Italy: Minimum Security Measures For Personal Data Protection

This article was first published in Computer Law Review International, Issue 6 Editor Verlag Dr. Otto Schmidt, Koln, Germany

The new Italian Data Protection Code (Legislative Decree no. 196 of 30 June 2003, which came into force on 1 January 2004) provides for data and system security and in particular for specific minimum security measures to be adopted by data controllers, prior to 31 December 2004.

As for the previous privacy legislation, Section 31 of the Code imposes on the data controller a general duty to minimise the risks connected with the processing of personal data by means of adopting suitable security measures. Failure to comply with this general duty and should the unlawful processing result in damage to an individual or entity, this may expose the data controller to civil liability.

Sections 31, 33 to 35 and the Technical Specifications (Annex B) of the Code provide for minimum security measures which the data controller, data processor, if appointed, and the person in charge of the processing must adopt in order to ensure a minimum level of personal data protection. Failure to comply with these minimum security measures may result in a criminal offence and the data controller, apart from the above civil liability, may incur criminal sanctions. These minimum measures, however, do not cover the entire obligations set out in Section 31. If, notwithstanding the adoption of minimum security measures, a data controller causes damages to any data subject, he will still be exposed to civil liability, even though he will be exempted from criminal liability.

The Code provides for separate minimum security measures depending on whether or not the processing is carried out by electronic means and whether or not it concerns sensitive or judicial data. The present update will only deal with processing personal data by electronic means (i.e. PCs).

Prior to processing personal data by electronic means, each individual in charge of the processing must complete an authentication procedure. This person must be provided with authentication credentials consisting in either a personal ID code associated to a personal and secret password or in an authentication device or in a biometric feature relating to the individual. Should the person or group of persons in charge of the processing deal with several personal data, an authorization system shall also be implemented and each person may only be allowed to access the necessary data. The data controller or data processor must instruct the person in charge of the processing to take the necessary precautions to keep confidential credentials or devices and also to ensure that his electronic equipment containing the personal data is not left unattended and accessible during processing sessions.

The data controller must also implement data back-up procedures every week. Furthermore, in order to protect the processing of personal data and to prevent vulnerability of the electronic equipment, the data controller must implement and keep updated, on a six monthly basis, suitable electronic protection means, such as antivirus systems.

When processing sensitive or judicial data, the data controller must implement and keep a security policy document up-to-date, indicating the list of personal data processed, the distribution of tasks and responsibilities and an analysis of the risk that may apply to the data together with the subsequent security measures to be taken to ensure data integrity and availability as well as protection of the premises and also a description of the disaster data recovery procedures. Furthermore, the data controller must indicate the training activities to be supplied to the persons in charge of the processing, concerning the risks, security measures, rules and responsibilities for the data processing activities.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.