Annual Report for 2002 - Summary
Annual Report for 2002
1 – Consolidated Data Protection Statute and Codes of Conduct
The activities aimed at supplementing data protection legislation in view of the adoption of a consolidated data protection statute continued throughout 2002.
In particular, the deadline for adopting the consolidated statute was postponed to 30 June 2003 in order to allow transposing the new EC directive on privacy and electronic communications (2002/58/EC). The new consolidated statute is expected to allow making amendments and additions to streamline and enhance implementation of the provisions in force, also with regard to judicial and police activities.
As for codes of conduct, it may be pointed out here that decree no. 467/2001 made lawfulness of data processing conditional upon compliance with the provisions laid down in the relevant codes of conduct and extended further the scope of application of these codes to include categories in which the need for detailed as well as flexible regulations was especially felt – namely, processing in connection with communication and information services delivered via electronic networks and the Internet, processing in the employment and social security context, direct marketing and advertising, processing for commercial information purposes, processing in connection with data from public and/or publicly available registers, processing by credit referencing agencies, and processing performed by means of automated image acquisition systems (video surveillance).
There are already three codes of conduct in force, concerning journalistic activities, processing for historical purposes, and processing for statistical and scientific research purposes within the framework of the national statistics system, respectively – the latter having been adopted in July 2002 (see below). Two codes – on processing of personal data by lawyers and private detectives and on processing operations for statistical and scientific research purposes outside the national statistics system – are expected to be adopted shortly.
All the above codes will be annexed to the consolidated data protection statute and will provide significant guidance as also related to lawfulness of processing operations.
2 – Other Regulatory Developments
Several legislative instruments impacting on personal data processing were passed in 2002. The most important ones are listed below, including those passed in the first months of 2003:
a) Legislative decree no. 70 of 9 April 2003 – Implementing EC Directive 2000/31 on Certain Legal Aspects of Information Society Services in the Internal Market with Particular Regard to Electronic Commerce. This decree was aimed at the furtherance of free movement of services in the information society, including e-commerce; it refers expressly to Act no. 675/1996 as well as to legislative decree no. 171/1998 in respect of right to privacy and processing of personal data in the telecommunications sector. Specific safeguards are also laid down with regard to unsolicited electronic communications.
b) Act no. 88 of 24 April 2003, further to a decree (no. 28) of 24 February 2003 – This Act includes Emergency Legislation to Fight Hooliganism in Connection with Sports Events. The Ministry for Home Affairs will have to lay down, jointly with the Ministry for Cultural Heritage and the Ministry for Innovation and Technologies, after consulting the Garante's advice, specific arrangements to implement the provisions regulating access to sports facilities. Such provisions basically consist in setting up access points equipped with metal detectors and supervised by law enforcement staff, where the entrance tickets will be also electronically scanned. Another decree by the Ministry for Home Affairs, again pursuant to the procedure described, will have to implement the provisions in the above Act requiring that sports facilities should be equipped with devices to allow filming and recording images of the areas reserved for the public both inside and outside such facilities – including nearby areas.
c) Act no. 30 of 14 February 2003 – Enabling Government to Pass Legislation Concerning Employment and Labour Markets. It envisages re-shaping of the mechanisms applying to processing of job offer and demand data in compliance with the data protection Act. It is aimed at
- preventing additional, unjustified expenses in connection with statistical monitoring activities,
- preventing social exclusion and control by occupational agencies, in particular by banning public and private actors from performing surveys and/or processing data or pre-selecting candidates, even with the latter's consent, based on their membership of trade unions or political parties, their religious beliefs, sex, sexual orientation, matrimonial or family status, pregnancy status and any litigation with previous employers,
- prohibiting collection, storage and dissemination of employee information that is not closely related to the employee's professional skills and recruitment. This Act will have to be reconciled with the provisions laid down in the consolidated statute on processing of personal data.
d) Act no. 17 of 5 February 2003, concerning New Provisions for Severely Disabled Electors to Exercise Their Voting Rights. This Act amended legislation on voting and elections; in particular, the following paragraph was added to section 55 in the consolidated Act referred to in Presidential Decree no. 361/1957: "Specification of the elector's right to vote with another's assistance […] is provided by the Municipality on whose electoral list the elector is included, at the elector's request, together with the relevant documentation, by inserting either a symbol or a code into the electoral card in compliance with the provisions in force concerning data protection, in particular with Act no. 675 of 31 December 1996 as subsequently amended".
