Garante issues findings in four privacy cases
By Rocco Panetta
Names of disabled persons online: sanctions for an Italian Region
The Italian DPA (Garante) ordered the Region of Puglia to pay €40,000 as a sanction for publishing on its institutional website information about the health conditions of 4,500 disabled persons who received government benefits to buy PCs.
For a long time, lists containing all the applications for the subsidy could be read on the Region of Puglia website, and each name was shown together with the applicant's pathology, such as impairment of hearing and speech, or sight or mobility disabilities. By publishing such sensitive information, the region unlawfully processed health data.
Considering the social importance of the initiative, the region should have taken all precautions, when disseminating health data online, to avoid serious harm to the many disabled people who applied for the subsidy.
Contraception and minors: parents cannot access relevant prescriptions
Parents cannot access the health records of minor children who ask a medical centre for a prescription of contraceptives without their parents' knowledge or consent. In this context, minors’ privacy must be protected to effectively guarantee the right of self-determination.
The Garante confirmed this interpretation to the Presidency of the Council of Ministers—Committee on Access to Administrative Documents, sharing the comments made by the same committee about a case raised by a local health centre. The case concerns a parent who found some used contraceptives in the room of a sixteen-year-old daughter and decided to ask the local medical centre for access to the child's most recent health records, to make sure that the product had really been prescribed by medical staff.
The Garante document confirmed the opinion of the committee that minors, under Law No. 194/78, can apply to hospitals and clinics without informing their parents. The purpose of this rule is to preserve the minors’ anonymity if they do not want to or cannot inform their parents. An even more important purpose is to prevent minors from secretly seeking help from unreliable, unserious and unprofessional people rather than from authorized medical centres that can provide the necessary guarantees.
A company must stop locating its employees
It is forbidden to use employee geolocation systems without a union agreement or the permission of the local labor office.
The Italian DPA (Garante) ordered an Italian company to stop processing personal data of its employees collected by means of GPS systems installed on some company vehicles. The measure was adopted after a report from some workers, who complained about being monitored while they were travelling to customers for regularly planned assistance activities. The geolocation systems could reveal information about the employees' routes, stops and travelling speed.
The IDPA found that, according to the Workers Statute (Law No. 300/70), employee localization systems may be installed only on the basis of an ad hoc union agreement or the permission of the local labor office. The investigation revealed that neither of these conditions was met.
As a consequence, the Garante stopped any further processing of employee data collected by localization systems. If, in the future, the local labor office authorizes the installation of GPS systems, the company will have to inform the Garante about the processing of the data and indicate the people in charge of these activities who are authorized to access the information.
Main risks and guarantees for consumers
A debt position may be entered in the Banking Information System (SIC), the databases holding all the information about people’s credit ratings that were once called private “risk centrals,” only after informing the consumer who is asking for financing. All the data registered in the SIC must be continually checked and updated.
The Italian DPA (Garante) confirmed this while asking for the cancellation of some data registered in a SIC about a person asking for financing. This person, while applying for a mortgage loan, learned that he had been included in this database, without his knowledge and consent, as a “bad-payer” for an old loan he had received.
During the investigation, the finance company claimed that this person was registered because he had paid 35 of the 36 installments specified in the repayment plan. The borrower, on the other hand, proved that he had paid all the planned installments, but that one had not been registered by the finance company.
It was also proved that, even though the loan was paid off in February 2003, this information was registered only in July 2008 and that, in this period, no one thought to inform the customer about the delayed payment or to forewarn him about the registration of his name in the SIC.
Explaining the decision to order the cancellation of these data from the SIC, the IDPA noted that the code of conduct dealing with information systems establishes that, for delayed payments, the consumer must always be informed before the upcoming registration in the SIC or “risk centrals” and that these databases must contain only exact and updated personal information.
Rocco Panetta is an Italian lawyer and partner of Panetta & Associati Studio Legale in Rome. He is the former head of legal at the Italian Data Protection Authority and a member of the IAPP Europe Advisory Board.