Guiding principles on the processing of employees' personal data in the...
Guiding principles on the processing of employees' personal data in the public sector - 14 june 2007 
[doc. web n. 1693793]
Guiding Principles on the Processing of Employees´ Personal Data in the Public Sector - 14 june 2007
Adopted by the Garante on 14 June 2007
IL GARANTE PER LA PROTEZIONE DEI DATI PERSONALI
1.1. Purpose of the Guiding Principles. In order to provide guidance and recommendations in connection with processing the personal data (sensitive or not) related to employees in the public sector, the Garante has considered it necessary to issue the following guiding principles – which are liable to be updated as required – taking account of the Garante´s case law in this sector.
These guiding principles are modelled after those adopted in respect of similar processing operations as carried out by private employers; whilst the principles partly overlap, they have been nevertheless reproduced here.
Separate guiding principles are required in respect of the public sector because it is necessary to highlight certain specificities applying to public sector employers as regards, e.g., the preconditions to be fulfilled in order to process personal data, specific provisions on mandatory data communication/dissemination, or specific situations – even though the principles applying to the employment context are basically the same.
Like for the private sector, the guidance provided here is without prejudice to application of laws and/or regulations setting our specific prohibitions and limitations in respect of certain sectors and/or processing operations (see sections 113, 114, 184(3) of the DP Code).
1.2. Scope. The issues considered relate, in particular, to data communication and dissemination and the processing of sensitive data – especially those suitable for disclosing health and religious beliefs – and/or biometric data relating to public sector employees.
2. Compliance with Personal Data Protection Principles
2.1. General. Public employers are required to process personal data by affording a high level of protection of fundamental rights and freedoms, implementing the basic principles of simplification, data minimization, harmonization and effectiveness. This applies both to the mechanisms deployed to allow data subjects to exercise their rights and to the fulfilment of the obligations incumbent upon data controllers.
Public sector employees have the right to obtain that the processing of their data by means of network-based and/or computerised technologies is grounded on respect for the rights and freedoms mentioned above.
Special importance should be attached therefore to the need for the public sector to seize the opportunity of the stepwise deployment of new processing methods – other than conventional manual processing – in order to assess beforehand how to enhance the effectiveness of their information systems and develop appropriate processing mechanisms that can afford full safeguards to their employees.
Precautions and arrangements should be implemented in an appropriately layered manner, by taking also account of the different types of processing and the different features of sensitive and non-sensitive personal information.
2.2. Lawfulness, Relevance, Transparency. Public employers may lawfully process employees´ personal data to the extent the processing is necessary to appropriately manage employer-employee relationships; in doing so, they must apply all the provisions concerning the respective institutional tasks and/or the employer-employee relationship whether they are set out in laws, regulations and/or (collective) agreements – the ultimate aim being to ensure that the personal data and processing mechanisms are proportionate to the individual purposes to be achieved.
The personal data protection Code (decree no. 196/2003) provides the following as regards processing personal data to manage employer-employee relationships, also pursuant to the requirements made in Community directives (95/46/EC and 2002/58/EC):
- data minimization, lawfulness and quality principles should be respected (sections 3 and 11);
- institutional functions should be abided by and the preconditions and limitations applying to the processing performed by – in particular – public bodies should be complied with as set out in relevant laws and/or regulations (section 18);
- the principle whereby sensitive and judicial data should be indispensable, i.e. it should be prohibited to process information and/or perform operations that are not really indispensable to achieve specific purposes, should be implemented in concrete and effectively (section 4(1), letters d) and e); and section 22, paragraphs 3, 5, and 9; and section 112);
- the processing of sensitive and judicial data should be limited to such information and processing operations as have been specified and disclosed publicly via regulatory instruments adopted in compliance with the Garante´s opinion (sections 20, 21, 112, and 154);
- data subjects should be informed appropriately beforehand (section 13);
- adequate security measures should be taken so as to protect the data against certain events including unauthorised access and usage, for which a public body may be held liable under both civil and criminal law (sections 15 and 31 et seq.).
2.3. Purposes. Personal – including sensitive – data related to employees may be processed if the purpose sought in concrete consists either mainly or exclusively in fulfilling the obligations and tasks arising out of the employer-employee relationship in the public sector employment context.
As well as laws and regulations, collective (national and complementary) agreements contain provisions that allow personal data to be processed lawfully as also related to trade union activities – e.g. in order to calculate basic wages and allowances; to grant leave of absence for trade union-related purposes; with a view to career advancements and/or job transfers; or to establish disciplinary liability.
Processing operations by public bodies must be compliant in concrete with the above provisions and remain compatible with the purposes for which the data were initially collected and/or processed (section 11(1), letter b.)
Special care should be taken in applying collective agreement provisions that require personal data to be disclosed to trade unions, in particular to ensure that data minimization and proportionality principles are paramount in fulfilling the obligations related to providing information to, consulting, concerting and/or negotiating with trade unions whenever such obligations entail the disclosure of personal information.
