


The Italian data protection authority publishes FAQs for access to data contained in medical records


published on 21 January 2025 | reading time approx. 4 minutes


In December 2024, following a number of complaints from data subjects about the failure of healthcare centers to provide them, free of charge, with a copy of their medical records, the Italian Data Protection Authority provided clarifications on how to properly handle requests for access pursuant to Article 15 GDPR with reference to such documents and information, publishing specific FAQs.

As is well known, pursuant to Art. 15(1) of the GDPR, the data subject has the right to obtain from the data controller confirmation as to whether or not personal data relating to him or her are being processed and, if so, to obtain access to the personal data and the following information:
  • the purposes of the processing;
  • the categories of personal data concerned;
  • the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular if recipients in third countries or international organisations;
  • where possible, the period for which the personal data are to be retained or, if this is not possible, the criteria used to determine that period;
  • the existence of the data subject's right to request from the controller the rectification or erasure of personal data or the restriction of the processing of personal data concerning him or her or to object to their processing;
  • the right to lodge a complaint with a supervisory authority;
  • where the data are not collected from the data subject, all available information as to their source;
  • the existence of an automated decision-making process, including profiling as referred to in Article 22(1) and (4), and, at least in such cases, meaningful information on the logic used, as well as the significance and the envisaged consequences of such processing for the data subject.

According to paragraph 3 of the provision, when the right is exercised the data controller is obliged to provide a copy of the personal data processed, and if the data subject makes the request by electronic means, the information must be provided in a commonly used electronic format. What does this specific obligation of the data controller translate into when the data controller is a hospital and the data subject's request concerns the documents contained in the medical record?
 
First of all, the Italian Data Protection Authority has clarified that the data subject, with his or her request, may access and obtain a copy of the personal data processed: only in cases where it is necessary to ensure the accuracy, completeness and intelligibility of the information requested must the data controller provide a full copy of the documents containing such data (in this sense, the Data Protection Authority cites the recent CJEU judgment in Case C-307/22 of 26 October 2023). Therefore, the data controller should assess, on a case-by-case basis, whether such a need actually exists for the data subject, in order to calibrate its response and, above all, to be able to authorise the specific handling arrangements (with all that this entails in operational terms).

Article 12(5) GDPR, on this point, states that if the data subject's requests are manifestly unfounded or excessive, the data controller may charge a reasonable fee, taking into account the administrative costs incurred in providing the information or communication or taking the requested action, or may directly refuse to comply with the request, demonstrating that it is manifestly unfounded or excessive. The Italian DPA, therefore, recalled in its FAQs that the data subject cannot claim to obtain a free copy of all the documents contained in the medical record: with his or her request for access, the data subject is only entitled to receive a free copy of the personal data, and therefore not necessarily a copy of every document contained in that file. Moreover, only the first copy of the data is provided free of charge; a modest fee may be charged for subsequent copies.

How should cases where the access request is generic be handled? The Italian DPA's FAQs refer to the EDPB's Guidelines 1/2022: since the GDPR does not lay down formal requirements for submitting requests for access to personal data under Article 15, data controllers are advised to show a certain leniency towards applicants. Clearly, if the request were completely incomprehensible and therefore could not be handled easily, the data controller would have to ask the data subject to specify the subject of the request, or in any case to describe it in more detail: this scenario could, moreover, justify an extension of the time limit for handling the request, which would then be postponed by a further 30 days from the time of the data controller's interlocutory response.

In the light of the Italian DPA's FAQs, it is therefore suggested that healthcare centers verify and, where necessary, update their policies on the management of data subjects' requests, as well as adequately inform and train the staff involved in these processes, while at the same time considering the adoption of automated tools to support them.

DATA PROTECTION BITES

Author: Chiara Benvenuto, Avvocato, Senior Associate, Rödl & Partner Italy