e) Act no. 3 of 16 January 2003, concerning Organisational Provisions with regard to the Public Administration, which envisages actions aimed at enhancing technological innovation in the public administration with particular regard to the national card of services and computerised access to public administrative records. In this connection, it should be pointed out that the aforementioned Act no longer refers to the electronic ID card, further to an amendment made by Parliament. Said amendment was based on the need to prevent such a sensitive issue, which entails control over personal data and requires appropriate privacy safeguards, from being regulated via instruments adopted by Government.
f) Act no. 222 of 9 October 2002, including provisions to bring to light unofficial employment. In the course of the relevant legislative process, the Garante pointed out to Government that amendments were necessary with regard to two provisions of special interest in connection with the taking of fingerprints. Initially, the processing of personal data concerning non-EU residents, if acquired by means of fingerprint data, was to be regulated by the special provisions applying to processing operations by the Data Processing Centre of the Public Security Department; furthermore, it was envisaged that fingerprints would be taken from all Italian citizens at the time of issuing their – yet to be precisely regulated – electronic ID cards. We pointed out that the provisions regulating the data processing centre of the Public Security Department could not apply in full to the taking of non-EU residents' fingerprints, which is performed mainly for identification rather than for public security purposes. Secondly, we requested that a paragraph be added to specify that the envisaged taking of fingerprints from Italian citizens would in all cases be compliant with the data protection principles concerning use, storage and availability of the data. Government undertook to submit a report to Parliament on the criteria that are planned to be applied in order to implement the above provisions, in particular as regards the taking of fingerprints.
g) Act no. 166 of 1 August 2002, concerning Provisions on Facilities and Transportation Means. Section 41 of this Act enables Government to pass legislation implementing the recently enacted Community directives on electronic communications (i.e. Directives 2002/19/EC, 2002/20/EC, 2002/21/EC and 2002/22/EC of 7 March 2002), as well as Directive 2002/58/EC of 12 July 2002 on the protection of privacy in the electronic communications sector. This directive will replace Directive 97/66/EC and addresses issues of considerable importance in terms of personal data protection – such as, inter alia, the arrangements for inclusion of subscribers into telephone directories, traffic data retention, user location and sending of unsolicited communications by e-mail and other electronic means (so-called spamming).
h) Act no. 189 of 30 July 2002 – amending the legislation on immigration and asylum. This Act provides that any foreigner applying for (renewal of) a residence permit is to have his/her fingerprints taken. The Garante pointed out – in a letter sent to the Chairmen of both Houses of Parliament – that in the light of the safeguards provided for at international level it was necessary to comply with data protection principles with particular regard to collection, retention and subsequent use of such data. Under Act no. 189/2002, implementing regulations are to be enacted also with regard to interconnection of the different filing systems; the Garante will not fail to provide its opinion and guidance as required by Section 31(2) of the DPA.
i) Decree no. 121 of 20 June 2002, converted into Act no. 168 of 1 August 2002 – emergency legislation to ensure road traffic safety. This decree provides, inter alia, for "distance" control of speed limit offences including, under certain conditions, the deployment of metering devices that may be used even in the absence of a police patrol. The Garante cooperated with the Ministry for Home Affairs in drafting an implementing circular letter concerning personal data protection issues.
j) Act no. 39 of 1 March 2002 – Provisions to Comply with Obligations Related to Italy's Membership in the European Community (2001 Community Act). This Act provides for transposition of four Community directives impacting on personal data protection – namely, the E-commerce directive, the e-money directive, the directive against discrimination for reasons related to race or ethnic origin, and the directive on compulsory insurance against civil liability in respect of the use of motor vehicles. The Act also includes provisions on teleshopping and TV programmes requiring specific safeguards for children.
3 – Action on Bills
In addition to the consultative activities concerning the legislation enacted as above, the Garante also followed the parliamentary debate in respect of other bills that are partly related to personal data protection. The most important bills are mentioned below.
a) A bill on simplification of administrative proceedings. Government proposed an amendment to the bill, tabled before the Constitutional Affairs Committee, to encourage computerisation in the judicial sector; in particular, this amendment would allow any interested entity to access the identification data included in files of cases that are yet pending before courts competent for administrative and accounting matters, also by publishing such data on the relevant web sites. The Garante provided its advice to the Committee in order to bring this initiative into line with data protection principles as applying to computerisation of judicial activities; the specific safeguards to be possibly laid down in the forthcoming consolidated data protection statute were also referred to.
