Privacy, all the risks of principals

by Antonio Ciccia Messina
School leaders risk getting burned with privacy and a draconian sanction system. The grip of the tax liability trap is there ready to spring. As has happened very recently: some judgments of the Court of Auditors testify to this. And how could it happen in the near future if, after the cyclone of MonitoraPA access requests, defaults worthy of administrative punishment emerge before the eyes of the authorities guarding privacy.

The inevitable aftermath of the injunctions of the guarantor of privacy, imposed on public administrations, in fact, is the search for faults, the serious ones, which are the basis for overturning, in whole or in part, on the assets of individuals the sums paid by the school to state coffers for privacy violations.

In the background and in the foreground, at the same time, stands the GDPR, the EU regulation on privacy. About it the only thing everyone agrees on is that it is almost impossible to be in good standing and that the most that can be done is to show that you have given it all. This is especially true when it comes to the protection of data from the attacks of cybernetic leviathans, omnipresent, elusive, always lurking inside a computer and on the other side of the planet, and always ahead of the cops of the virtual world. Other faces of the GDPR are the grid of precepts and that of punishments, the former as frayed and out of place as the latter is massive and heavy.

Article 5 of the GDPR takes your sleep away, because you are punished if you violate the most atypical of precepts, a violation of correctness is enough, without a catalog of improprieties to be consulted first, to pass from the naive hope of clemency to the fatalistic resignation of punishment . But then there is also that article 83, also of the Gdpr, in which the gap has blades that start from zero and widen up to 20 million euros: the arc is so wide it is evident that the sanction and backwards the precept fade into unpredictability. In the first place, the school is called to declaim the defenses.

The Court of Cassation taught us why. And if, in retrospect, that responsibility is reconstructed, then the injunction is triggered, which when it targets a public body – it digs, digs – is nothing more than a round of taxpayer money, from a budget of a PA to budget of another administration. But in the public sector the injunction of an administration sanction is not a story that ends only when the treasurer of the paying public body settles the account with the creditor public body.

At that moment the opening credits of the films of the tax fault begin, which counts to its credit the film of the sentence of the section of the Court of Auditors for Lazio, released on May 28, 2019 with the number 246: here we have four characters, an executive school and three professors. They are called to repay to the professional institute in which they work the damage caused following the payment of a fine imposed by the Privacy Guarantor (20 thousand euros), as a result of the publication on the internet of an Institute circular containing data suitable for disclosing the state of health of children under age and with disabilities.

The manager signed the circular, the first professor wrote it, the third professor sent it to the fourth (site manager), who published it without checking anything. The frame before the “end” sees, on the one hand, the breathless smile of the three professors mandated for their marginal role and mere executors of the instructions issued by the head teacher and, on the other hand, you can hear it, even before you see it , the rumble of the court gavel on the head of the head teacher, as burdened with the responsibility of the school organization and management, condemned albeit with a discount (7500 euros the reduced amount on her account).

The other episodes, which we report below, concern other public bodies, but the legislation on tax liability (law 20/1994) is unique for all public employees: the principles applied, therefore, are directly applicable also to the school sector.

Continuing the excursus, the protagonist of the episode of the sentence of the section of the Court of Auditors for Lazio, released on 14 September 2021 with the number 672, went better: in the center of the screen the director of human resources of an Italian metropolis, acquitted for lack of gross negligence in the face of the publication on the institutional website, just three days before retiring from the service, of a ranking of the sensitive data of the participants in a public selection: the plot of the superfetation of the rules on transparency, capable of confusing even the super- jurists, he saved the director.

The sequel, with a once again ominous outcome, is the sentence of the section of the Court of Auditors for Friuli Venezia Giulia, released on 18 January 2022 with the number 2: here we see (first scene) a health company sentenced to a fine of 4 thousand euros for the publication on the website, for more than 15 days, of a resolution, in which negative facts were indicated on the account of a nurse, therefore not confirmed during the probationary period; and then (final scene) the image of the general manager is projected, sentenced to pay a thousand over another 2 thousand and a few hundred as partial reimbursement of the sums paid out by the health company to compensate the nurse for damage in a civil suit, originated from the same fact.

In this scenario, it may be useful to study the paths of the GDPR to take small steps along the path of minimizing the risks of liability.

Privacy, all the risks of principals