Garante per la protezione dei dati personali (Italy) - 9582723
Garante per la protezione dei dati personali (Italy) - 9582723 | |
---|---|
Authority: | Garante per la protezione dei dati personali (Italy) |
Jurisdiction: | Italy |
Relevant Law: | Article 5 GDPR art. 5(7) Legislative Decree n. 33/2013 |
Type: | Advisory Opinion |
Outcome: | n/a |
Started: | |
Decided: | 23.04.2021 |
Published: | |
Fine: | None |
Parties: | n/a |
National Case Number/Name: | 9582723 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Italian |
Original Source: | Italian DPA website (in IT) |
Initial Contributor: | Davide C. |
The Italian DPA found that the disclosure of certain databases regarding COVID-19 by schools in the Province of Modena may enable the identification of pupils and their health status, even where data which directly identifies the pupils is removed.
English Summary
Facts
A committee, made up of families, school professionals and students active in civil society, has submitted requests for generalised civic access - pursuant to art. 5, paragraph 2, of Legislative Decree n. 33/2013 - to several schools in the province of Modena aimed at obtaining data about COVID-19 report that are sent weekly by the schools to the Health Surveillance System. ls of the Province of Modena to the Health Surveillance system (e.g. number of cases of quarantine, number of cases with positive or negative results, number of classes in preventive quarantine).
Many schools rejected the request, claiming that although no identity data are required, such information is likely to lead to the identification of the students and their health status.
Therefore, the committee asked the Officer of transparency and corruption prevention of Emilia-Romagna for assessing the claim. Then, the Officer asked for the advisory opinion of the Italian DPA.
Holding
The Italian DPA agrees with the considerations of the schools. In fact, the display of all the information requested, even if deprived of the directly identifiable data of the data subject, when combined with verbal information that can be easily acquired, especially in small schools, may enable the identification of the data subjects. According to the DPA, combining the requested data with other information got by third parties might allow the indirect identification of the minor pupils at stake, with disclosure to the general public of his state of health or other sensitive data concerning their possible state of quarantine/isolation.
Furthermore, definitive data is processed by the health monitoring bodies and not by schools. Consequently, the requested information may be incomplete or inaccurate; and the relative communication or dissemination could be in contrast with the principle of data accuracy, enshrined in art. 5(1)(d) of the GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.
[doc. web n. 9582723] Opinion on the request for civic access - 23 April 2021 Record of measures n. 157 of 23 April 2021 THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, "concerning the protection of individuals with regard to the processing of personal data, as well as the free circulation of such data and which repeals Directive 95 / 46 / EC (general regulation on data protection) "(hereinafter" RGPD "); GIVEN art. 154, paragraph 1, lett. g), of the Code regarding the protection of personal data - d. lgs. June 30, 2003, n. 196 (hereinafter the "Code"); GIVEN art. 5, of the d. lgs. n. 33 of 14 March 2013, containing «Reorganization of the regulations concerning the right of civic access and the obligations of publicity, transparency and dissemination of information by public administrations»; GIVEN the Determination n. 1309 of 28/12/2016 of the National Anti-Corruption Authority-ANAC, adopted in agreement with the Guarantor, entitled "Guidelines containing operational indications for the purpose of defining the exclusions and limits to civic access pursuant to art. 5 co. 2 of Legislative Decree 33/2013 ", in the Official Gazette general series n. 7 of 10/1/2017 and in http://www.anticorruzione.it/portal/public/classic/AttivitaAutorita/AttiDellAutorita/_Atto?ca=6666 (hereinafter "ANAC guidelines on civic access") ; GIVEN the provision of the Guarantor n. 521 of 15/12/2016, containing the aforementioned "Understanding on the outline of the ANAC Guidelines containing operational indications for the purpose of defining the exclusions and limits to civic access", in www.gpdp.it, doc. web n. 5860807; GIVEN the request for an opinion from the Head of Corruption Prevention and Transparency (RPCT) of the Regional Education Office for Emilia-Romagna submitted pursuant to art. 5, paragraph 7, of the d. lgs. n. 33 of 14 March 2013 on «Reorganization of the regulations concerning the right of civic access and the obligations of publicity, transparency and dissemination of information by public administrations»; CONSIDERING that the aforementioned art. 5, paragraph 7, provides that the Guarantor makes a decision within ten days of the request; CONSIDERING that the short period of time to deliver the expected opinion does not allow the state to convene the Board of the Guarantor in good time; CONSIDERING that the conditions for the application of art. 5, paragraph 8, of Regulation no. 1/2000 on the organization and functioning of the Guarantor's office, in the part in which it is foreseen that "In cases of particular urgency and non-postponement that do not allow the convocation of the Guarantor in good time, the president can adopt the measures of competence of the body, which cease to be effective from the moment of their adoption if they are not ratified by the Guarantor at the first meeting, to be convened no later than the thirtieth day "(in www.gpdp.it, web doc. n. 1098801) ; Having seen the documentation in the deeds; WHEREAS A Committee - made up of families, school professionals and students active in civil society - identified in documents (hereinafter the "Committee"), "with the sole objective of making the state of diffusion