b) A bill to allow the police to access the data held by air and naval carriers. On 14 January 2003, the President of the Garante, Prof. Stefano Rodotà, was heard by the competent Constitutional Affairs Committee at the Chamber of Deputies. Prof. Rodotà stressed the need for the bill to be compliant with personal data protection principles as applicable to processing operations for police purposes (Section 4 of the DPA). In particular, the request for such data should be as detailed and selective as possible and should only be aimed to prosecute serious offences related to terrorism and organised crime; additionally, the collected data should be erased as soon as possible if they are found not to be useful for the specific investigation(s).
c) A bill to amend and supplement Act no. 241 of 7 August 1990 (Freedom of Information Act). Section 13 of the bill would amend Section 25 of the Act by providing that the Garante is to be "heard" by the Committee for Access to Administrative Records when deciding on denial of access orders issued by public administrative agencies for reasons related to third parties' personal data. The competent Parliamentary Committee adopted an amendment to the bill under which the Garante would be required, in turn, to get the non-binding opinion of said Committee for Access if a proceeding concerning processing of personal data by public bodies deals with access to administrative records.
4 – Advice Provided to Government
Under Section 31(2) of the DPA, the Prime Minister and each Minister are required to ask for the Garante's opinion when drawing up regulations and administrative instruments that can be expected to produce effects on personal data protection. Our Authority did issue several opinions throughout 2002 concerning major issues – such as a consolidated text including laws and regulations on the criminal records office and the Register of offence-related administrative sanctions, which envisages setting up of an automated information system, a draft regulation to allow voting by Italians abroad, a draft regulation to implement anti-money laundering legislation, and a draft Presidential decree to regulate access to the Electronic Documentation (Case Law) Centre of the Court of Cassation.
It should also be pointed out that in some cases Government failed to ask for our advice as required by law, even though this occurred less frequently than in the past. Reference can be made, in particular, to a decree of the Minister of Health concerning the mechanisms to carry out anti-doping controls.
5 – In General
No major steps forward were made in 2002 as regards application of the principles set out in legislative decree no. 135/1999. Citizens' reports, sample audits and the many requests for information submitted did point out a persistently widespread failure to apply data protection principles – with particular regard to the obligation for public bodies to specify and publicly disclose the categories of data and operation they are allowed to perform in connection with the "instances of substantial public interest" served by the processing. Public administrative bodies continue adopting a formal approach to data protection, giving priority to compliance with formal requirements over the measures aimed at safeguarding fundamental personal rights. This is why co-operation with the bodies representing local authorities and regions has been enhanced.
6 – Sensitive Data and Other Special Categories of Data
On account of the widespread failure by public administrative agencies to apply data protection legislation, the Garante drew the Government's attention, pursuant to Section 31(1), letter m), of the DPA, to the need for taking suitable measures to ensure that the processing of sensitive and judicial data by several public bodies be brought into line with the provisions in force as expeditiously as possible. In this connection, some guidelines were laid down that should be followed by public administrative agencies in drawing up the relevant instruments. The Garante stressed, in particular, that administrative agencies should not reproduce the general provisions laid down in legislative decree no. 135/1999 in their own instruments, with regard to such concepts as relevance and proportionality of the data, data retention arrangements, and so on. In fact, they should clarify what categories of information they plan to use for the individual purposes and specify how they plan to use such information in practice.
The audits performed in the past year brought to light several breaches of data protection legislation by public bodies also on account of the failure to nominate the entities in charge of processing operations and take the so-called minimum security measures. With regard to sensitive and judicial data, reference should be made to the general authorisations that were re-issued by the Garante without major amendments compared with previous versions (General Authorisation no. 2/2002 and no. 7/2002, respectively).
7 – Openness in Administrative Proceedings
The issue of reconciling protection of private life with openness in administrative proceedings was addressed in several decisions issued in 2002. In particular, it was pointed out that the right of access under Section 13 of our DPA did contribute to increasing "openness" and transparency of the public administration. Reference can be made, inter alia, to the effects produced on the access to personal data related to deceased persons. Another important decision in this regard had to do with the possibility for a daily to access the data – held by INPS, i.e. Italy's National Social Security Agency – concerning the additional contributions paid by trade unions to the benefit of well-known trade union representatives that had been granted unpaid leave of absence. The Garante did not decide on admissibility of the request for access, which was to be left to the public body's discretion; however, we pointed out that there did not appear to be any limitations applying to disclosure of the information also by having regard to the Code of Practice for journalistic activities – which leaves unprejudiced freedom of information in respect of "well-known persons or persons discharging public offices".
