g-docweb-display Portlet

Processing of Sensitive Data by Public Administrative Agencies

Stampa Stampa Stampa
PDF Trasforma contenuto in PDF

Processing of Sensitive Data by Public Administrative Agencies

With reference to the processing of personal data performed by public entities, mention can be made of the Guidelines issued in April 2005 by the Minister for Public Administration, which recalled the obligation for  public bodies to adopt ad-hoc privacy regulations on processing of sensitive and judicial data. The Italian DP Code (196/2003) allows public bodies to process sensitive and judicial data only if this is provided for by specific laws and/or regulations; however, if the latter do not detail the processing operations and data categories involved – which is usually the case – the individual public administrative bodies are required to set them forth via ad-hoc regulations. This has not happened so far, and the Minister´s Guidelines have set the framework within which public bodies are to adopt the relevant measures – which must rely on a careful assessment of the purposes pursued via the various processing operations as well as of the personal data that are actually required ("indispensable") thereto.

Additionally, the DPA issued a provision (published in the Official Journal no. 170 of 23 July 2005)  [ doc. web n. 1144445]  setting out the measures that are both necessary and appropriate for the processing of sensitive data by public data controllers to be in line with the data protection Code. Public administrative agencies are also required to spell out the personal information they collect and clarify how such information is used for the substantial public interest purposes referred to in the law. In order to facilitate compliance with these requirements, cooperation with the Prime Minister´s Office, the Public Service Department, and the organisations representing Regions, municipalities and Universities was stepped up so as to draw up model regulations that can help streamline the safeguards afforded by other administrative agencies as well as simplify the process leading to adoption of the relevant regulations. Indeed, the latter must be adopted in pursuance of the  DPA´s opinion, which is to be rendered within 45 days of receiving the corresponding request.

The DPA detailed the contents of the said regulations with particular regard to the following:

a) specifying the data the are indispensable (by category) in respect of the institutional activities to be performed;

b) specifying the processing operations that are indispensable to pursue the substantial public interest set out in the law;

c) providing an overview of the activities carried out by the public body concerned, with particular regard to the issues producing the greatest effects on citizens´ rights. In this connection, public bodies should take adequate measures to ensure that the decisions made in respect of the processing of sensitive and/or judicial data are suitably publicized, availing themselves not only of their web sites but also of targeted institutional communication initiatives.

On the whole, 33 regulations have been issued so far by public bodies – including, in particular, the Ministry of Environmental and Cultural Heritage, the Ministry of Defense, the Ministry of Education, and the National Research Council as well as several Chambers of Commerce, Regions, Municipalities and independent administrative authorities.