Appunti Word - Teoria (english)
ITALY PRIVACY CODE

- Law related to the protection of personal data (also commonly known as the Privacy Code), a provision of the Italian Republic, enacted with Legislative Decree 30 June 2003, n. 196
From that date, if someone wants to collect, use or treat our data, he needs our explicit consent
- The first articles recognized the absolute right of each individual over his own data, stating that "Everyone has the right to protection of personal data concerning him."
- The purpose of the legislation was to prevent the processing of data from being done without the consent of the person entitled
- For this purpose, Title II, Articles 8 to 10, defined the rights of those concerned, the collection arrangements and data requirements, the obligations of those who collect, hold and process personal data, and the liability and sanctions in case of damage

Current Privacy Regulations: GENERAL DATA PROTECTION REGULATION (GDPR)

- Regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union
It's more than a law: it regulates everything related to personal data protection
- Enforced at European level since 25 May 2018 -> two years were given to companies and hospitals to comply

FROM PRIVACY TO DATA PROTECTION 06/10

With the GDPR, it is necessary to switch the approach from the classical privacy one (in which everything is concerned with the human right, but it doesn't deal with the technology too much) to data protection

PRIVACY:
- It concerns rights and respecting rights; thus it implies the use of technologies, networks, equipment, software, but all of these are left to the company itself
When you deal with the privacy code, your company/hospital has to prepare a lot of official documents and procedures to show, demonstrate and guarantee that the fundamental right of subjects to their privacy is respected; the laws don't care too much about technology (it's somehow left up to the company itself)
It's a big step with respect to the previous situation, in which no law existed, but it's partial with respect to the technological provisions
- It needs legal requirements, but there aren't any technological implications for authentication, providers, encryption... -> it is a partial technology provision
DATA PROTECTION: integrity + confidentiality + availability

- With GDPR the companies/institutions have privacy obligations (first order of law maintained) but also have to protect personal data (specific requirement) -> law standpoint + technological standpoint
- It needs technological requirements (the engineering role became more important and determinant -> DPO: data protection officer, a professional working in between law and engineering backgrounds, legal and technical parts)
- It is impossible to specify the technological part (that I shall adopt to guarantee the protection) inside the law, which is written at a precise date (2018), because it's impossible to track the technological advances inside the laws, which could be updated week by week; moreover we are in a free economy, so any hospital/company can adopt any solution they want
- The pillars on which GDPR information security relies are Confidentiality-Integrity-Availability (CIA), like standard investigation objectives:
1. Confidentiality means that only authorized people can access the data, so it also means authentication (= people are recognized -> correct access rights -> GDPR: data accessed only by authorized users)
2. Integrity means that data cannot change or, if they are changed, any change has to be registered/tracked and only authorized people can do it
3. Availability means that the data are available at any moment when I need them, so they are present in our system
- Data protection is less specific than cybersecurity but includes some aspects of it
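As an added illustration (not code from the notes or the course), the following toy patient-record store enforces two of the three pillars exactly as defined above: access is granted only to a recognized user holding the right (confidentiality), and every change is registered in a SHA-256 hash-chained log so that a later alteration of the history is detected (integrity). Users, rights, patient ids and values are constructed sample data.

```python
# Constructed illustration (not the notes' code): a toy patient-record store enforcing
# confidentiality (rights checked on every access) and integrity (hash-chained change log).
import hashlib
import json

GENESIS = "0" * 64  # chain head before the first log entry (constructed value)

def _entry_hash(entry, prev_hash):
    # Hash the canonical JSON of the entry together with the previous entry's hash.
    return hashlib.sha256((json.dumps(entry, sort_keys=True) + prev_hash).encode()).hexdigest()

class PatientRecordStore:
    def __init__(self, acl):
        self.acl = acl        # user -> set of rights, e.g. {"read", "write"} (constructed)
        self.records = {}     # patient_id -> {field: value}
        self.log = []         # append-only list of (entry, hash)
    def _authorize(self, user, right):
        # Confidentiality: recognized user -> correct access rights -> access, else refused.
        if right not in self.acl.get(user, set()):
            raise PermissionError(f"{user!r} lacks {right!r} right")
    def read(self, user, patient_id):
        self._authorize(user, "read")
        return dict(self.records.get(patient_id, {}))
    def write(self, user, patient_id, field, value):
        self._authorize(user, "write")
        self.records.setdefault(patient_id, {})[field] = value
        # Integrity: register who changed what, chained to the previous entry's hash.
        entry = {"user": user, "patient": patient_id, "field": field, "value": value}
        prev = self.log[-1][1] if self.log else GENESIS
        self.log.append((entry, _entry_hash(entry, prev)))
    def verify_log(self):
        prev = GENESIS  # recompute the whole chain; False if any entry was altered or removed
        for entry, stored in self.log:
            if _entry_hash(entry, prev) != stored:
                return False
            prev = stored
        return True

def demo():
    store = PatientRecordStore({"dr_rossi": {"read", "write"}, "clerk": {"read"}})  # constructed users
    store.write("dr_rossi", "P001", "diagnosis", "hypertension")
    try:
        store.write("clerk", "P001", "diagnosis", "none")  # clerk holds no write right
        clerk_blocked = False
    except PermissionError:
        clerk_blocked = True
    intact_before = store.verify_log()
    store.log[0][0]["value"] = "healthy"  # history edited behind the store's back
    return {"clerk_blocked": clerk_blocked, "intact_before": intact_before,
            "intact_after_tamper": store.verify_log(), "clerk_view": store.read("clerk", "P001")}
```

A hash chain only detects tampering if the latest hash is kept where whoever can edit the log cannot reach it (or is signed); availability, the third pillar, is not modelled here.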

GDPR ACTORS:

1) DATA SUBJECT (individuals):

- A "data subject" is a natural person, a living human being -> GDPR does not apply if there aren't subjects; instead, if there are data subjects it means that we have individuals (ex. account in University, Hospital, e-mail, social media, gym) that can provide some data depending on the activity (-> personal or sensitive data)
- Personal data: Any information related to a natural person or 'Data Subject' that can be used to directly or indirectly identify the person
It can take several forms: a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address
Personal data include sensitive data
- Sensitive data: Information including (possibility of discrimination on the basis of them) the racial or ethnic origin of the data subject, his political opinions, his religious beliefs or other beliefs of a similar nature, whether he is a member of a trade union, his physical or mental health or condition (including genetic and biometric data), his sex life and sexual orientation, the commission or alleged commission by him of any offence, or any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings
How can hospitals provide services, if it is not possible to collect mental health status? There are some exceptions, so it is necessary to accept the consent explicitly
- The data subject's data are provided to someone representative of the company (ex. rector in the University, owner of the gym, the legal representative of the hospital), i.e. the data controller

2) DATA CONTROLLER (organizations):

- The Data Controller defines what personal data the company needs, for what purposes and for providing which services -> it is the official representative of the company/organization (ex. University director)
One person legally responsible (but the role can also be shared), who represents the organization, has some duties towards you and you have some rights towards the data controller; these duties (to notify you/the supervisory authority in case of data breach, to minimize your data, i.e. store/treat/collect only the minimum amount of data which is necessary for the purposes of the organization) and rights (to change, to portability, to access) are defined by GDPR: this is the two-way link between the data subject and the data controller
But the data controller in turn has a two-way link with the supervisory authority
- The company then requests that data from people (employees, customers, public etc.)
- The Data Controller is responsible for compliance with the regulation
It can involve other organizations in carrying out its role of responsibility
- Under the new law, the controller must be able to demonstrate compliance with the technical phase (the state of the art behind the legal part) at any given time following a request from the SA or the Data Subject

3) SUPERVISORY AUTHORITY:

- An independent public authority which is established by each Member State to enforce legislation locally
It is a national authority (in Italy 'Garante per la protezione dei dati personali'), which is the highest authority on the topic of data protection
- It makes sure that the regulation is executed in each state
- It is responsible for imposing and managing administrative fines to controllers and processors (monetary part of GDPR)
- It must coordinate with other Supervisory Authorities when there are multiple actors in more than one member state in any dispute or action
The authority has the ability to give sanctions in case there are clear non-compliance issues or misbehaviors by data controllers, so it enforces the rules and the laws towards the data controllers, and the data controllers must demonstrate to the supervisory authority that they are acting the right way
In case the attack produced a data breach, meaning that personal data were affected, then the data controller has to notify the supervisory authority giving all the details of it; this is compulsory according to the GDPR and it must happen within 72 hours from the discovery of the data breach (done by the hospital, so it needs an intrusion detection system in order to have the capacity to discover cyberattacks/data breaches)
A cyberattack may or may not imply a data breach, because this is linked to whether the data of the patients (ex. because the attack affected the electronic health records) were affected or not; for this reason in the hospital the role of forensics is important: engineers who are able to enter the systems after an attack and understand if the attack affected personal data
It is important to underline that zero probability of a sudden attack is unfeasible (attacks are not completely avoidable) and the supervisory authority is not making you liable for that: ex. if a hospital has never suffered from an attack and this is the first one it is communicating, still it needs to show to the supervisory authority its personal responsibilities, that it was taking all the state-of-the-art measures for data collection; so the authority will enforce on you the obligation to show that all you had before/during/after the attack is the best you could do, for the international community, according to the state-of-the-art protecting measures, equipment, software, hardware
Ex. HOSPITAL: patient -> data subject; hospital -> data controller; 'Garante per la protezione dei dati personali' -> supervisory authority
The state of the art is very very rare (municipalities are much less protected than hospitals)

4) DATA PROCESSOR (organizations):

Big issue in the hospital: there are a lot of providers, for example camera machines, patient registry software, technological provisions (sold by someone else); so the hospital has a lot of interactions with other companies, hospitals and institutions (external laboratory that examines the blood samples) and it needs to send and receive data from others
There must be exchange of data between two hospitals, between one hospital and one company, between two companies: these third parties are considered as data processors
- A natural or legal person, public authority, agency or organization or other body which processes and treats personal data on behalf of the data controller (delegate)
- The processors do not determine the purpose and/or means of the processing, but they just process the data as requested by the controller (institution responsible)
The data controller can sign an agreement with one or more data processors, who become responsible for that part of data protection, so all data that are transferred to the data processor come under the responsibility of the data processor (until they are collected and processed by it)
If a cyberattack or a data breach happens while the data processor is processing data, the responsibility is on the data processor
Actually the responsibility is still first on the data controller, because if I am a patient of a hospital, I gave my consent to the data controller

Details
Publisher
Academic year 2023-2024
72 pages
SSD (disciplinary field): Industrial and information engineering ING-IND/34 Industrial bioengineering

The contents of this page are personal reworkings by the publisher Maris29 of information learned by attending the lectures of Biomedical Data Protection and through independent study of any reference books, in preparation for the final exam or the thesis. They are not to be taken as official material of the university Università Politecnica delle Marche - Ancona or of prof. Baldi Marco.