Indeed, public bodies might seize the opportunity provided by the re-negotiation of collective agreements to check whether the provisions contained in such agreements are updated and unambiguous as well as suitable for handling concrete cases – e.g. complaints lodged by a trade union against an employee that has applied for membership of several trade unions.
It would also be appropriate to draw a distinction between cases in which only numerical aggregate data are to be disclosed and the cases where data related to individual employees may be disclosed because this is justified by having regard to the concrete circumstances – in view of ensuring transparency and enabling layered access by trade unions to personal information that is considered to be necessary in order to check on compliance by the employer with the provisions contained in the relevant collective agreement.
Given the above premises, the applicable agreement might provide that trade unions may, as a rule, access aggregate data related to either the whole establishment or individual organisational units and/or groups of employees; only if abnormalities are detected thereafter and/or specific oversight requirements arise would a trade union be allowed to also access personal information related to individual employees and/or a group of employees – in cases to be expressly and specifically provided for. At all events, it must be actually necessary, in the specific case, to access the information in question to provide proof that the negotiated arrangements have been implemented appropriately; the information disclosed should not go beyond what is relevant and not excessive for that purpose. Liability for the unlawful and/or inappropriate processing of the information obtained in the above manner will continue to be vested in the recipient trade union.
3. Data Controller, Data Processor, Persons in Charge of the Processing
3.1. Who Does What. It is important to clarify as appropriate who may process the data within the framework of the public administrative body acting as "data controller" – i.e. in the capacity of "data processor(s)" and/or "persons in charge of the processing" – by specifying the respective tasks (section 4(1), letters f, g. and h.; sections 28-30).
This point has been addressed repeatedly by the Garante; suffice it to mention here that, in principle, the role of data controller is vested in the central and/or local body/administration as a whole rather than in individual branches and/or natural persons managing and/or representing the said body/administration – such as a minister, director general, or President.
It is sometimes the case that individual officials and/or organisational units are actually empowered by law to make decisions in a fully autonomous manner as for the processing of personal data – especially in a large-sized public body and/or in the presence of several local branches. In that case such units/officials may be lawfully regarded as autonomous "data controllers", or possibly as "joint data controllers", in line with the DP Code (section 28) – this applies, for instance, to a given directorate general and/or local branch of a ministry featuring especially complex organisational arrangements.
In line with the general principles referred to above as applying to the processing of personal data (see point 2.), public sector bodies must regulate the processing by appointing data processors, if any, and at all events the persons in charge of the processing – who may lawfully access the data concerning employer-employee relationships in compliance with the functions respectively entrusted as well as with the appropriate written instructions (section 4(1), letters g. and h.; sections 29 and 30).
It should be recalled here that public bodies are empowered to appoint natural or legal persons as well as individual bodies and/or organisations as "data processors", in which case they have to set out a detailed list in writing of the tasks respectively allocated. Where appropriate, they may allocate responsibilities and competences to additional units within such data processors, on the basis of the organisational arrangements applying to the said units and/or departments or else by having regard to the type of processing, file and/or data – providing the experience, skills and reliability required by the law are actually available (see section 29).
Conversely, the performance of processing operations must be entrusted in writing to the individual employees in their capacity as "persons in charge of the processing"; every employee must also be duly trained as to accessing and using the personal information they may become apprised of in the course of their work. The persons in charge of the processing may be appointed either individually or – especially if the organisational structure is complex – by assigning the given employee to an organisational unit whose competence in terms of processing was set out beforehand in writing (section 30).
3.2. Physician in Charge. Public employers are also required to perform certain processing operations in pursuance of occupational health and safety legislation (section 1(1) and (2) of legislative decree no. 626/1994 as subsequently amended and complemented.)
The legislation in question transposes several Community directives and should be placed in the broader context of the measures required to safeguard employees´ mental and bodily health; the physician in charge of occupational health and safety is required to carry out the mandatory health controls including (as per sections 16 and 17 of decree no. 626/1994) the processing of data contained in health records.
Accordingly, the physician in charge carries out preventive, regular checks on employees (section 33 of Presidential decree no. 303/1956, and section 16 of decree no. 626/1994) as well as creating and updating a health and risk record (pursuant to specific legislation).
The record in question is kept at the public body´s premises "by respecting professional secrecy; a copy thereof shall be handed down to the employee upon termination of employment, or if the employee so requests." Upon termination of employment, the health record original is forwarded in a sealed envelope to ISPESL (an institution in charge of occupational health and safety).
Based on the above provisions, the physician in charge is allowed to process employees´ medical data also by noting them down in health and risk records; the appropriate security measures must be taken to ensure confidentiality of the information in question – regardless of who the data controller is.
Employers are not entitled to access the records at issue, as they are only required to contribute to ensuring that they are kept safely at the respective premises – also in view of the inspections that may be carried out by the entities in charge thereof under the law – "by respecting professional secrecy".
Public employers are required to take preventive and protective measures in respect of individual employees, either based on the opinion rendered by the physician in charge or upon being informed by the said physician of abnormalities that can be traced back to risk exposure. Within this framework, they are allowed to access the opinion rendered on a given employee´s eligibility to perform certain tasks – rather than the findings on the specific disease(s).
