Whistleblowing: the Italian DPA fines an hospital company and its IT provider

Whistleblowing, as correctly cited by the Guarantor in his measure, was regulated in Italy, at first, within general rules on public administrations and later with the law of November 30, 2017, no. 179, which introduced a new discipline referring to private entities, integrating the regulations on "administrative responsibility of legal parties, companies and associations, including those without legal personality". There have been, over the years, different kind of interventions by the supervisory authority on general principles and decisions on individual cases. In particular, as stated by Article 54-bis, paragraph 5, which provides the adoption by ANAC ("Autorità Nazionale Anticorruzione" - National Anti-Corruption Authority) of special guidelines regarding the procedures for the submission and management of these reports, the Guarantor, in a decision dated December 4, 2019, has confirmed that the whistleblowing should be coordinated with the legislation on the protection of personal data. Nowadays, the decree transposing EU Directive 2019/1937, which was finally approved by the European Parliament on April 16, 2019 and published on November 26, 2019, is still awaited in Italy.

In the specific case of the last measure of the DPA, the hospital company, in the preparation of its whistleblowing procedure, had planned, among the different channels for reporting, the use of a web application, managed and provided in cloud by a third-party company, appropriately appointed as data processor. However, during the inspection, the supervisory authority noted multiple failures by the data controller, as the omission of appropriate data mapping with the register of processing activities, information to data subjects on the specific purposes pursued and data protection impact assessment.

In particular, the DPA had not considered sufficient for employee’s information the mere provision of a section in the app on the function of the report and the anonymity of the reporter: those initiatives, the Guarantor says, cannot replace the information that the controller must give, before starting the processing, to the data subjects about the essential elements of the processing.

Pointing out the weak filling of the processing register, the authority had the opportunity to reinforce how the processing of personal data through the systems of acquisition and management of reports presents specific risks for the rights and freedoms of the data subjects, considering also the particular sensitivity of the information potentially processed, the "vulnerability" of the data subjects in the work context, as well as the specific regime of confidentiality of the identity of the reporter provided for by the whistleblowing framework, reason why such cases require the DPIA.

Moreover, the data controller was found to be defective with the adoption of technical and organizational measures to protect the data: the recording and storage, in the logs of the firewall equipment, of information relating the connections to the application in question allowed the tracking of the individuals using that application, including the reporters, in infringement with the measures adopted to protect the confidentiality of the identity; the management procedures for authentication credentials were not appropriate from a security point of view.

The sanction not only affected the data  but also the provider of the platform: during the inspection the DPA found out the provider used an external provider for the systems hosting service without giving specific instructions on the processing of the data of the data subjects and without notifying the healthcare facility, also using this hosting service also for its own purposes without any regulation or agreement on the roles and the use of the data.

The Data Protection Authority  therefore admonished the data controller, stating that even when the products or services belong to third-party providers the data controller is bound to carry out, also with the support of the DPO, a risk assessment on the processing and to make sure that the functions of the product or service that are not compliant with the declared purposes are disabled, all the more so if they are in contradiction with specific sector regulations provided by the system, such as the whistleblowing framework.