Tax codes, e-mails and mobile numbers of innovation managers, gathered in an unprotected online register in the clear. And without the people concerned knowing
The Ministry of Economic Development (Mise) has recently published the list of innovation managers that Italian companies can contact for their digital innovation path, and whose advice can be paid for with a voucher. On the dedicated site, a company can search for the profile it needs (expert in cyber security, big data, robotics, etc.) in the area closest to its location.
An excellent initiative, were it not for the fact that the data of almost 9,000 professionals are all in the clear, with no need to log in to an ad hoc platform. You can see name, surname, tax code, e-mail, curriculum vitae and, until the afternoon of Thursday 7 November, even the mobile phone number.
This caught by surprise the managers who had applied to be admitted to the Mise list. Several of them shared the unpleasant surprise on social networks, while others contacted us directly to report the incident.
Transparency and privacy: not an either/or choice
Even if the reason is a law on the transparency of public administration, this must always be balanced against other fundamental rights such as the protection of personal data. "This case shows how much irresponsibility there is in the public administration in technical terms, and how it lacks the awareness that by taking or not taking an action one or more laws may be violated. That a PA has no such awareness is also an ethical problem. I realize that it is not easy to understand where to set the bar between administrative transparency and the protection of personal data, but the GDPR mentions three principles that should not be forgotten: proportionality, purpose and data minimization," said Rocco Panetta, owner of the law firm Panetta & Associati and Italy representative of the IAPP, the largest worldwide association of privacy professionals.
Ernesto Belisario of eLex, a lawyer who has been working on privacy and digital administration for years, says the same: "The PAs want to be transparent, but we must affirm the principle that privacy is not a limit but a way of being transparent. We are happy when the PAs publish data, but they must be careful not to expose people to unpleasant consequences. The tax code can be published only in certain cases, as it can be used not only for phishing e-mails but also for impersonation offences."
As the data is shown today, the entire database can easily be downloaded in a few simple steps. In less than a minute it is possible to obtain the mobile numbers, e-mails, tax codes and CVs of nine thousand people. If you then consider that, by a twenty-year-old habit, people still put their full home address on their CV, you will understand what risk we are talking about. This is highly attractive data for any attacker, served on a silver platter.
What could be done
If the service is aimed at putting companies in contact with professionals, the Mise should act as a brokerage platform that protects the data of both parties. Personal data should be accessible only after logging in. That is not the case.
Clearly the name and surname could be shown, but not the tax code, which reveals date and place of birth and is used for sensitive operations such as banking. The principles of the GDPR indicate that when the same result can be achieved by revealing less personal data, that is the way to go. And that way must be followed in keeping with privacy by design, which aims to limit the damage in the event of a data breach. Put simply, you do not show everyone all the data of everyone involved.
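To make the two points above concrete (personal data only after login, and fewer fields rather than more), here is an added example of how a register like this could be served with data minimization built in. It is not the Mise's code, and every record, name, e-mail address and tax code in it is constructed. The public directory returns only name, surname, region and skills; a logged-in company additionally gets an e-mail address; the tax code, mobile number and raw CV text are in no view at all, and contact with a professional is brokered through the platform. The last two functions are a pre-publication check that scans what an endpoint would actually emit for tax-code, phone and e-mail patterns, which is the kind of test a PA could run before putting a register online.

```python
"""Data-minimization pattern for a public professionals register (added example)."""
import json
import re
from dataclasses import dataclass, asdict
from typing import Optional

# Constructed sample records: the tax codes are syntactically valid but invented.
@dataclass(frozen=True)
class ManagerRecord:
    manager_id: int
    name: str
    surname: str
    tax_code: str      # codice fiscale: encodes date and place of birth
    email: str
    mobile: str
    region: str
    skills: tuple
    cv_text: str

REGISTER = (
    ManagerRecord(1, "Maria", "Rossi", "RSSMRA80A41H501Z", "maria.rossi@example.invalid",
                  "+39 333 0000001", "Lazio", ("cyber security", "cloud"),
                  "Resident in Via Esempio 1, 00100 Roma. 15 years in security operations."),
    ManagerRecord(2, "Luca", "Bianchi", "BNCLCU75C12F205X", "luca.bianchi@example.invalid",
                  "+39 333 0000002", "Lombardia", ("big data", "robotics"),
                  "Data engineer, Milano."),
)

@dataclass
class Session:
    """Hypothetical caller context: anonymous visitor or logged-in company."""
    authenticated: bool = False
    company_id: Optional[str] = None

# Field lists per audience. Tax code, mobile and CV text appear in neither:
# contact happens through the platform, not by publishing contact details.
PUBLIC_VIEW = ("manager_id", "name", "surname", "region", "skills")
COMPANY_VIEW = PUBLIC_VIEW + ("email",)

def directory_view(rec: ManagerRecord, session: Session) -> dict:
    """Project a record onto the fields the caller is entitled to see."""
    fields = COMPANY_VIEW if session.authenticated else PUBLIC_VIEW
    return {f: getattr(rec, f) for f in fields}

def search(skill: str, region: str, session: Session) -> list:
    """Directory search: the same query yields less data to an anonymous caller."""
    return [directory_view(r, session) for r in REGISTER
            if skill in r.skills and r.region == region]

def request_contact(session: Session, manager_id: int) -> Optional[dict]:
    """Brokered contact: the platform forwards the request to the professional;
    the company never receives the mobile number or tax code. None when not logged in."""
    if not session.authenticated or session.company_id is None:
        return None
    rec = next((r for r in REGISTER if r.manager_id == manager_id), None)
    if rec is None:
        return None
    return {"manager_id": manager_id, "from_company": session.company_id, "channel": "platform"}

# Pre-publication check: look at the serialised response, not at the schema,
# so identifiers hidden in free text (e.g. a CV) are caught too.
TAX_CODE_RE = re.compile(r"\b[A-Z]{6}\d{2}[A-Z]\d{2}[A-Z]\d{3}[A-Z]\b")
PHONE_RE = re.compile(r"\+?\d[\d ]{8,}\d")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+")

def find_leaks(payload) -> set:
    """Return the classes of personal identifier present in a response body."""
    text = json.dumps(payload, ensure_ascii=False)
    found = set()
    if TAX_CODE_RE.search(text):
        found.add("tax_code")
    if PHONE_RE.search(text):
        found.add("phone")
    if EMAIL_RE.search(text):
        found.add("email")
    return found

def full_dump_leaks() -> set:
    """What the check reports for raw records published as-is, as the article describes."""
    return find_leaks([asdict(r) for r in REGISTER])

if __name__ == "__main__":
    print("anonymous search:", search("cyber security", "Lazio", Session()))
    print("leaks in anonymous search:", find_leaks(search("cyber security", "Lazio", Session())))
    print("leaks in raw dump:", full_dump_leaks())
```

The check deliberately runs on the JSON the endpoint would return rather than on a list of column names: a register that drops the tax-code column but publishes CVs containing home addresses and phone numbers has not minimized anything, and only inspecting the real output shows that.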
The Guarantor turns its spotlight on the case
Wired asked the office of the Privacy Guarantor whether it was aware of the matter. The authority let it be known that, following this report, it has set to work to look into what happened.
Disclaimer: Wired's editorial staff reflected on how to report the news, weighing the duty to inform against that of protecting the managers whose data are exposed. The magazine chose the line of full transparency of information, with the aim of alerting the many professionals involved.