Annual Report 2005 Summary
- Authorisation no 1/2005 Concerning Processing of Sensitive Data in the Employment Context - 
- Authorisation no 2/2005 Concerning Processing of Data Suitable for Disclosing Health or Sex Life 
- Authorisation no 3/2005 Concerning Processing of Sensitive Data by Associations and Foundations 
- Authorisation No 4/2005 Concerning Processing of Sensitive Data by Self-Employed Professionals 
- Authorisation No 5/2005 Concerning Processing of Sensitive Data by Various Categories of Data Controller 
- Authorisation No 6/2005 Concerning Processing of Sensitive Data by Private Detectives 
- Processing of Sensitive Data by Public Administrative Agencies
- Revenue and Taxation Services
- Video Surveillance The general provision adopted by the Garante - 29 aprile 2004 
- Electronic Passport 05
- 'Smart (RFID) Tags': Safeguards Applying to Their Use ' March 9, 2005 
- Interception of Communications 05
- Telephone Directories
- Unsolicited Telephone Services: Enhancing the Safeguards for Citizens - 16 February 2006 
- Interactive TV: Measures That Are Both Necessary and Appropriate to Bring Processing Operations into Line with the Legislation in Force - February
- Oblivion Rights
- Loyalty cards and safeguards for consumers: guidelines applying to loyalty programmes - February 24, 2005 
- Health Care Dignity
- Internet ' Monitoring by Employers Must Be Proportional - 2 febbraio 2006 
- Use of Fingerprints for Assiduity Control at the Workplace ' Provision of July 21, 2005
- Electoral Propaganda: A Decalogue by the Garante ' September 7, 2005
- Taxicabs and Customers' Data
- Data Protection and Management of Condos ' Provision of 18 May 2006 
- Debt Collection and Processing of Personal Data - 30 novembre 2005 
- Separate Waste Disposal
- Limitations and Safeguards Applying to Taking of Fingerprints and Image Acquisition by Banks - Provision of 27 October 2005 
- Code of conduct and professional practice applying to information systems managed by private entities with regard to consumer credit, reliability,
- 27a Conferenza internazionale sulla protezione dei dati - Montreux 14-16 settembre 2005
Annual Report 2005
The Annual Report of the Italian data protection authority for 2005 was submitted to Parliament on 7 July 2006.
This summary is meant to provide an overview of the work done by the Garante in the many sectors that required steps to be taken in order to protect fundamental rights of individuals. The Garante´s activity was aimed – like in the past – to build up a veritable culture of personal data protection.
The Work Done
A feature of the activities performed by the Garante throughout 2005 was the major commitment towards regulating wide-ranging sectors of social and economic life and enhancing controls and supervision on compliance with data protection provisions.
The main areas of activity included: electronic communications; interception of communications; major public and private databases; Internet; consumer credit; confidentiality in health care; electoral propaganda; education and schools; monitoring of employees; video surveillance; freedom of the press; chain stores; hotels; condominia; and credit factoring.
Increased attention was paid to the huge opportunities made available by the new technologies for collecting and retaining personal data; the need for ensuring security of databases; the growing use of biometric data; and the potentially ubiquitous exploitation of highly sensitive personal information such as genetic data.
The new collegiate panel of the Authority (Prof. Francesco Pizzetti, President; Giuseppe Chiaravalloti, Vice-President; Mauro Paissan, Member; Giuseppe Fortunato, Member) attached special importance to the activities carried out by the public administration, which allowed public bodies to come to grips with their delay in drafting the required internal regulations on the processing of sensitive and judicial data and thereby make a new start in their relationships with citizens.
Emphasis was also put on fostering the concept that privacy is an "added value" to the business economy, in view of giving rise to a new relationship with users and consumers, and that data protection can become a major resource as well as a quality asset in the globalised economy.
724 collegiate provisions were adopted by the Garante in 2005, of which 634 were related to the handling of complaints. Taking account of some cases that came up in 2005 and were concluded recently, the Garante replied to 324 requests for information and 1.633 reports and claims. 31 opinions were rendered on regulatory provisions to be adopted by Government, and 61 draft regulations were adopted in respect of the processing of sensitive data by the public administration.
