Use of assessment and scoring algorithms in schools: reputational rating under the lens of the Italian Data Protection Authority
In a statement issued on 3 May 2022, the Italian Data Protection Authority sent a request for information to the Crop News Onlus Association, which operates in the ‘reputational’ rating sector and is alleged to have promoted software for testing, with students, the ‘reputational’ rating computed by algorithms on the Mevaluate platform.
On the use of platforms for building reputation profiles, the Italian Data Protection Authority had already expressed its position in Order No. 488 of 2016, finding that the processing of personal data carried out by the owner of the platform under examination did not comply with Articles 2, 3, 11, 13, 23, 24 and 26 of Legislative Decree 196/2003 (repealed in 2018 by Legislative Decree 101/2018).
Given the sensitive nature of the project, which targets particularly vulnerable data subjects (students and minors), the DPA asked the Association to provide, within 30 days, any information useful for assessing the data processing carried out.
The Italian Data Protection Authority calls for more guarantees on the platform for e-voting
The Italian Data Protection Authority has issued an unfavourable opinion to the Ministry for Technological Innovation on the draft Dpcm establishing the rules of the platform for collecting signatures for referendums and bills.
The Authority considers that its examination of the measure raised too many critical issues, given that it affects constitutionally guaranteed institutions of direct democracy such as the referendum.
The draft submitted to the Authority currently lacks adequate safeguards for the full respect of citizens’ fundamental rights and freedoms; for this reason, the Authority has indicated to the Ministry a detailed set of conditions and observations to be complied with, in order to avert the risk of personal data processing that does not comply with current legislation.
The Italian Data Protection Authority sanctions a public research institution for inadequate password security measures
With provision no. 46 of 2022, the Italian Data Protection Authority fined a public research institution €6,000.00 for infringement of the principles of Articles 5(1)(f) and 32 of Regulation (EU) 2016/679.
The decision makes clear that, while the principle of accountability requires the data controller to identify the most suitable measures to protect passwords, failing to adopt even the measures contained in Annex B of the Privacy Code (Legislative Decree 196/2003) or in AgID Circular No. 2/2017, both of which predate Regulation (EU) 2016/679, exposes the data controller to the risk of being sanctioned by the Italian Data Protection Authority.
The Italian Data Protection Authority fines a data processor for lack of security measures
The Authority has imposed a fine of €10,000.00 exclusively on a data processor, a software provider, for infringement of the principles of Articles 5(1)(f) and 32 of Regulation (EU) 2016/679 (hereinafter “GDPR” or “Regulation”), following a personal data breach concerning data held in software used to manage traffic fines.
According to the Authority, there were no grounds for a measure against the data controller, a public body, since it was the data processor that had failed to comply with its obligation, under the contract entered into with the data controller, to provide adequate security measures. It should be recalled that Article 28 of the GDPR allows the data controller to entrust processing to a third party that is competent to implement appropriate security measures.
This decision has a decidedly innovative scope, considering that the sanctions of the Data Protection Authority are generally imposed on data controllers or, at most, jointly on data controllers and data processors.