A new Italian regulation governing health data registries and surveillance programs aims at facilitating the use of such tools for purposes of monitoring health of the population, as well as healthcare spending. A comprehensive legal instrument regulating the various categories of registries and programs was much needed. In fact, the adoption of such a regulation was envisaged by national legislation since 2012 (Section 10 of law decree 179/2012), but no implementing measures has yet been adopted. A draft of regulation has now been released by the Italian government and submitted to the State-Regions conference prior to formal entry into force. The draft has already been reviewed by the Italian Data Protection Authority.
The new regulation aims at standardizing registries and programs adopted over the years, by setting forth: (i) the entities and professionals who may access the information contained in the registries, (ii) the categories of data that are available, and (iii) the measures to be adopted to ensure the security of data in line with data protection legislation.
The goals pursued by the regulation include a better monitoring of diseases at national level and relating treatment, survival rates, mortality index, as well as the increase or decrease over time of a certain disease. The data stored in the registries should also facilitate the carrying out of epidemiological studies in specific territories and/or for specific subsets of the population. Such broad purposes would allow the data to be used in connection with scientific studies, but also for the treatment and prevention of particular diseases.
The data protection provisions enshrined in the regulation are particularly stringent, and provide that all data must be processed by individuals specifically appointed by the data controller and subject to secrecy obligations. Furthermore, the data shall be encoded in a way that does not allow the de-anonymization of the data. Only in case of adverse events and relating field actions, data may be used to contact the interested subject upon prior authorization of the national registry holder. Data breaches will also need to be reported to the Data Protection Authority.
In conclusion, the new regulation provides welcome clarity in a field where regulations have been sporadic and at times incoherent. Moreover, the new regulation seeks to govern at the same time the different legal aspects connected with registries, from healthcare monitoring to data protection. There is little doubt that the hope of the government is to optimize such instruments to better control healthcare spending and conduct a more effective assessment of therapies and products on the market.
Privacy of individuals is framed as a fundamental right in the European Union. In fact, the new European Union Regulation no. 2016/679 reiterates this in the very first of its “whereas”.
Yet, it is clear to everyone that such “fundamental” nature is regularly questioned by various factors, and particularly:
- Technological progress, coupled with people’s growing addiction to smartphones, allowing the collection of an amazing number of personally identifiable information and leading to big banks of intrusive data; and
- Security threats that prompt governments to closely monitor citizens’ behavior.
Once upon a time courts were called to decide on how to balance conflicting rights. These days, the act of balancing privacy and other issues has become much more common and it is in the hands of a variety of subjects, such as data processors, who must carry out a data protection impact assessment according to Section 35 of the EU Regulation no. 2016/679, and data protection authorities, who provide both general guidelines and specific advice.
A couple of recent decisions by the Italian Data Protection Authority have led me to believe that the Authority is readier than before to accept that there are justified limits to the right to privacy:
- On July 14, 2016, the Italian Data Protection Authority has decided that a bank is allowed to analyze behavioral/biometric information regarding its customers (such as mouse movements or pressure on the touch screen) as a measure to fight identity theft and internet banking fraud. Of course, a number of limitations have been set by the Authority, in addition to consent of the customer/data subject, such as specific safety measures, purpose and time limitations, and the segregation of the customer names from the bank’s IT provider.
- On July 28, 2016, the same Authority has granted its favorable opinion to the use of a face recognition software at the Olimpico stadium during soccer games in order to check that the data on the ticket and the face of the person actually attending the event correspond. Provided that strong security measures are used and that the processing is carried out by police forces, the processing was deemed to be necessary.
A tougher stance, instead, is adopted by the Italian Data Protection Authority in cases of processing aimed at marketing purposes, as in this decision, for example. (I note, however, that the code of conduct applying to data processing for the purposes of commercial information that will enter into force on October 1, 2016, blessed by the Italian Data Protection Authority, continues to allow the dispatching of commercial communications to individuals whose personal data is included in public listings, even without the data subject’s express consent).
Balancing rights and interests is inherent to law and justice. It remains to be seen, considering the obvious (and absolutely reasonable) limitations to which the right to privacy is subject, if it will continue to make sense to frame it as “fundamental” right.