Whistleblowing: Italian DPA fines “La Sapienza” University € 30,000

The Italian DPA fined La Sapienza University in Rome € 30,000 for having exposed online the names of two individuals who had reported potential wrongdoing. In doing so, the DPA stressed the importance of employers adopting adequate technological procedures for ensuring the anonymous reporting of potentially illicit behaviour, also known as whistleblowing. Specifically, the Garante stated that employers should, “verify that the technical/organisational measures and the software used are adequate to protect the confidentiality of the complainant.”

The Garante Privacy found that the data breach had occurred due to inadequate technical measures (in this case, access controls) and pointed out that “according to the Regulation, it is primarily the responsibility of the data controller (in this case the University) – taking into account the nature, object, context and purpose of the processing – to implement technical and organizational measures to ensure a level of security appropriate to the risk. These include a procedure to regularly test, verify and evaluate the effectiveness of the measures taken. In the case in point, on the other hand, the university limited itself to implementing the design choices made by the supplier of the application, which did not provide for the encryption of personal data (identity of the reporter, information relating to the report, any attached documentation), nor the adoption of a transmission protocol that would guarantee secure communication, both in terms of confidentiality and integrity of the data exchanged, and the authenticity of the website displayed by the reporter. The seriousness of the violation is exacerbated by the particular confidentiality regime established by the rules on whistleblowing, precisely for the greater protection of those concerned.”

The university reported that a software update of the platform had overwritten the access permissions on some internal web pages of the whistleblowing portal. As a result, the names and data of those who had filed reports became publicly visible, and were even indexed by some search engines, until the university remedied the situation.
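The failure described here, an update silently removing the access control on confidential pages, is exactly what the "regularly test, verify and evaluate" procedure the Garante refers to is meant to catch. The following is an added example, not code from the decision or from the university's portal: a post-deployment check that records how a confidential page answers an unauthenticated request and flags the failure modes named above (no authorisation, no secure transport, indexable by search engines). The URL paths and header values are hypothetical.

```python
# Added example, not code from the decision or the university's portal:
# a post-deployment regression check. Each Observation records how a
# confidential portal page answered an *unauthenticated* request.
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Observation:
    url: str      # URL requested with no credentials
    status: int   # HTTP status code returned
    headers: dict # response headers


def check_confidential_page(obs):
    """Return findings for one page; an empty list means the page is OK."""
    findings = []
    hdrs = {k.lower(): v for k, v in obs.headers.items()}
    if urlsplit(obs.url).scheme != "https":
        findings.append("served over plaintext HTTP")
    if 200 <= obs.status < 300:
        # A 2xx to an anonymous client means the access control is gone.
        findings.append("reachable without authentication")
    elif obs.status in (301, 302, 303, 307, 308):
        target = hdrs.get("location", "")
        if not target.startswith("https://"):
            findings.append("redirects to a non-HTTPS target")
    if "strict-transport-security" not in hdrs:
        findings.append("missing HSTS header")
    if "noindex" not in hdrs.get("x-robots-tag", "").lower():
        findings.append("not marked noindex for search engines")
    return findings


def audit(observations):
    """Map each URL to its findings, keeping only pages with problems."""
    return {o.url: f for o in observations if (f := check_confidential_page(o))}

# Constructed observations of the same report page before and after a faulty
# update; illustrative values, not captured from the university portal.
BEFORE = Observation("https://portal.example/admin/reports/42", 403,
                     {"Strict-Transport-Security": "max-age=31536000",
                      "X-Robots-Tag": "noindex, nofollow"})
AFTER = Observation("https://portal.example/admin/reports/42", 200,
                    {"Content-Type": "text/html"})

if __name__ == "__main__":
    for url, problems in audit([BEFORE, AFTER]).items():
        print(url, "->", "; ".join(problems))
```

Running the check against the same list of confidential URLs after every deployment turns the Garante's requirement into a concrete gate: any page that comes back with findings blocks the release.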

You can consult the Italian DPA’s press release here and the decision here.
