Privacy Guarantor: "Criticality on data for citizenship income"

According to Agi, the Guarantor Authority for the protection of personal data, in a memorandum presented to the Permanent Commission of the Senate, highlighted that the rules for accessing databases, the "monitoring" of the use of the card, the discipline for issuing ISEE certifications and the website present "significant critical issues".

The mechanism - the Privacy Guarantor said - involves "large-scale processing of personal data, referring to applicants and members of their family unit (including minors) who are granted maximum protection due to their relevance to the most intimate sphere of the person or because they are liable to expose the person concerned to discrimination". But "having not previously been requested the opinion" required by the General Data Protection Regulation "it was not possible to highlight in detail the risks deriving from the various processing activities (which affect a large number of citizens, including those who are not interested in requesting the Rdc) and identify in advance suitable measures to mitigate them".

The regulatory provisions "must identify with sufficient precision, in accordance with the principles of transparency towards the interested parties, minimization of the data processed, privacy by design and default setting: the data controllers, the types of data processed, the subjects to whom they may be communicated and their respective purposes, as well as data retention terms that are proportionate (and not excessive) with respect to the purposes pursued". Well, "in these respects, the rules of the Rdc, as formulated, do not appear, in several points, suitable for satisfying the requirements of European law".

Digital platforms

For the Guarantor, "the decree-law contains provisions of general scope, unable to define with sufficient clarity the procedures for carrying out the consultation and verification procedures of the various databases. The public entities involved are not identified with sufficient clarity, nor are the criteria established on the basis of which the use of certain categories of information may be deemed justified from time to time, with respect to the specific objectives pursued and in compliance with the principle of proportionality".

More specifically, the establishment of "two digital platforms" is envisaged, respectively at the Anpal and at the Ministry of Labor, in order to allow the activation and management of the employment agreements and the social inclusion agreements connected to the Rdc, as well as for the purposes of analysis, monitoring, evaluation and control of the benefit provided. "Although some provisions of the decree-law delegate the detailed discipline to implementing decrees (on which the opinion of the Guarantor must necessarily be requested), they, as formulated, presuppose a massive flow of information among those assisted by greater protection, including those present in the archive of financial relationships between various public entities".

"And this, in the absence of an adequate reference frame that identifies relevant rules for selective access to databases, introduces suitable measures to guarantee the quality and accuracy of the data, as well as technical and organizational measures aimed at avoiding the risks of improper access, fraudulent use of data or violation of information systems, as well as suitable procedures to guarantee the interested parties the easy exercise of their rights", the statement continues.

Monitoring of expenses

Similarly, "significant critical issues" can be identified, according to the Authority, in the discipline of "monitoring" the use of the Rdc card by the beneficiaries. "In addition to the centralized and systematic monitoring of purchases made through the card - which may also involve the acquisition of particularly sensitive data - there are, in fact, the punctual checks on individual consumption choices, conducted by the operators of the employment centers and municipal services, in the absence of well-defined procedures and regulatory criteria. In this context, the legitimate needs to verify any abuses and fraudulent behaviors translate into a large-scale, continuous and capillary surveillance of card users, thus causing a disproportionate and unjustified intrusion on every aspect of the privacy of the data subjects". For these reasons, "the provisions in question should be implemented after careful risk assessment, in compliance with the requirements of the European Regulation".

The ISEE attestations

"Strong perplexities" are raised by some provisions on the discipline for issuing ISEE certificates, "likely to jeopardize the security of the data contained in the tax registry and, above all, in the archive of the financial reports of the Revenue Agency, so far inaccessible even within the ordinary tax control activities, due to the high risks associated with the relative processing of such information".

The provisions of the decree-law, "albeit with a view to simplification, subordinate the pre-compilation of the DSU (Single substitute declaration) to the release of consent, or to the failure to prohibit the processing of their data, that each member of the family can demonstrate at the INPS offices, on the website of the Institute or the Agency, and at Caf. However, the introduction of this complex device of consent / inhibition of processing by the interested parties - which does not comply with the requirements of European law, since consent in this case cannot constitute a valid prerequisite for the lawfulness of the processing itself - does not represent an adequate supervision of the security of such information".

For the Guarantor, the provisions in question "should be reformulated" and, "in particular, technical and organizational measures should be introduced to avoid the risks of fraudulent use of data, improper access or violation of information systems".

The website

Even the government website dedicated to citizenship income "reveals, already in its current state of development, some shortcomings, in particular, in the information on data processing and in the technical methods of its implementation (which, to date, involve undue and non-transparent transmission of navigation data to third parties, such as IP addresses and connection times, by visitors to the same site). It is necessary that the realization of this tool take place after the adoption of suitable technical measures to effectively implement the principles of data protection, integrating the necessary guarantees in the treatment to reduce the risks to protect the rights of citizens".

 

 
