Security measures to prevent access to the PA’s internal networks, prohibition of unnecessary tracking of users, timely preservation of data, greater transparency. These are some of the important guarantees requested by the Personal Data Protection Authority in its opinion to AGID on the public wifi directive.
The Italia Digital Agency will have to integrate the scheme to do so in accordance with the provisions of the European Union Regulation and the Privacy Code.
The privacy directives provide information to PAs that offer citizens wireless internet connection through offices and other public places, in particular in the school, health and tourist sectors, also making available to citizens the unused portion of the band from offices.
The offer of this service implies the processing, by the administrations, of data that users benefit from, characterised by different risk profiles.
For this reason, the Authority has considered that the directives must be integrated to call on public administrations to guarantee the correct application of the Regulation by adopting technical and organisational measures appropriate to the risk and by configuring the service in such a way as to ensure the protection of the data processed up to the pre-defined design and configuration.
The scheme submitted to the Data Protection Authority recommends, in particular, that PAs identify users, in order to be able to locate possible malicious behaviour. On this point, the Authority has specified that administrations are not authorised to store telematic traffic data and has asked AGID to incorporate the directives by indicating to the administrations ways of complying with the Regulation in order to identify those responsible for unlawful behaviour (for example, by using only data on the connection and disconnection of users).
The Authority has asked to provide information to the administrations on the types of data to be collected and on the retention times, in compliance with the principle of minimisation. Any processing of data for the purpose of location or travel tracking (by means of Wi-Fi location tracking techniques) must be prohibited, allowing only the use of data that is indispensable for access to the service or for individual illicit purposes.
It is also possible for the free public Wi-Fi service to be offered to tourists, through hotels. In this regard, the Authority has requested that the scheme be integrated by specifying that the tourist must be able to decide independently whether to join the free Wi-Fi service in the interoperability or use only the hotel’s connectivity. Any interoperability should not automatically provide for the communication of hotel guest data to administrations.
Finally, the Guidelines should reiterate to PAs the need to adopt appropriate security measures, including for the management of personal data breaches (Articles 32, 33 and 34 of the Regulation), as well as suggest specific precautions in case the free Wi-Fi service is also used by employees of the public administration providing it.
SOURCE: FEDERPRIVACY