal data. The DPA granted the complaint lodged by a consumer against a telephone operator that had implemented a contract based on a "verbal order". The DPA found that the recording of the call should be made available to the data subject requesting it, as it was not enough for a summary transcript of the relevant contents to be provided. The rights set forth in data protection legislation can be exercised by data subjects also in respect of sound and image data, which are personal data; accordingly, the right to access the personal data contained in the "verbal order" is only fulfilled by making available the recording of the call so as to access the specific voice data.
Clinical records of a deceased person. The DPA granted the complaint lodged against a university hospital that had failed to reply to several requests for obtaining the personal information related to the treatments that the complainant's partner had undergone. The DPA found that the partner of a deceased person had the right to access that person's clinical record in order to establish judicial claims on the conduct held by the caregivers. Under section 9(3) of the DP code, the right to access personal data related to deceased persons "may be exercised by any entity that is interested therein or else acts to protect a data subject or for family-related reasons deserving protection" – and the complainant had clarified that the data in question were necessary with a view to taking legal action to establish the caregivers' flawed and/or negligent conduct.
Online publication of the resolutions by a municipal body. The DPA ordered a municipality to erase the complainant's address from a resolution that had been posted on the municipality's institutional website and could be retrieved by means of external search engines. The complainant had claimed that blanking his address from the resolution was not in conflict with the transparency of electronically published public instruments and records. The DPA pointed out the need to carefully select the personal data to be published in this manner, as their publication should prove necessary under the specific circumstances for the purposes sought by the given measure – in compliance with the principles of relevance and non-excessiveness and by balancing the right to privacy with the obligation to ensure publicity of the decisions made by a local authority. Publishing the resolution at issue in full impacted disproportionately on the complainant's rights as it resulted in disseminating irrelevant information on the web.
The DPA was strongly committed to inspection activities also in 2009. Based on six-monthly inspection plans, 449 inspections were carried out as a whole. In performing such inspections, the DPA can avail itself of a specialised corps within the Financial Police, which is in charge of checking compliance with the requirements concerning notification, information notices, security measures, and enforcement of the resolutions adopted by the Garante. Forty-five inspections were carried out directly by the inspection department at the DPA concerning, in particular, public bodies that access the information system of the Revenue Service (13); companies providing databases to third parties for marketing purposes (10); and telephone operators as for the retention of traffic data for customer profiling purposes (9). As for the inspections performed by the Financial Police upon the DPA's instructions (which specify data controller and scope of the inspection), the following areas were covered: private hospitals (35); public hospitals and nursing homes (35); public transportation companies (30); casting companies (26); suppliers of building materials (25); golf clubs (25); businesses controlled by municipalities dealing in waste collection (20), sales of methane (20), and sales of water (20); tourist harbours (20); betting agencies (15); ski lift companies (10); companies selling electronic ware (10); pharmacies (20); companies that notified the use of databases on creditworthiness/defaults (20); other entities as per the specific requests made by legal departments at the DPA (83).
Following the inspections, 43 reports were preferred to judicial authorities and 368 procedures initiated to issue administrative sanctions; additionally, in about 150 cases proposals were submitted to the competent legal departments at the DPA to impose obligations on the data controllers aimed at bringing processing operations into line with the law.
One hundred and seventy sanction procedures were finalised in 2009 and a total of 1,572,432 Euro was levied via the relevant fines.
As for criminal cases, several had to do with the failure to take minimum-level security measures (24); unlawful data processing operations (7), the provision of untrue statements and information to the DPA (6), and non-compliance with orders/measures issued by the DPA (4) were also detected.