Tag Archives: health data

Don’t Miss our European Biotech Week 2024 Webinars

Hungry for content? The life sciences practice of Gitti and Partners has an interesting program of webinars/seminars in store for you within the framework of the EUROPEAN BIOTECH WEEK 2024:

See you soon!

Processing of personal and health data through apps and online platforms aimed at connecting HCPs and patients: the new digest of the Italian DPA

In March 2024, the Italian Data Protection Authority (“Italian DPA”) issued a new digest (“Digest”) on the processing of personal data, including health data within the meaning of section 9 of the GDPR, carried out through platforms accessible via apps or web pages (“Platforms”) that aim to facilitate the connection between healthcare professionals (“HCPs”) and patients.

The use of such Platforms poses high risks to the protection and security of patients’ personal data, and in particular of health-related data, since the latter are subject to the enhanced protection regime set forth by section 9 of the GDPR.

The Digest seeks to summarize the applicable data protection rules, and defines the roles of the parties and the legal bases applicable to (i) the processing of users’ personal data by Platform owners; (ii) the processing of HCPs’ personal data by Platform owners; and (iii) the processing of patients’ health data by the Platform owner and by the HCPs.

Additional guidance is provided as to:

  • The need for the Platform owner to carry out (and periodically update) a data protection impact assessment (DPIA) pursuant to section 35 GDPR, since the use of Platforms entails “high risk” processing of personal data: such processing automatically meets the criteria issued by the European Data Protection Board for identifying the processing operations subject to the duty to perform a DPIA;
  • Which information notices should be provided, by whom and to whom, as well as the contents that such information notices should have in each case, according to sections 13 and 14 GDPR;
  • The specific rules applicable to cross-border data transfers and transfers of data to third countries.

Lastly, the Digest includes a list of the technical and organizational measures most commonly adopted by data controllers to meet the GDPR requirements, such as encryption, verification of the qualifications of the HCPs seeking to enroll in the Platform, strengthened authentication systems, and monitoring systems aimed at preventing unauthorized access to or loss of data.

The Digest should be welcomed by Platform owners, as it now provides a reliable and complete legal framework that can be followed to set up a Platform in a way that complies with the GDPR principles.

The European Health Data Space

On May 3, 2022 a Proposal for a Regulation on the European Health Data Space was published. The proposed European Health Data Space starts from the premise that access to and sharing of health data within and across Member States is difficult due to the complexity and divergence of rules, structures and processes. The European Health Data Space aims at harnessing the power of health data for people, patients and innovation by pushing towards health data science that will transform public health and foster innovation, while empowering individuals to take control of their health data. This proposed legislation is also a product of the Covid-19 pandemic, during which the role of up-to-date, reliable and FAIR health data (i.e., data based on the principles of Findability, Accessibility, Interoperability and Reusability) has been key in responding to the crisis and developing cures and vaccines. The ultimate goal is to build a European Health Union[1] that would strengthen the resilience of health systems and deliver for each Union citizen.

The European Health Data Space Communication supports both primary and secondary use of health data. With regard to primary use, patients will have their health data available through access points established by Member States and connected through a cross-border digital infrastructure; they will be able to control and share their health data, and mandatory requirements on interoperability, security, safety and privacy will apply. Electronic health record systems are subject to mandatory self-certification schemes, which must comply with essential requirements related to interoperability and security. The European Health Data Space promises to “make continuity of care across the EU a reality”[2].

Secondary use of data (i.e., health data used for research, innovation and public health) will also be supported by a European framework. Permits to use the data will be obtained from health data access bodies, designated by Member States, which will establish how the data may be used and for which purposes (charges may apply), always requiring closed secure environments, anonymous or pseudonymised data and transparency in their use. The HealthData@EU platform will facilitate cross-border studies.

Governance of the European Health Data Space will be entrusted to a new body, the European Health Data Space Board, chaired by the Commission. The Communication does not overlook the fact that investments in digitalization are costly, and 810 million euros have been made available to support the European Health Data Space.

Benefits of the European Health Data Space are expected for citizens, health professionals, researchers, regulators and policy-makers and for the industry.

[1] Bucher, A. (2022), ‘Does Europe need a Health Union?’, Policy Contribution 02/2022, Bruegel.