Another decision in this sector addressed the dissemination of images filmed by a local TV station, in which the meetings of the Council of a local municipality were shown. We stressed that filming such meetings was to be permitted on condition that the entities participating in those meetings had been appropriately informed as to the presence of TV cameras and the subsequent dissemination of the images. Additionally, suitable precautions were to be taken to prevent unlawful dissemination of sensitive data. By the same token, we ruled in another decision that the data included in a public housing waiting list for tenants under eviction orders could not be disseminated freely exactly because those data included sensitive information – in particular, data on health of elderly and/or severely disabled family members.
8 – Access to Administrative Records
The relationship between right of access to administrative records and right to privacy has been dealt with repeatedly by our Authority. Any residual doubts as to whether this right of access also applies to especially sensitive information would appear to have been dispelled by Section 16 of legislative decree no. 135/1999 – which re-affirms that processing sensitive data serves a "substantial public interest" if it is necessary to defend a claim in administrative or ordinary judicial proceedings as well as if it is carried out in compliance with laws and regulations implementing the provisions on access to administrative records. Obviously, the right to access data disclosing health and sex life may only be granted if the right to be established and/or defended is at least equal to the data subject's right (Section 16(2)). This point was made repeatedly with regard to the data contained in medical records, and we supported the view that only personal rights and other fundamental, inviolable rights should be considered "equal to" the data subject's right.
Out of the many decisions rendered by our Authority, special importance should be attached to the one concerning the possibility for a councillor of a local municipality to know the names of the local municipality's employees who were trade union members. We ruled that the employees' data, including sensitive data, could only be accessed if this was actually indispensable for the councillor to discharge his tasks – i.e. political and administrative supervision of the activity carried out by the personnel office. Failing the "substantive public interest", communication of the data would be unlawful and no access should therefore be permitted.
9 – Large Databases
The trend towards the growing development of large-sized databases – already pointed out in previous Annual Reports – was confirmed also with regard to 2002. Despite their being beneficial for administrative activities, such databases do entail increased dangers for fundamental human rights, in particular if they are set up in the absence of a legal basis and without any systematic approach.
An especially interesting case addressed in this regard had to do with processing of the data derived from the 2001 Population Census; it was reported that these data would be transferred to outsourcing companies located in Romania and Croatia to be subsequently processed. The Authority asked the competent National Statistics Agency (ISTAT) for clarification as to the legal basis of the transfer, given that both countries have not been found yet to afford adequate protection for personal data as required under the DPA and the Directive. The audit is still in progress.
With regard to the provisions laid down in Act no. 189/2002 on immigration and asylum in order to, inter alia, regulate recognition of unofficial employment in respect of non-EU citizens, we evaluated the circular letter issued by the Ministry for Home Affairs for organisational purposes and pointed out the need for paying greater attention to data protection issues. This applied, in particular, to the protection of sensitive data concerning the persons assisted by the non-EU citizens that had applied for legalisation of their stay in Italy by also attaching the relevant medical records. The Ministry answered that these data would only be stored in paper form and processed separately.
10 – Electronic ID Card, National Services Card, and Electoral Card
The issues related to establishment of an electronic ID card scheme in Italy have been followed with special attention by our Authority. Whilst the initially planned adoption of an ad-hoc medical card was cancelled, there is a wealth of initiatives in the private sector aimed at making available a wide gamut of cards addressing specific categories of patient or disease. We are following the relevant debate carefully and have reserved the right to give our opinion on the final draft to implement the electronic ID card scheme – with particular regard to proportionality in the use of the personal data stored on the card and the possibility of turning the taxpayers' identification code into a general identification code, which actually could only be allowed on the basis of specific legislation setting out the relevant safeguards and conditions (as per EC Directive 95/46).
Also in connection with the envisaged issue of a National Services Card – to facilitate citizens' access to public administrative services – specific importance should be attached to the planned establishment of an integrated network including the census register offices of all Italy's municipalities. As pointed out by the competent Parliamentary Committee further to the report submitted by the Garante, "it will be necessary to ensure that establishment of electronic ID cards and matching of the data among the different entities holding such data will not result into limiting personal privacy with particular regard to sensitive data; the purposes related to availability and use of that information will also have to be taken into account".
As for the electoral card, we have repeatedly urged re-consideration of the whole issue; the paper-based electoral card, as issued a couple of years ago, was firmly criticised by the Garante on grounds that remain fully applicable – i.e. the risk that using the paper-based electoral card might result in disclosing (sensitive) information on the electors' conduct. Recently (December 2002), the Minister for Home Affairs and the Minister for Innovation and Technology declared that it was necessary to switch to a computerised version of the electoral card; it is to be hoped that this subject matter will be dealt with expeditiously, also pursuant to the considerations made by our Authority.
