In a completely interconnected world, where personal data travels as much and sometimes more than goods and people, the management of this enormous amount of information assumes strategic importance for any organization. This is also the case at INGV, where the research and monitoring activities inherent in the mission of the Organization are inevitably intertwined with variously consolidated practices concerning, precisely, the collection, management and processing of personal data of researchers and employees in general. And, in the case of the Institute, the matter becomes even more intricate when, looking beyond national borders, it becomes necessary to compare the legislation in force in our country with that of the countless realities, not only European ones, with which INGV works on a daily basis.

To find out more, we interviewed Lucio Badiali, the Institute's Data Protection Officer, who guided us in discovering the numerous nuances surrounding the role and duties of this fundamental figure in any company organization chart.

Lucio, let's start with a definition: who is the DPO of an institution or organization?

The acronym “DPO” stands for “Data Protection Officer.” In Italian it translates as "Personal Data Protection Officer": as often happens in the transition from English to our language, the result is not only longer, but risks confusing the figure of the DPO with that of the "Data Protection Officer". personal".

The DPO is a professional with legal, IT, risk management and process analysis skills. The figure in itself is not historically 'new' because, for example, in the Anglo-Saxon world it was already known by the terms "Chief Privacy Officer" (CPO), "Privacy Officer", "Data Security Officer", as well as, precisely, "Data Protection Officer".

What is the work of a DPO?

In the meantime, let's try to frame it. The DPO does not have an executive but a consultative responsibility. It can be seen as the "adviser" of the Entity, in the sense that the Entity itself is the owner of the processing of personal data in the figure of its legal representative, typically the President. The responsibility of the DPO lies in observing, evaluating and organizing the management of the processing of personal data - and therefore of their protection, in all senses - within the Organization, so that these are treated in compliance with the European and national regulations on privacy.

Speaking of privacy, is there a difference between this concept and that of personal data protection?

Yes, there is a difference: we could say that, to date, the protection of personal data is a larger and more general "container" which also contains privacy.

In the Anglo-Saxon world, the old concept of privacy was even born in the nineteenth century when it was expressed above all in the motto “the right to be let alone”, a right to privacy which is a jus solitudinis almost induced by the advent and proliferation of the press, which at times was considered increasingly invasive.

Shortly before Christmas 1890, the two American jurists Samuel Warren and Louis Brandeis published an essay entitled "The Right to have privacy" in the prestigious Harvard Law Review. One passage read as follows: “Instant photographs and journalistic initiatives have now invaded the sacred confines of private and domestic life, while a great number of mechanical devices threaten to fulfill the prediction that 'whispering inside the closet will be like launching proclamations from the rooftops'".

In fact, at that time the press was beginning to use a new revolutionary medium, photography, which allowed it to forcefully enter people's lives even without their permission. Rereading this passage today, it doesn't seem so incomprehensible to us: it is the prehistory of multimedia, which today is in turn already history.

With the phrase "protection of personal data", however, the horizon widens considerably. Personal data is not limited to some distinctive feature but becomes everything that allows a person to be identified, even indirectly. The novelty introduced in Europe with the General Data Protection Regulation (GDPR - 2016/679) is that there is no longer an absolute ban on the processing of personal data. The first articles of the European Regulation establish a resonance between two apparently opposite concepts: protecting personal data and, at the same time, also the rules relating to the free circulation of data.

In fact, in a hyper-related world like the current one, we carry with us a physical identity as well as a digital one, in a certain sense our double. Confidentiality is no longer, or rather, not only the central point of the question, but also knowing where our data is and who is processing it. It is a world, the one we live in, which is moving towards a monetization of personal data in exchange for the services offered. A world in which some personal data always and in any case travel outside our known perimeter and it therefore becomes increasingly important to know where they go, who processes them and who could misuse them. An example is the web. We have a part of us that travels the net and leaves traces. Every "IT" and "IT" data starts from us and starts traveling the world: our emails, our nicknames or our IP addresses. For the GDPR, all personal data is to be considered. 

How long have you held the role of DPO at INGV?

The European Regulation that I mentioned earlier effectively became applicable in all Member States, including Italy, on 25 May 2018. As INGV we were already ready and, therefore, we were able to immediately formalize my appointment to the Guarantor Authority for the protection of personal data.

In addition to being DPO of INGV, I am also DPO of the EPOS-Eric research consortium: in this context, the challenge is, if we like, even more interesting because the practice of data protection affects not only our organization but many European partners and their countries on a spatially distributed infrastructure.

How do the DPO's skills facilitate or support the work of researchers?

The entire research system in Italy cannot fail to have contact with the protection of personal data. Suffice it to say that we too, as employees, provide data that is constantly processed by the administrations and the state. But even in the scientific projects in which the Institute is a partner we enter an enormous amount of personal data. We are about to launch European projects in which, at the request of the European Commission, macro-areas of ethics and data protection: among these, for example, I would like to mention the project “H2020 e-SHAPE. EuroGEO Showcases: Applications Powered by Europe”, in which 54 EU research institutes, universities and companies collaborate.

Can you tell us about any experience that has involved you in these years as DPO of INGV?

Well, surely I am reminded of the table of all the DPOs in the research sector which was created by the Conference of Presidents of Public Research Bodies together with the Conference of General Managers: a table which is often attended by a representative of the Guarantor Authority, through one of his delegates, and in which it is possible to discuss, exchange experiences and solve some complex problems together (some institutions, for example, deal with biomedical and health research, areas in which the impact of the "privacy" factor is particularly felt).

Furthermore, our President and his counterpart from CREA, the Council for Agricultural Research and Analysis of the Agricultural Economy, have just signed an agreement aimed at setting up a coordination table for the protection of personal data led by the DPOs of the two entities. 

Have the changes introduced by the Covid-19 emergency in the traditional ways of carrying out the work of the Public Administration - such as, for example, the use of smartworking - affected your business?

I must say that since the methods of using agile working were implemented, I have received a large number of requests, many more requests for support than in the recent past. We had to analyze the lawfulness of some data processing. “Can we do this according to the law?”. Among the most recurring topics, invitations for electronic recruitment, measures to protect the personal data of employees subjected to checks, assessments on the legitimacy of publication of data exceeding the actual use for administrative transparency. And let's not forget the cookie policies of the various websites...

What future developments are planned for the role of the DPO in the Institute?

We have a lot to do. First, we need to do an assessment of personal data assets: answer the question "who does what" about personal data and how it is protected. The first step will be the training of employees (including top management) which is a legal obligation. We must also continuously review the technical and organizational measures, the state of data security and analyze the risk associated with a loss or data breach. It is then necessary to update the Treatment Register... And this is only a small part of what we have to do because the law requires it. The work is a lot and the road is still to go!


For further information, see the new issue of Miscellanea INGV, “Research institutions and the protection of personal data: an introduction to the GDPR”: http://editoria.ingv.it/miscellanea/2020/miscellanea56/