On June 22, 2004, the Government enacted a law decree which postpones the deadline for drafting the Security Policy Document to December 31, 2004, and for complying with minimum security measures by March 30, 2005.
(a) Data Protection Legislation In Italy. European Directive 95/46/EC on privacy protection was implemented in Italy in 1996 by Law no. 675. This first privacy act was followed by other pieces of legislation, recently consolidated in a single code (Legislative Decree 196 of 2003, hereinafter "Privacy Code"), which came into force on January 1, 2004.
(b) Basic Principles. The purpose of the Privacy Code is to ensure that personal data are processed by respecting the rights, fundamental freedoms and dignity of the data subject (i.e., of the subject whose data are processed), particularly with regard to confidentiality, personal identity and the right to personal data protection. Personal data undergoing processing must be processed lawfully and fairly; collected and recorded for specific, explicit and legitimate purposes and used in further processing operations in a way that is not inconsistent with said purposes; accurate and, when necessary, kept up to date; relevant, complete and not excessive in relation to the purposes for which they are collected or subsequently processed; and kept in a form which permits identification of the data subject for no longer than is necessary for the purposes for which the data were collected or subsequently processed. The Privacy Code also mandates the so-called "principle of data minimization", i.e., the obligation to minimize intrusion into interested subjects' personal data to the extent possible, and to use either anonymous data or suitable arrangements that allow identifying data subjects only in cases of necessity.
(c) Scope of the Privacy Code. The Privacy Code applies to the processing of personal data, including data held abroad, where the processing is performed by any entity established in Italy. Further, the Privacy Code applies to the processing of personal data by an entity established in the territory of a country outside the European Union, where said entity uses in connection with the processing equipment, whether electronic or otherwise, situated in Italy, unless such equipment is used only for purposes of transit through the territory of the European Union.
(d) Information and Consent. Before personal data are collected and processed, the interested subject providing such data must be fully informed of the purpose and the modalities of the processing, the optional or mandatory nature of the provision of the requested data and the consequence of his/her refusal to provide the requested data, the rights to which he/she is entitled pursuant to the law, the subjects to which the data may be communicated and those who are responsible for the processing. The above described information must be followed by the express consent of the interested subject. Such consent must be expressed in writing if the personal data provided fall within the category of "sensitive data", i.e., personal data allowing the disclosure of racial or ethnic origin, religious, philosophical or other beliefs, political opinions, membership of parties, trade unions, associations or organizations of a religious, philosophical, political or trade-unionist character, as well as personal data disclosing health and sex life.
(e) Notification. When certain specific types of data processing are performed, the data controller must file a notification with the Italian Data Protection Authority. Such notification must describe the kind of personal data processed, as well as the purpose and modalities of the processing. The notification form, which is available on the Authority's web site (www.garanteprivacy.it), must be filled out, signed by electronic signature and submitted on-line to the Authority.
(f) Authorization to Process Sensitive Data. If the personal data processed fall within the category of so-called sensitive data described above, then in addition to the notification procedure, data controllers must also request authorization from the Italian Data Protection Authority to process them. Such authorization must be obtained before any collection or use of the data. The Italian Data Protection Authority has issued 7 general authorizations, which permit the processing of sensitive data within the limits set forth therein. For example, such authorizations cover, among others, the processing of sensitive data of employees.
(g) The Minimum Security Measures. The Privacy Code imposes an obligation on data processors to preserve personal data in a manner that minimizes the risk that the data may be destroyed, dispersed, made known outside the allowed instances or processed in any unlawful way. Further, the processor is under a duty to use state-of-the-art protective measures. The Privacy Code sets forth the minimum required security measures ("Minimum Security Measures"), which must be adopted by private and public entities to avoid criminal sanctions such as up to two years’ incarceration or a monetary penalty between 10,000 and 50,000 euros. Enclosure B to the Privacy Code specifies in detail the Minimum Security Measures that must be adopted for processing, electronically or otherwise, of personal data.
(h) The Security Policy Document. Among the Minimum Security Measures required by the Privacy Code is the drafting of a security policy document ("SPD") by any person or entity that processes sensitive or judiciary data electronically. The SPD is a document that sets forth information on the type of processing to which personal data are subject, the risks affecting the data and the security measures protecting the data. The SPD must be kept in the records of the processing entity, and no notification to the Italian Data Protection Authority is required.
(i) Content of SPD. The required content of the SPD may be summarized as follows:
(i) list of types of processing of personal data;
(ii) allocation of duties and responsibilities within the organization of the data-processing entity;
(iii) analysis of risks affecting data;
(iv) measures to be adopted to preserve the integrity and availability of data, protect the areas and premises where data are kept, and safeguard their safety and accessibility;
(v) description of criteria and procedures for data recovery in case of destruction or damage;
(vi) training of the staff appointed to process data (incaricati), aimed at informing them of the risks affecting the data and the measures available to prevent damage to the data, providing basic information about the relevant legal provisions applicable to their activities and their consequent responsibilities, and describing the means adopted by the processor of the data to update these employees' knowledge of the Minimum Security Measures. This training program must be in place from the moment employees start their duties, and must be provided whenever such duties change, or whenever any relevant change in the processing of data is introduced;
(vii) description of guidelines to guarantee that the Minimum Security Measures are followed if personal data are processed, in conformity with the Privacy Code, outside the organization of the processor;
(viii) for personal data that may reveal health status or information about the individual’s sexual life processed by an entity or professionals operating in the health sector, the processing protocol must identify criteria to encrypt or segregate such data from that individual’s other personal data.
(l) Deadline to Draft the SPD. On March 22, 2004, the Italian Data Protection Authority issued an opinion which, in light of the new provisions introduced by the Privacy Code, provided certain guidance on Minimum Security Measures and extended the deadline for adoption of SPDs from March 31 to June 30, 2004. For this year only, private companies and public bodies will have until the end of June to apply the Minimum Security Measures introduced by the Privacy Code and to draft their SPDs. It appears that the June 30, 2004 deadline will be applied both to entities which are drafting their first SPD, and to entities which are updating an SPD drafted last year. Note that an updated SPD must be drafted every year and, beginning with 2005, the deadline for the annual update of the SPD will be March 31.
(m) Other Minimum Security Measures. As mentioned above, the Privacy Code has strengthened the Minimum Security Measures to protect against the risks of destruction, intrusion and unlawful use of personal data. In addition to the protections already required by the legislation previously in force (identification code, password, antivirus, etc.), the Privacy Code specifies certain further safety measures, e.g., passwords of no less than eight digits, electronic authentication, encryption mechanisms and procedures to save data. Companies should carefully evaluate their systems to ensure that they comply with the Minimum Security Measures set forth in Enclosure B to the Privacy Code.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.