Editorial Director: Giusella Finocchiaro
Web Content Manager: Giulia Giapponesi

posted by admin on November 25, 2014

Electronic signatures


The long-awaited measure of the Italian Data Protection Authority in the field of biometric recognition and graphometric signature was recently signed and published in the Register of measures (decision no. 513 of 12 November 2014).

The measure governs the processing of biometric data for purposes of computer authentication, access control and signing documents. An analysis of the changes introduced will soon be published on our blog.

You can find the document (in Italian) on the Italian Data Protection Authority website.

 

 

A recent decision by the Italian Data Protection Authority authorizes the use of the graphometric signature on tablets in the banking sector.

The system, which has been submitted for preliminary examination by the Italian D.P.A., is somewhat complex, split into different phases and involves a number of different parties.

The technology used is also able to detect the characteristics of a customer’s signature online by means of an analysis of certain criteria which can be deduced from the signature, such as the speed of the stroke, its pressure, acceleration, inclination and so on.

The system is intended to be used by financial promoters for customer authentication and for subsequent operations. There are two main phases in the process: firstly the collection of the specimen signature to be used as a tool for comparison in order to safeguard the customer, and secondly the signing of documents with the electronic signature.

As set out in the decision, the specimen signature together with the customer’s identification data is transmitted by the bank through secure encrypted channels to the certifier, who validates the request and issues the digital certificate associated with the applicant. All subsequent signings will thus be transmitted in encrypted form to the certifier’s server, which verifies the correspondence by means of the specimen signature and ensures that the tablet serial number is in fact listed.

This system would allow a reduction in the risk of cases of fraud, in particular those related to identity theft.

As usual the Authority draws attention to the adoption of special measures in order to protect personal data. With particular regard to the use of mobile devices, the D.P.A. recommends that the processing of biometric user data should be carried out adopting all appropriate security measures in order to reduce to a minimum the risk of unauthorised software installation or to avoid contact with malware.

According to the D.P.A. remote wiping must also be adopted, which would guarantee that in cases where tablets have been tampered with, lost or stolen, their content would be deleted remotely.

Moreover, processing of biometric data is subject to customer consent. The D.P.A. underlines that consent, where required, must be free and responsible.

Finally, the D.P.A. draws attention to the need to ensure that biometric data is not preserved for a duration exceeding the purposes for which it was collected and subsequently processed. Any extension to the retention time may be justified by specific laws.

Further requirements under existing law are reaffirmed, including notification of processing and the obligation to designate external parties as data processors.

The new technical rules on electronic signatures have recently been published in the Official Journal.

Here follow the complete references: DPCM 22 febbraio 2013 “Regole tecniche in materia di generazione, apposizione e verifica delle firme elettroniche avanzate, qualificate e digitali, ai sensi degli articoli 20, comma 3, 24, comma 4, 28, comma 3, 32, comma 3, lettera b), 35, comma 2, 36, comma 2, e 71”.

The new rules give full legal value to a new type of electronic signature known as the “Graphometric Signature”, which consists of a handwritten signature being added to a digital document by means of a tablet using a special pen. According to the Italian Digital Administration Code currently in force, this signature can be regarded as either an electronic signature or as an advanced electronic signature. Whether it is an electronic signature or an advanced electronic signature depends on the security measures adopted.

“Graphometric Signatures” are used particularly by banks, but could be used in any field. The only limitation concerns contracts regarding real estate, which cannot be signed with a “Graphometric Signature”, but require a digital signature.

 

 
