The Presidency of the Council of Ministers - General Secretariat At State administrations also an autonomous At the Council of State - Office of the Secretary General At the Court of Auditors - Office of the Secretary General of the State Attorney General - Office of the Secretary General At agencies where the legislative decree n. 300/1999 all'ARAN At the High School of Public Administration To the non-economic public bodies (via the supervising Ministries) For the public authorities (art. 70 of Legislative Decree. N. 165/2001) For the research organizations (through Ministry of education, university 'and research) At universities (through the Ministry of education, university' and research) and, for information UPI ANCI UNCEM the Conference of Presidents of regions at the Conference of rectors of universities' Italian 1. Introduction. On January of 2004 and 'it came into force Legislative Decree 30 June 2003, n. 196, bearing the "Code regarding the protection of personal data", hereafter referred to as 'the Code', in which they are collected, in the form of a single text all the provisions on the protection of persons and other subjects regarding the processing of personal data and attivita 'connected. The text represents the first organic coding model of privacy in Europe and takes into account both the Community regulatory framework (Directive n. 95/46 / EC and no. 2002/58 / EC) and of the International. The discipline of the Code, similar to the one dictated by the preceding regulations, engages in a context mainly oriented to the publicity 'of the administration, by the Law of 7 August 1990. 241, and other industry regulations, and confirms the graduation of the different levels of protection required within the general category of personal data by providing guarantees more 'stringent with regard to sensitive data. The Code provides that citizens have a system of guarantees structured and simplified at the same time that, in identifying all the instruments to a full realization of the right to protection of personal data is a prerequisite for the enjoyment of all other fundamental rights of individuals which at that right they are obviously connected. In this context the principles set out in the consolidated text inform all aspects of social life and activity of the government and, in particular, so far as relevant here, even the aspects of human resource management in all organizational aspects, to safety and well-being. 2. The principles and obligations. It seems appropriate to recall here the principles that derive from the Code regarding the protection of personal data to which the administrative action must 'be inspired and which are intended to exert a great influence on the exercise of parental authority' organization of public administrations. The 'right to protection of personal data' as a fundamental prerogative of the person, and 'was introduced into implementing art. 8 of the Charter of Fundamental Rights of the European Union of 7 December 2000 and should be considered as a separate and distinct right over the right to privacy in sostanziandosi right of its owner to know and control the circulation of information concerning him. The code, which has thus stated, Art. 1, the right to protection of personal data is designed to ensure that the processing of this information "will be respect for the rights and freedom 'fundamental, as well as' dignity' of the person concerned, with particular reference to confidentiality, the identity 'and the right to personal data protection "(art. 2). A general principle of the guarantee system provided by the Code which must guide administrative action and 'constituted by the principle of' need 'the processing of personal data ", to be understood as a principle that complements that of" relevant and not excessive "of processed data (gia 'identified by law n. 675 of 1996) with reference to the configuration of information systems and computer programs. This rule prescribes to prepare the information systems and programs in order to use as few personal information and identity data excluding the treatment when the purpose 'pursued can be achieved through the use of anonymous data or mode' that allow identifying the person concerned only in case of need '(art. 3). It must be also remembered that the principle of necessity 'is a condition of lawfulness' of the processing of personal data and non-compliance with this and other conditions has important consequences for the administration. In fact, the Code, in dictating the rules for all the treatments marked the uselessness' of personal data processed in violation of the regulations governing the processing of personal data (art. 11, para 2). The right to protection of personal data potra ', therefore, be guaranteed only if the owners administrations of treatments inspire their activity' within the principles of the Code and, consequently, in addition to meeting the obligations expressly provided, will adopt a set of concrete behaviors, actions and organizational measures consistent with the principles governing the matter. In particular, the processing of personal data by public authorities, and 'allowed only if it is necessary for the performance of official duties respecting any other conditions and limitations laid down by the Code, as well as' the law and the regulations. In this regard, and 'necessary to point out that, except as provided for posts treatments in place by health care professionals and public health organizations (Part II of the Code), public authorities should not ask your permission. Sensitive data can, however, only be processed if the processing is authorized by an express provision of law which specifies the types of data that can be treated, the operations executable and purpose 'of overriding public interest purposes (Articles 18 , 19, 20 and 22 of the Code. For sensitive data v. more 'detail below the part concerning the "Regulations"). It 'also imposed on the authorities a duty to ensure the security in data management and systems so as to minimize the risk of destruction or loss, even accidental of the data, unauthorized access or treatment not allowed or not conform to the purposes' of the collection. Therefore, the government, or the subjects of custodial services and systems on behalf of the same, will have to take all precautions permitted by modern technologies preventing the risks arising from the organization and management of databases and information systems (3135 items and Technical Regulations in ' Annex B to the Code). Similar precautions