Provision on the Security of Telephone and Telematic Traffic Data and Log Management

The Provision on the “Security of Telephone and Telematic Traffic Data” issued on January 27, 2008, is a measure by the Italian Data Protection Authority (Garante Privacy). Its objective is to establish measures and precautions for electronic communication service providers to adopt in the storage of telephone and telematic traffic data. Why is this necessary? The processing of such data presents specific risks to the rights, fundamental freedoms, and dignity of the data subject that the Garante aims to protect.

The provision on the Security of Telephone and Telematic Traffic Data – January 17, 2008

The provision is divided into several sections:

  1. Preliminary considerations
  2. Framework
  3. Providers required to retain traffic data
  4. Types of traffic data to be retained
  5. Objectives pursued
  6. Data acquisition methods
  7. Prescribed measures and precautions
  8. Application of certain measures to data processed for other purposes

In this article, we will focus only on specific points related to log management.

2 Framework

Current regulations require electronic communication service providers to retain telephone and telematic traffic data for 24 and 6 months, respectively. This retention period can be extended by an additional 24 and 6 months, respectively, in cases of investigation and prosecution of offenses under Article 407, paragraph 2, letter a) of the Italian Code of Criminal Procedure (c.p.p.), and offenses against computer or telematic systems. The minimum necessary time for data retention is established from the outset.

3 Providers required to retain traffic data

Entities required to retain traffic data include providers of electronic communication services on public communication networks. Certain categories are excluded from this requirement, such as:

  • Entities that directly provide electronic communication services to specific groups of people.
  • Entities that do not generate or process relevant traffic data.
  • Owners and operators of public establishments or private clubs that only provide terminal devices for communications, including telematic communications, or points of access to the Internet using wireless technology, excluding public payphones solely enabled for voice telephony.
  • Operators of websites that distribute content on the network (so-called “content providers”).
  • Search engine operators.

4 Types of traffic data to be retained

The obligation to retain data applies to traffic data related to telephone communications, including unanswered calls, as well as telematic traffic data, excluding the content of communications. Specifically, the data subject to retention is the data that providers process for the transmission of communication or related billing purposes.

But how do telematic and telephone traffic data differ? Telematic traffic data includes:

  • Access to the Internet.
  • Email.
  • Fax (including SMS and MMS messages) via the Internet.
  • Internet telephony (VoIP).

While telephone traffic data includes:

  • Phone calls, including voice calls, voicemail, conference calls, and data transmission via fax.
  • Supplementary services, including call forwarding and call transfer.
  • Messaging and multimedia services, including SMS.

7 Prescribed measures and precautions

This section is particularly interesting as it explicitly refers to log management and the preparation of reports for inspection or periodic control purposes.

7.1. Authentication Systems

The processing of data covered by the provision should only be permitted for authorized personnel and should be conducted using strong authentication systems (comprising at least two different authentication technologies used simultaneously).

Specifically, for data retained for the purpose of investigating and prosecuting offenses, one of the authentication technologies must be based on the individual’s biometric characteristics to verify their physical presence at the terminal.

These procedures apply not only to personnel involved in data processing but also to all technical staff who may access the data, such as System Administrators, Network Administrators, and Database Administrators.

Furthermore, a log of access and events must be maintained for all activities performed by these technical staff, especially for interventions that do not act directly on the data covered by the provision but can still affect it, such as troubleshooting and repairs, installations, updates, and reconfigurations.

7.5. Data Deletion

Upon expiration of the data retention period (24 and 6 months as stated in point 2), the data must be promptly deleted.

7.6. Other Measures

Audit Log

To ensure control over activities related to traffic data by authorized personnel, all operations directly or indirectly carried out on traffic data and other related personal data must be recorded in a dedicated audit log.

Audit log systems must guarantee the completeness, immutability, and authenticity of the records containing all processing operations and security-related events subject to auditing.

Before being written, the data (or groupings of data) must pass through computerized procedures that guarantee their integrity by means of cryptographic technologies.
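As an added illustration, not part of the provision or of this article, the following Python sketch shows one way to build an audit log with the three properties named above: a hash chain over the records gives immutability and completeness (a modified, missing or reordered record breaks the chain), and an HMAC computed with a key kept away from the administrators whose actions are logged gives authenticity. The key, the record fields and the events are constructed assumptions.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed demo key: a real deployment keeps the signing key in an HSM/KMS,
# out of reach of the administrators whose actions the log records.
AUDIT_KEY = b"constructed-demo-key-not-for-production"
GENESIS = "0" * 64


def _canonical(record: dict) -> bytes:
    """Deterministic serialisation so digests are reproducible at verification time."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def append_event(log: list, actor: str, role: str, action: str, target: str) -> dict:
    """Append one audit record, chained to its predecessor and authenticated with the key."""
    prev = log[-1]["digest"] if log else GENESIS
    body = {
        "seq": len(log),
        "ts": datetime.now(timezone.utc).isoformat(),
        "actor": actor, "role": role, "action": action, "target": target,
        "prev": prev,
    }
    # Integrity: the digest covers the record and the previous digest (hash chain).
    digest = hashlib.sha256(_canonical(body)).hexdigest()
    # Authenticity: only the key holder can produce a valid MAC for the record.
    mac = hmac.new(AUDIT_KEY, digest.encode(), hashlib.sha256).hexdigest()
    entry = dict(body, digest=digest, mac=mac)
    log.append(entry)
    return entry


def verify_log(log: list) -> tuple:
    """Recompute chain and MACs; return (ok, reason) naming the first failing record."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k not in ("digest", "mac")}
        if body.get("seq") != i or body.get("prev") != prev:
            return False, f"record {i}: chain break (record missing or reordered)"
        if hashlib.sha256(_canonical(body)).hexdigest() != entry["digest"]:
            return False, f"record {i}: content modified after writing"
        expected = hmac.new(AUDIT_KEY, entry["digest"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, entry["mac"]):
            return False, f"record {i}: MAC invalid (record not authentic)"
        prev = entry["digest"]
    # Tail truncation is not visible to the chain alone: anchor the latest digest elsewhere.
    return True, "ok"
```

Periodically exporting the latest digest to a separate, write-once location is what makes removal of the most recent records detectable during the internal audit described in section 7.7.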

7.7. Internal Audit – Periodic Reports

An internal control activity must be conducted at least annually by data controllers, entrusted to a different organizational unit or personnel not involved in processing the data covered by this provision.

The controls must also include retrospective checks on alerts and anomaly detection.

The activity must be thoroughly documented, and the results of the control must be:

  • Communicated to individuals and authorized bodies responsible for making decisions and expressing the company’s will at various levels according to internal regulations.
  • Referenced in the security program document, which must indicate any necessary interventions to adapt security measures.
  • Made available to the Data Protection Authority or judicial authorities upon request.

In conclusion

It should be noted that the following subsequent measures and regulations have integrated, replaced, or amended the provision discussed in this article:

  • Provision on System Administrators – November 27, 2008.
  • EU Regulation 2016/679 (GDPR).
  • Minimum Measures by AgID (Agency for Digital Italy).