A provision worth mentioning in this context relates to the possibility for disabled citizens to have a symbol or code added upon request to their electoral cards, to signify their entitlement to being assisted (e.g. by a nurse) in the voting procedure; this amendment to the new Act regulating exercise of voting rights by severely disabled electors (no. 17/2003) was made thanks to the guidance provided by our Authority, which stressed that full disclosure of the relevant medical data in the electoral card failed to comply with the DPA as it was irrelevant and excessive for the specific purpose.
11 – Census Registers and Electoral Rolls
Many requests for clarifications were submitted also in 2002 by both local municipalities and citizens with regard to the processing of data included in census registers, registers of births, deaths and marriages, and electoral rolls. These requests concerned a wide range of topics – from the arrangements applying to the census registers and electoral rolls of Italian residents abroad, containing irrelevant data as pointed out by our Authority, to the possibility for a local municipality to provide the Italian Motor Vehicle Association, which is a public body, with the full list of citizens' names and addresses in order to allow the Association to better discharge its institutional tasks (which we considered lawful on account of the public interest served). As repeatedly pointed out, the regulations on census registers and electoral registers are left unprejudiced by the data protection legislation in force; in particular, electoral register data may be provided to any person whomsoever – although the appropriateness for a local municipality to process such registers in order to extract certain types of information as requested by an applicant is to be questioned – whilst census register data may only be communicated to public administrative agencies on public interest grounds.
12 – Education
Data protection in the educational context is of special interest on account of the frequent involvement of underage data subjects. Two decisions of 2002 should be mentioned here. One concerned the possibility for a school to provide the names of pupils attending a quit-smoking programme to their respective families; the Authority decided that this information should not have been supplied to families without previously informing the pupils themselves, and in any case that suitable safeguards should have been adopted given the sensitive nature of the information at stake – for instance, by failing to specifically refer to the subject of the programme and using more general wording as for its purposes (such as "medical education and prevention"). In another decision it was ruled that a state-accredited school was not entitled to obtaining, from a local municipality, a list of the resident children's names and addresses with a view to promoting educational programmes; indeed, census register data may only be provided by a local municipality to public bodies on public interest grounds.
13 – Public TV Corporation's Yearly Subscription Charge
The Garante has already investigated the extent to which certain arrangements between Italy's public broadcasting corporation (RAI) and the Minister of Finances are compliant with data protection legislation (see Annual Reports for 2000 and 2001). No major changes did take place during the past year with regard to the main issue at stake – i.e. whether RAI may collect data on purchasers of TV sets from retailers in order to request those purchasers to start a subscription and pay the relevant fee. We had pointed out that the TV corporation acted as a public body in collecting subscription fees, since the ultimate recipient of these fees was the Ministry of Finances on whose behalf RAI was collecting the charges. However, as a public body RAI may only perform the processing operations that are provided for specifically in laws and regulations. Given that no legislation currently requires retailers to supply the names and personal data of TV purchasers to the national TV broadcasting corporation, RAI is not entitled to collect these data, not even with the individual purchasers' consent – which cannot serve as the legal basis for public bodies to lawfully process personal data. The TV corporation challenged our decision before the higher administrative court, and several consumers' and users' associations filed suit against RAI. The final decision is still pending.
14 – Local Authorities
A major issue addressed with regard to the activities of local authorities is related to the so-called System for Access to and Exchange of Census Register Data, which is based on the electronic exchange of data and information between local municipalities as well as between the latter and other public bodies to streamline administrative activities and facilitate monitoring by the Ministry for Home Affairs. We have repeatedly provided advice to the latter Ministry in order to ensure compliance of the System with data protection legislation, and we continue following up the relevant developments on account of the many sensitive issues at stake.
As already pointed out, a feature of the activity of public bodies in Italy with regard to data protection is the widespread failure to implement regulations on processing of sensitive data – as required under a decree of 1999. Local authorities are no exception to this rule; indeed, investigations carried out on a sample of Italy's municipalities (selected by extraction) did show that most entities failed to comply in full with the provisions in the DPA as well as in the abovementioned decree (135/1999).