should be taken in handling all actions and measures involving the use of personal and sensitive data. Within above general requirement to limit the extent more 'broad as possible certain risks, data controllers are required in any case to ensure a minimum level of data protection by adopting the "minimum security measures" identified in the Title V, Chapters I and II of Part II of the Code or to be identified in accordance with art. 58, paragraph 3, in relation to processing for purposes' of defense or covered by state secrecy. The discipline of the Code, finally, and 'informed by the principle of simplification whereby the high degree of protection of the rights and' insured in respect of the principles of simplification, harmonization and effectiveness of modalities' for exercising the right to data protection personal and other rights and freedoms' fundamental concerned and of the requirements facing data controllers (art. 2, paragraph 2). Derogations or together with the general rules are set by the Code in relation to specific areas of interest for the attivita 'administrative, such as the judicial sector, in Articles 46 to 52, treatments performed by the police, in articles 53 to 57, and those related to defense and national security, in art. 58. 3. Purpose 'of the directive. This Directive and 'aims to draw attention of the authorities on the provisions of the Code with the greatest impact in the public sector, requiring the adoption of effective organizational decisions to translate substantively the guarantees provided by the legislature, as well as' the consequences related to their failure to implement. The entry into force of the new Code entails, for public authorities, the need 'to rethink their activities' and its organization in order to allow a full and effective guarantee of the rights established in it. In fact, the issues related to privacy invest administrations in almost all 'of their activities', taking on significant importance in the performance of many of the institutional tasks entrusted to them by law, such as, the management of human resources. In view of what ', the Code (art. 176) added the paragraph 1-bis paragraph 1 of article. 2 of Legislative Decree 30 March 2001, n. 165. Therefore, the government will have to implement the guidelines of the office organization in compliance with the rules on the processing of personal data, in addition to the criteria set out in that provision. From what has been said shows the need 'to provide for the adoption of the instruments needed for the practical implementation of the Code, such as: regulations indicate the types of sensitive and judicial data that can be processed and the operations that can be performed on them in relation to the pursuit of purposes' of overriding public interest absence of any specific legislative indication (articles 20, 21 and 22); the information to the person (art. 13); the notification to the Guarantor in the cases provided for by art. 37; any notices to the Guarantor (art. 39); the minimum measures of security in particular, and the security policy document (Art. 34, paragraph 1, letter g) and Rule. 19 Annex B to the Code). It will be necessary 'also conduct specific surveys of data processed in the light of existing provisions and the revision of the modes' of management of the same, paying particular attention to the need' to ensure that the parties concerned the exercise of the right of access to data concerning them and other rights enshrined in Article. 7 of the Code, as well as 'the problems relating to access to administrative documents and the need' to balance the requirements of transparency of administrative action with protection of the right to personal data protection. Therefore it will appeal to managers and officials engaged in the united 'within their jurisdiction' cause part of the activities' of direction, coordination and control of the offices which are responsible for taking all necessary measures to ensure compliance with and full implementation of the principles of the Code, prevent the risks present in the individual activities' and adopt, therefore, all acts, organizational behavior and the necessary solutions. 4. Data classification and types of related formalities. 4.1. Personal data. Article. 4, paragraph 1, letter b) of the Code defines personal data "any information concerning a natural person, legal person, entity or association, identified or identifiable, even indirectly, by reference to any other information including a personal identification number" . The government, and 'allowed the processing of personal data when responding to the need' to perform his official duties. Therefore, except as provided for health care professionals and public health organizations (see the provisions of Part II of the Code), these bodies must not ask the consent in accordance with art. 18. In particular, the processing of data other than sensitive and judicial and 'also permitted in the absence of a specific legal provision purche' is intended for the performance of official duties of the administration, while the communication of these data by a government to another or to private or their spread and 'possible only when there is an express provision of law, as indicated in art. 19. In the event that the authorities have required 'to provide such information to another government agency, always for the purpose of carrying out activities' institutional, but without proper provision of law, may, however, 'to inform the Guarantor, pursuant to art. 39 of the Code. Under this new mechanism, elapsed forty-five days of notification to the Guarantor, the data communication operation can 'be initiated, without prejudice to the possibility' of a different determination of the Authority 'also subsequently adopted at the expiry of the term. It must be carried out prior notification to the Guarantor, pursuant to art. 39, even in the case of processing of data disclosing health status provided by a biomedical research program or health, in accordance with the provisions of Art. 110 of the Code. On government data controllers also it bears the obligation to notify the Guarantor of personal data which are listed in paragraph 1 of article. 