Data breach: the Privacy Guarantor fines Inail 50 thousand euros

The Authority's investigation found that, on at least three different occasions, the "Virtual Workers' Desk" reportedly allowed some users to accidentally consult the information of others. "Public bodies must take appropriate technical and organisational measures to avoid breaches"

30 May 2022 F. Me

All public bodies, in particular those with significant institutional competences, must take appropriate technical and organisational measures to avoid personal data breaches. The Privacy Guarantor reiterated this in sanctioning Inail, which recorded three IT incidents that led to unauthorized access to the data of some workers, in particular data on their health and the injuries they suffered.

The Guarantor's investigation found that, on at least three different occasions, the "Virtual Workers' Desk" managed by the institution reportedly allowed some users to accidentally consult the accident and occupational disease case files of other workers. In one case, however, the incident resulted from the execution of an outdated version of the "Virtual Workers' Desk", due to human error.

In its decision, the Authority noted that an entity with such significant institutional competences, which involve the processing of particularly sensitive data relating to data subjects who may also be vulnerable, is required to adopt, in line with the principle of accountability required by the GDPR, technical and organisational measures that permanently ensure the confidentiality of the data processed, as well as the integrity of the related systems and services.

Taking into account the full collaboration offered by the public administration during the investigation and the small number of people involved in the identified data breaches, the Privacy Guarantor imposed a penalty of 50,000 euros on the institution.