The physician in charge may be supported by health care practitioners, including those employed by the public body in question; such practitioners will have to be appointed as persons in charge of the processing of personal data and provided with specific instructions to safeguard confidentiality of the information to be processed (section 30 of the DP Code). In that case, the physician in charge will have to take suitable measures to ensure respect for professional secrecy by his/her collaborators where the latter are not bound by professional secrecy obligations under the law – regardless of who the data controller is and whether official secrecy rules apply; for instance, he/she will have to draw their attention to the relevant legislation and the applicable punishments.
4. Sensitive Data in the Employment Context
Public bodies are required to enhance safeguards if the personal information is suitable for disclosing very sensitive features of employees´ lives such as health, sex life, political opinions, membership of trade unions, philosophical or religious beliefs, and racial or ethnic origin (section 4(1), letter d., of the DP Code).
In general, public employers may use sensitive information related to their staff in pursuance of the legislation applying to recruitment and management of employer-employee relationships; for training-related purposes; and to grant allowances and other benefits (sections 112, 95, 68 of the DP Code).
As already pointed out, public employers must limit the processing of sensitive and judicial data to such information and operations as have been specified and disclosed publicly via the regulations adopted after being endorsed by the Garante (sections 20, 21, 112, 154 of the DP Code).
In pursuing the above purposes, data minimization and indispensability principles will have to be respected – whereby the use of personal data should be minimised; thus, if one cannot do without sensitive or judicial personal data, such data and operations should be used as are indispensable for the specific purpose of managing employer-employee relationships (sections 3 and 22 of the DP Code).
As of February 27, 2007, public bodies may only process sensitive data if they are compliant with the above requirements; if not, the processed data may not be used and judicial measures may be imposed, up to blocking or prohibiting the processing.
This is without prejudice to the possibility for a public body that failed to adopt the required regulatory instruments within the above deadline to do so expeditiously in order to ensure that they process sensitive and judicial data lawfully.
5. Communication of Personal Data
5.1. Communication. Specific laws and/or regulations clarify the cases in which the public sector has the right to communicate information relative to employees to third public or private entities/parties (Section 19 of the Code).
When such a specific provision is lacking, personal data regarding the employees (e.g. those concerning the circumstances applying to recruitment, the status or position filled, the imposition of a disciplinary sanction, job transfers as well as other information contained in the personal/individual employment contract) may not be communicated to third parties such as associations ( including a trade association), acquaintances, relatives and parents.
The communication of sensitive information relative to one or more employees to third parties is to be considered as a general rule lawful when it is truly indispensable in order to pursue the goals of substantial public interest connected with the creation and management of the working relationship on the part of public entities referred to in section 112 of the Code. Such communications may concern data located in the administration records and which are in concrete terms necessary, relevant, and not excessive by having regard to the duties and the obligations incumbent upon the public entity (sector) in its capacity as employer - based upon the legislation on public employees (section 20 and 22 of the Code) (14).
Additionally, data protection legislation allows the public employer to disclose personal data regarding an employee to a third party, in pursuance of legislation laying down preconditions, mechanisms and limits in order to exercise the right of access to administrative documents (containing personal data) or which provide for a specific regime of accessibility to such information, or else by virtue of a power of attorney granted by the data subject.
In addition to designating the entities that may lawfully gain knowledge of the data inherent to the employment relationship, such as the persons in charge of the processing and/or the data processor(s), the employer must adopt particular precautions in personal data flows that may occur between the said persons in charge and/or data processors in connection with organization and management of personnel. With regard to the said data flows, one should refrain, in principle, from making pointless, specific references to particular physical conditions applying to individual employees especially where related to their health . One should follow the principle of selecting the information that is indispensable, relevant, and non excessive from time to time (section 11 and 22 of the Code) (17).
For the above purposes, it might be useful to disclose delicate situations of personal discomfort only by way of generic expressions and using, where appropriate, numerical codes; additionally, the information in question might be reported - where underpinning the adopted measures - only in the instruments/records made available at the premises of the given office for inspection by the claimants and any counter-claimants. One should therefore merely refer to them also in internal communications by mentioning the essential data and/or an abstract of their contents (18).
5.2 Relations with trade-union organizations. Public administrations may communicate, in a truly anonymous form, data obtained from information relative to individual and/or a group of employees to third parties – e.g. the total extra-time or the hours not worked in the various administrative agencies, or salary brackets or benefits applying to the individual positions/professional levels, even within the framework of individual functions or organizational units.
Based on the regulations of collective labour agreements, the general criteria and modalities inherent to certain aspects of employment relationships attract specific rights of prior and/or subsequent information with regard to trade unions.
Excluding the cases in which the applicable collective labour agreement clearly provides that the labour union information should also include nominal employee data to verify the correct implementation of some organizational measures (19), the public administration may provide the unions with numerical or aggregate data rather than those referring to one or more identifiable employees (20). This applies, for example, to the information pertaining to the evaluation system of the executives´ activities, the allocation of extra-time and relative services, as well as the payment of allowances (21).
