Italian Data Protection Authority approved the first code of conduct in the public sector regulating the use of health data for educational and scientific publication purposes

By way of background, Regulation (EU) 2016/679 (General Data Protection Regulation, “GDPR”) states that bodies representing categories of controllers or processors may draft codes of conduct to govern the processing of personal data. Such a code shall be submitted to the appropriate supervisory authority, which shall provide an opinion on whether the draft fulfills the requirements of the GDPR and, if so, approve it.

On this basis, Local Healthcare Establishment ULSS 9 Scaligera and the Veneto Region (together, the “Applicants”) submitted a draft of the Code of Conduct to the Garante, which first provided some comments in September 2020 and then carried out informal discussions with the Applicants. In light of these exchanges, the Applicants submitted an updated version of the draft in November 2020, and that draft was formally approved by the Garante.

The Code of Conduct aims to help the GDPR be applied properly, particularly in the healthcare sector, by regulating the processing of health data for educational and scientific publication purposes. Such data, originally collected for diagnostic, treatment, and prevention purposes, may be processed to develop scientific knowledge and expertise and improve the quality of services offered, provided that specific measures and guarantees for the rights and freedoms of data subjects are in place.

In particular, the Code of Conduct is designed to:

• ensure, sector-wide, the effective, consistent, and uniform application of the GDPR, identifying a set of concrete rules and a proper balancing of interests between the subjects involved in the processing;
• identify the appropriate guarantees and processing methods;
• allow other bodies belonging to the National Healthcare Service to adhere to the Code of Conduct and use it as an element to demonstrate their compliance with data protection provisions.

That said, from a practical point of view, the Code of Conduct establishes, firstly, that healthcare professionals working within the organizational structure of the data controller may use personal data for educational and scientific publication only after specific anonymization or pseudonymization measures have been adopted. The main difference is that while anonymized data are no longer personal data—so, once the data is anonymized, its processing is not subject to data protection provisions—pseudonymized data are still considered personal data and their processing must comply with data protection provisions.

Annex 1 of the Code of Conduct describes in details anonymization and pseudonymization techniques, which are based on Article 29 Working Party’s Opinion 05/2014 on “Anonymization Techniques,” and highlights the relevant risks. These provisions may represent a significant benchmark for the processing of personal data in the healthcare sector. Furthermore, Annex 1 clarifies at the outset that no methodology described therein meets the criteria for effective anonymization per se, as there are inherent limitations and contextual conditions that must be considered on a case-by-case basis.

Secondly, whenever a healthcare professional intends to use health data for the purposes mentioned above, they must send a request to the DataSet Processing Center (Centro Elaborazione DataSet) established as part of the Local Healthcare Establishment’s management, using the specific form in Annex 3 to the Code of Conduct. The DataSet Processing Center will then make the information available following anonymization or pseudonymization, as appropriate.

In addition, if it is not possible to proceed with the anonymization of the data, the data controller must obtain the specific consent of the data subject, after which the data will in any case be pseudonymized. In this regard, the Code of Conduct includes both a model privacy notice (Annex 4) and the consent form to be used in case of pseudonymization (Annex 5).

In light of the above, the Garante judged that the Code of Conduct offered adequate guarantees for the protection of data subjects and, therefore, approved the draft. The approval of the Code of Conduct is surely an important step toward the possibility of a standard process for the re-use of health data for scientific research purposes. Notwithstanding this, however, there is a compelling need—on the part of Italian researchers—for shared standards and practices at a national and international level, in order to boost scientific progress and effectiveness and the usefulness of health data collected for medical reasons.