Data collection for research purposes may conflict with data protection in Italy

23/05/2019

Digital transformation and the use of artificial intelligence intertwine with the Gdpr. Besides, Italy has three regulatory levels - EU, national and soft law - which at times appear to contradict each other.

According to a recent study by Porsche Consulting, "Digital MedTech Transformation", digital transformation is key for all pharmaceutical companies. Today, the sector is facing radical change, as it is increasingly grounded in advanced genomics, in research based on Big Data and Digital Twins, in apps that monitor the patient's health conditions and reactions to therapies, and in the use of the Internet of Things to interact with the patient, thus customizing treatment and maximizing performance on the basis of individual reactions.

The entire sector is therefore shifting from the traditional production and marketing of products to a more advanced provision of health services.

This transformation involves all stakeholders, who are, for example, developing sophisticated Artificial Intelligence applications to improve the execution of trials and to understand how pharmaceuticals are used after market introduction. Many of those who provide information, technologies and services to health care professionals are already developing epidemiological, prescriptive and predictive analysis services based on administrative databases and registers, patient data deriving from digital media and wearables, health care programs, algorithms and artificial intelligence applications, and big data, in order to support health care professionals in making better diagnoses and prognoses.

However, in Italy this evolution now runs up against the Regulation on data protection (Gdpr) and the implementation of the amended Privacy Code.

There are two issues to address: the qualification of the data and the purpose of scientific research, which we analyze separately below.

The first issue concerns the need to assess whether the data collected for the services listed above are to be qualified as "personal data" (thus within the scope of the Gdpr and of the Privacy Code) or can be defined as "anonymous data" (outside the scope of the Gdpr). While the definition of personal data has not changed in the transition from Directive 95/46/EC to the Gdpr, the indicators for assessing when data can be considered anonymous have changed significantly.

In fact, Recital 26 of Directive 95/46/EC stated that “the principles of protection must apply to any information concerning an identified or identifiable person; whereas, to determine whether a person is identifiable, account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the said person”.

The Gdpr, on the other hand, probably due to the development of technology and to the potential of data processing and big data, provides a legal definition of "pseudonymisation" as "the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;” (Article 4(5)). The Regulation then clarifies the criteria for determining whether data is anonymous. In essence, the new formulation states that:

  • when the natural person is "identified" or "identifiable" the Gdpr must be applied to all information relating to that person;
  • pseudonymised data should only be considered as information about an identifiable natural person (and therefore within the scope of the Gdpr) when there is the possibility of it being related to a natural person through the use of additional information (if this possibility does not exist, the pseudonymised data is considered anonymous);
  • the assessment of whether a person is identifiable must consider all means reasonably available to the controller or a third party to identify that natural person directly or indirectly;
  • in order to establish the reasonable likelihood of the means of identifying the natural person being used, account should be taken of all objective factors, including the costs and time required for identification, considering both the technologies available at the time of processing and technological development.

The criteria suggested by the EU legislator were collected and further elaborated by the Italian Data Protection Authority in the recent decision "Deontological rules for processing for statistical purposes or scientific research, published pursuant to art. 20, paragraph 4, of Legislative Decree no. 101 of 10 August 2018" (in Italian "Regole deontologiche per trattamenti a fini statistici o di ricerca scientifica pubblicate ai sensi dell'art. 20, comma 4, del d.lgs. 10 agosto 2018, n. 101") of 19 December 2018 (published on 14 January 2019 in the Official Gazette no. 11).

Art. 4 states that "(b) the means reasonably available to identify a data subject regard, in particular, the following categories: economic resources; time resources; archives containing named references or other sources of information containing identification data together with a subset of variables subject to communication or dissemination; archives, even if not containing named references, that provide further information beyond the information that is subject to communication or dissemination; hardware and software needed to carry out the necessary processing to connect non-nominative information to an identified subject, also considering the effective possibility of unlawfully identifying him/her in relation to the security systems and control software adopted; knowledge of the procedures for sample extraction, imputation, correction and statistical protection adopted when producing the data". Moreover, Article 5 provides the criteria to be considered when assessing the risk of identification.

It is clear that the new regulatory framework gives specific indications on cases in which data is considered anonymous (outside the scope of the Gdpr).

The situation is much more complex when the data is considered personal and it is processed for scientific research purposes.

In fact, the Gdpr introduces a very broad definition of "scientific research" by stating in Recital 157 that "by coupling information from registries, researchers can obtain new knowledge of great value with regard to widespread medical conditions such as cardiovascular disease, cancer and depression. On the basis of registries, research results can be enhanced, as they draw on a larger population ...". Recital 159 adds that: "the processing of personal data for scientific research purposes should be interpreted in a broad manner including for example technological development and demonstration, fundamental research, applied research and privately funded research. In addition, it should take into account the Union's objective under Article 179(1) TFEU of achieving a European Research Area."

The Gdpr also establishes that the legal basis for processing for scientific research purposes is art. 9, letter j), subject to the provisions of Article 89 of the same Gdpr.

Although the EU legislator has chosen to introduce a single framework for all processing operations carried out for scientific research purposes, the Italian legislator, when adapting the Privacy Code to the Gdpr, has made the picture very complicated by distinguishing between "scientific research" (Article 89 of the Gdpr and Articles 106 and 107 of the Privacy Code) and "medical, biomedical and epidemiological research" (Articles 110 and 110-bis of the Privacy Code). Both concepts are further regulated in the aforementioned "Deontological rules for processing for statistical purposes or scientific research" and in the "Requirements relating to the processing of personal data carried out for purposes of scientific research".

Italy, therefore, now has three regulatory levels - EU, national and soft law - which should be mutually integrated but which at times appear to contradict each other, and two distinct types of processing purposes, "scientific research" and "medical, biomedical and epidemiological research", whose differences are in practice often difficult to identify.

This will presumably pose a significant problem for the pharma industry in Italy in terms of interpretation and application of the data protection legal framework.