The possibility of lodging requests for access to the personal data concerning one or more employees remains viable to the labour union either by delegation or by letter of attorney (section 9, paragraph 2, of the Code), as also the power to exercise the right to access administrative documents on personnel management, subject to the conditions, limitations and modalities provided for by the existing laws to safeguard a legally relevant interest vested in the labour union (section 59 and 60 of the Code) (22). A refusal to grant access to administrative documents, even in a tacit and/or implied manner, may be challenged before the regional administrative court (TAR), the Commission for Access to Public Records at the Prime Minister´s Office, or the Ombudsman (section. 25 et seq. of Act no 241 dated August, 7 1990; section 6 of Presidential decree dated 12 April 2006, no. 184).
A public administrative body may also notify labour unions of personal information regarding deductions paid by the respective members, in compliance with the relevant provisions contained in the applicable contract (23) as well as with the security measures provided for by the Code (section 31-35).
5.3. Arrangements for Data Communication.
Except where the form and arrangements of the disclosure of personal data are specifically regulated (see section 174, paragraph 12, of the Code), the public body must communicate individually with each employee and take the most appropriate measures in order to prevent the unjustified exposure of personal data, in particular if sensitive, to entities other than the recipient – irrespective of whether such entities are in charge of (part of) the processing – e.g. by forwarding communications in a sealed or stapled envelope; inviting the recipient (addressee) to personally collect the documentation at the appropriate office; communicating directly with the employee via electronic networks.
The use of a fax as a means of communication is permitted although, in some cases, specific provisions are made for appropriate ways of sending communications, e.g. in the context of disciplinary proceedings (24). The appropriate precautions must be adopted also when using a fax in order to ensure that the documents are only disclosed to the individuals who are authorised thereto.
6. Dissemination of Personal Data
The dissemination of personal data regarding employees may take place when it is specifically provided for by legal or regulatory measures (section 4, paragraph 1, litt. m) and 19, paragraph 3, of the Code), also by means of computer networks (section 3 of legislative decree March 7, 2005, no. 82, containing the "Code for the Digital Administration" ).
Apart from what is provided for in respect of specific categories of instrument/record, government agencies, on the base of appropriate statutory measures, may resort to computer networks to make available records and documents containing personal data (i.e. open competitions (public examinations) or public selections) in compliance with the principles of necessity, relevance and non-excessiveness (section 3 and 11, paragraph 1, lett. d), of the Code).
A specific analysis is needed to select the information that is potentially suitable for revealing the data subject´s health, whose dissemination is prohibited (section 22, paragraph 8, of the Code). It is not allowed to derogate from this prohibition by alleging a general need of publicity connected to the transparency in staff and office management procedures, such as those relating to the job mobility of public employees (25). For instance, disseminating the names of those having the right to mandatory job placement as contained in lists and rankings is not allowed, given that the prohibition against disseminating any data revealing a person´s health is expressly reaffirmed by the Code also for any activities related to the granting of benefits and allowances pursuant to laws and regulations (section 68, paragraph 3, of the Code) (26).
6.1 Data regarding public examinations and selections.
Within the framework of government agency activities, it is standard practice to publish lists and scores from open examinations and public selections.
For example, the lists of those who passed public examinations for recruitment in a public administrative agency and/or for specific professional appointments must be published in the gazette either of the Prime Minister´s office or of the agency concerned, and a notice thereof must also be given in the Official Journal - where required (27).
A similar system of publicity/disclosure is foreseen in the recruitment procedure for permanent (tenured) university professors and researchers, as for the information contained in the Board of examiners´ summary reports regarding the comparative evaluation and the accompanying individual and collegiate score given to the candidates. (28).
The dissemination, which the public sector may lawfully carry out on the basis of specific legislative or regulatory provisions, must only concern the personal data that are relevant and not excessive to correctly perform the examination procedure and ensure that it complies with the parameters established in the announcement of the public exam (lists of names to which scores from intermediate tests are attached, lists of the candidates admitted to the oral or written examinations, score referring to single topics of examinations; total/final score obtained).
Reporting other types of irrelevant information in the administrative acts to be published, such as for example, home or mobile phone numbers or the national tax code, is not lawful (29).
Also in this context the public sector could make use of new technologies to facilitate the communication process regarding public position examinations or open selections, by means of, for example, the on-line reception of applications for public position examinations and open selections accompanied by various personal data. In this regard, it should be pointed out that the legislation applying to the publication of job lists, score, and examination assessments, generally speaking, considers it lawful to circulate the respective personal data regardless of the means used.
The legislation on the protection of personal data regulates the circulation of such information in a basically uniform manner (see section 19, paragraph 3, of the Code), irrespective of whether it takes place via written publications or by means of its availability on the Internet on a web page (30).
Nevertheless, it should be highlighted that, due to the availability of well-known search engines external to web sites, the characteristics of Internet allow anyone in real time and indiscriminately to gather a substantial collection of more or less up-to-date and diversified personal information made available on line (31).