JUDICIAL AND LAW ENFORCEMENT ACTIVITIES
15 – In General
Certain processing operations for judicial purposes, the prevention and suppression of offences and those performed by the Data Processing Centre of the Public Security Department as well as by security and intelligence services are partly outside the scope of application of data protection legislation (as per Section 4 of the DPA). However, the principles relating to quality of the data do apply to these processing operations as well – which is why we repeatedly stressed in 2002 that, in particular, the data processed by police and judicial authorities should be relevant and not excessive by having regard to the institutional purposes. The forthcoming Consolidated Statute of data protection legislation is expected to also make such amendments and additions as are required to better implement the data protection legislation in force also in these sectors.
16 – Processing of Personal Data in Connection with Judicial Activities
With regard specifically to this type of processing operations, reference can be made to a decision in which it was ruled that providing judicial offices with personal data concerning the opposing party in order to defend a legal claim in a judicial proceeding is to be regarded as processing for exclusively personal purposes (under Section 3 of the DPA).
17 – Service of Process
Several reports were received in 2002 concerning inappropriate and/or incorrect arrangements for service of process, such as the delivery of judicial notices into the hands of third parties without safeguarding the addressee's privacy. We repeatedly referred to the guidance already provided in the past few years concerning this issue; in particular, we suggested that – pending enactment of legislation to allow judicial documents to be served on third parties in closed envelopes, if the relevant addressee is not to be found – the provisions already available to reconcile right to privacy and effectiveness of judicial activities should be applied. Reference is made especially to the possibility to send taxation-related documents (e.g. default notices) by mail except where this is expressly prohibited by law.
18 – Police Activities
The Authority continued receiving many complaints against the processing of inaccurate, incomplete or outdated information by the Data Processing Centre at the Public Security Department. These processing operations are partly outside the scope of application of the DPA; however, as already mentioned, the principles concerning fairness, accuracy, updating, relevance, completeness and proportionality are fully applicable to the information processed by law enforcement agencies with regard to their institutional purposes. Furthermore, the retention time of this information should not exceed what is necessary to achieve the specific purposes. This is why we called upon the Ministry for Home Affairs and the Police Department to ensure that the data are compliant with the relevant provisions in the DPA. The consolidated statute of DP legislation will hopefully allow, inter alia, streamlining the procedure to update and amend the data processed by the different law enforcement agencies.
19 – Schengen Information System
In its capacity as supervisory authority for the national portion of the Schengen Information System (N.SIS), the Garante received several requests for checking existence of alerts in the System pursuant to the Schengen Agreement Implementing Convention. In many cases it was necessary to obtain information from supervisory authorities in other Schengen Member States, which had entered the original alert(s). It should be pointed out that there was a considerable increase in the number of requests lodged with us during 2002, partly on account of the enactment of legislation (Act no. 189/2002, see above) on legalisation of residence for non-EU citizens working in Italy. The excellent cooperation with Italy's SIRENE bureau at the Ministry for Home Affairs and the Immigration and Customs Police Service at the Public Security Department allowed dealing with the different issues quite expeditiously.
The forthcoming adoption of the new Consolidated Data Protection Statute might provide the opportunity for re-considering the mechanism for access to SIS data, by shifting to a system – already in force in most Schengen countries – whereby citizens can directly apply to the competent police authorities rather than indirectly lodge a request for access via the national supervisory authority, as is currently the case in Italy.
20 – Processing of Data Disclosing Health
Reference has already been made to the fact that the regulatory system applying to the processing of data disclosing health has not been implemented in full owing to the failure by the Ministry of Health to enact regulations in which simplified arrangements should be laid down for providing privacy notices and getting the data subjects' consent (legislative decree no. 282/1999, see above).
The Garante has repeatedly reminded data controllers of the need for the communication of data disclosing health to comply with the requirement made in Section 23(2) of the DPA – i.e., data disclosing health may only be communicated to a data subject either by a physician nominated by the data subject or by the data controller himself/herself.
Among the many cases addressed by the Authority, reference can be made in particular to two decisions. One concerned compliance with DP legislation of a 1997 decree by the Ministry of Health requiring, inter alia, that a physician applying for a drug that is not marketed in Italy should provide the Ministry and the Customs Office with the relevant patient's identification data. This was found to be disproportionate and irrelevant in respect of the purposes sought; furthermore, the provision in question did not appear to serve a "substantial public interest", which is what a public body actually needs in order to process sensitive data. We pointed out to the Ministry the need for amending the text to bring it into line with the DPA. Another interesting decision was related to a complaint lodged by a patient who had alleged inadequacy of the answer provided by a hospital further to his request to access his personal data as contained in the relevant medical record. We pointed out, in particular, that the information should be provided to the data subject in an "intelligible" form – which means that if the information is undecipherable on account of the quality of the handwriting, a transcript must be provided to the patient.
