
Italian Data Protection Authority publishes FAQs for the Scientific Institutes for Research, Hospitalisation and Healthcare

Published on 31st Jul 2024

Clarification provided on processing data used in scientific research by IRCCS


On 6 June 2024, the Italian Data Protection Authority published FAQs on “Legal requirements and main obligations for the processing of personal data collected for health care purposes for further research purposes by IRCCS”.

The FAQs provide clarifications for the processing of data by the Scientific Institutes for Research, Hospitalisation and Healthcare (IRCCS), which, according to the definition set forth in art. 1 of Legislative Decree No. 288/2003, are “entities of the National Health Service of national importance having autonomy and legal personality that, according to standards of excellence, pursue research purposes, mainly clinical and translational, in the biomedical field and in that of the organisation and management of health services and perform hospitalisation and care services of high specialisation.”

Legal requirements for processing

Specifically, the Italian Data Protection Authority's document explains the legal requirements for the processing of personal data collected for the treatment of patients for further research purposes and the requirements that IRCCS are required to comply with.

The IRCCS shall identify an appropriate legal basis for legitimate processing and an appropriate exception to the general prohibition on processing health and genetic data.

The Italian Data Protection Authority clarifies that public and private IRCCS may identify as the legal basis for processing personal data:
(i) the consent of the research participants; or 
(ii) article 110-bis, paragraph 4 of Legislative Decree No. 196/2003 (Italian Privacy Code) according to which the processing of personal data collected for clinical activity for research purposes does not constitute further processing because of the instrumental nature of the healthcare activity carried out by the aforementioned institutions.

Impact assessments

In the event that the processing is based on article 110-bis, paragraph 4 of the Italian Privacy Code, IRCCS are required to carry out a Data Protection Impact Assessment (DPIA), as required by Article 110 of the Italian Privacy Code for cases where the research is conducted according to statutory provisions, and to publish it on their website. However, the FAQs have clarified that if publishing the whole DPIA may affect intellectual property rights, trade secrets or other rights, IRCCS may publish it only in part.

If the DPIA reveals that the processing presents a high risk and in the absence of adopted measures to mitigate it, then IRCCS must carry out prior consultation with the Italian Data Protection Authority under article 36 of the GDPR.

Informing research participants

The FAQs dedicate a separate section to the different ways of informing research participants, depending on whether the data are collected from the data subjects, from internal databases within the institute, or from other participating centres.

In conclusion, the Italian Data Protection Authority specifies that article 110-bis, paragraph 4, applies to all types of medical, biomedical, epidemiological, prospective and retrospective research promoted by IRCCS, including multicentre studies, whether carried out within the research networks of IRCCS or in studies promoted by such institutes with the participation of entities that do not have such recognition.

Osborne Clarke comment

The FAQs of the Italian Data Protection Authority set out the obligation of the data controller to publish the whole DPIA, the only exemption being cases where its publication may infringe intellectual property rights, trade secrets or, in general, other rights.

At a first glance, the FAQs seem to conflict with the guidelines of the European Data Protection Board on "DPIA and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679". Those guidelines state that the published DPIA does not need to contain the whole assessment and that the published version could consist of just a summary of the DPIA’s main findings, or even just a statement that a DPIA has been carried out.

However, considering that:
(i) according to Article 35(7) and Recitals 84 and 90 of the GDPR, the DPIA shall include, among its minimum content, at least an assessment of the risks to the rights and freedoms of data subjects and the measures envisaged to address such risks; and
(ii) publishing a DPIA is not a legal requirement under the GDPR but is prescribed by Italian law only in the cases provided for by Article 110 of the Italian Privacy Code;
we deem that the FAQs discussed above shall necessarily be interpreted in a manner consistent with the guidelines of the EDPB.

The FAQs, in interpreting the obligation provided for by Article 110 discussed above, allow a publication by extract not only to protect IP rights but also trade secrets and "other" rights and legitimate interests. Those may include commercial confidential information (for example, the type of trial conducted), as well as the need to avoid a full disclosure of the risks envisaged and the security measures adopted to address them, which may affect the level of protection that the DPIA should guarantee.

We believe that, consistently with the solution adopted by the EDPB guidelines, a publication by extract may be viable and in line with the FAQs – being justified by security reasons – in those cases where a limited disclosure of the DPIA would not negatively impact the protection of the rights and freedoms of the data subjects, while a full disclosure might. What is important is that, in cases where it is decided to publish the DPIA in extract, a proper reasoning and justification in light of the FAQs is conducted and recorded.

* This article is current as of the date of its publication and does not necessarily reflect the present state of the law or relevant regulation.