37 of the Code. This requirement must be made before the start of treatment and only once, regardless of the operations that must be performed (unless, of course, the obligation to notify any changes to the treatment or its cessation). Under Articles 37 and 38, the notification is intended to only validly effected if sent electronically using the mode 'indicated by the Guarantor through the model provided for that purpose and available on the website of the Authority' (www.garanteprivacy.it). In this regard it is noted that, with provision no. of harm to the parties concerned and then subtracted to the notification referred to in that Article 1 of the March 31, 2004, which is also available on the website of the Authority ', identifying some of the data processing not likely in practice. 37. Finally, it is recalled that on the basis of the discipline of the Code constitutes a 'communication' of personal data to give away this information to one or more 'different by the interested parties, in any form, including by making available for consultation . Can not 'be regarded as such, however, the communication made to the affected person, the representative of the owner in the State of the administrator or the person (art. 4, paragraph 1, letter l). 4.2. General rules for the processing of data. The general rules, common to all processing of data, can be found in Articles 11 to 17 of the Code. 4.2.1. Mode 'of processing and data requirements. In particular, Article. 11, in attaching mode 'of processing and data requirements, also identifies the conditions of lawfulness' of treatment. According to the regulations introduced by the Code, any violation of the conditions laid down by that provision and other relevant rules on personal data processing involves the uselessness' of data (art. 11, para 2). 4.2.2. Owner, manager, in charge. As for the persons who carry out the treatment, Article. 28 clarifies that the "data controller", in the case of government, coincides with the entities' as a whole or with the unit 'or the peripheral body exercising decision-making power entirely independent on purpose' and the mode 'of treatment, including on safety, rather than' with the individual hinged organ or authority office. For complex administrative structures it is suggested to make use of the right 'granted to the holder art. 29 of the Code to designate one or more '' controllers ', between all the partners, to quality' professional and personal, provide sufficient guarantees regarding compliance with the applicable provisions. This designation must be accompanied by the analytical specification in writing the tasks and the periodic supervision over compliance of the instructions given and the overall compliance with the rules on personal data protection, as provided by paragraph 5 of article. 29. A system shutdown and 'placed the forecast for the "data processors", the only ones who might actually carry out the processing operations of personal data. The officers work under the direct authority 'of the owner or manager, after designation expressed in writing, containing the precise scope of their treatment allowed detection and indication of instructions to be followed in carrying out the treatment. To simplify this requirement, given the frequency with which staff are subject to rotation and rotation within the administrative structures, the Code considers equivalent to the registered designation of those in charge, the preposition to a unit of 'organizational personnel (for example, through a service order) for which is altresi' identified in writing the scope of the permitted treatment to employees who work within the same units'. 4.2.3. Information to interested parties. In exercise of rights to protection of personal data, the Code imposes on the obligation of the data controller, provided by art. 13, to provide interested parties with adequate information. The interested party or the person who collected the personal data must therefore be informed orally or in writing, among other things, the purpose 'and the mode' of data processing, of any Obligations' of its contribution, the consequences relating to the refusal to provide the data, the rights can be exercised by the interested party as well as' the identification details of the data controller and the data processor. For more 'responsible designation, the Code introduces a further simplification giving possibility' of the person in the informative report to the identification of only one responsible for simultaneously indicating the mode 'through which and' knowable the list and updated data processors (for example, by indicating the administration's corporate website where the list and 'eventually published). 4.3. Sensitive data. Article. 4, paragraph 1, letter d) of the Code defines sensitive data "personal data revealing racial or ethnic origin, religious beliefs, philosophical or other beliefs, political opinions, membership of parties, unions, associations or religious, philosophical, political or trade union, as well as' personal data disclosing health and sex life. " The processing of sensitive data and 'allowed only if expressly authorized by law indicating which of the types of data that can be treated, the operations executable and relevant purposes' of public interest pursued. If a statutory provision does not specify the types of sensitive and judicial data that can be processed and the operations that can be performed on them, the administrations are required to identify and make public the types of usable data and executable operations, in relation to the pursuit of purposes' deemed by the law of overriding public interest, updating and integrating the periodic identification (art. 20, paragraphs 1, 2 and 4, of the Code). In this regard, Part II of the Code specifies certain activities 'of overriding public interest, among which are relevant for public administrations, for example, the activities' aimed at the application of the rules on access to administrative documents (Art. 59 ), or the rules relating to the granting, validation, modification and revocation of economic benefits, concessions, donations, fees or other qualifications (art. 68), the activities' social welfare (art. 73), and relating to the establishment and management by public entities of labor relations (art. 112). In case instead the authorities intend to carry out a processing of sensitive data that proves not expressly provided for by a provision of primary law status, they can apply to the Guarantor are discernible if the conditions of overriding public interest which authorizes the use, according the mechanism provided for by art. 26, paragraph 2, of the Code. In this case, treatment and 'allowed only if the administration concerned them take care altresi' to identify and make public the types of usable data and can do with an act of a regulatory nature (art. 20, paragraph 3, of the Code, the respect, v. more 'detail below the part concerning the "Regulations"). 