of CoViD-19 in the schools of the Province fully transparent [identified in deeds] »has forwarded applications for generalized civic access - pursuant to art. 5 paragraph 2, of the d. lgs. n. 33/2013 - to various educational institutions aimed at obtaining data in the form of "" Sars-Cov2 report "that are sent weekly by the Schools of the Province of Modena to the Health Surveillance system" and "Specifically [...] a copy of the database of historical series containing the following surveys: - number of cases in isolation - number of quarantined cases - number of cases subjected to swab (molecular or antigenic) - number of cases awaiting outcome - number of successful cases - number of cases with negative results - number of classes in isolation - number of classes in preventive quarantine - number of outbreak classes (with positive swab cases subsequent to case 1) with weekly temporal granularity with temporal depth from the beginning of the survey, with detail and hierarchy for single club / school and single plexus ». The documents show that many schools concerned have denied civic access with the same provision, for reasons relating to the protection of personal data, representing that the display of the set of information requested, even if deprived of the data directly identifying the interested parties, " when combined with verbal information that can be easily acquired, especially in contained school situations, they allow us to trace the identity of the subjects involved and, therefore, their state of health ". The applicant for civic access has therefore submitted a request for a review of the refusal measures to the RPCT of the Regional School Office for Emilia-Romagna (Article 5, paragraph 7, of Legislative Decree no. 33/2013), deeming them not legitimate and insisting on their requests, also asking that "the willingness to identify the most convenient way to collect [the] information [requested] with the intention of not burdening the activities of the School" be offered. With the note in the file, the Head of Corruption Prevention and Transparency (RPCT) of the Regional Education Office for Emilia-Romagna asked the Guarantor for the opinion required by art. 5, paragraph 7, of the d. lgs. n. 33/2013. OBSERVE 1. The regulatory framework Pursuant to sector legislation, "anyone has the right to access data and documents held by public administrations, in addition to those subject to publication pursuant to this decree, in compliance with the limits relating to the protection of legally relevant interests in accordance with the provisions from article 5-bis "(article 5, paragraph 2, of legislative decree no. 33/2013). In relation to the profiles of competence of this Authority, it should be noted that the aforementioned art. 5-bis provides that civic access must be refused, among other things, "if the refusal is necessary to avoid a concrete prejudice to the protection [of] the protection of personal data, in accordance with the relevant legislation" (paragraph 2, letter a), and is in any case "excluded" in the "cases of access or disclosure prohibitions provided for by law" (Article 5-bis, paragraph 3). In this context, it is specified that personal data means "any information concerning an identified or identifiable natural person (" interested party ")" (art. 4, par. 1, n. 1, RGPD). Having said this, it must be borne in mind that in the assessments to be carried out in relation to the possible display of personal data (or documents containing them), through the institution of civic access, it must be taken into account that - unlike the documents to which one has been accessed pursuant to l. n. 241 of 7/8/1990 - the data and documents that are received following a request for civic access become "public and anyone has the right to know them, to use them for free, and to use and reuse them pursuant to article 7", although their further processing must in any case be carried out in compliance with the limits deriving from the legislation on the protection of personal data (Article 3, paragraph 1, of Legislative Decree no. 33/2013). Consequently, it is also in the light of this amplified publicity regime of civic access that the existence of a possible concrete prejudice to the protection of the personal data of the counter-interested parties must be assessed, on the basis of which to decide whether or not to refuse access to data, information or documents requested. Furthermore, it is necessary to comply, in any case, with the principles of the RGPD of "purpose limitation" and "data minimization", according to which personal data must be "collected for specific, explicit and legitimate purposes, and subsequently processed. so that it is not incompatible with these purposes ", as well as" adequate, relevant and limited to what is necessary with respect to the purposes for which they are processed "(art. 5, par. 1, lett. b and c). This also taking into account the reasonable expectations of confidentiality of the interested parties and the unpredictability of the consequences deriving to the latter from the availability of the requested data by anyone (see par. 8.1 of the ANAC Guidelines on civic access, cit. ). It should also be remembered that the RGPD defines as "data relating to health" the "personal data relating to the physical or mental health of a natural person, including the provision of health care services, which reveal information relating to his state of health" (art. 4, par. 1, no. 15; recital no. 35). In this context, it is noted that the Code, for the protection of individuals and in "respect for human dignity, fundamental rights and freedoms of the person" (Article 1, paragraph 1), provides for an express "prohibition of dissemination", that is the possibility of giving "knowledge [...] to indeterminate subjects, in any form, including by making them available or consulting" "data relating to health" (art. 2-septies, paragraph 8; art. 2-ter, paragraph 4, letter b). The same prohibition is also established