February 25, 2021

Italian Data Protection Authority approved the first code of conduct in the public sector regulating the use of health data for educational and scientific publication purposes

The Italian Data Protection Authority (“Garante”) approved the first code of conduct (Decision No. 7 of January 24, 2021, doc. Web 9535354) on how to use personal data concerning health for educational and scientific publication purposes; the code of conduct was submitted by the Veneto Region (“Code of Conduct”). This could open up new possibilities in relation to the re-use of health data for scientific research purposes.

By way of background, Regulation (EU) 2016/679 (General Data Protection Regulation, “GDPR”) states that bodies representing categories of controllers or processors may draft codes of conduct to govern the processing of personal data. Such a code shall be submitted to the appropriate supervisory authority, which shall provide an opinion on whether the draft fulfills the requirements of the GDPR and, if so, approve it.

On this basis, Local Healthcare Establishment ULSS 9 Scaligera and the Veneto Region (together, the “Applicants”) submitted a draft of the Code of Conduct to the Garante, which first provided some comments in September 2020 and then carried out informal discussions with the Applicants. In light of these exchanges, the Applicants submitted an updated version of the draft in November 2020, and that draft was formally approved by the Garante.

The Code of Conduct aims to help the GDPR be applied properly, particularly in the healthcare sector, by regulating the processing of health data for educational and scientific publication purposes. Such data, originally collected for diagnostic, treatment, and prevention purposes, may be processed to develop scientific knowledge and expertise and improve the quality of services offered, provided that specific measures and guarantees for the rights and freedoms of data subjects are in place.

In particular, the Code of Conduct is designed to:

  • ensure, sector-wide, the effective, consistent, and uniform application of the GDPR, identifying a set of concrete rules and a proper balancing of interests between the subjects involved in the processing;
  • identify the appropriate guarantees and processing methods;
  • allow other bodies belonging to the National Healthcare Service to adhere to the Code of Conduct and use it as an element to demonstrate their compliance with data protection provisions.

That said, from a practical point of view, the Code of Conduct establishes, firstly, that healthcare professionals working within the organizational structure of the data controller may use personal data for educational and scientific publication only after specific anonymization or pseudonymization measures have been adopted. The main difference is that while anonymized data are no longer personal data—so, once the data is anonymized, its processing is not subject to data protection provisions—pseudonymized data are still considered personal data and their processing must comply with data protection provisions.

Annex 1 of the Code of Conduct describes in details anonymization and pseudonymization techniques, which are based on Article 29 Working Party’s Opinion 05/2014 on “Anonymization Techniques,” and highlights the relevant risks. These provisions may represent a significant benchmark for the processing of personal data in the healthcare sector. Furthermore, Annex 1 clarifies at the outset that no methodology described therein meets the criteria for effective anonymization per se, as there are inherent limitations and contextual conditions that must be considered on a case-by-case basis.

Secondly, whenever a healthcare professional intends to use health data for the purposes mentioned above, they must send a request to the DataSet Processing Center (Centro Elaborazione DataSet) established as part of the Local Healthcare Establishment’s management, using the specific form in Annex 3 to the Code of Conduct. The DataSet Processing Center will then make the information available following anonymization or pseudonymization, as appropriate.

In addition, if it is not possible to proceed with the anonymization of the data, the data controller must obtain the specific consent of the data subject, after which the data will in any case be pseudonymized. In this regard, the Code of Conduct includes both a model privacy notice (Annex 4) and the consent form to be used in case of pseudonymization (Annex 5).

In light of the above, the Garante judged that the Code of Conduct offered adequate guarantees for the protection of data subjects and, therefore, approved the draft. The approval of the Code of Conduct is surely an important step toward the possibility of a standard process for the re-use of health data for scientific research purposes. Notwithstanding this, however, there is a compelling need—on the part of Italian researchers—for shared standards and practices at a national and international level, in order to boost scientific progress and effectiveness and the usefulness of health data collected for medical reasons.

< Back to blog
Welcome to the Portolano Cavallo Life Sciences blog focusing on legal development and key legal issues affecting the life sciences and healthcare industry.
Read more
Our highly-ranked team of professionals will provide news, insights and multidisciplinary commentary on the hottest and most recent regulatory, transactional and contentious aspects of the pharmaceutical, bio-tech, med-tech, food supplement and healthcare world with an eye on its digital transformation and technological developments.

This blog will be a place for focusing on digital health, telemedicine and artificial intelligence, as well as more traditional topics: from the protection of intellectual properties to performance of clinical trials, from the market access to advertising and competition issues, from internal and criminal investigations to M&A and venture capital transactions.

March 20, 2023
Today, Regulation (EU) 2023/607 extending the transitional provisions for the placing on the market and putting into service of certain medical devices and in vitro diagnostic medical device...
January 31, 2023
Clinical trials: Ministry of Health signed off on decrees that (i) reorganize ethics committees and coordinate their activities, (ii) determine the single tariff for the authorization proced...
December 19, 2022
On 13 December 2022, EMA, European Commission and HMA jointly adopted a recommendation paper on the introduction of decentralised elements in the conduct of Clinical Trials in the EU/EEA
September 21, 2022
Payback for medical devices: Decree quantifying the exceeding of the expenditure ceiling for medical devices at national and regional level for the years 2015, 2016, 2017 and 2018 published ...
September 1, 2022
The 2021 annual law for market and competition addressing, as to the healthcare sector, reimbursement of drugs, intermediate distribution, patent linkage and institutional accreditation of p...
Search by...
Follow us on
Follow us on