The Mise put the data of 9,000 innovation managers online


Tax codes, e-mails and mobile numbers of innovation managers, the digital innovation experts, collected in the clear in an unprotected online register. And without the people concerned knowing.

The Ministry of Economic Development (Mise) recently published the list of innovation managers that Italian companies can contact for their digital innovation path and whose consulting can be paid for with a voucher. On the dedicated site, a company can search for the profile it needs (expert in cyber security, big data, robotics etc.) in the area closest to its location.

An excellent initiative, were it not for the fact that the data of almost 9,000 professionals are all in the clear, with no need to log in to a dedicated platform. You can see first name, surname, tax code, e-mail, curriculum vitae and, until the afternoon of Thursday 7 November, even the mobile phone number.

This caught by surprise the managers who had applied to be admitted to the Mise list. Several of them shared the unpleasant surprise on social networks, while others contacted us directly to report the incident.

However obvious the oddity of this data being accessible to anyone may be, Wired tried to find out whether the managers themselves had been informed by the Mise at the time of application. Unfortunately many of them, predictably, hastily clicked consent to the privacy policy and therefore did not know whether such a notice existed.

The link through which aspiring managers applied no longer pointed to the same form, so it was not possible to read the original privacy notice which, as required by regulation, should state the legal basis and the purpose of the processing for the requested data.

According to the Gdpr, the general European data protection regulation, the data controller must state in the privacy notice what the legal basis for that processing is. If it were, as is possible, the transparency law, that law should be cited. The same applies to the purposes, which should explain how the data will be used. Were the innovators clearly warned, and not only in the privacy policy, that the data would be made visible to anyone? As far as Wired could see, nothing is said about this in the application instruction manual.

Asked about this, the Mise replied that the legal basis for the processing is a managerial decree of 29 July 2019, which specifies what was anticipated in the ministerial decree of 7 May 2019, i.e. the one on innovation vouchers. Everything, according to the Mise, would be confirmed by the privacy policy that the managers accepted, which, at the time of writing, had not been provided to us. However, this does not change the situation much: if the privacy notice told us to hand over our firstborn to Satan, having accepted it would not be legally binding.

Transparency and privacy: not a fork in the road

If the reason was a law on the transparency of public administration, this must always be balanced against other fundamental rights such as the protection of personal data. "This case shows how there is in the public administration a high level of irresponsibility in technical terms and a lack of awareness that, in taking or not taking an action, one or more laws may be violated. That a PA has no such awareness is also an ethical problem. I realize that it is not easy to understand where to put the bar between administrative transparency and protection of personal data, but the Gdpr mentions three principles that should not be forgotten: proportionality, purpose and data minimization," said Rocco Panetta, head of the law firm Panetta & Associati and Italy lead of Iapp, the largest worldwide association of privacy professionals.

Ernesto Belisario of eLex, a lawyer who has been dealing with privacy and digital administration for years, is of the same view: "The PAs want to be transparent, but we must affirm the principle that privacy is not a limit but a way of being transparent. We are happy when the PAs publish data, but we must be careful not to expose people to unpleasant consequences. The tax code can only be published in certain cases, as it can be used not only for phishing e-mails but also for crimes of impersonation."

As the data is currently displayed, the entire database can easily be downloaded in a few simple steps. In less than a minute it is possible to have the mobile numbers, e-mails, tax codes and resumes of nine thousand people. If you then consider that, by a twenty-year-old habit, people still put their full home address on their resume, you will understand what risk we are talking about. This is very attractive data for any attacker, served on a silver platter.

What could be done

If the service is meant to put companies in contact with professionals, the Mise should act as a brokerage platform that protects the data of both parties. Personal data should only be accessible after logging in. That is not the case.

Name and surname could certainly be shown, but not the tax code, which encodes date and place of birth and is used for sensitive operations such as banking. The principles of the Gdpr indicate that when the same result can be achieved by revealing less personal data, that is the way forward. And that path must be followed in keeping with privacy by design, which aims to limit the damage in the event of a data breach. Put simply: do not show all the data of everyone concerned to anyone.
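The two principles just described, minimization (only the fields a purpose needs) and a login gate in front of contact details, can be made concrete in code. The following Python sketch is an added example written for this article; it is not the Mise's software and the record schema, the `Session` object and the sample people are hypothetical, modelled only on the field types the article says were exposed.

```python
"""Minimised two-tier view of a professionals register (added example, not the Mise's code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ManagerRecord:
    # Hypothetical schema modelled on the fields the article says were exposed.
    first_name: str
    last_name: str
    tax_code: str          # codice fiscale: encodes date and place of birth
    email: str
    mobile: str
    cv_text: str
    expertise: Tuple[str, ...]
    region: str


@dataclass
class Session:
    # Hypothetical session object; company_verified stands for whatever
    # identity check the platform applies to a registered company.
    user_id: Optional[str] = None
    company_verified: bool = False

    @property
    def authenticated(self) -> bool:
        return self.user_id is not None and self.company_verified


# Data minimisation: declare what each purpose actually needs.
PUBLIC_FIELDS = ("first_name", "last_name", "expertise", "region")   # search / browse
CONTACT_FIELDS = ("email", "mobile", "cv_text")                      # getting in touch
# The tax code appears in neither set: brokering a contact never requires it.


def public_view(rec: ManagerRecord) -> Dict[str, object]:
    """Projection shown to anyone, including unauthenticated visitors."""
    return {f: getattr(rec, f) for f in PUBLIC_FIELDS}


def search(records: List[ManagerRecord], expertise: str, region: str) -> List[Dict[str, object]]:
    """Anonymous search returns only the public projection, never whole records,
    so a bulk download of the listing yields no contact data."""
    return [public_view(r) for r in records
            if expertise in r.expertise and r.region == region]


def contact_view(rec: ManagerRecord, session: Session, audit_log: List[str]) -> Dict[str, object]:
    """Contact details are released only to a logged-in, verified company,
    and every release is logged so mass harvesting is visible afterwards."""
    if not session.authenticated:
        raise PermissionError("login as a verified company is required for contact details")
    audit_log.append(f"user={session.user_id} viewed contact of {rec.last_name}")
    view = public_view(rec)
    view.update({f: getattr(rec, f) for f in CONTACT_FIELDS})
    return view


# Constructed sample data: fictional people and placeholder values.
SAMPLE = [
    ManagerRecord("Anna", "Rossi", "CF-EXAMPLE-0001", "anna@example.org",
                  "+39 333 0000000", "Via Esempio 1, Roma ...", ("cyber security", "cloud"), "Lazio"),
    ManagerRecord("Luca", "Bianchi", "CF-EXAMPLE-0002", "luca@example.org",
                  "+39 333 1111111", "Via Prova 2, Milano ...", ("big data",), "Lombardia"),
]


def demo():
    """Run an anonymous search, an anonymous contact request (refused) and a
    verified-company contact request; return everything for inspection."""
    audit: List[str] = []
    anon = Session()
    company = Session(user_id="acme-srl", company_verified=True)
    hits = search(SAMPLE, "cyber security", "Lazio")
    try:
        contact_view(SAMPLE[0], anon, audit)
        denied = False
    except PermissionError:
        denied = True
    full = contact_view(SAMPLE[0], company, audit)
    return hits, denied, full, audit


if __name__ == "__main__":
    hits, denied, full, audit = demo()
    print(hits)           # name, surname, expertise, region only
    print(denied)         # anonymous contact request refused
    print(sorted(full))   # contact fields present, tax_code still absent
    print(audit)
```

The point of the two field tuples is that the decision about what leaves the system is made once, in one place, rather than wherever a template happens to be written; a new field added to `ManagerRecord` is private by default until someone deliberately adds it to a projection, which is what privacy by design asks for.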

The Guarantor's spotlight

Wired asked the office of the Privacy Guarantor whether it was aware of the matter. The authority let it be known that, following this report, it has set to work to investigate what happened.

Disclaimer: The editorial staff of Wired reflected on how to report this news, weighing the duty to inform against that of protecting the managers whose data are exposed. The magazine chose the line of full transparency, with the aim of warning the many professionals involved.