by d. lgs. n. 33/2013, which in art. 7-bis, paragraph 6, similarly provides as «The limits remain […] to the dissemination of data suitable for revealing the state of health […]»). Consequently, when an instance of civic access concerns data relating to health, the "exclusion of civic access" provided for by the state legislation on transparency becomes applicable, which expressly provides for how civic access must be excluded. in "cases of access or disclosure prohibitions provided for by law" (Article 5-bis, paragraph 3, of Legislative Decree no. 33/2013). The above is also confirmed by the ANAC guidelines on civic access with reference to the "Absolute exceptions" to civic access, where it is indicated that "In assessing the request for access, the administration must [...] verify that the request does not concern deeds, documents or information removed from the possibility of ostension or “conditional” access as they fall within one of the cases indicated in art. 5-bis co. 3 "(par. 6). Specifically, in par. 6.2., Entitled "Other cases of secrecy or prohibition of disclosure", it is also specified that "[...] some disclosure prohibitions are provided for by current legislation on the protection of confidentiality with reference to: data suitable for revealing the status of health, that is to any information from which it is possible to infer, even indirectly, the state of illness or the existence of pathologies of the subjects concerned, including any reference to the conditions of invalidity, disability or physical and / or mental handicap (Article 22, paragraph 8, of the Code [today art. 2-septies, paragraph 8]; art. 7-bis, paragraph 6, legislative decree no. 33/2013) "(regarding health data, see also, between the others, the opinions given by the Guarantor in the provisions n.188 of 10/4/2017, in www.gpdp.it, web doc. n. 6383249; n. 206 of 27/4/2017, therein, web doc. n. . 6388689; n. 98 of 02/22/2018, therein, web doc. 8165944; n. 226 of 04/16/2018, ibid., Web doc. 8983848; n. 2 of 1/10/2019 , ibid, web doc. no. 9084520). 2. Civic access to data and information not yet held by the public administration. The issue submitted to the attention of the Guarantor concerns the display, through the institution of civic access, of databases and data relating to the health emergency and the detection of cases of spread of Covid-19, of isolation / quarantine, of carrying out of swabs referring to pupils of schools located in the same province, on a weekly basis, starting from the date of the first survey, contained in the reports sent by the Schools "to the Health Surveillance system". From the documents and from the civic access request it is not clear whether the access request concerns only past cases or the desire to activate a real systematic communication - also for the future - on such data and information, on a weekly basis, from the administration to the Committee. In any case, in order to avoid any possible doubt, it should be noted that the institution of civic access can only concern data and documents "held" by public administrations (Article 5, paragraph 2, of Legislative Decree no. 33/2013), with the impossibility of accepting requests that concern data or information not yet in the possession of the public administration o the activation of future data communication flows. The ANAC itself, in the aforementioned guidelines on civic access, highlighted that the administration has the obligation to "allow access to documents containing information already held and managed by the administration itself", excluding that the same "is required to form or collect or otherwise procure information that is not already in its possession" (par. 4.2.). 3. Access to health emergency data held by educational institutions referring to pupils It should be noted as a preliminary point that the data and information referring to individuals, identified or identifiable, who have contracted the virus from Covid-19 certainly fall within the definition of health data for which civic access must be excluded pursuant to the aforementioned art. 5-bis, paragraph 3, of the d. lgs. n. 33/2013. It must also be highlighted that the information referring to individuals, identified or identifiable, who - although not positive for Covid-19 - have been subjected to a buffer (molecular or antigenic), or to quarantine or isolation, are of a particularly delicate nature. , being however referred in the case in question to minors. Any display of such personal data, combined with the particular advertising regime of the data subject to civic access, can be a source of specific risks for the interested parties, determining possible negative repercussions on a personal, social and relational level, both internally and outside the school environment. In this way, an unjustified and disproportionate interference in individual rights and freedoms could effectively arise, in violation of the principle of data minimization (Article 5, paragraph 1, letter b and c, of the GDPR), causing precisely that concrete prejudice to the protection of personal data protection provided for by art. 5-bis, paragraph 2, lett. a), of d. lgs. n. 33/2013. In this regard, it is also necessary to take into account the reasonable expectations of confidentiality of the counter-interested parties in relation to the processing of their personal data at the time they were collected by the educational institutions, as well as the unpredictability, at the time of data collection, of the consequences deriving from minors and their families, from the possible knowledge, by anyone, of the data requested through civic access (see par.8.1 of the ANAC Guidelines on civic access, cit.) 4. The case submitted to the attention of the Guarantor In the light of everything represented, it is necessary to carry out a weighted analysis of the ostensibility of the information requested by the Committee, which, even if without the indication of the name and surname of the pupils concerned, contain detailed