The Italian Data Protection Authority has recently issued its inspection plan for the first half of 2020. The Authority plans about 80 inspections through the fiscal police.
Inter alia, the Authority plans to inspect health data processing carried out by multinational companies operating in the pharma and health sector. In case that’s what you do, make sure your GDPR documents are in order.
Other industries will also be impacted, such as whistleblowing software, marketing, online banking, food delivery and call center services.
In 2019 the Italian Data Protection Authority has issued sanctions amounting to Euro 15,910,390.
The Italian Data Protection Authority has provided clarifications on the processing of health data by means of a note issued on March 7, 2019.
On the basis of section 9.2 letter h) and section 3 of GDPR, the Authority has indicated that healthcare professionals who are subject to a duty of confidentiality (or other professionals also subject to confidentiality obligations) will no longer require consent of the patient in order to process data for the purpose of providing healthcare services.
Processing of personal data beyond what is necessary to provide healthcare services will, instead, continue to require the patient’s express consent. Consent is required, for example, for the use of medical apps, for any use of personal data for marketing purposes and for the inclusion of data in electronic health records.
In any case, the patient must receive information about how her/his data will be processed (including the duration of the data processing). The Data Protection Authority clarified that such information must be concise, transparent, intelligible and easily accessible, using simple and clear language. For hospitals processing data in complex ways, the Authority suggests that information is given to interested data subjects and when necessary (mass information to all is not a good idea).
Lastly, the Authority notes that the appointment of a Data Protection Officer is required in case of large scale processing of health data, which occurs in hospitals (regardless of their public or private nature), but does not apply to individual medical professionals, pharmacies or orthopedic firms. The keeping of a register of processings, instead, remains a key requirement and a basic element of accountability and risk management in any case of health data processing.
A summary of the Authority’s clarifications can be found here.
A new Italian regulation governing health data registries and surveillance programs aims at facilitating the use of such tools for purposes of monitoring health of the population, as well as healthcare spending. A comprehensive legal instrument regulating the various categories of registries and programs was much needed. In fact, the adoption of such a regulation was envisaged by national legislation since 2012 (Section 10 of law decree 179/2012), but no implementing measures has yet been adopted. A draft of regulation has now been released by the Italian government and submitted to the State-Regions conference prior to formal entry into force. The draft has already been reviewed by the Italian Data Protection Authority.
The new regulation aims at standardizing registries and programs adopted over the years, by setting forth: (i) the entities and professionals who may access the information contained in the registries, (ii) the categories of data that are available, and (iii) the measures to be adopted to ensure the security of data in line with data protection legislation.
The goals pursued by the regulation include a better monitoring of diseases at national level and relating treatment, survival rates, mortality index, as well as the increase or decrease over time of a certain disease. The data stored in the registries should also facilitate the carrying out of epidemiological studies in specific territories and/or for specific subsets of the population. Such broad purposes would allow the data to be used in connection with scientific studies, but also for the treatment and prevention of particular diseases.
The data protection provisions enshrined in the regulation are particularly stringent, and provide that all data must be processed by individuals specifically appointed by the data controller and subject to secrecy obligations. Furthermore, the data shall be encoded in a way that does not allow the de-anonymization of the data. Only in case of adverse events and relating field actions, data may be used to contact the interested subject upon prior authorization of the national registry holder. Data breaches will also need to be reported to the Data Protection Authority.
In conclusion, the new regulation provides welcome clarity in a field where regulations have been sporadic and at times incoherent. Moreover, the new regulation seeks to govern at the same time the different legal aspects connected with registries, from healthcare monitoring to data protection. There is little doubt that the hope of the government is to optimize such instruments to better control healthcare spending and conduct a more effective assessment of therapies and products on the market.