Italy’s social security and pensions agency Istituto Nazionale della Previdenza Sociale (INPS) has been ordered to pay €300,000 for contravening privacy protection laws when investigating politicians claiming state aid during the coronavirus crisis.

A public outcry ensued after the La Repubblica newspaper reported last August that the agency’s anti-fraud unit discovered five MPs and 2,000 regional or local politicians had claimed the government’s ‘Covid bonus’ of up to €1,000/month to help VAT-registered self-employed people through the early stages of the pandemic.

However, the methods employed by the INPS were subsequently investigated by the Italian Data Protection Authority Garante.

While acknowledging INPS’s anti-fraud probe was of significant public interest, the DPA said it found numerous critical issues in the methods used by the agency.

Garante concluded INPS had failed to define the criteria for processing data of some applicants of the Covid bonus; used unnecessary information for control purposes; used incorrect or incomplete data; and inadequately assessed the privacy risks.

The DPA also found INPS was unable to demonstrate it had carried out checks to comply with the EU’s General Data Protection Regulation (GDPR), violating the principles of privacy by design, privacy by default and accountability.

After obtaining information from open sources on tens of thousands of people who held political positions, the agency cross-referenced that with data on those who had requested the bonus, without first determining if the politicians were entitled to the benefit or considering the different nature of the offices held.

“In this way, the INPS violated the principles of lawfulness, correctness and transparency established by the EU regulation on the protection of personal data,” said Garante.

In addition, the agency did not respect the data minimisation principle, said the DPA, as it initiated checks aimed at recovering bonuses from applicants who had not received it, given that their request was rejected for reasons independent of the office held.

It also emerged that INPS had inadequately assessed risks associated with such delicate data processing by not carrying out an impact assessment on the rights and freedoms of the data subjects.

As well the fine, Garante is requiring INPS to delete unnecessary data processed up to now and carry out an adequate privacy impact assessment.

 PrivSec Global, a live streaming event, takes place on 23-25 March featuring more than 200 speakers and 64 sessions on privacy, data protection and cyber-security.