4.4. judicial data. Article. 4, paragraph 1, letter e) of the Code defines "judicial data" personal data revealing iscrivibili measures in the criminal records indicated by art. 3, paragraph 1, letters a) to o) and from r) to u) of the Decree of the President of the Republic November 14, 2002, n. 313, or the quality 'of the accused or suspected person under Articles 60 and 61 of the Criminal Procedure Code. And 'possible for public authorities treat such information when this' is envisaged by a provision of law or by an order of the Garante purposes explicitly stated in the relevant' public interest purposes, personal data that can be used and the processing operations executables. In the event where the law only specifies the purpose 'of overriding public interest, apply the requirements for the processing of sensitive data, according to art. 20, paragraphs 2 and 4 of the Code with regard to the need 'to identify and make public through an act of a regulatory nature types of usable and executable operations data (art. 21). 4.5. Regulations. Articles 20, paragraph 2, and 21, paragraph 2, of the Code provide that, where a statutory provision has specified the purpose 'of overriding public interest, but not the types of sensitive and judicial data that can be processed and the operations can be carried out on them, governments will have to adopt a special regulation by which to identify and make public, by the parties that perform the treatment, the types of usable data and executable operations, in relation to the institutional purposes intended and in compliance with the principles established by art. 22 of the Code. The adoption of these measures presupposes the prior review of all activities' carried out by the public entity that involve the processing of sensitive or judicial data, as well as' the evaluation of INDISPENSABILITY 'of the data used and the operations carried out under these activities 'with respect to the purposes' from time to time pursued. The processed data will be indicated by category (eg, data on health, sexual life, racial, ethnic origin, etc.), Taking into account that the data types not identified in the Regulation can not be treated. In other words, using these must 'be clear regulations to citizens the connection between the purpose' of overriding public interest pursued by the authorities in relation to the tasks conferred by them and ways' in which they are actually used the information concerning them . In order to give effect to the system of guarantees outlined in the Code for sensitive and judicial data, and 'therefore necessary that the administrations following action such identification, where missing, by regulatory acts, by December 31, 2005, after obtaining the opinion of compliance 'of the Guarantor in accordance with art. 154, paragraph 1, letter g) of the Code (art. 3, Decree-Law 24 June 2004, n. 158, converted by Law 27 July 2004, n. 188, amending art. 181, paragraph 1, letter a) of the Code). The identification of the types of data and operations, and 'then updated and supplemented periodically, as indicated by art. 20 of the Code. To make more 'easy and rapid adoption of such acts, the Code states that the opinion of the Guarantor can also be formulated on the type scheme. In the event that the regulatory scheme set up by the government correspond to the models on which the Guarantor has made an assent, it will not be 'therefore necessary to subject them to the specific case by case examination by the Authority'. To this end, we urge the authorities to initiate any useful initiative to identify areas of activity ', common to most' administrations, for which its future can be drawn up jointly by type schemes to be submitted to the Guarantor, also through projects that this Department automatically boots' in collaboration with Formez. 4.6. Criteria applicable to the processing of sensitive and judicial data. Article. 22 indicates the criteria applicable to the processing of sensitive and judicial data. First, governments should pay particular attention to the prevention of possible harm to the person concerned, by conforming the treatment of this information in order to prevent violations of rights, freedoms 'fundamental and dignity' of the person concerned. In this context, it assumes particular importance to the principle of indispensability ', according to which can only be dealt with sensitive and judicial data essential to the performance of official duties that could not be otherwise fulfilled (through the use of anonymous data or personal data of a different nature). Similarly, the sensitive and judicial data indispensable, governments can only carry out treatment operations strictly necessary to achieve the purposes' permitted in individual cases. Compared to the previous legislation, and 'finally it confirmed the ban on disseminating the data to reveal the state of health. 4.7. data security. Particular attention and 'placed in the Code, in Section 31 and following, the issues of security of data and systems. The Code distinguishes in this regard the security measures to be taken: appropriate and preventive measures to reduce minimizing the risk of destruction or loss, even accidental, of the data, the risk of unauthorized access or treatment not allowed or not in accordance to the purposes' of the collection (art. 31); minimum measures set out in Articles 34 and 35 according to the procedures' application analytically specified in Annex B) of the Code and diversified depending on whether the treatment is carried out or not by electronic means, or by identifying, pursuant to art. 58, paragraph 3, in relation to processing for purposes' of defense or covered by state secrecy (art. 33). The distinction is relevant to sanction 'cause, while the failure to observe the' minimum 'measures constitutes a punishable conduct committed, pursuant to art. 169 of the Code, non-compliance with measures 'appropriate' makes the illegal processing and, in case it causes damage to the person, exposes the perpetrator to possible actions for damages by the injured party (art. 15 of the Code). In particular, the failure to adoption of minimum safety measures and 'punished with imprisonment up to two years or a fine of 10,000 euro to 50,000 euro. In this case and 'but' provided the "active repentance" mechanism applicable to those who comply promptly with the requirements given by the Guarantor after having satisfied the offense and carry a charge through the administrative of a sum equal to one quarter of the maximum fine , thus achieving 'the extinction of the crime. 