When using the Internet to publicize information, it is therefore necessary to envisage adequate mechanisms for the selection of information, which could otherwise be massively aggregated by means of any external search engine. Reference can be made here to the web pages containing data regarding testing results, job lists and assessments, which - generally speaking - should be more properly known only by consulting a specific web site, or assigning data subjects a personal access code (to access various data regarding the examination procedure, or else only the information concerning them), or making available institutional sites with an equally restricted access area in which additional information also accessible by the counterparties could be reported (32).
Even if, at times, the sector-related legislation provides expressly for specific, limited forms of dissemination (by means of, for example, making documents only available at the offices or only affixing documents on a bulletin board on the agency´s premises, or rather by means of posting on the public notice board (33)), such forms of publication do not authorize, per se, the transposition of all the documents containing personal data published in this way to a section on the public administrative body´s freely accessible internet website. At the same time, this does not prevent the administration from reproducing some of the abovementioned documents on line, based on a reasonable assessment that should be mindful of the restrictions posed by the relevance and non-excessiveness principles.
In any case, posting an announcement on the Internet to indicate the period in which specific documents can be consulted at the public administration´s premises is obviously permitted. (34).
6.2 Data relative to office organization, salary, and persons in charge of public offices and positions.
A few specific regulatory prescriptions -which include but are not limited to the examples referred to below- require the public sector to make specific personal data concerning their employees known by means of their own internet websites (e.g. organizational chart of the offices with a list of the directors´ names; a list of the institutional emails). (35)
Such data, even if it is in fact available on the Internet, may be used by third parties (in particular, email addresses) only in relation to events, communications and objectives that are related to the institutional functions and the office filled by the data subject inside the public office. This data may not be therefore freely used by anyone to send, for example, electronic communications with business or advertising content (36).
Pursuant to the legislation on State senior officials, the public sector may, moreover, circulate the personal data of the directors/senior officials assigned to each administration on internet (section 23 of legislative decree dated March 30, 2001, no. 165), in compliance with the principles of completeness, accuracy, updating, relevance and non-excessiveness of the data (section. 11 of the Code) (37).
Moreover, specific publicity regimes are provided for by legislation in this sector for some personal information regarding the wages, salary levels, or the financial situation of holders of public offices and positions.
By way of example, one may mention the case of the public administrations and organizations being required to publish, on their internet websites, the fees and wages of the directors from the companies that are partly owned, directly or indirectly, by the government; the executives in charge of certain assignments (conferred under section 19, paragraph 6, of legislative decree no. 165 dated. March 30, 2001); as well as the advisors, members of boards and panels and the holders of any post paid by the government, public entities and/or unlisted State-controlled companies (38).
A regime of widespread accessibility to the salary levels and financial situation of MPs and counsellors of local authorities is also provided for by specific legislation, although by means of different mechanisms (39). A few provisions, moreover, permit public employers to acquire, but not to publish, certain personal data relative to the financial situation of their executives and, if they so consent, of their executives´ spouses and cohabiting children, subject to the provision of appropriate information on the envisaged processing operations (section. 13 of the Code). However, the same provisions do not allow the public authorities to take cognizance of the complete income tax returns, which might include information in excess to reconstruct the data subjects´ financial situation, whilst part of that information might also be "sensitive" in nature (think, for example, of certain expenses which entitle to specific tax allowances) (40).
6.3. Acts on Office Organization.
Unless one of the cases mentioned above applies or certain legal or regulatory provisions so require, it is not, as a rule, lawful to disseminate personal information relating to individual employees by publishing such information in internal communications and documents affixed in the workplace, or documents and circular letters addressed to all employees, as in the case of information regarding individual labour contracts, the payment of wages and/or benefits, sick leaves, holidays, paid leaves, registration with and/or support for associations on the part of individual employees.
In the presence of legal or regulatory provisions which require the deliberations adopted by the administration (41) and/or the final acts of certain administrative proceedings to be published, there is a need to carefully evaluate the drafting techniques applied to any provisions or deliberations regarding personnel organization. Without prejudice to the obligation to provide adequate justification of administrative acts/decisions (42), the information to be disseminated is to be selected in light of the principles of relevance and necessity vis-à-vis the purpose underlying the individual measures, by having also regard to the ban on disseminating data which may reveal health conditions (sections 11 and 22 of the DP Code). A careful evaluation in the above terms is essential, above all, when sensitive or judicial information is involved: think of, for example, the documents concerning the granting of benefits applicable under Act no. 104 dated 5 February 1992 and the measures taken following a disciplinary action or concerning legal disputes involving individual employees (43).
Taking, for instance, application of the regulations on the granting of economic benefits and concessions, the processing may include the dissemination of sensitive data only when it is essential for the transparency of the activities, in compliance with the law, and for the supervision and follow-up of the said activities, without prejudice in any case to the prohibition of disseminating data suitable for disclosing health conditions (section. 68, paragraph 3, of the Code).
Where disclosure of the information in question is an essential requirement for the adopted measures, such information may be reported only in the documents made available in the offices and accessible exclusively to the data subjects and their counterparts; that is, the information should not be included in the body of the documents to be published and should only be referred to summarily and/or by way of an abstract of the relevant records.
