Italian Data Protection Authority
Annual Report for the Year 2010 – Summary
Main Legislative and Regulatory Developments
- Public Opt-Out Register: A decree was adopted by the Italian government in July 2010, following the DPA's favourable opinion, to set up a public register for users to opt-out from unsolicited telemarketing communications – as per Section 130 of Italy's Data Protection Code. The decree regulates the criteria for telecom operators and users to access the register and include/update the opt-out information, and provides that a third party (i.e. other than the competent ministry) will manage the register and the relevant services. Additionally, it was clarified (as requested by our DPA) that the current opt-in regime for telemarketing would continue to apply until the opt-out register became fully operative.
- The DP Code was amended (section 19, paragraph 3-bis) to enable disclosure of certain non-sensitive personal data relating to the performance of public employees, as part of the policy pursued by the Italian government to foster openness of public administrative activities.
- The DPA was heard several times as part of Parliamentary hearings on major issues involving, in particular, immigration policy, the "anagrafe tributaria" [Taxpayers' Registry], and simplification of the relationship between public administration and citizens.
Main Activities and Decisions by the DPA
- The DPA approved important guidelines concerning, in particular, disclosure of information on legal persons; the rules to be complied with by public administrative bodies when posting online administrative records and documents that contain personal data; and customer satisfaction measurement in the health care sector.
- General decisions were issued with regard to specific sectors such as video surveillance; electoral propaganda; the so-called "tessera del tifoso" (soccer fan card); telemarketing; number portability; credit information systems; telephone registries and "reverse searches"; use of the data in the "pubblico registro automobilistico" (i.e. the registry containing data relating to vehicles); security measures for customer data held by banks.
- Regarding, in particular, video surveillance, the rules set forth in the general decision issued by the DPA in April 2010 provided specific safeguards for the privacy of any individual whose data are collected and processed via such systems. The decision replaced a previous one issued by the DPA in 2004 so as to take account not only of supervening legislation, but also of new technologies and the substantial increase in the use of video surveillance for multifarious purposes. Special attention was paid to measures informing data subjects that CCTV cameras are in operation in the areas/premises they are about to access (obligation to provide specific information notices, except in case of CCTV cameras in use for public security purposes) and to the limits on retention of data collected by CCTV cameras and video surveillance systems (the images, where recorded, should be kept for a limited period of time, which should not be in excess of 24 hours. A longer retention period is envisaged in specific cases, such as police and judiciary investigations, security of banks, etc.).
- Some initial guidance was provided to users of cloud computing services via a booklet called "Cloud computing: guidelines for a knowledgeable use of these services". In particular, reference was made to the need for a prior risk-based assessment, also covering the reliability of the individual providers, and for checking the specific contractual clauses applying to the provision of cloud-based services (including the location of the cloud server, the type of services offered, and the training of the personnel in charge of data processing). Specific rules on security measures will be developed in the near future.
Additional areas of activity for the DPA in the course of 2010 included:
- health care (electronic health record and health file, online examination records, booking and collection of examination records in pharmacies, scientific and pharmacological research, project of epidemiologic surveillance on soldiers in Bosnia, collection of HIV data in health care institutions, privacy rights in hospitals/health care institutions, storage of medical documents);
- public administration (dissemination of data on real estate owned by public entities, transparency of grants and salaries accorded by public administrations, online publication and dissemination of personal data by public bodies, database on paedophilia, registry for homeless persons, security measures for the Anagrafe tributaria [i.e., the information system of the Revenue Service], interconnection and security of public databases);
- marketing (unsolicited phone calls and opt-out register, spam, fax and unsolicited e-mails);
- electronic communications (storage of telephone and Internet data for judicial purposes, "reverse searches", security measures, customer profiling);
- journalism and information (judicial records reported by the press, protection of the privacy rights of children and victims of violence, data on health and sexual activity, adoption, pictures of persons under arrest, online newspaper archives);
- employment (detection systems based on biometric data, employee location systems, monitoring employees' use of the internet, video surveillance in the workplace);
- police and justice (judicial data as related to mediation activities aimed at conciliation of civil and commercial disputes; digital civil trial [e-justice], security measures for judicial offices, new information system for the administrative justice, CED – IT database of the Police Public Security department, air passengers' data, security measures for the Schengen database);
- Internet (search engines, Google Street View, Google Buzz, Facebook and social networks, unlawful storage of internet usage data, forums and blogs, simplified security measures for small Internet service providers, online profiling);
- new technologies (geo-location, RFID-based technologies);
- processing of personal data by schools and universities ("anagrafe nazionale degli studenti" [national students' registry], use of video surveillance in schools, publication of grades and exam results, pupils' rankings, personal data used for enrollment with universities);
- processing by private bodies ("tessera del tifoso" [soccer fan card], wedding agencies, ski passes, condos) and corporations (transfers of personal data to third countries, data relating to social security, rating agencies and oversight on conflicts of interests, simplified data protection measures, information of a commercial nature);
- issues relating to banks, financial institutions and insurance companies (access to customer data held by banks, security measures, information systems on credit histories, access to consumer credit data by EU lenders).
- At European and international level, the DPA continued working in and contributing to the many forums dealing with DP issues (EU's Article 29 Working Party, OECD's Working Party on Information Security and Privacy, Council of Europe's Consultative Committee of Convention 108/1981 and Bureau, Joint Supervisory Authorities for the Europol, Schengen, Customs, and Eurodac information systems, International Working Group on DP in Telecommunications – "Berlin Group"); in particular, the DPA acted as rapporteur for the joint enforcement action waged by the Article 29 Working Party in Brussels on the application of the data retention directive 2006/24/EC, and contributed to the work done on DP and law enforcement in the context of the WPPJ (Working Party on Police and Justice), chaired by the President of the Italian DPA.
- Reference should also be made to the DPA's awareness-raising initiatives, especially aimed at young people, which included the issuance of booklets on DP and social networks, school, and the health sector. A video-clip competition was launched by the Italian DPA for high school students called "Privacy 2.0. Youths and New Technologies". Two information documents – the one referred to above on cloud computing and an additional one on the DP-related implications of smartphones and tablets – were also published jointly with the DPA's Annual Report to lay out common principles and guidance on data protection as adapted to the new technological developments.
Approximately 500 inspections were carried out in 2010; in 55 cases infringements of a criminal nature were detected and accordingly reported to judicial authorities. The main shortcomings found in the course of inspection activities concerned missing information notices; lack of security measures; failure to provide information and/or documents to the DPA; missing or incomplete notification to the DPA; breach of a decision by the DPA; breach of provisions on data retention; multiple breaches by data controllers of large-scale databases or databases holding sensitive data. The fines imposed in connection with the above activities amounted to about 4.8 million euro.