4.8. Security Plan. Among the minimum security measures provided by the Code also includes the Security Policy Document (DPS), which is compulsory for those who make a treatment of sensitive and judicial data with the help of electronic instruments. This document shall contain, in particular, the analysis of the risks to personal data, the identification of measures to be taken to prevent their possible destruction, accidental loss or unauthorized access and organizing training in respect of the staff. The DPS should be adopted, by the department, office or individual to what 'empowered for such is for the administration and prepared (or updated for the authorities who were already' required to prepare or update the DPS according to the former discipline) to more 'later than 30 June 2005 (art. 6, decree-law of 9 November 2004, n. 266 amending art. 180 of the Code). Upon expiry of the transitional period related to the entry into force of the Code, as specified by the Guarantor in the opinion of 22 March 2004, and thus since 2006, the deadline for annually updating the DPS remain 'attached to the deadline of March 31 each year, as has the technical regulation no. 19 Annex B) of the Code. Authorities who, for objective technical reasons can not, in whole or in part, apply by June 30, 2005 the minimum measures introduced by the new regulations with reference to computers and programs used may be allowed a more 'broad term for 'adaptation (September 30, 2005, according to the provisions of art. 6 of the decree-law cited), as long as' prepare a document having certain date, which describes these technical obstacles and keep him at your facility. Waiting to adapt their technological equipment, the administration and 'but' required to take all possible security measures in relation to detainees electronic instruments, so as to avoid the risks, as indicated in art. 31 of the Code, of destruction, loss, even accidental, of data, unauthorized access or treatment not allowed or does not conform to the purposes' of the collection. 5. Access to data and access to documents. 5.1. Access to personal data. It 'worth recalling some important elements introduced by the Code in respect of access to personal data. How 'known, the Code recognizes to various rights in relation to the authorities who process personal data, including, in particular, the right to access data concerning him, to obtain the updating, rectification , integration, cancellation, transformation into anonymous form or blocking if used in violation of the law, to oppose the processing for legitimate reasons (art. 7). To exercise these rights you must submit a request to the administration process owner (or manager, where the administration has made use of this faculty) without any particular formality '(art. 9). The request, if it does not refer to a particular treatment or specific data or categories of personal data, must be regarded as referring to all the personal data concerning him in any case treated by the administration (art. 10) and can 'include information evaluative, except with regard to the correction or integration (art. 8, paragraph 4). The receiving administration of the request and 'held to provide feedback and analysis made to the person within 15 days of its receipt, or 30 days, by giving notice to the person, if the operations required for a full response are of particular complexity 'or uses another just cause (art. 146). The feedback can 'be provided orally, however, in the presence of a specific instance, the administration and' required to transpose the data on paper or magnetic media or electronically transmit them to the person (art. 10). We therefore urge the authorities to put in place appropriate mechanisms and procedures to implement fully the provisions of the Code in respect of access to data, in order to facilitate access by interested parties to the information about them, including through the use of ad hoc software aimed at a careful selection of data relating to individuals, and to simplify the arrangements' and reduce the time for replying to also interested in the field of office for relations with the public. 5.2. Data access and access to administrative documents. It should be stressed, finally, some elements that differentiate the right to access personal data and other rights introduced by the regulations on protection of personal data The right of access to administrative documents provided for in Articles 22 and following of the law n. 241/1990 and other legal provisions, as well as' relevant implementing regulations. It is, in fact, as recalled more 'times by the Guarantor, of two different and independent access rights that differ in terms of the subject and conditions of their exercise. The right of access to personal data and other rights enshrined in the Code concerning personal data (instead of 'acts and documents) and can be exercised by the people to which the data relate with no particular formalities' and limitations, except for certain rights that require a specific situation (for example, the adjustment may 'be required only in respect of inaccurate data and deletion only in respect of data used in violation of the law) and of the exclusion cases strictly specified by the Code (art. 8). In particular, the purpose of exercising the right of access to data, the person concerned is not 'required to explain the reasons for his request for access, which can' only relate to information related to their own person and can not 'be extended to data to third parties. The right of access to documents and ', however, only guaranteed in relation to documents of public administration and certain other persons by any person is the bearer of a personal interest and qualified for the protection of legally relevant situations, as well as' by administrations, associations and committees representing public interests or disseminated. For cio 'that concerns the modalities' of responses, in the case of exercise of the right of access to data, the administration and' obliged to extrapolate from its archives and documents all personal information concerning him, reported also in electronic format, and to communicate them to the latter in a suitable form to make them easily understood. Unlike access to documents, the administration and therefore not 'obliged to produce or deliver a copy to the person of acts or documents containing information relating to him or (possibly) also data from third parties, unless the' data extraction is particularly difficult and the information concerning the applicants and third parties are intertwined to such an extent as to be incomprehensible if displaced or deprived of some elements (art. 10, paragraphs 4 and 5). 