6.4. ID badges.
Similarly, the display of personal data on ID badges pinned, for instance, on the clothing or uniform of the employees of certain public administration offices or public agents – in pursuance of administrative instruments concerning organisational matters – entails the dissemination of personal data (44).
As regards employment in the public sector, ID badges can be a valuable tool for ensuring the transparency and efficacy of administrative activities (45), as well as for improving the relationship between civil servants and the public.
When selecting the personal data to be disseminated through ID badges, the administrations are required to comply with the relevance and non-excessiveness principles in relation to the objectives pursued (section 11 of the Code), especially in the absence of the necessary legal or regulatory provisions mandating the adoption of ID badges for certain employees and also specifying their contents.
Considering such cases, and in the light of specific requirements to customize and humanize services and/or foster collaboration by the public, it may be appropriate, in specific cases and by having regard to specific categories of employee, to include personal details beyond the individual´s title, professional role, picture and/or ID code – such as, for instance, the individual´s name (think of hospitalization services and of the relationship based on trust which arises between a patient and the caregivers involved).
7. Fingerprints and Workplace Access
Also in the public employment sector (46), the blanket use of automatic recognition systems to establish the presence of employees by means of collecting biometric data, especially if gathered from fingerprints, is not allowed. Biometric data, being peculiar in nature, requires the adoption of elevated precautions in order to prevent possible biases against data subjects, with particular regard to unlawful conduct which may lead to the unauthorized "reconstruction" of fingerprints from their reference model (template), and their further "use" without the data subjects´ knowledge.
7.1 General Principles
The processing of personal data to keep track of employees´ work hours may be ascribed to the aims pursued by public bodies as employers having the right to ensure the hours of work are respected by means of "objective and automated ways of monitoring " (47); however, it must be carried out with full respect for the protection of personal data.
The principle of necessity obliges every administration (acting as data controller) to establish if the desired objectives can be accomplished without biometric data or to avoid any excess in their use which would entail disproportionate processing (sections 3 and 11 of the Code). Therefore, other physical and logistical security systems, devices, and measures should be considered which could ensure the accurate, reliable verification of workplace presences and entries.
The use of fingerprint recognition systems to verify that job duties are being properly fulfilled remains without a legal basis insofar as "conventional" measures could be implemented that are not prejudicial to personal rights - such as, for example, signing in, also in the presence of personnel in charge, using attendance sheets, or using clocking in systems via magnetic badges.
As a rule, it is therefore not permitted to process fingerprint data in order to control the number of hours worked by employees, including staff posted off-site or external employees, with reference, for example, to the need for objectively calculating shift work, flex hours, making up for lost hours, paid leaves, over-time, and meal tickets, as well as preventing eventual badge misuses and oversight.
It cannot be assumed that simply sending the Data Protection Authority a note/letter regarding the planned deployment of fingerprint recognition equipment entails the implicit approval thereof if the said note/letter is not expressly replied to by the Authority.
7.2. Specific Cases.
As a rule, fingerprint recognition systems in the workplace may therefore be deployed only for specific access control needs to special workplace areas in which elevated, specific security levels must be ensured, by having regard to specific needs such as, for example, the fact the area at issue is intended for:
1. the performance of activities being particularly confidential in nature and/or carried out by employees selected for and involved in activities which require the processing of strictly confidential information (e.g. access to operational rooms where communications connected with anti-crime measures are handled; areas intended for activities related to National Security and Defence; airport control tower areas);
2. the preservation of valuable objects or objects whose availability must be limited to a small number of employees insofar as their incorrect use may bring about serious, tangible risks to the health and safety of others or themselves (e.g. areas where narcotic drugs or psychotropic substances are kept).
In the situations outlined above, the processing of fingerprint data is allowed on condition that:
- it passes the prior checking assessment – following, as a rule, a request made by the data controller - which the DP Authority reserves the right to carry out under section 17 of the Code also for specific categories of individuals or of processing;
- Notification is given beforehand to the Data Protection Authority (section 37, paragraph 1, litt. a), and section 38 of the Code);
- The entire image of the fingerprint is not recorded, but rather only the reference model (template) is taken from it;
- The model is not kept on file in a centralized data base, but rather on a medium made available exclusively to the data subject (smart card or analogous device) and without name-linked information tracing back to the latter (it being sufficient to provide each employee with a personal code);
- A specific information notice for the processing in question is provided to the employees concerned (section. 13 of the Code).
8. Data Suitable for Disclosing Health
8.1. Health Data
Public sector employers must observe particular caution also when processing sensitive data (section. 4, paragraph 1, litt. d), sections 20 and 112 of the Code), especially data suitable for disclosing health.
In processing this information the administration must respect, above all, the principles of necessity and indispensability, evaluating specifically the relationship between sensitive data and the requirements deriving from tasks and responsibilities provided for by law (sections 20 and 22 of the Code). It is important to implement such principles when applying work regulations and internal procedures which antedate the legislation on protection of personal data.