21 – Genetic Data
Currently, genetic data may only be processed in compliance with the requirements and safeguards set out by the Garante in an ad-hoc authorisation. The latter has yet to be issued – the relevant procedure being quite complex and involving the Minister of Health as well as the Higher Council for Health – which is why the applicable regulations can be found so far in a general authorisation (2/2002) issued by the Authority with regard to the processing of data disclosing health. In practice, genetic data may be processed with the data subjects' written consent insofar as the information and the processing operations are indispensable to safeguard physical integrity and health of the data subject, a third party or the community as a whole; however, if the data subject's consent is unavailable, a specific authorisation by the Garante will be necessary, on condition that the processing is aimed at protecting physical integrity and health of a third party and/or the community as a whole. Failure to comply with these provisions carries criminal penalties.
CODES OF CONDUCT AND PROFESSIONAL PRACTICE
Special attention was paid by the Garante to the work in progress concerning several codes of conduct and professional practice as required by Section 20 of Legislative Decree No. 467/2001. Reference should be made here to the code applying to processing of personal data for statistical and scientific research purposes in the public sector — which was published in the Official Journal on 1 October 2002 under the Garante's responsibility. This code was drafted in cooperation with the Garante by public and private entities representing the categories concerned. The provisions laid down in the code — which is to be abided by in order for the relevant processing operations to be lawful — apply to the processing carried out by statistical bodies and agencies taking part in implementing the national statistical programme.
The main features of this code are the safeguards to ensure anonymity of citizens, including the criteria to assess the identification risk related to the association between identification data and collected information as well as specific safeguards in respect of processing sensitive data. The code also contains provisions requiring data subjects to be adequately informed as well as specific rules of conduct, and the security measures to be adopted with particular regard to the retention of identification data.
PRIVATE SECTOR BODIES
Employment: Collecting personal data via coupons and job advertisements - The Garante has repeatedly addressed the processing of personal data that are collected via coupons and/or job advertisements published in newspapers and journals. In particular, following several reports as well as the assessment carried out on a sample of job advertisements, the Garante issued a new provision of a general nature (10 January 2002). Having established that several advertisements contained inadequate information and that the wording used to request consent to the processing of personal data was often generic and inappropriate, the Garante reaffirmed that respect for the fairness principle required applicants to be unambiguously informed, at the time job advertisements were published, of the processing mechanisms and the use of the personal data they were required to provide. In practice, each company should allow for the applicants' free informed choice and obtain, if necessary, their specific consent. The Garante also made available the text of a standard information notice, with standard wording, that may be reproduced in job advertisements.
Spamming - In 2002, the Garante blocked the processing of personal data stored in the databases of seven companies operating on the web. These companies acted in breach of the privacy law using e-mail addresses unlawfully, without the data subjects' informed consent, to send unsolicited commercial and promotional messages.
Transborder Data Flows
Survey on Data Transfer Instruments - Between the second half of 2002 and the first months of 2003, the Garante carried out a survey on a sample of companies, including the 50 biggest companies based in Italy, to assess what tools were implemented in order to transfer data abroad (SHA, standard contractual clauses, consent, contractual obligations, etc.). The findings of this survey showed that 5 of the 41 companies transferring data abroad made use of the SHA, i.e. 12.2 % of the total; 23 of 41 companies transferred data to the United States, therefore, 5 of 23, i.e. slightly more than 20 % of those in this group, implemented the SHA for their transfers. All of them had correctly notified the relevant countries of destination. Importantly, most companies availed themselves of the data subjects' consent to lawfully transfer the information. As for the categories of transferred data, 35 companies transferred human resources (HR) data, 23 companies transferred customer-related data, 18 companies transferred data concerning suppliers and/or trade partners and 11 companies transferred other categories of personal data (obviously some companies specified more than one category of transferred data).