5.3. judicial protection. As for the protection in court the right to access personal data and other rights under the Code, the new framework provides that 'any dispute concerning, however, the application of the provisions of the Code, including those relating to the provisions of Supervisor concerning the protection of personal data or their failure to take "compete to authority 'ordinary courts (art. 152). In relation to the protection in place legal right of access to administrative documents, the law n. 241/1990 ordered, however, art. 25, paragraph 5, which against administrative decisions concerning the right of access and in case of refusal, express or implied, or deferral of access and 'gave appeal within thirty days, the Regional Administrative Court. In this regard, and 'showed an address in the administrative case law, either generally also shared by the Court of Cassation (see Civil Cassation, sez. A., May 28, 1998, n. 5292), according to which one must recognize the existence an exclusive administrative jurisdiction with regard to the feedback of legitimacy 'of administrative acts which decide on the request for access, regardless of consistency in the legal position relied on and what' even in cases where the administration, in pursuing their interests have acted as a private entity (see State Council, sect. IV, 3 August 1995, n. 589). 6. Issues of interest in the field of personnel management. How 'known since' the public administration is characterized by being a productive organization based on work, human resources management, including the activities 'carried out by it, plays a crucial role it intersects with the parental authority' organizational attributed to administrations . In this context, it should pay special attention to the principles established by the Code. The profiles for the protection of privacy are well known to the public administrations and in particular to the offices which is responsible for personnel management. The latter hold and acquire a high number of employee information administration. From what 'comes the need' to a preliminary survey of its activities' in the light of the rules that must be constantly updated. In this regard, it is worth remembering some of the problems that emerged in recent years and highlighted on several occasions by the Guarantor. Since the Governments collect, more and more 'often through computer technology, a large number of data, both with regard to the institutional tasks, both in relation to management of employees (for all phases related to the employment relationship, from 'access to extinction), it must be recalled, first, that the configuration and management of these databases must be done while respecting the principle of necessity' enshrined in Article. 3 of the Code (v. More 'widely above the section on "Principles and obligations"). In general, in Title VIII of Part II of the Code, entitled 'Employment and social security', Article. 112, consider overriding public interest a number of sensitive and judicial data processing related to workers and aimed at the establishment and management by public entities of labor relations of any kind employed or self-employed or even honorary or time partial or temporary and other forms of employment that do not involve the establishment of an employment relationship. Among these treatments are included, in particular, those made in order to ascertain the possession of particular requirements for access to specific uses, or that the conditions for the suspension or cessation of employment or service (art. 112 , paragraph 2, letter c), to meet their obligations related to the definition of the legal and economic status of the personnel, nonche 'to the relative wage obligations, tax and accounting (d), to fulfill specific obligations or duties provided for hygiene and safety (e), to carry out activities 'seeking to establish the liability' civilian, employee discipline and accounting (g). In particular, regarding the publication of lists of staff selection procedures, stressing the need 'to ensure that the information contained in the lists do not result in the disclosure of data to reveal the state of health and to use rather generic endorsements or numerical codes, so you do not fall under the prohibition to disseminate health-related information contained in Article. 22, paragraph 8, of the Code. Similar precautions should be taken in drawing up the lists on the allocation, liquidation, modification and revocation of economic benefits, concessions, donations, fees or other qualifications. The inclusion in such acts, intended for publication of information regarding the state of health of members (eg about the status of disability 'of a member of the household of one of the beneficiaries) contrasts, in fact, with the rules on protection of personal data that prohibits public entities, authorized to grant specific benefits related to disability' civil, to spread data on the state of health of beneficiaries (art. 68 of the Code). The adoption of these measures, however, should not prejudice the possibility 'for people to what' legitimate access to any other information relating to the members on the list, even sensitive, in compliance 'with laws and regulations relating to access to administrative documentation. Another aspect that, in addition to particularly engage the government, has aroused some jurisprudential speeches, it deals with requests for access to examination papers. On this point, see, more 'in general, the next part where you call the current guidelines jurisprudential right of access to documents held by public authorities. In terms of handling personal data of employees are the most important aspects. With regard to the data contained in the personal files, the Ombudsman was able on occasion to emphasize that medical certifications made to justify sick leave must contain only the prognosis and not a diagnosis on the pathology suffered by the worker. The administration, which is not 'entitled to treat these data must therefore endeavor to obscure the diagnosis port present on medical certificates already' detainees and adopt suitable measures even towards workers and doctors so that 'are only certified products which indicate the existence and the duration of the state of inability 'of the worker, with no indication diagnostics. In addition, Article. 