Home | Databases | WorldLII | Search | Feedback Privacy Laws and Business International Report

Italy adopts minimum security requirements [1999] PLBIRp 53; (1999) 51 Privacy Laws and Business International Report 10

Italy adopts minimum security requirements

A report by Rosario and Riccardo Imperiali

ITALY'S DATA PROTECTION ACT has been supplemented by a regulation on data security. The level of security required depends on the nature of the data, as well as the scope of the processing. Organisations have until the end of March to implement the new provisions.

The European Directive 95/46/ EC, introducing a framework of legal provisions for personal data protection, requires^[1] that the Member States of the European Union ensure that controllers adopt adequate technical and organizational measures, in order to safeguard personal data against destruction, accidental loss and unlawful processing.

Italy's law implementing the Directive^[2] assigns the Government the task of issuing regulations on security measures^[3]. The Government recently adopted a regulation, published in the Official Journal on the 14th September 1999.^[4]

These new rules define the minimum level of security that companies must ensure. Non-compliance with these provisions by the data controller is a crime, and can be punished by up to two year's imprisonment. According to the Italian law, companies must implement the regulation by 28th March 2000.

In order to prevent companies from adopting only minimum measures without taking into account specific circumstances requiring stricter protection, the Italian legislator required that measures should be adequate to the nature of the data, and the scope of the processing.

In other words, if a company adopts all the minimum measures but they are not adequate, it may result in the payment of damages in the event of data loss or destruction. A judge will then decide whether adequate measures have been taken.

NETWORKED ENVIRONMENTS NEED SPECIAL ATTENTION

Ensuring the security of personal data represents a mandatory task which involves everyone processing personal data within a company. Security management is a more complex matter, and therefore more difficult to ensure in networked environments. There are three principal reasons:

1. The distributed systems may lack functions, such as those for system integrity, identification, authentication, control: all of them are essential for security.

2. Network equipment may not support confidentiality, access authentication and control.

3. The system's physical security is difficult to ensure because of the number of components and their wide geographical spread.

A strategy for security management has the following requirements:

a) Risk analysis and management

b) Separation of duties and responsibilities

c) Updating of technology and regular security adequacy tests

d) Restricted access to the physical areas where computers are located

e) System access control and transmission procedures

f) Education and training at every level

g) Security policies within the company.

In short, that means a methodology, which can reconcile reliable and acceptable security and business needs.

The Italian legislator has established not only minimum requirements, but also adequate and proportional measures depending on the nature of the data and the scope of their use. In addition, non-adequate implementation entitles the individual to compensation claims for damages.

Therefore, in order to obtain a reliable framework, it is necessary to draft a comprehensive security plan which provides for:

a) Internal audits in order to identify the implemented minimum requirements, and the general status of the level of security

b) Access authorisation profiles connected to level of responsibility

c) Co-ordination between security procedures and operational needs.

ADEQUACY CRITERIA

According to the Italian law, the security measures need to be adequate to protect special categories of personal data. The level of adequacy required depends on the nature of the data, and, for example, its sensitivity and to whom it is transferred. Sensitive data, therefore, requires higher security levels than the processing of ordinary personal data, such as names and addresses.

Adequacy control can be accomplished in different ways, for example:

a) Periodical reports on the difficulties experienced in implementing a security plan in any area

b) Processors' reports on planned modifications to security in their sector

c) Processors' reports on security breaches monitoring the effectiveness of the company's security system

d) Security measures revision, modification and updating by data security personnel.

Adequacy criteria assessment requires some indication of the evaluation of different processing environments:

1. Physical security requirements: Access procedures to areas where data are stored should be checked, so that both means of access and disaster recovery systems can be assessed.

2. Logical security requirements: It is necessary to establish whether passwords are known only by authorised persons and whether they are periodically changed, whether access codes allow access to the whole system or just parts of it.

It is also important to check whether the system is able to evaluate validity of data, how back-ups work, and whether these functions are effectively used. It is also necessary to know whether the system identifies the work of individuals.

3. As for organisational security requirements, security measures must take into account, for example, data integrity, the emphasis given to the operators' responsibility in personal data processing operations, the existence of educational and training programmes, highlighting the principle of using data only for the specified purposes, the disciplinary measures for non-compliance with privacy principles, and the separation of duties between the data controller and third party processors.

The regulation establishes different levels of protection according to the nature of the data, such as

1. Manual or automatic data

2. Sensitive data

3. The scope of processing

4. Data processed in computer networks or in stand-alone computers.

For every class of data there are minimum security standards to be implemented.

AUTOMATED PROCESSING

Processing personal data by standalone computers requires an access password. Processing on computer networks requires different measures depending whether the data being processed is sensitive or not. Before processing personal data in public or private networks, a user-ID should be assigned to each user, which must be altered if unused for more than six months or if there are authorisation changes. Antivirus software must also be checked or updated every six months.

Processing sensitive data in private networks requires assigning authorisations for access to the persons in charge of processing operations or maintenance.

Processing sensitive data in public networks requires drawing up a Security Policy and Standards Document, which needs to be updated and tested annually. Based on a risk assessment and the duties and responsibilities assigned, the Security Policy and Standards Document shall define technical criteria and procedures for:

a) Controlled areas protection, personnel access control (physical security)

b) Data integrity (logical security)

c) Data transmission security

d) Computer access restrictions

e) An education and training plan for operators.

MANUAL AND SENSITIVE PROCESSING

The regulation includes specific minimum security requirements for manual processing, i.e allow access according to specific business needs ^[5], and storage documents containing data in "selected access sites". ^[6]

With regard to sensitive data, the regulation requires, for example, the storage of personal data in "lockable filing cabinets^[7]", and restricted access to files.^[8]

The management must identify which requirements have been adopted, and which are still needed in terms of sensitive data and other data files, archives, plans to inform and train internal staff, assigning passwords to protect computer access, control procedures for erasing data, and destroying data which is out of date.

In addition, the minimum requirements should effectively control access to processing equipment (to prevent unauthoriseddestruction of data) and application systems (to prevent unlawful access or modification of data). The same applies to inputting data - it should be possible to check the type of personal data being added, how much, when, and by whom.

OTHER DECREES

There are also other new data protection provisions. The following regulations, adopted since January 1999 amend the Italian Data Protection Law 675/96:

Legislative decree 51/99:

• Establishes the Data Protection Authority staff

• Assigns the Authority the task of organising personnel and budget matters.

Legislative decree 135/99:

• Authorises the processing of sensitive or judicial data by public administrations. The regulation states which data can be processed, which operations are allowed, and defines the concept of “public question.

Legislative decree 281/99:

• Provides for processing of historical, statistical, and scientific data by public and private sectors.

Legislative decree 282/99:

• Completes rules on sensitive data processing by regulating processing by public or private health organisations. It also regulates the distribution of health smart cards.

Footnotes:

[1] Article 17, European Directive 95/46

[2] Law 675/96

[3] Article 41, Law 675/96.

[4] Offcial Journal n.216

[5] Article 9, p. b), D.P.R. n.318/99

[6] Article 9, p.1, a), D.P.R. n.318/99

[7] Article 9, p.2, a), D.P.R. n. 318/99

[8] Article 9, p.2, b), first part, D.P.R. n.318/99

This report was written for Privacy Laws & Business by Rosario and Riccardo Imperiali, who are lawyers specialising in data protection at Studio Legale Imperiali, C. SO V. Emanuele 30, 80121 Milan, Italy. Tel: + 39 02 7601 6505 Fax: + 39 02 7601 7465 e-mail: imperialiro@imperiali, Internet: http://www.imperiali.com