information - divided by single club / school and complex - refer to the number of cases in isolation, quarantine and swab (with specification of the type: molecular or antigenic); the number of cases awaiting outcome (with specification for each case if with positive or negative outcome); the number of classes in isolation or preventive quarantine, the number of outbreak classes (with specification of positive cases for the swab after case 1). In this regard, the individual educational institutions recipients of requests for civic access - on the basis of the assessments carried out as data controllers and in compliance with the principle of responsibility / accountability (articles 5, par. 2; 24; recitals no. 75 and 76, of the RGPD) - in their refusal measures they stated that the display of the required information, even if deprived of the directly identifying data of the interested parties, "when combined with verbal information that can be easily acquired, especially in contained schools", can allow to trace the identity of the subjects involved. On this point, no elements emerge from the documents that allow this Authority to deviate from the evaluation carried out by the data controller, especially considering the restricted area of reference (club / school or complex), the variability of the number of cases (which could also be weekly small); the particular regime of publicity of the data received through civic access (Article 3, paragraph 1, Legislative Decree no. 33/2013) and the "comparison" of the requested data with other information possibly in the possession of third parties that could allow - even a posteriori - the indirect identification of the minor pupil concerned, with disclosure to the general public of his state of health or of other delicate data concerning the possible state of quarantine / isolation. In this regard, it should in fact be remembered that, pursuant to the RGPD, "identifiable" is considered "the natural person who can be identified, directly or indirectly, with particular reference to an identifier such as the name, an identification number, data relating to location, an online identifier or one or more characteristic elements of its physical, physiological, genetic, psychic, economic, cultural or social identity "(art. 4, par. 1, n. 1). This orientation is also confirmed in the previous opinion of the Guarantor no. 155 of 3/9/2020 (in www.gpdp.it, web doc. 9461036), adopted on a similar issue, and cited both by the RPCT and by the applicant, in which it was agreed with the decision of a Region of not to provide detailed data on the health emergency that could allow indirect identification of the interested parties and to provide, instead, in any case - in order to satisfy the information needs underlying civic access and to "favor widespread forms of control on the pursuit of institutional functions and on the use of public resources and to promote participation in the public debate "(Article 5, paragraph 2, of Legislative Decree no. 33/2013) - aggregate data on the health emergency, on wider territorial base, at the municipal level. However, it is believed that the aforementioned solution may not be useful with particular reference to the data of minors enrolled in educational institutions, considering - for example - that in very small municipalities there could also be individual schools / school complexes and aggregation at municipal would be substantially useless, coinciding with the single school or complex. Furthermore, in the specific case under examination, this Authority believes that it cannot even suggest providing the requested data and information at a more extensive level of aggregation than the "single club / school and single complex". This is because the instant Committee has submitted requests for access to individual schools that have information related to their own situations and not at a more extensive level. Nor is it therefore possible to ask - through the institution of civic access - to individual schools, or to the RPCT of the regional school office that requested the opinion of the Guarantor, to provide data or information that is not already held or in possession of the single administration. In this regard, even the ANAC in its guidelines, highlighted that the institution of generalized civic access, concerning data and documents "held" by public administrations (Article 5, paragraph 2, Legislative Decree no. 33 / 2013) cannot imply that the administration, to respond to the request, "is required to form or collect or otherwise obtain information that is not already in its possession [, not having] the obligation to reprocess the data for the purposes of generalized access, but only [to] allow access to documents which contain information already held and managed by the administration itself ". Moreover, to this is added a further circumstance that must be properly considered. In relation to the health emergency data from Covid-19, educational institutions are not the parties responsible for the processing of "official data", which is instead entrusted to the bodies responsible for health surveillance. Consequently, the requested data, of different types referring to the pupils (e.g .: number of pupils subjected to a swab, with the indication of the positive or negative outcome; the number of pupils subjected to quarantine or isolation), possibly detained by them also incidentally ( for example because transmitted by parents or other subjects) may be incomplete or incomplete; and the related communication or dissemination could, depending on the individual case, conflict with the general principle of "data accuracy", enshrined in art. 5, par. 1, lett. d), of the GDPR. WHEREAS, THE GUARANTOR expresses an opinion in the terms set out above on the request of the Head of Corruption Prevention and Transparency of the Regional School Office for Emilia-Romagna, pursuant to art. 5, paragraph 7, of the d. lgs. n. 33/2013. Rome, April 23, 2021 PRESIDENT Pasquale Stanzione