From a privacy perspective, SPID (the Italian Public Service for Digital Identity) is compliant with the GDPR, because it is a precaution to protect personal data (Art. 32).
Currently, many online Personal Health Record services allow authentication at Level 2 of ISO/IEC DIS 29115 (Level of Assurance 3, LoA3) rather than at Level 3 of the ISO/IEC DIS 29115 standard (Level of Assurance 4, LoA4).
However, this appears to be at odds with the GDPR since, according to the SPID definition, level 2 is not an appropriate precautionary measure for personal health data. The highest level of protection (level 3 of ISO/IEC DIS 29115) already exists and is provided free of charge to citizens, not through SPID but through the National Health Card.
The transposition of the law did not take the ISO/IEC DIS 29115 standard into account. This is probably because, in the past, to make online services easier for citizens to use, some health companies lowered the security of their authentication process by implementing an OTP (One Time Password) mechanism. As a result, the risk associated with this process has increased.
However, citizens using SPID or other OTP authentication systems are not aware that their data is not protected at the maximum security level expected.
A number of malware families can eavesdrop on both the password and the OTP on the same device: smartphone authentication with an OTP delivered via SMS can be quietly 'hacked'.
I propose two questions: in the event of a breach of health data, how will responsibility be shared? Can liability also be extended to the IP (Identity Provider) that provided the authentication service with a non-standard assurance level?