Data protection and health in Italy: how will the amended Privacy Code be applied in the health sector?
With regard to data protection, the major innovation in the Italian healthcare sector is that consent will no longer be required when data is processed for diagnostic and treatment purposes. There is a shift from a system focused on consent towards one centred on the purpose of processing, which is then used to identify the legal basis of that processing.
Legislative Decree n. 101, which came into force on 19 September 2018, adapts the Italian data protection system to the new EU Reg. 2016/679 (the so-called GDPR). This is the result of a very complex process that brings the Italian system, so far regulated by Directive 95/46/EC and by the Privacy Code, into compliance with the new legal structure defined by the GDPR, establishing which provisions remain in force and which ones are repealed.
The Decree modifies the Privacy Code in a “surgical” manner (creating a somewhat fragmented and difficult-to-read text) and also introduces specific articles to define time frames and procedures for amending the legal instruments (authorizations, provisions, codes of ethics, etc.) issued in implementation of the Privacy Code.
Therefore, the legal framework now consists of: the GDPR, the amended Privacy Code and the articles of Legislative Decree 101/2018 that indicate how to proceed with regard to the remaining provisions.
As mentioned above, consent is no longer required for purposes of diagnosis and treatment (Article 2-septies of the amended Privacy Code, read together with Article 9 of the GDPR). Thus the health sector shifts from a system where consent was required for everything to a system in which it is first of all necessary to identify the purpose of processing (diagnosis and treatment, research, monitoring, access to records, management of databases, controls, administrative and certification activities, etc.). Then, in light of the identified purpose, the legal basis of the data processing has to be established.
So it is a less bureaucratic framework (since consent is not needed), but it is conceptually more complex, because it requires those processing the data to analyze their processing activities in order to understand their structure and legal basis. In fact, instead of a bureaucratic obligation, there is a much more substantial requirement to choose which technical and organizational measures are best in terms of efficacy (the so-called accountability, referred to in Art. 5 GDPR).
The data subject is central in the data protection system. When the data subject receives proper and complete information, the principle of transparency (Art. 12 GDPR) is observed and the data subject is able to intervene, if he or she decides to do so.
There are some other aspects that need to be highlighted in a quick analysis (they will certainly be studied in greater detail in the coming months):
- The processing of genetic, biometric and health-related data must comply with the guarantee measures that will be established every two years by the Data Protection Authority. The provision that adopts these measures will be subject to public consultation for not less than 60 days, allowing social partners to participate in the process (Article 2-septies paragraph 3 of the amended Privacy Code).
- The general authorizations of the Data Protection Authority for the processing of sensitive data issued under the old Privacy Code will be updated by the Data Protection Authority with a provision that will be subject to public consultation (Article 21 of Legislative Decree 101/2018, the amending decree).
- The provisions of the Data Protection Authority continue to apply, but only if compatible (Article 22 par. 4 of Legislative Decree 101/2018). This could give rise to some issues, because the data controller will have to evaluate on its own whether the provisions issued in past years by the Guarantor (the Data Protection Authority) are compliant with the new legal framework, and assume responsibility for that evaluation.
- The Data Protection Authority also acquires the power to introduce simplification mechanisms for micro, small and medium enterprises with reference to the obligations of the data controller (Art. 154-bis paragraph 4 of the amended Privacy Code).
On the issue of the application of sanctions (which are economically very significant) there is no extension (nor could there be any). However, it is stated that their application will have to take into account, for the first eight months from the date of application of the decree (therefore until January 2019), that we are in an initial phase of application of the new data protection framework (Article 22 paragraph 13 of Legislative Decree 101/2018).
The regulatory framework is now complete, even if its application is likely to be complex. What professionals need to do is study it and understand how to implement it best.