1.1. Purpose and structure of the document¶
These guidelines are adopted in implementing Articles 68 and 69 of the Digital Administration Code (hereinafter CAD):
- as provided for in Article 68(1b), identifying in Chapter 2 Guidelines for acquiring software, the methods and criteria by which an administration must carry out the comparative assessment described in the aforementioned article when selecting a method for acquiring software.
- as provided for in Article 69(2a), identifying in Chapter 3 Guidelines for software reuse (Article 69), the platform for the publication of source code under open licence and software documentation available for reuse by administrations, specifying the technical methods for use.
They also replace the previous Circular 63/2013, entitled ‘Guidelines for comparative assessment provided for by Article 68 of Legislative Decree No 82 of 7 March 2005, the Digital Administration Code’ and its annexes.
This document and the methodology described within are to be understood as aids to a decision-making process that remains under the full responsibility of administrations, when they share solutions as well as when they adopt them for reuse in compliance with the regulations in force, in particular with regard to digital public administration, public contracts and the protection of personal data. With reference to the latter area of law, EU Regulation 2016/679 has defined/specified principles and criteria that are particularly relevant with respect to the subject matter of these guidelines. Among these principles and criteria, the requirement to consider data protection from the design stage and by default (Article 25 of the aforementioned regulation) is highlighted. Furthermore, attention should be paid to AgID technical rules that may affect the subject matter, such as the Minimum security measures (Circular 2/2017) and Guidelines for the development of secure software.
This document is the starting point of a cultural process in which public administrations are the protagonists for the increasing use of open software, as is evident from Article 69(1), which requires public administrations ‘that own solutions and computer programs created at the specific instructions of the public client’ to ‘make the relevant source code available, complete with documentation and released in a public repository under open licence. . . ‘
Therefore, the aforementioned regulation was the starting point for the preparation of these guidelines, highlighting the vigorous drive of the legislator towards the increasing use of open source software by public administrations. This can be seen from the simultaneous elimination of the provision of the so-called ‘reuse catalogue’, without this preventing, if necessary, public administrations from entering into agreements (for example, on the basis of Article 15 of Law No 241/90) for the reuse of solutions that do not comply with the provisions of Article 69(1) and that cannot fall within the scope of the cases dealt with here, which, it is stressed, must be those that are subject to an open licence.
In any case, the legislator, adopting this strong propensity towards open source for public administrations, has reasonably provided for a general exclusion, only for ‘justified reasons of public order and safety, national defence and electoral consultations’ - in Article 69(1), final bullet point - , in order to safeguard those more sensitive areas of digital government of the country, which from the sharing and community management of open software may be exposed to risk.
The approach described above, which favours open source, can also be inferred clearly from the wording of Article 69(2), which requires public administrations ‘in project specifications’ to ‘always be the owners of all rights to programs and information and communication technology services, specifically developed for them’.
A safeguard has also been provided for in this case, uniquely for circumstances in which ‘this is excessively onerous for proven technical-economic reasons’.
Consequently, Article 68 shall be understood and implemented in this document, in full compliance with the aforementioned interpretation of Article 69.
Public administrations are in the position to best know their requirements and will be capable of rejecting the methodology proposed here, in relation to its context, as well as to the characteristics of the acquisition to be carried out.
In this sense, the guidelines are not merely a regulatory tool, but suggestions for new follow-up, awareness and information processes.