
Health data: new Council of Europe guidelines

Lawyer Vincenzo Colarocco

The Council of Europe, with a recommendation adopted on 27 March (hereinafter the “Recommendation”), has provided a set of guidelines for the Member States with the aim of guiding them in the proper processing of health data.

The clear intention of the above European body is to ensure, in law and in practice, that the processing of such special categories of data under Article 9 of EU Regulation 679/2016 (“GDPR” or “Regulation”) is carried out in full respect of human rights, at a particular historical moment in which the use of new technologies is increasing rapidly[1]. This premise implies the need to set up the processing in accordance with the cornerstones on which the Regulation rests: privacy by design and privacy by default, as regulated by art. 32 of the GDPR. Therefore, the technical and organisational measures to be implemented should be incorporated from the design phase of any system that processes health data. In addition, in order to further implement these principles, the Recommendation specifies that compliance with these provisions should be regularly reviewed throughout the entire life cycle of the processing, and that the Controller must carry out, before starting the processing and at regular intervals, an assessment of the potential impact in terms of data protection and respect for privacy, including an evaluation of the measures adopted to mitigate the risk.

The Recommendation also sets out some interesting clarifications on the legal basis that could legitimise the processing of health data. Having established that the basis of such processing is the informed consent of the data subject (according to Art. 9 of the GDPR), the Recommendation also provides, alternatively, two further circumstances which would appear to exclude the prior collection of consent:

  1. when the processing is necessary for the performance of a contract concluded by the data subject with a health care professional subject to conditions defined by law, including the obligation of secrecy;
  2. when such data have been made public by the data subject himself.

With reference to the storage period (“retention”) to be applied to the category of health data, the Recommendation provides that, if adequate security measures are in place, the retention may be extended[2] when processing is envisaged for archiving purposes in the public interest, for scientific or historical purposes or, again, for research and statistics. In this latter case, the data should, in principle, be rendered anonymous as soon as the research, archiving or statistical studies allow; if this is not possible, pseudonymisation could be used to safeguard the fundamental rights and freedoms of the data subjects.

In conclusion, it is clear that the Recommendation follows the requirements of the GDPR almost to the letter; in any case, the importance and relevance of these provisions must be pointed out in light of the increasing digitisation, which necessarily also involves the processing of personal data. This phenomenon evidently leads to an improvement in medical and patient care, but inevitably causes an exponential increase in the amount of health data subjected to processing operations and, as a result, makes it necessary to apply legal and technical measures that allow effective protection of each individual.

[1] The Recommendation also outlines indications regarding the processing of health data collected through mobile devices which, whether implanted in the individual or not, may reveal information about his or her physical or mental state, or which concern any information about health care and social care benefits.

[2] That is, beyond the storage periods strictly necessary for the purpose of patient care.

Media: any information that can identify a victim of sexual violence, even indirectly, is prohibited

Lawyer Vincenzo Colarocco

The Italian Data Protection Authority has reiterated, in some recent decisions (see inter alia No. 906580790657829065800, in Italian), the principle that prohibits the media from publishing information that can make a victim of sexual violence identifiable, even indirectly.

Article 137 of the Privacy Code provided (and still provides, in the new wording introduced by Article 12, paragraph 1(c) of Legislative Decree 101/2018) that, in the event of disclosure or communication of personal data for journalistic purposes, the limitations imposed on freedom of the press to protect the rights and freedoms of persons shall remain unprejudiced, and in particular the limit of the materiality of the information with regard to facts of public interest.

The Authority stated that this limit must be interpreted with particular strictness when data suitable for identifying victims of crimes are at stake, and even more so with reference to news concerning episodes of sexual violence, given the special protection afforded by the law to the confidentiality of the persons injured by such crimes.

The dissemination, within an article, of information that makes the victim identifiable, even indirectly, conflicts with the requirements of protecting the victim’s dignity, also under Article 8, paragraph 1, of the code of practice concerning the processing of personal data in the exercise of journalistic activities.

The Authority recalled that, in the event of non-compliance with the prohibition, the data controller (in this case the publisher) may also incur the new administrative fines introduced by the GDPR in Article 83, paragraph 5(e), which can reach up to EUR 20 million or 4% of the total annual turnover of the preceding year.

Guidelines on the territorial scope of the GDPR

Lawyer Vincenzo Colarocco

Guidelines 3/2018 clarify some aspects of Article 3 of the GDPR which, as is known, requires many big players in the digital world to comply with EU data protection legislation.

In concrete terms, for instance, how can one establish when an Asian company is required to comply with the GDPR? And what about those who market their products through an e-commerce portal: is the opening of an office in Italy considered an establishment?

The EU Data Protection Authorities intervened to answer these and other more or less complex questions in order to facilitate the understanding and, therefore, the application of the legal provision. Article 3 of the GDPR lays down two main criteria: the “establishment” and the “object of processing of personal data”. If either of these two criteria is met, the relevant provisions of the GDPR will apply. Moreover, paragraph 3 governs the application of the legislation to the processing of personal data by a data controller that is not established in the European Union but in a place where Member State law applies by virtue of public international law.

Clearly, these Guidelines will have significant consequences both for institutions and for European and foreign companies. This is exactly why the European Data Protection Board submitted the text for public consultation before its final approval.

The final text is therefore awaited, and it will surely be useful in guaranteeing a proper interpretation of the EU regulation.