113 of the Code refers to the provisions of art. 8 of 20 May 1970, n. 300, which states that 'and' forbidden to the employer, for purposes of employment, such as during the course of employment, to conduct investigations, even through third parties, political opinions, religious or trade union of worker as well as 'of no facts relevant to the employees' professional qualifications assessment. " Another theme of great actuality 'and' what the surveillance of electronic communications and Internet use in the workplace with respect to which refers to the working document of the authorities' European data protection gathered in the Group of European Guarantors, established Article. 29 of Directive n. 95/46 / EC, adopted on 29 May 2002 (1) as well as' the jurisprudence of the European Court of Human Rights relating to Article. 8 of the European Convention on Human Rights. Relating to the control of the workers, it should be recalled the ban on remote control of the attivita 'labor and other guarantees provided labor art. 4 of Law n. 300/1970 called the Code. These guarantees must be respected, in particular, in the case of installation in the premises of the administration of video surveillance equipment for security reasons or for organizational and production process requirements, keeping in mind the obligation to inform, even with synthetic formulas, employees and visitors who are going to access or located in an area under video surveillance and the possible registration (art. 13 of the Code). On the specific issue is reminiscent of the guidelines formulated by the Group of European Guarantors, in the opinion of 11 February 2004, n. 4, the processing of personal data through video surveillance (2), and the decision of 29 April 2004 of the Guarantor with which the conditions of lawfulness' of the installation of video surveillance systems have been shown. In particular, the Authority 'reiterated that public bodies can enable video surveillance systems only insofar as they are instrumental in the execution of their official duties and has argued that the installation and' lawful only if and 'proportionate to the objectives to be pursued ( art. 11, paragraph 1, letter d) of the Code), the other being really inadequate and unworkable measures (for example, alarm systems or security measures at the entrances). It should be altresi 'assess whether it is really necessary to collect detailed images, thereby indicating the location and type of equipment to be installed (fixed or mobile), and strictly limit the creation of databases when, for the purpose' pursued, and 'sufficient to install a single closed loop system of vision of the images without recording (for example, for controlling the flow to a door). In keeping with the principle of necessity 'enshrined in the Code (art. 3), through such systems and' then people can resume only if identifiable, to achieve its aims, they can not be used anonymous data. The citizens transiting in the supervised areas also need to be informed of data collection (art. 13 of the Code). In this regard, it is recalled that the measure cited the Guarantor has made available a simplified model of information, which must be clearly visible and indicate who makes the detection of the images and for what purposes. Finally, based on Art. 111 of the Code, and 'intended to be taken through a process that will involve' the categories concerned, a code of ethics and good conduct relating to the processing of personal data relating to the employment relationship management. The provisions of the code of ethics once published in the Official Gazette by the Guarantor, upon verification of their compliance 'with laws and regulations, will acquire binding legal force, since' their respect will constitute '' an essential condition for the lawfulness' and correctness of the processing of personal data "also carried out by public entities under the management of employment (art. 12 of the Code). 7. The access to administrative documents and the protection of confidentiality: The reconciliation of interests and legal guidelines. As known to the related underlying problem applicability 'of the legislation on the protection of confidentiality to the public administrations and' based on the possible conflict between the principle of transparency in administrative action, and then the advertising 'and to disclose' the acts of the public authorities, enshrined in law n. 241/1990, and the principle of legal privilege. Both principles are derived from the Constitution being respectively impartiality expression 'and the good performance and the protection of the inviolable rights of the person. These principles take on a great significance for the government, since 'the rules that have given concrete implementation have permeated deeply and incisively directed the attivita' administrative. In the system of law no. 241/1990 the protection of confidentiality is a limit to the access rights (see Art. 24, paragraph 2, letter d), as an exception to the rule of accessibility 'to the administrative acts. This intention and 'was later confirmed by the decree of the President of the Republic June 27, 1992, n. 352, bearing the Regulation on the regulation of mode 'operating and cases of exclusion of the right of access to administrative documents, which stipulates that the person concerned may have vision of documents relating to the administrative procedure when this' is needed to treat and defend their legal interests. In subsequent years, the debate and 'unraveled around the theme of comparison of opposing values, articulated mainly on the contrast between protection of the right to privacy on the one hand and protection of the right of access to documents for the defense of a legal interest. The possibility 'that deregulation regulations, to which the law n. 241/1990 had delegated the discipline of objective limits to the exercise of the right of access, would provide elements effectively subtle problem, and not 'checked, because' these were limited, essentially, to indicate the access stolen documents. The government, therefore, for a long time found themselves in the situation of having to assess each case what was the prevailing need, in fact performing a function of the interest composition. Some landmarks have been developed, especially in the case law of the State Council, who has always believed that it should always help the legislative framework (see for instance the State Council, sect. V, 5 May 1999, n. 518) . The