Over 100 general provisions were issued, including the renewal of six general authorisations for the processing of sensitive data [Authorisation no. 1/2005, no. 2/2005, no. 3/2005, no. 4/2005, no. 5/2005, no. 6/2005].
With regard to inspection and control activities, there was a considerable increase in the number of inspections, which rose to 200 in 2005 and totalled 145 in the first six months of 2006.
94 administrative sanctions were imposed and information was preferred to judicial authorities in 10 cases.
About 12.000 notifications were submitted to the Garante in respect of processing operations that were started, modified and/or terminated with regard to the categories of data expressly laid down in the data protection Code (genetic data, biometric data, health care data processed for assisted reproduction purposes, data processed for staff recruitment purposes, data aimed at profiling consumers, etc.).
Main Steps Taken
The main areas of activity were the following [LINKS to the main provisions adopted by the Garante in the different areas, in English; either the full text or a summary is available]:
- Journalism and media (reporting judicial cases; privacy of public figures; protection of children; publishing medical data);
- Internet (spamming; search engines; online health care services; right to oblivion);
- Marketing (provision of information and consent; profiling for commercial purposes; unsolicited phone calls and faxes; loyalty cards and programmes);
- Health care ( confidentiality in health care services; DNA databases; monitoring of health care expenditure; dissemination of medical data via the Internet; assisted reproduction);
- Judicial and police activities (data processing centre at the public security department; multipurpose judicial cards; legal informatics);
- Political associations and movements ( electoral propaganda decalogue; electoral lists);
- Regulated professions (simplifications applying to lawyers and notaries public; regulations on using sensitive and judicial data);
- Schools and universities (educational "portfolio"; pupils´/students´ marks and exams; advance applications for enrolment at universities);
- Business economy (transborder data flows; security measures);
- Banking and Insurance (consumer credit; e-banking; customer identification in banks; image and fingerprints acquisition systems; access to forensic experts´ reports).
Codes of Practice
Following publication of the codes of practice adopted by journalists (1998), historians and archivists (2001), public statistical research bodies (2002), and private statistical research bodies (2004), the code of practice applying to consumer credit came into force in 2005. This code set out the rules for communicating and retaining data in the information systems managed by private credit reference agencies (or credit bureaus).
Work is in progress with other industry sectors to draw up codes of practice in such important areas as the Internet, investigations by defence counsel, employment, and direct marketing.
At the international level, the Garante contributed first and foremost to the work of the Article 29 Working Party [ http://ec.europa.eu] – composed of representatives from the EU´s data protection authorities – by working out opinions on geolocalisation, intellectual property, use of RFID devices, and e-health.
In 2005, the collaboration between the Article 29 WP and the European Commission, in particular the vice-President in charge of Freedom, Security and Justice matters, was strengthened further. Considerable attention was paid to the exchange of data for judicial co-operation and security purposes, in particular to the creation of a new information system (SIS-II) that is expected to replace the current Schengen information system as well as to the database containing information on applicants for short-stay visas, i.e. the so-called VIS (Visa Information System).
Regarding the retention of telephone traffic data, an opinion was adopted in 2005 by the Article 29 WP under the co-ordination of the Italian Garante; the opinion concerned the (then) draft data retention directive, which was subsequently adopted by the European Commission, and asked for specific safeguards protecting European citizens.
Within the context of the debate on the balance to be struck between security and privacy, reference should also be made to the efforts made by the European data protection authorities in respect of the transfer of flight data concerning EU citizens to customs authorities of non-EU countries. The debate was recently re-vamped by the decision of the European Court of Justice to set aside the regulatory instruments adopted by the EU Council and the Commission to make it legitimate to transfer PNR (Personal Name Record) data to US authorities.
The Italian Garante participated in all the international conferences of data protection authorities ( Montreux, Madrid, Budapest, Warsaw) and contributed to the activities of the OECD working party in charge of privacy issues.