Multinational Companies and Transborder Data Flows - At the end of 2002, a draft project was submitted to the Garante envisaging implementation of a centralised information system at international level for managing a corporate group's human resources, to be outsourced to a US-based company. The above system would be managed with the support of entities located in several EU and non-EU Member States. The outsourcer and outsourcee had already entered into a so-called global agreement based on the standard contractual clauses for transborder data flows between data controllers. The outsourcer company considered it appropriate — prior to implementing the project — to first consult some European supervisory authorities including the Italian DPA. Taking account of the considerations made by this authority as well as by the other European supervisory authorities contacted, the company decided to revise the so-called global data transfer agreement previously made with its outsourcee and supplement it with or replace it by a new agreement, based mainly on the standard contractual clauses for transferring personal data to processors established in third countries. However, the clause concerning the data exporter's and importer's joint and several liability for damage caused to data subjects on account of the infringement of the rights and principles set out in the agreement was retained in the new version. In the DPA's view, supplementing the controller-to-processor data transfer clauses by providing for the joint liability of both entities could result in a higher level of protection for data subjects' rights, as this approach could better ensure payment of damages, if any, to data subjects, who may take legal action directly against both contractual parties. 
Furthermore, the Garante shared the corporate group's view that the draft agreement should be subsequently stipulated by each affiliate that had not conferred any specific mandate on and/or granted power of attorney to the holding company. Therefore, the Garante confirmed that the general authorisation concerning transborder data flows from Italy to processors established in third countries could apply to the data transfer at issue, and that there was no need for a new ad-hoc authorisation.
Credit Reference Agencies - The Garante has repeatedly addressed the processing of personal data by the so-called private credit referencing agencies (CRAs) as well as by banks and financial institutions accessing the relevant information systems, which include data on contractual and pre-contractual relationships in respect of the granting of credit, loans and/or mortgages with particular regard to consumer credit.
Ultimately, the Garante issued a general decision in July 2002 to provide guidance in this connection. The main features of this decision are the following.
(a) With regard to data quality, it should be carefully verified that the detailed data stored in information systems are relevant and not excessive. Defaulting should only be reported to a CRA if it concerns large sums and/or several instalments, or else if it is related to a marked delay; in any case, banks and financial companies should inform data subjects in advance so that the latter can take steps before their defaulting or another negative item of information is reported to a private CRA. Furthermore, data concerning credit applications should not be retained for longer than is necessary in connection with the preparatory activities prior to granting the credit.
(b) Proportionality is fundamental with regard to the retention of data concerning the relationships with the credit grantor(s). Accordingly, data concerning defaults that have been settled without losses, residual debts and/or unsolved claims are to be erased from the files held by private CRAs within one year either of the relevant settlement or, at all events, of the date on which the line of credit was extinguished. In addition, data concerning pending defaults should be kept for as long as the credit line is operating and, at all events, for no longer than three years after the date on which they had to be last updated by the CRA. Furthermore, the companies managing and/or accessing private CRAs must carefully assess the criteria implemented and the checks aimed at ensuring that the information is correct and updated, and data subjects should also be granted access to the data stored in the form of a score concerning their reliability and/or creditworthiness.
Video Surveillance - Many complaints, reports and claims were received by the Garante also in 2002 concerning the processing of data by means of video surveillance both in the public and in the private sector. In several decisions, it was stressed that the principles set out in a general provision issued in 2000 were to be abided by — namely, the obligation to provide an information notice, compliance with the purpose specification and proportionality principles, ensuring that the processed data are accurate, relevant and not excessive, and limiting the data retention period. Additionally, many inspections carried out by the competent department at the Garante had to do with video surveillance. All the issues addressed will play a key role in contributing to the code of conduct that will specifically deal with processing operations carried out by means of video surveillance equipment.
De-baptising - The Garante dealt, once again, with claims lodged by citizens requesting that their personal data as contained in the baptism registers kept in parish archives be modified on account of their having changed their religious orientations, alleging that their claims were grounded in their atheist beliefs. The Garante stressed that it was impossible to delete the claimants' names from the relevant baptism registers, as the entries referred to an event that had taken place in reality; however, the claimants' request that their current religious orientations should be reported accurately was found to be justified. To that end, it was suggested that the baptism registers could be updated and supplemented by simply adding a rider to the information to be rectified.
Memorandum of Understanding with the Finance Police - In carrying out inspections, the Garante may avail itself, if necessary, of the cooperation of other State bodies, in particular police bodies. Therefore, the Garante and the finance police stipulated a memorandum of understanding with a view to enhancing supervision and control activities by means of increased cooperation between the two institutions. Under this memorandum, the finance police will cooperate in the inspection activities carried out by the Garante — in particular by locating data and information on the entities to be inspected, allowing its own staff to participate in the activities aimed at accessing databases and carrying out inspections, assessments and other investigations at the premises where processing operations are performed, providing assistance in all relationships with judicial authorities, performing activities under delegation of authority by the Garante in order to detect breaches of criminal and/or administrative law, and carrying out surveys on the implementation of data protection legislation in specific sectors.