The Italian Data Protection Authority has provided clarifications on the processing of health data by means of a note issued on March 7, 2019.

On the basis of section 9.2 letter h) and section 3 of GDPR, the Authority has indicated that healthcare professionals who are subject to a duty of confidentiality (or other professionals also subject to confidentiality obligations) will no longer require consent of the patient in order to process data for the purpose of providing healthcare services.

Processing of personal data beyond what is necessary to provide healthcare services will, instead, continue to require the patient’s express consent. Consent is required, for example, for the use of medical apps, for any use of personal data for marketing purposes and for the inclusion of data in electronic health records.

In any case, the patient must receive information about how her/his data will be processed (including the duration of the data processing). The Data Protection Authority clarified that such information must be concise, transparent, intelligible and easily accessible, using simple and clear language. For hospitals processing data in complex ways, the Authority suggests that information is given to interested data subjects and when necessary (mass information to all is not a good idea).

Lastly, the Authority notes that the appointment of a Data Protection Officer is required in case of large scale processing of health data, which occurs in hospitals (regardless of their public or private nature), but does not apply to individual medical professionals, pharmacies or orthopedic firms. The keeping of a register of processings, instead, remains a key requirement and a basic element of accountability and risk management in any case of health data processing.

A summary of the Authority’s clarifications can be found here.