For example, the procedures used by the military and police administration regarding the organization of work and/or work shifts do not appear to be lawful insofar as they foresee the compilation of a list including the names of officers and/or agents on leave and:
- information on whether the person is "recovering" or "on leave of absence", in order to regulate access to the police station/barracks by the personnel on leave (49);
- information, as reported on job assignment orders or other documents affixed at/in the workplace, on the grounds for the employees´ absence from work (using, for example, expressions such as "at rest on medical grounds").
Special arrangements for the handling of sensitive data may be also laid down in legislation other than the Personal Data Protection Code, the aim being in any case to limit the data employers may access to what is indispensable in order to establish and manage the employment relationship (50).
The provisions contained in the Code must, therefore, be consolidated and integrated (see point 3.2.) with other sectoral (51) or special rules (52).
8.2. Sick Leave
Regarding the processing of data which is suitable for disclosing health, the legislation on employment relationships and the provisions found in collective labour contracts may justify the processing of data relative to cases of illness which determine an incapacity for work (either temporary or permanent), with the administration´s consequent verification of the employee´s health conditions (53), also to establish the employee´s fitness for work, ability to carry out his/her responsibilities, or carry out his/her work productively (54). Information relative to sick leave may fall within the abovementioned situations, regardless of whether the diagnosis is explicitly mentioned jointly with the said information (55). On the same note, the employer may in some cases legally process sensitive data relative to disability or the belonging to legally protected categories, in accordance with the mechanisms and for the purposes prescribed by the relevant laws in force (section 112(2) of the Code) (56). In this regard, the existence of specific regulatory obligations vested in employees should be pointed out in order to allow the employer to verify the worker´s health conditions under the law (57). In order to implement such obligations, it is for example provided that a special document be handed in to the employee´s administration to justify absence from work, consisting of a medical certificate that only contains information on the start and the expected duration of the illness: so-called "prognosis" (58). In the absence of special regulatory provisions that lay down different requirements for specific professional figures (59), the public sector employer is not allowed to obtain medical certificates with information also on the diagnosis (60). Even where the collection of data regarding the diagnosis is carried out legally on the base of specific regulations, in compliance with the proportionality and indispensability principles, the administration is not allowed to report the information concerning prognosis and diagnosis from the certificates provided by it´s employees in order to justify their absence from work onto the personal files and/or service records (section 11(1), letter e) and 22(9) of the Code) (61). In fact, it should be recalled that in case the employee provides medical documentation containing diagnosis information along with the prognosis, the administration (subject to special cases as provided for under the terms indicated above) must abstain from further using such information (section 11(2) of the Code) and invite the employee not to provide other certificates with the said characteristics (62) Generally speaking, with regard to the results of the medical check-ups carried out by the physicians of the public health service (as per section 5 of Act no. 300 dated May 20, 1970) (63), the public sector employer is allowed to become aware of their employees´ personal data regarding work capacity or incapacity and the prognosis found, excluding any information relating to the diagnosis (64). Within this framework, the employer may, in order to establish his rights in relation to cases of supposed absenteeism and allegedly forged medical certificates, draw up informative material, reports or complaints containing detailed references to the reasons and conditions of each absence and determine the recipients thereof in obedience to the principles of indispensability, relevance and non-excessiveness (65). Based on the elements acquired from reports and queries received by this DPA and in the light of the provisions contained in collective labour agreements, it can be argued that the administration may legitimately know personal information relative to it´s employees´ medical examinations, specialist examinations or clinical tests, as well as the presence of diseases and/or illnesses which require disabling therapies (66), whenever the employee requests sick leave and/or paid leaves for absences connected with such needs.
8.3. Reporting to the National Institution for Occupational Insurance (INAIL).
In order to implement communication obligations relative to health data, the employer may become acquainted with its employees´ health conditions in certain cases.
The reports to INAIL (Italian occupational insurance body) on occupational accidents and illnesses involving workers can be numbered among the most frequent cases; it is expressly provided that such reports must be submitted jointly with specific medical certifications (sections 13 and 53 of Presidential decree no. 1124/1965).
In such cases the administration may take cognizance of the diagnosis, however it may only provide INAIL with the medical information relative to or connected with the pathology reported on, rather than health data relative to other absences which may have occurred throughout the employment relationship. Such information would be excessive and irrelevant – and consequently unusable –, since it has to do with data that is not relevant to the subject-matter of the report (section 11(1) and (2) of the Code) (67).
8.4. Medical-Legal Examinations.
Public sector administrations may legally process data suitable for disclosing their employees´ health not only to verify through the competent public healthcare bodies, even ex officio, that they continue to be fit for work, capable to carry out responsibilities and work productively (68), but also to identify a work-related accident and/or illness, to grant retirement scheme benefits or just compensation (69) or to ascertain, always for retirement pension-related purposes, medical conditions incompatible with work and/or non-work related disabilities (section 20 and 112(2) letter d) of the Code) (70).
