Annual Report 2005 Summary
The Annual Report of the Italian data protection authority for 2005 was submitted to Parliament on 7 July 2006.
This summary is meant to provide an overview of the work done by the Garante in the many sectors that required steps to be taken in order to protect the fundamental rights of individuals. The Garante's activity was aimed, as in the past, at building up a veritable culture of personal data protection.
The Work Done
A feature of the activities performed by the Garante throughout 2005 was the major commitment towards regulating wide-ranging sectors of social and economic life and enhancing controls and supervision on compliance with data protection provisions.
The main areas of activity included: electronic communications; interception of communications; major public and private databases; Internet; consumer credit; confidentiality in health care; electoral propaganda; education and schools; monitoring of employees; video surveillance; freedom of the press; chain stores; hotels; condominia; and credit factoring.
Increased attention was paid to the huge opportunities made available by the new technologies for collecting and retaining personal data; the need for ensuring security of databases; the growing use of biometric data; and the potentially ubiquitous exploitation of highly sensitive personal information such as genetic data.
The new collegiate panel of the Authority (Prof. Francesco Pizzetti, President; Giuseppe Chiaravalloti, Vice-President; Mauro Paissan, Member; Giuseppe Fortunato, Member) attached special importance to the activities carried out by the public administration, which allowed public bodies to come to grips with their delay in drafting the required internal regulations on the processing of sensitive and judicial data and thereby make a new start in their relationships with citizens.
Emphasis was also put on fostering the concept that privacy is an "added value" to the business economy, with a view to giving rise to a new relationship with users and consumers, and that data protection can become a major resource as well as a quality asset in the globalised economy.
724 collegiate provisions were adopted by the Garante in 2005, of which 634 were related to the handling of complaints. Taking account of some cases that came up in 2005 and were concluded recently, the Garante replied to 324 requests for information and 1,633 reports and claims. 31 opinions were rendered on regulatory provisions to be adopted by Government, and 61 draft regulations were adopted in respect of the processing of sensitive data by the public administration.
Over 100 general provisions were issued, including the renewal of six general authorisations for the processing of sensitive data [Authorisation no. 1/2005, no. 2/2005, no. 3/2005, no. 4/2005, no. 5/2005, no. 6/2005].
With regard to inspection and control activities, there was a considerable increase in the number of inspections, which rose to 200 in 2005 and totalled 145 in the first six months of 2006.
94 administrative sanctions were imposed and information was preferred to judicial authorities in 10 cases.
About 12,000 notifications were submitted to the Garante in respect of processing operations that were started, modified and/or terminated with regard to the categories of data expressly laid down in the data protection Code (genetic data, biometric data, health care data processed for assisted reproduction purposes, data processed for staff recruitment purposes, data aimed at profiling consumers, etc.).
Main Steps Taken
The main areas of activity were the following [LINKS to the main provisions adopted by the Garante in the different areas, in English; either the full text or a summary is available]:
Journalism and media (reporting judicial cases; privacy of public figures; protection of children; publishing medical data);
Internet (spamming; search engines; online health care services; right to oblivion);
Marketing (provision of information and consent; profiling for commercial purposes; unsolicited phone calls and faxes; loyalty cards and programmes);
Health care (confidentiality in health care services; DNA databases; monitoring of health care expenditure; dissemination of medical data via the Internet; assisted reproduction);
Judicial and police activities (data processing centre at the public security department; multipurpose judicial cards; legal informatics);
Political associations and movements (electoral propaganda decalogue; electoral lists);
Regulated professions (simplifications applying to lawyers and notaries public; regulations on using sensitive and judicial data);
Schools and universities (educational "portfolio"; pupils'/students' marks and exams; advance applications for enrolment at universities);
Business economy (transborder data flows; security measures);
Banking and Insurance (consumer credit; e-banking; customer identification in banks; image and fingerprints acquisition systems; access to forensic experts' reports).
Codes of Practice
Following publication of the codes of practice adopted by journalists (1998), historians and archivists (2001), public statistical research bodies (2002), and private statistical research bodies (2004), the code of practice applying to consumer credit came into force in 2005. This code set out the rules for communicating and retaining data in the information systems managed by private credit reference agencies (or credit bureaus).
Work is in progress with other industry sectors to draw up codes of practice in such important areas as the Internet, investigations by defence counsel, employment, and direct marketing.
At the international level, the Garante contributed first and foremost to the work of the Article 29 Working Party [http://ec.europa.eu] – composed of representatives from the EU's data protection authorities – by working out opinions on geolocalisation, intellectual property, use of RFID devices, and e-health.
In 2005, the collaboration between the Article 29 WP and the European Commission, in particular the vice-President in charge of Freedom, Security and Justice matters, was strengthened further. Considerable attention was paid to the exchange of data for judicial co-operation and security purposes, in particular to the creation of a new information system (SIS-II) that is expected to replace the current Schengen information system as well as to the database containing information on applicants for short-stay visas, i.e. the so-called VIS (Visa Information System).
Regarding the retention of telephone traffic data, an opinion was adopted in 2005 by the Article 29 WP under the co-ordination of the Italian Garante; the opinion concerned the (then) draft data retention directive, which was subsequently adopted by the European Commission, and asked for specific safeguards protecting European citizens.
Within the context of the debate on the balance to be struck between security and privacy, reference should also be made to the efforts made by the European data protection authorities in respect of the transfer of flight data concerning EU citizens to customs authorities of non-EU countries. The debate was recently revived by the decision of the European Court of Justice to set aside the regulatory instruments adopted by the EU Council and the Commission to make it legitimate to transfer PNR (Personal Name Record) data to US authorities.
The Italian Garante participated in all the international conferences of data protection authorities (Montreux, Madrid, Budapest, Warsaw) and contributed to the activities of the OECD working party in charge of privacy issues.