Italy: Garante's crackdown on patient health data protection
The Italian data protection authority (‘Garante’) announced, on 6 March 2020, that it had reached an agreement with Consip S.p.a. on modifications to the rules governing calls for tenders for the purchase of medical equipment and devices, aimed at making those tenders compliant with data protection legislation. This entails the need for a Data Protection Impact Assessment (‘DPIA’) when drafting a tender or evaluating whether or not to take part in a call for tenders.
Garante recently announced new and specific measures designed to protect the health data of patients in relation to calls for tenders for the purchase of medical equipment and devices by the Public Administration. This is the result of a fruitful collaboration between the Garante and Consip (the Italian publicly-owned stock company that acts as the central purchasing body on behalf of the State). The impetus for that cooperation stems from a decision issued by the Garante in September 2019 sanctioning a public healthcare institution that unlawfully disclosed patients’ data to a company supplying medical equipment for diagnostic purposes.
As a result of the agreement between Consip and the Garante, the following measures have been implemented in calls for public tenders:
- clear identification, under a data protection point of view, of the supplier’s characteristics and role;
- a Privacy by Design approach;
- Privacy by Default and data minimisation; and
- data security measures.
Clearly determined data protection structure
Garante stated that the supplier shall act as ‘data processor’ for patients’ health data, within the meaning of the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’), and, therefore, a data processing agreement shall be included in the contract drafted for the tender. The supplier shall therefore evaluate the obligations listed in the data processing agreement pursuant to Article 28 of the GDPR and, if awarded the tender, sign the agreement. On the one hand, this evaluation should be carried out by the supplier in a thorough manner, taking into consideration its effective ability to meet the obligations. On the other hand, the controller should carry out specific audits to verify the effectiveness and accuracy of the supplier’s declaration of compliance with the requirements; that declaration is not sufficient on its own, nor in combination with the mere representations and warranties provided by the supplier.
This provision entails that, from a data protection point of view, the tender shall set out both the actual role that the supplier will have in relation to the public healthcare institution and the requirements that it shall meet. This is necessary in order to enable the supplier to become aware of the conditions underlying the call for tenders in their entirety and to evaluate them. To date, little importance has been given to the data protection aspects of contracts in public tenders: for the most part, tenders did not specify the obligations of the supplier from a data protection standpoint, nor did they lay out its role. As a consequence, all data protection legal aspects were handled at the end of the public tender procedure, once the tender was awarded and the contract executed.
Privacy by Design approach
Although the obligation to provide Privacy by Design under Article 25 of the GDPR is borne by controllers, not data processors, Garante makes explicit reference to the Privacy by Design principle with regard to the measures to be taken by the supplier (the data processor in this case) when designing the devices. Indeed, Consip shall initiate discussions with the entities interested in procurement on how to embed features in their equipment and devices to ensure that data protection principles are respected, especially with regard to remote services and maintenance of the equipment. This approach is consistent with prominent commentators’ interpretation of Article 25 of the GDPR: although it may not be immediately apparent that the Privacy by Design principle applies to the supplier designated as data processor, it becomes clear that that is the case when we consider that the controller (the public healthcare institution in this case) is always required to select equipment and devices with data protection measures embedded when determining the means of processing. Accordingly, the supplier should build a system that is both mechanically efficient and compliant with GDPR requirements; otherwise it will be held responsible in case of unlawful processing of personal data, along with the controller.
In addition to the above, under Article 28(3) of the GDPR, the data processor shall immediately inform the controller if an instruction received infringes upon the data protection provisions. It follows that if the public healthcare institution (as data controller) orders the designated supplier (as data processor) to use the equipment or medical device to process health data, the supplier will have to assess the compliance with the GDPR of such processing. That said, the supplier shall also support the data controller in carefully evaluating the need for a DPIA under Article 35 of the GDPR and, if necessary, shall support its execution before the processing.
Data minimisation and Privacy by Default
As regards the Privacy by Default principle, the public healthcare institution shall ensure that only health data that is necessary for the specific purpose is processed. That means that the data processor shall not process data that is not essential. In this respect, the Garante explicitly mentioned the Privacy by Default approach for remote services and maintenance of equipment: the supplier, acting as data processor, shall not have direct access to the patients’ personal data contained in the diagnostic images. In order to comply with this provision, the public healthcare institution should anonymise or pseudonymise the personal data provided to the supplier, unless that information is necessary for the purpose of processing and/or the economic effort to do so is disproportionate. Concerning the ongoing calls for tenders, Consip has already made modifications to include appropriate modalities for suppliers to obtain anonymised diagnostic images needed to demonstrate that the technical-functional requirements are met.
Data security procedures
Among the measures to be implemented to protect patients’ health data, a major role is played by the procedures aimed at ensuring the security of processing. Indeed, the Garante recently sanctioned a public healthcare institution following a data breach caused by unlawful access to patients’ health data by internal personnel; moreover, the inspection activity carried out by the Garante during the first half of 2020 is also focused on data breaches. Consequently, the implementation of appropriate technical and organisational security measures should be a priority for both public healthcare institutions and suppliers.
Lessons learned and practical implications
Following this crackdown, both healthcare institutions and suppliers should appropriately take into account the data protection implications of calls for tenders.
When publishing a call for tenders, a public healthcare institution shall:
- determine the characteristics and the role of the supplier, including from a data protection point of view;
- draft a data processing agreement with the supplier acting as data processor; and
- audit the supplier to verify compliance with the obligations undertaken as data processor.
The supplier shall:
- assess the obligations listed in the data processing agreement and implement the necessary measures and/or procedures;
- design the equipment or the medical devices, embedding the data protection measures needed to comply with GDPR principles;
- support the data controller in carrying out a DPIA on the envisaged processing operations, if required;
- follow a Privacy by Default approach, especially for remote services and maintenance of the equipment, for instance by means of data pseudonymisation or anonymisation; and
- implement appropriate technical and organisational security measures, in particular to prevent or mitigate the risk of data breaches.
Generally speaking, we believe these measures should be intended as useful guidelines whenever a private entity acting as a data controller is going to enter into an agreement with a third-party supplier acting as a data processor.
Decision available (in Italian only) at: https://www.garanteprivacy.it/home/docweb/-/docweb-display/docweb/9269852
F. Bravo, L’“architettura” del trattamento e la sicurezza dei dati e dei sistemi, in V. Cuffaro, R. D’Orazio, V. Ricciuto (eds.), I dati personali nel diritto europeo, Turin, 2019, 835–36.
Decision available (in Italian only) at: https://www.garanteprivacy.it/home/docweb/-/docweb-display/docweb/9269629