Learner’s Submission: Online Public Services in Italy

11/11/2013

“Over the past years, the Italian government implemented several new online public services such as Administration portals G2G (Government to Government) and G2B online portals (from Government to Business). Moreover, in the last couple of years, these telematic websites such as “OpenCoesione” and “CampoGiovani” have been used quite a lot by myself. However, the most important and yet the most popular online service in Italy that I have made use of is surely the “certified electronic mail” (in Italian Posta Elettronica Certificata).

The Posta Elettronica Certificata is an electronic mail by which a Public Administration delivers an online service allowing someone to bypass phishing emails and spam filters when sending email messages to its subscribers, in return for paying a fee to the certifying service. The certified e‐mail (PEC, from the Italian acronym of Posta Elettronica Certificata) ensures the sender of the actual delivery of the message to the addressee and provides the same legal value as a letter sent by recorded delivery and receipt (in Italian raccomandata). For this reason, the person who decides to send an email can then be sure that his messages have reached their recipients without being blocked, or having links or images stripped out of them, by spam filters. The purpose of certified email is to allow Public Administrations to reliably reach the citizens by email, while giving recipients certainty that a certified message is legitimate and is not a forged spamming attempt. Thanks to the certified e‐mail system, the interaction between citizens, Public Administrations (PAs), Professionals and Companies is simplified because any user, from any online computer, can comfortably send letters and documents that previously could only be processed by Post Offices.

In the early 90s, the internet became very popular in Italy. Since 1997, the Italian laws have recognized electronic delivery systems as legally usable. Furthermore, in 2005, after two years of technical tests, the characteristics of an official electronic delivery service, named “certified electronic mail” (in Italian Posta Elettronica Certificata) were defined, giving the system legal standing. The design of the entire system was carried out by the National Center for Informatics in the Public Administration of Italy (DigitPA), followed by efforts for the implementation and testing of the service. The DigitPA has given the Italian National Research Council (CNR), and in particular the Institute of Information Science and Technologies at the CNR (ISTI), the task of running tests on providers of the service to guarantee the correct implementation and interoperability.

Nowadays, the Posta Elettronica Certificata allows citizens to obtain a great advantage from it. For instance, the electronic management of communications and documents is therefore now certified and traceable, enjoying full legal validity, from your own computer; this means that time and costs are now drastically reduced, since you are not supposed to reach your Post Office physically. Furthermore, citizens will now have the advantage of having the option of a “read return receipt” that will not only confirm delivery but also the actual “reading” of the e‐mail by the addressee. Finally, each citizen will be able to communicate from their computers in a safe, non‐costly and exclusive form with the Public Administration, companies, and professionals in all cases where a communication with legal value is required.

To conclude, the Posta Elettronica Certificata has become a great success throughout the whole country. Recent data confirms that the Certified e‐mail development process is well on its way, with over 9.500 Certified e‐mail accounts having been activated by the Central and Local Public Administrations.” – Alessio Manes – Rome, Italy


Learner’s Submission: Data Protection in India

01/11/2012

“With the development in the field of information technology industry, cyber crimes have become a terrible headache for the government of every country. The existing laws are not enough to cover all the issues and circumstances that make the new digital world a threat to personal privacy. So all the developed countries have framed and established their data protection laws. The law relating to privacy is under the scope of Article 21 of the constitution in India. IT Act 2000 was introduced in 2000 and it has certain provisions that provide protection to stored data and the issues relating to computer system.

Under IT Act, 2000, Section 43 provides protection against unauthorized access of the computer system. Under section 65 of this Act, protection has been provided against tampering of computer source documents. Section 66 provides protection against hacking. Section 70 provides protection to the data stored in the protected system. Under section 72, protection has been provided against breach of confidentiality and privacy of the data.

The ‘Personal Data Protection Bill 2006’ was introduced in parliament on 8 December, 2006 to provide protection to the personal data and information of the person collected for a particular purpose by one organization, and to prevent its usage by other organizations for commercial and other purposes. Data controllers are to look upon the issues of violation of the Act. The Bill was drafted wholly on the structure of the UK Data Protection Act. But this proposed Act has lapsed now.

The Indian Government on behalf of Ministry of Communications and Information Technology has notified the “Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011” on 11 April 2011 under Section 43A of the Information Technology Act, 2000, to implement certain provisions. In August, 2011, the Ministry of Communication and Information Technology issued a press note also to clarify some of the provisions of the Rules.

The provision of The Information Technology Rules, 2011 is to protect sensitive personal data. Sensitive Data means personal information of a person in relation to:

  1. Passwords;
  2. Financial information such as Bank account or credit card or debit card or other payment instrument details;
  3. Physical, psychological and mental health condition;
  4. Sexual orientation;
  5. Medical records and history;
  6. Biometric information;
  7. Any detail relating to the above clauses as provided to body corporate for providing service;
  8. Any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract.

In the Press Note, it has been clarified that The Rules are applicable to body corporate or any person. The term ‘body corporate’ is not limited to a ‘body corporate’ located in India. It means any company or other association of individuals engaged in commercial or professional activities. It also includes a foreign body corporate. The Rules will apply to sensitive data of any individual collected, processed or stored in India via computer resources by any entity, whether located in India or not.

Sensitive data can be transferred to a third party in India or outside India, but the body corporate should be aware of the fact that: the provider has consented to such transfer, the third party is able to provide an adequate level of protection for such data via legislative or other means, and the transfer is necessary for the lawful contract.

The companies or the corporate houses are now making several agreements with other companies, partners, agencies or clients to provide adequate protection for their data. ‘User license agreements’, ‘non circumvention and non-disclosure agreements’ and ‘referral partner agreements’ are such agreements that cover privacy and confidentiality clauses and also arbitration clauses for resolving any dispute if it arises. The body corporate is allowed to adopt any other information security policies and standards approved by the Central Government to run their business smoothly. BPO companies have implemented security control measures like BS 7799 and the ISO 17799 standards of information security management. The body corporate also implements the recognized and approved international standards like IS, ISO, IEC 27001 on ‘Information Technology – Security Techniques – Information Security Management System – Requirements’.

As per The Rules, the security standards adopted by the body corporate should be audited at least once every year by an auditor approved by the Central Government.

The big question here arises: is our data safe? This essay certainly has thrown ample light on the Data Protection Legislation in India. Indian Penal code imposes punishment for crimes relating to data protection, but it is a matter of surprise how easily we are providing room to the miscreants to do crimes through the easiest medium while using internet, credit card etc. The criminals are able to collect the secured information only by using computers and electronic gadgets.

Many countries other than India have framed their data protection law as a separate discipline. So it has raised concerns that a qualitative effort must be taken by the Government to frame and establish a most comprehensive data protection law.” – Dr. Mahabur Rahaman Mondal – Kolkata, India