February 25, 2021

Italian Data Protection Authority approved the first code of conduct in the public sector regulating the use of health data for educational and scientific publication purposes

The Italian Data Protection Authority (“Garante”) approved the first code of conduct (Decision No. 7 of January 24, 2021, doc. Web 9535354) on how to use personal data concerning health for educational and scientific publication purposes; the code of conduct was submitted by the Veneto Region (“Code of Conduct”). This could open up new possibilities in relation to the re-use of health data for scientific research purposes.

By way of background, Regulation (EU) 2016/679 (General Data Protection Regulation, “GDPR”) states that bodies representing categories of controllers or processors may draft codes of conduct to govern the processing of personal data. Such a code shall be submitted to the appropriate supervisory authority, which shall provide an opinion on whether the draft fulfills the requirements of the GDPR and, if so, approve it.

On this basis, Local Healthcare Establishment ULSS 9 Scaligera and the Veneto Region (together, the “Applicants”) submitted a draft of the Code of Conduct to the Garante, which first provided some comments in September 2020 and then carried out informal discussions with the Applicants. In light of these exchanges, the Applicants submitted an updated version of the draft in November 2020, and that draft was formally approved by the Garante.

The Code of Conduct aims to help the GDPR be applied properly, particularly in the healthcare sector, by regulating the processing of health data for educational and scientific publication purposes. Such data, originally collected for diagnostic, treatment, and prevention purposes, may be processed to develop scientific knowledge and expertise and improve the quality of services offered, provided that specific measures and guarantees for the rights and freedoms of data subjects are in place.

In particular, the Code of Conduct is designed to:

  • ensure, sector-wide, the effective, consistent, and uniform application of the GDPR, identifying a set of concrete rules and a proper balancing of interests between the subjects involved in the processing;
  • identify the appropriate guarantees and processing methods;
  • allow other bodies belonging to the National Healthcare Service to adhere to the Code of Conduct and use it as an element to demonstrate their compliance with data protection provisions.

That said, from a practical point of view, the Code of Conduct establishes, firstly, that healthcare professionals working within the organizational structure of the data controller may use personal data for educational and scientific publication only after specific anonymization or pseudonymization measures have been adopted. The main difference is that while anonymized data are no longer personal data—so, once the data is anonymized, its processing is not subject to data protection provisions—pseudonymized data are still considered personal data and their processing must comply with data protection provisions.

Annex 1 of the Code of Conduct describes in details anonymization and pseudonymization techniques, which are based on Article 29 Working Party’s Opinion 05/2014 on “Anonymization Techniques,” and highlights the relevant risks. These provisions may represent a significant benchmark for the processing of personal data in the healthcare sector. Furthermore, Annex 1 clarifies at the outset that no methodology described therein meets the criteria for effective anonymization per se, as there are inherent limitations and contextual conditions that must be considered on a case-by-case basis.

Secondly, whenever a healthcare professional intends to use health data for the purposes mentioned above, they must send a request to the DataSet Processing Center (Centro Elaborazione DataSet) established as part of the Local Healthcare Establishment’s management, using the specific form in Annex 3 to the Code of Conduct. The DataSet Processing Center will then make the information available following anonymization or pseudonymization, as appropriate.

In addition, if it is not possible to proceed with the anonymization of the data, the data controller must obtain the specific consent of the data subject, after which the data will in any case be pseudonymized. In this regard, the Code of Conduct includes both a model privacy notice (Annex 4) and the consent form to be used in case of pseudonymization (Annex 5).

In light of the above, the Garante judged that the Code of Conduct offered adequate guarantees for the protection of data subjects and, therefore, approved the draft. The approval of the Code of Conduct is surely an important step toward the possibility of a standard process for the re-use of health data for scientific research purposes. Notwithstanding this, however, there is a compelling need—on the part of Italian researchers—for shared standards and practices at a national and international level, in order to boost scientific progress and effectiveness and the usefulness of health data collected for medical reasons.

< Back to blog
Welcome to the Portolano Cavallo Life Sciences blog focusing on legal development and key legal issues affecting the Life Sciences-Healthcare industry.
Read more
Our highly-ranked team of professionals will provide news, insights and multidisciplinary commentary on the hottest and most recent regulatory, transactional and contentious aspects of the pharmaceutical, bio-tech, med-tech, food supplement and healthcare world with an eye on its digital transformation and technological developments.

This blog will be a place for focusing on digital health, telemedicine and artificial intelligence, as well as more traditional topics: from the protection of intellectual properties to performance of clinical trials, from the market access to advertising and competition issues, from internal and criminal investigations to M&A and Venture Capital transactions.

October 6, 2023
CBD products: the Administrative Court suspended until October 24 the recent Decree of the Italian Ministry of Health listing cannabidiol for oral use among narcotic drugs, due to the lack o...
October 4, 2023
The Guidelines for regulating contractual relations between universities and research institutes and private sponsors were adopted by the relevant Italian Ministries following the amendment ...
September 21, 2023
CBS products: from September 20th, compositions for oral administration of cannabidiol obtained from Cannabis sativa extracts shall be considered as narcotic drugs in Italy, as they have bee...
July 27, 2023
Payback on medical devices: Italian government announces extension of payment deadline to October 30, 2023
July 21, 2023
On July 21, 2023, the Italian Ministry of Health published new guidelines on health advertising of self-medication drugs (OTC) and non-prescription drugs (SOP), including advertising on new ...
Search by...
Follow us on
Follow us on