[2] See page 12 of https://ec.europa.eu/health/publications/communication-commission-european-health-data-space-harnessing-power-health-data-people-patients-and_en

Italian Data Protection Authority Plans to Inspect Life Sciences Companies in 2020

The Italian Data Protection Authority has recently issued its inspection plan for the first half of 2020. The Authority plans about 80 inspections, to be carried out through the fiscal police.

Inter alia, the Authority plans to inspect health data processing carried out by multinational companies operating in the pharma and health sector. In case that’s what you do, make sure your GDPR documents are in order.

Other industries will also be impacted, such as whistleblowing software, marketing, online banking, food delivery and call center services.

In 2019 the Italian Data Protection Authority issued sanctions amounting to Euro 15,910,390.

Clarifications on the Processing of Health Data by the Italian Data Protection Authority

The Italian Data Protection Authority has provided clarifications on the processing of health data by means of a note issued on March 7, 2019.

On the basis of section 9.2, letter h) and section 3 of the GDPR, the Authority has indicated that healthcare professionals who are subject to a duty of confidentiality (or other professionals also subject to confidentiality obligations) no longer require the patient’s consent in order to process data for the purpose of providing healthcare services.

Processing of personal data beyond what is necessary to provide healthcare services will, instead, continue to require the patient’s express consent. Consent is required, for example, for the use of medical apps, for any use of personal data for marketing purposes and for the inclusion of data in electronic health records.

In any case, the patient must receive information about how her/his data will be processed (including the duration of the processing). The Data Protection Authority clarified that such information must be concise, transparent, intelligible and easily accessible, using simple and clear language. For hospitals processing data in complex ways, the Authority suggests that information be provided to the data subjects concerned when necessary (mass information to all is not a good idea).

Lastly, the Authority notes that the appointment of a Data Protection Officer is required in case of large-scale processing of health data, which occurs in hospitals (regardless of their public or private nature), but does not apply to individual medical professionals, pharmacies or orthopedic firms. Keeping a record of processing activities, instead, remains a key requirement and a basic element of accountability and risk management in any case of health data processing.

A summary of the Authority’s clarifications can be found here.

Health Data Registries and Surveillance Programs, a New Italian Regulation Steps Up the Game

A new Italian regulation governing health data registries and surveillance programs aims at facilitating the use of such tools for the purpose of monitoring the health of the population, as well as healthcare spending. A comprehensive legal instrument regulating the various categories of registries and programs was much needed. In fact, the adoption of such a regulation had been envisaged by national legislation since 2012 (Section 10 of law decree 179/2012), but no implementing measures had yet been adopted. A draft regulation has now been released by the Italian government and submitted to the State-Regions conference prior to formal entry into force. The draft has already been reviewed by the Italian Data Protection Authority.

The new regulation aims at standardizing registries and programs adopted over the years, by setting forth: (i) the entities and professionals who may access the information contained in the registries, (ii) the categories of data that are available, and (iii) the measures to be adopted to ensure the security of data in line with data protection legislation.

The goals pursued by the regulation include better monitoring, at national level, of diseases and related treatments, survival rates, mortality rates, and the increase or decrease of a given disease over time. The data stored in the registries should also facilitate epidemiological studies in specific territories and/or for specific subsets of the population. Such broad purposes would allow the data to be used in connection with scientific studies, but also for the treatment and prevention of particular diseases.

The data protection provisions enshrined in the regulation are particularly stringent, and provide that all data must be processed by individuals specifically appointed by the data controller and subject to secrecy obligations. Furthermore, the data shall be encoded in a way that does not allow de-anonymization. Only in case of adverse events and related field actions may the data be used to contact the data subject concerned, upon prior authorization of the national registry holder. Data breaches will also need to be reported to the Data Protection Authority.

In conclusion, the new regulation provides welcome clarity in a field where rules have been sporadic and at times incoherent. Moreover, the new regulation seeks to govern, at the same time, the different legal aspects connected with registries, from healthcare monitoring to data protection. There is little doubt that the government hopes to optimize such instruments in order to better control healthcare spending and conduct a more effective assessment of the therapies and products on the market.