


Privacy in healthcare

In its memo of March 7, 2019, the Italian Data Protection Authority provided clarifications pending the completion of the regulatory framework for the health sector, which will take place through the adoption of specific guarantee measures and deontological rules (Articles 2-septies and 2-quater of the Codice privacy).


CONSENT

Consent for processing health data is not required for:

  • Reasons of public interest based on EU or Member State law (Article 9, paragraph 2, letter g);
  • Reasons of public interest in the area of public health (Article 9, paragraph 2, letter i);
  • Purposes of care (Article 9, paragraph 2, letter h): if the processing is carried out by a professional subject to professional confidentiality or another obligation of secrecy, consent is not required, unlike under the previous rules (this applies both to employees of public or private structures and to freelance professionals).

 

However, for processing that relates to the purpose of care only in a broad sense and is not strictly necessary for it, the consent of the data subject or another specific legal basis is required (Articles 6 and 9, paragraph 2, of the GDPR).

 

The explicit consent of the data subject is required for:

  • Processing for the use of medical apps;
  • Processing carried out for customer loyalty purposes;
  • Processing carried out by private legal entities for promotional or commercial purposes;
  • Processing carried out by health professionals for commercial or electoral purposes (Measure of 6 March 2014, point 5.4.2.A: data collected by health professionals in the course of health protection activities may not be used for electoral propaganda or related political communication, e.g. when a health professional is a candidate in an election and uses the data collected for his or her election campaign);
  • Processing carried out with the Electronic Health Record;
  • Processing carried out through the Health Dossier (Dossier Sanitario). Consent is required by guidelines issued before the Regulation became applicable (the Italian Data Protection Authority will in future identify measures allowing such processing to be carried out without the consent of the data subject);
  • Online medical reporting, where the consent of the data subject is required by sector regulations (D.P.C.M. 8.8.2013, Article 5).


In addition, the Italian Data Protection Authority provides the following clarifications:


DATA PROTECTION NOTICE

Information provided progressively

Beyond the obligation to communicate to data subjects the information required by Articles 13 and 14 of the Regulation, it is recommended to provide this information progressively (e.g. first give all patients only the information concerning the ordinary activity of providing health services; later, provide the information on particular processing operations relating to additional services only to the patients actually interested in those services).

 

DATA RETENTION

The data subject must be informed of the data retention period; this information may also be provided by indicating the criteria used to determine that period.
The many cases in which the retention period is set by sector legislation have not been modified by the privacy regulation and therefore remain in force.
Examples:

  • 5 years, for the certificate of fitness for competitive sports activity;
  • Unlimited, for the preservation of medical records;
  • Not less than ten years, for radiological imaging documentation.


Where the retention period is not established by any regulatory provision, the controller, in accordance with the principle of accountability, must set a period that does not exceed what is needed to achieve the purposes for which the data are processed, and must indicate that period, or the criteria for determining it, in the data protection notice.

 

DPO

The designation of a DPO is mandatory for all healthcare facilities, both public and private, including private hospitals and nursing homes.
Only individual health professionals are exempt from this obligation, because they do not carry out large-scale processing. Pharmacies, parapharmacies, orthopaedic and health care companies are likewise not obliged to appoint a DPO if they do not carry out large-scale processing.


RECORDS OF PROCESSING ACTIVITIES

All controllers who carry out processing in the health sector must have a Record of Processing Activities.

Contact

Nadia Martini, Avvocato, Partner