When arranging for such verifications, the administrations may communicate their employees´ sensitive data, which they have at their disposal, to the competent medical panels, in compliance with the principle of indispensability (section 22, paragraphs 1, 5 and 9) (71); furthermore, they must arrange the processing of employees´ health data according to procedures aimed at preventing the infringement of data subjects´ rights, fundamental freedoms and dignity, by having also regard to the right of personal data protection (see par. 4.3) (72).
Similar precautions must be adopted by local health authorities both when summoning the interested party to the medical collegiate examination and when communicating the examination results to the employee´s administration, and possibly to the interested party (data subject) as well. As regards, in particular, medical examinations aimed at verifying an employee´s fitness for work, ability to carry out responsibilities and work proficiently, the medical examination panel must send the employee´s administration the respective medical visit record(s), in light of the principle of indispensability, including only the panel´s assessment of that employee´s fitness for work, unfitness, or other forms of inability (73).
If reports containing a diagnosis of the infirmity and/or injury that makes an employee unfit for work are forwarded by the medical examining bodies, the employer may in no case make further use of such information (section 11, paragraph 2, of the Code).
8.5. Firearms and Driver´s Licence
In accordance with the regulations on police authorization to possess and carry firearms, the administrations may, as a rule, process data on the results of medical-legal examinations their employees undergo in order to enable the competent offices to issue a police gun permit, when dealing with law enforcement officers, qualified to carry a gun (74).
Conversely, sector-related regulations and the provisions found in collective agreements do not authorize the public sector to communicate data suitable for revealing their employees´ health to the competent offices of the Department for ground transportation, even if the data have been obtained lawfully, in order to allow the said offices to verify that the employees in question continue to meet the physical and mental requirements drivers are to fulfil by law. (75). Given the current legislation, such a practice involves a flow of sensitive personal data to the transport administrations that lacks any legal basis (76), nor can it be otherwise ascribable to the purposes of substantial public interest connected to human resource management on the part of employee´s administration (section 112 of the DP Code) (77).
The above communications cannot be considered to be lawful even if carried out by the armed forces and the police force who, according to the highway code, are empowered to directly evaluate and establish fulfilment by their employees of the conditions for driving the respective fleet and to issue the respective permits (78), given the different conditions for conferring, suspending and/or withdrawing a military driver´s licence compared to a civilian driver´s licence and the attending sphere of discretion (79).
8.6. Other Categories of Health-Related Information.
Other cases in which the processing of employees´ (and also spouses´) health data may be carried out should be taken into consideration, in order to allow them to enjoy their legal rights: consider, for example, the support provided for to assist the family members of disabled people, paid leaves and family leaves.
Pursuant to the principles of indispensability, relevance and non-excessiveness, on the occasion of requests to make use of paid leaves on the part of employees with a disabled family member, the employee´s administration may not get to know the handicapped spouses´ personal data concerning the diagnosis or the spouses´ medical case history as verified by a medical commission pursuant to section 4 of Act no. 104 dated February, 5 1992 (80). For this purpose, in fact, the employee is required to provide the employer with a medical certificate establishing only the existence of a serious handicap as verified by a medical board pursuant to section 1 of Act no. 295 dated October 15, 1990 (81).
Conversely, in order to take time off or be granted leaves of absence for a serious illness or other serious family reasons, the employee is bound by law to provide his/her administration with appropriate medical documentation testifying the serious illness and/or the serious pathologies affecting family members (82).
In the same way, the employer may learn about the drug addiction of one of its own employees and/or the employee´s family members, in case there is a request for access to or enrolment in a rehabilitation or therapeutic program whilst retaining one´s job without pay, since there is an obligation to produce specific medical documentation to the employer according to the terms set forth in the collective labour contract as well as in public sector labour agreements (83).
9. Data Suitable for Revealing Religious Beliefs
Similar care must be taken when processing other types of sensitive employee information, such as information that is suitable for revealing religious beliefs. Generally speaking, the processing of this information can be considered lawful only when it is indispensable for the management of human resources by the public employer, and, in particular, in order to allow the practice of religious freedom acknowledged to employees belonging to certain denominations, in compliance with legal or regulatory provisions applying to the relationship between the State and these denominations.
For example, data on religious beliefs may be disclosed in connection with the employee´s request for time off for religious observance as justified on the basis of the employee´s belonging to a particular denomination (84). Data on religious beliefs may have to be processed, moreover, in connection with several specific choices, corresponding to specific religious requirements, made by the employee at the workplace with regard to the canteen services possibly provided therein – depending on the specific context and/or the features of the processing operations involved.
Moreover, according to specific provisions regulating public sector recruitment and the procedures for public competitive examinations, one-time examinations and other forms of recruitment in the public sector, the oral and written examination tests may not take place, pursuant to Act no. 101 dated March 8, 1989, during Jewish religious holidays as made known by way of a decree of the Minister for Home Affairs published in the Official Journal of the Italian Republic. This also applies to Waldensian religious holidays (85).
Given the above premises, there is accordingly no justification for the practice of systematically collecting information on the candidates´ religious beliefs prior to setting the time schedule of public competitive examinations, (86) as it is sufficient to hold the testing on the days which do not coincide with the aforementioned holidays.