Law n. 675 of 31/12/1996 (the law on privacy) concerns the protection of individuals with regard to the processing of personal data and the disclosure of confidential data. The law on privacy regulates data processing both by means of information technology and by other means, e.g. on paper, so it covers data stored on the Web as well as data held in archives or recorded on paper. This law has been supplemented and amended by many other rules, so a consolidated text on privacy has been issued: decreto legislativo 30 giugno 2003 Num. 116, the Code on personal data protection. Starting from January 1st, 2004 this decree replaces the previous law.
Here you find a glossary of the main terms:
- Anonymous datum: a datum that, from the outset or after processing, cannot be associated with an identified or identifiable subject.
- Personal datum: "any information concerning a physical or legal person, company or association, identified or identifiable, directly or indirectly, by reference to any other information, including a personal identification code."
- Sensitive data: personal data that can reveal racial or ethnic origin, religious or philosophical beliefs, political opinions, membership of trade unions, political parties or religious or political associations, and also personal data revealing health conditions and sexual life.
- Processing: "Any operation or series of operations performed to collect, register, organise, store, modify, select, extract, compare, use, interconnect, block, delete, disseminate and distribute data".
- In charge of data processing: the school; the School Principal is the person appointed to control it.
- Data processing administrator: appointed by the School Principal, and must guarantee that the rules on data processing and security are respected; his duties must be stated in writing. Appointing an administrator is optional and does not exempt the School Principal from his responsibility.
- Computer system administrator: the person in charge of planning the automation implementation and of adopting the precautions and security measures established by law dlgs 39/93.
- Deputy: the subject appointed by the School Principal or by the administrator to handle personal data.
- Interested party (data subject): the subject to whom the personal data relate.
The schools' secretarial offices will soon (see cm114/2002) have to manage local area networks of personal computers on which sensitive data are stored. Such networks will be connected to the Internet to allow the exchange of electronic mail and access to resources made available by the MIUR and by local administrations. This new situation makes it necessary to strengthen the security measures for processing sensitive data on the Internet.
The most important addition to Law 675 is the directive DPR Num. 318 del 28/07/1999, which lays down the rules for determining the minimum security measures to adopt in personal data processing. More in detail, the directive examines the procedures for access to personal data and establishes that a security programme be issued and updated yearly, addressing the following issues:
- list of personal data processes;
- allocation of tasks and charges;
- risk evaluation;
- measures to adopt in order to guarantee integrity;
- procedures for data recovery;
- development of a training plan for data processing personnel.
Failure to adopt the minimum security measures is considered a legal offence (failure to adopt data security measures) under article 36 of law 675/96.
This rule applies not only to the data processing administrator but also to the deputy, in case he is also responsible for security.
We also remind that adopting the minimum security measures will avoid legal proceedings.
What School Principals must do:
- appoint one or more administrators;
- appoint deputies;
- make a census of the data processes within the organization in order to notify the subjects involved;
- issue a policy on data processing, communication and dissemination;
- issue a communication;
- adopt a plan to enhance security measures and prepare a plan of action for security.
Generally the subject in charge of data processing, i.e. the School Principal, has the option of appointing one or more administrators, namely:
- one or more computer system administrators in charge of network maintenance, including security devices (firewalls and filters). If possible, choose the teacher who has been trained in the C2 - FORTIC project;
- one or more personal data administrators charged with monitoring compliance with the present rules on data processing (access procedures, passwords, data backup, etc.).
However, we must underline that the computer system and web security administrator cannot be held responsible for personal data processing without a formal appointment in which his new duties are stated in writing.
The preeminent reference on privacy issues for Italy is: