Life Sciences and Healthcare

Italy | Health and data processing for research purposes: safeguards to adopt when data subject consent cannot be obtained

Published on 25th Jun 2024

A recent law has simplified procedures for conducting retrospective observational studies
Fingerprint ID on a screen

On 5 June this year, a measure of the Italian Data Protection Authority no. 298/2024) was published in the Official Gazette, which dictates the guarantees to be observed for the processing of health data for medical, biomedical and epidemiological research purposes, in cases where it is not possible to obtain the consent of the persons concerned.

The provision became necessary after the amendment of article 110 of the Personal Data Protection Code (the Privacy Code), introduced by Law no. 56/2024, converting Law Decree no. 19 of 2/03/2024 (the National Recovery and Resilience Plan - or NRRP - Decree), published in the Official Gazette on 30/04/2024 and containing further urgent provisions for the implementation of the NRRP. 
 

The NRRP Decree

The NRRP Decree, converted into Law no. 56/2024, in Chapter X on "Urgent Provisions Concerning Investments of the Ministry of Health", introduces some amendments to the Privacy Code. In particular, article 44 provides for changes in relation to health data and, specifically: 

  • paragraph 1-bis amends article 110(1) of the Privacy Code and provides that, in cases where the processing of personal data relating to health for the purposes of medical, biomedical or epidemiological scientific research is allowed without the consent of the data subject, the Data Protection Authority shall identify the safeguards to be observed (prior consultation of the Data Protection Authority pursuant to Article 36 of the GDPR no longer being necessary); 
  • paragraph 1, which amends article 2-sexies of the Privacy Code by replacing Paragraph 1-bis and adding Paragraph 1-ter, revises the rules on the processing by interconnection of pseudonymised personal data relating to health, referring, as regards the modalities of processing and the regulation of interconnection, to decrees of the Minister of Health, to be adopted after obtaining the opinion of the Data Protection Authority for the protection of personal data; 
  • paragraph 2 specifies that the costs resulting from the implementation of paragraph 1 will be covered by the resources of the NRRP allocated to the "Health" Mission. 

Amendment to article 110 of the Privacy Code

Following the amendment introduced by the NRRP Decree, converted into no. 56/2024 , article 110 (Medical, biomedical and epidemiological research) of the Privacy Code reads as follows:  

"1. The consent of the data subject for the processing of data relating to health, for the purpose of scientific research in the medical, biomedical or epidemiological field, is not necessary when the research is carried out on the basis of provisions of law or regulation or European Union law in accordance with Article 9(2)(j) of the Regulation, including the case where the research forms part of a biomedical or health research programme provided for under Article 12-bis of Legislative Decree 30 December 1992, no. 502 , and an impact assessment is conducted and made public pursuant to Articles 35 and 36 of the Regulation. Consent is also not necessary when, for particular reasons, informing the data subjects proves impossible or involves a disproportionate effort, or risks rendering impossible or seriously prejudicing the achievement of the purposes of the research. In such cases, the data controller shall take appropriate measures to protect the rights, freedoms and legitimate interests of the data subject, the research programme shall be subject to a reasoned favourable opinion of the competent ethics committee at territorial level and shall be subject to prior consultation with the Garante pursuant to Article 36 of the Regulation. In the cases referred to in this paragraph, the Garante shall identify the guarantees to be observed pursuant to Article 106(2)(d) of this Code".

The new wording of article 110 of the Privacy Code therefore eliminates the mandatory requirement of prior authorisation of the Privacy Guarantor for research programmes. This is replaced by a requirement to comply with the guarantees indicated by the Data Protection Authority in the rules of conduct for processing data for statistical purposes or scientific research purposes.  

In particular, consent of the data subject is not necessary when the search is carried out on the basis of statutory or regulatory provisions or EU law and an impact assessment is conducted and made public pursuant to articles 35 and 36 of the GDPR; ordue to particular reasons, informing the data subjects proves impossible or involves a disproportionate effort, or risks rendering impossible or seriously prejudicing the attainment of the purposes of the research. In such cases: 

  • the data controller must take appropriate measures to protect the rights, freedoms and legitimate interests of the data subject;
  • the research programme must be subject to a reasoned favourable opinion of the competent ethics committee at territorial level.
     

In all the above cases, therefore, the Data Protection Authority identifies the guarantees to be observed in the  rules of conduct  for processing data for scientific research purposes.

Rules of conduct for processing for statistical or scientific research purposes (pursuant to articles 2-quater and 106 of the Privacy Code

With Provision  no. 298 of 9/05/2024, published in the Official Gazette no. 130 of 5/06/2024, the Data Protection Authority identified the first guarantees to be adopted for the processing of personal data for medical, biomedical and epidemiological research purposes, referring to patients who have died or cannot be contacted for reasons:

  • ethical, meaning those related to the fact that the data subject is unaware of his or her condition (that is, research for which the data processing information to be disclosed to the data subjects would entail the disclosure of information concerning the study, knowledge of which could cause material or psychological harm to the data subjects); or
  • of organisational impossibility, by which is meant due to the fact that failure to collect data from untraceable subjects, compared to the total number of subjects to be enrolled in the research, would have significant consequences for the results of the research itself;  or arising from the circumstance that contacting them would imply a disproportionate effort in view of their high numbers or, alternatively, those who at the end of all reasonable efforts to contact them turn out to be deceased or non-contactable at the time of enrolment in the study. 
     

The Data Protection Authority has ruled that in all these cases, the data controller, in addition to the existing obligation to obtain the favourable opinion of the competent ethics committee at territorial level, must

  • justify and document the ethical or organisational reasons why it was unable to obtain the consent of the persons concerned; and
  • carry out and publish the impact assessment pursuant to article 35 of the GDPR, notifying the Data Protection Authority.
     

With the same provision, the Data Protection Authority promoted the launch of the procedure for the adoption of new ethical rules for processing for statistical or scientific research purposes, inviting public and private entities entitled to subscribe to the new  rules of conduct and qualified stakeholders who wish to participate in the work to notify and provide information and documentation to protocollo@pec.gpdp.it within 60 days of the publication of the measure in the Official Journal.
 

Osborne Clarke comment

The amendment of article 110 of the Privacy Code, together with the first rules of conduct dictated by the Data Protection Authority, are of fundamental importance for the simplification of procedures for retrospective observational studies. 

As these studies are based on data collected before a decision is made to undertake scientific studies, they are often hindered by the impossibility of obtaining the consent of the person concerned. The elimination of the obligation to consult with the Data Protection Authority makes the procedure easier and definitely favours scientific research in Italy. Promoters of research projects are exempted from this requirement, which used to impose a cumbersome procedure for the authorisation of retrospective observational studies (already approved by the competent Ethics Committee).

Such a change does not adversely affect the protection of personal data and the level of accountability required, subject always to the obligation of  the data controller to analyse the risks of personal data processing in an impact assessment and to define appropriate measures to mitigate them.

Share

* This article is current as of the date of its publication and does not necessarily reflect the present state of the law or relevant regulation.

Connect with one of our experts

Interested in hearing more from Osborne Clarke?