Plenary Gathering of the State Council, by Decision No. 5 of February 4, 1997, in line with the spirit of the law on open government, said that the legislation grants preference to the principle of publicity 'than that of protection of privacy, allowing access even in respect of documents containing confidential data, provided that the instance ostensive It is supported by the need 'to protect its legal interests and the modal limit of one vision, not being feasible the mode' more 'penetrating and potentially harmful for the extraction of copies. With reference, however, to access to administrative documents containing sensitive data, Legislative Decree of 11 May 1999, n. 135, integrating the rules on the processing of these data by public entities (art. 16), he had already 'filled the legal vacuum determined by the absence of an express legislative provision on access to documents containing sensitive information. Compared to the previous legislation, the Code confirms the compatibility 'of the provisions on access to administrative documents with those on the protection of personal data, stating that the conditions, the mode', the limits for the exercise of the right of access to administrative documents containing personal data and its judicial protection, remain governed by the law n. 241/1990 and other legal provisions, as well as 'relevant implementing regulations, also for cio' that concerns the types of sensitive and judicial data and the processing operations executed in pursuance of a request for access (Art. 59 ). The new framework also reproduces the prediction already 'contained in art. 16 of Legislative Decree n. 135/1999, with regard to sensitive data treatment by public entities, considering the activities' aimed to the application of rules on access to administrative documents of public interest. For cio 'that concerns the limits to the right to access, in the event that the administrative documents which the request for access related data contain health and sex life, the Code, solving some interpretative doubts arose on the basis of Article. 16 of Legislative Decree n. 135/1999 and in line with the interpretative approach adopted in this regard by administrative law (CdS, sect. VI, no. 1882/2001), provides that the processing of sensitive data intended to allow access and 'allowed only if the legal position which it aims to protect the access request and '' to rank at least equal to the rights', or consists in a right of personality 'or another right or freedom' fundamental, inviolable (art. 60). In this regard, the State Council held that this assessment has to be done in concrete terms "to avoid the risk of pre-built solutions that rest on an abstract hierarchy of rights in dispute" (CdS Sec. VI, 30 March 2001, n. 1882 and May 9, 2002, n. 2542; see. also CdS Sec. V, 31 December 2003, n. 9276). (3) By the decision of 9 July 2003, the Ombudsman addressed the issue, referring in particular to requests for access to medical records, but also providing information useful for other types of documents held in the public sector, whose ostensibilita 'to people different by the person still requires an assessment of the status of the various rights involved by the receiving authority of the access request. In this measure, the Authority 'stated in particular that it is necessary to have this, as a comparative element for the balancing of the interests, not already' the right to judicial protection, as well, and that 'constitutionally guaranteed, but rather' the subjective right below which it wishes to claim on the basis of documentary material which would have knowledge. The communication of data that fall within the privacy of the person concerned may 'be regarded as justified and legitimate only if the applicant's right is part of the personality' oe 'rights category between other fundamental and inviolable rights. For this' concerns access to examination papers, it is recalled that the administrative case law favors for favorable access thesis. Cio 'in consideration of the fact that, being the elaborate bankruptcy, by their nature designed to an evaluation and a comparison, the confidentiality of this may not' evidence be considered predominant with respect to the need for defense of legal interests. Therefore, the right to access can 'be done also apply before there is a real injury, and goes to the right to have copies of the documents and securities of the other candidates (see the State Council, sect. IV, 13 January 1995 , n. 5, the State Council, sect. VI, 13 September 1996, n. 1221). More 'recently Administrative Court has affirmed a principle of greater caution, that 'what the relevance, under which access to the acts of a bankruptcy proceeding should be allowed, subject to securing anonymity of the other competitors, in relation to the same tests incurred by the applicant (see TAR Toscana, sect. I, 9 March 1999, n. 146). The government will initiate all direct information and training initiatives to increase awareness of the Code and of this Directive in order to promote, in particular, the implementation of regulations concerning the processing of personal data, sensitive and judicial. The Ministries will provide to urge the government to be vigilant because they 'establish, within the terms provided, the regulatory acts referred to in Articles 20, paragraph 2, and 21, paragraph 2, of the Code. This Directive and 'sent to the Inspectorate for Public Service to which and' delegated Ordinamento the activities 'monitoring and verification of the implementation and proper application of the administrative reforms, with particular reference to the most' significant innovations in the field of relations between citizens and public administrations, as provided by the decree on the internal organization of the Department of public Service to be published. Rome, February 11, 2005 The Minister of Public Administration: Baccini Recorded at the Court of Auditors 4 April 2005 Institutional Ministries, Prime Ministers, log n. 4, page no. 224 (1) Available at the: http://www.europa.eu.int/comm/internal market / privacy / workingroup / wp 2002 / wpdocs02 en.htm (2) commonly available at: http: // www .europa.eu.int / comm / internal market / privacy / workingroup / wp 2004 / wpdocs04 en.htm (3) On this line of interpretation and 'move the subsequent case law (see. eg. TAR Lazio, sez. Latin, November 15, 2002, n. 1179; TAR Abruzzo, sect. Pescara, 14 June 2002, n. 533; TAR Lazio, March 8, 2004, n. 4874; Liguria Regional Administrative Court, February 26, 2004, n. 414).