POLICY BRIEF  

15 May 2024

4 Update

Chiara D’Elia – Stefano Tramacere – Andrea Blatti

SECONDARY USE OF HEALTH DATA

2° VERSION 06/05/24 CONSIDERING THE AMENDMENTS UNDER THE ITALIAN ACT 56/2024

BACKGROUND AND FIELD OF APPLICATION

Consent is the first legal basis for the processing of special categories of data, including health data, and must be free, specific, informed, and unambiguous. This concept is quite different from the informed consent to participate in a study. Statistical and scientific research purposes, however, are promoted under article 9, §2, sub j) and article 89 GDPR, as such data processing activities are considered lawful per se if specific conditions are met (e.g. pseudonymization and encryption of data flows). Regarding secondary use for scientific purposes, an interpretative issue may arise, considering that informing the data subject is in any case a pillar of research compliance activities. Moreover, article 5 GDPR states that scientific research is per se a compatible purpose of secondary use of data under the conditions stated in article 89 GDPR.
– Is the consent of the data subject required to allow secondary use of data collected and processed for a purpose different from the initial one?
– For instance, if a clinical center collects data for healthcare purposes, may a research center reuse those data for scientific research? What are the conditions for lawfully processing the data?

RELEVANT INTERPRETATIONS BY THE EU

According to an interpretation of EU law by the European Data Protection Board (EDPB), consent alone is not an appropriate legal basis for the processing of data relating to scientific research when there is a power imbalance between the data subject and the data controller, as indicated in EDPB Opinion 3/2019, CTR & GDPR. Furthermore, these interpretative perspectives are also supported by EDPB Guidelines 05/2020, which emphasize that the GDPR does not allow data controllers to ignore the crucial principle of explicitly stating the purposes for which the data subject’s consent is required. Therefore, in cases where data processing is performed for scientific research and consent to data processing cannot be fully specified, data controllers must seek alternative approaches to ensure the core requirements of consent (listed above) are effectively fulfilled.

RELEVANT INTERPRETATIONS BY THE ITALIAN DATA PROTECTION AUTHORITY (IDPA)

The IDPA recently issued a significant opinion on consent and secondary use of health data. The case concerned a hospital that had considered secondary use to be lawful based on the initial consent, deeming it compatible with the initial purpose and therefore legitimate, only receiving subsequent approval from the ethics committee. Indeed, the Italian Privacy Code provides that data processing activities for scientific research purposes may be carried out without the consent of all the patients in two cases. The first case is when, for special reasons of an objective nature, it would be impossible to ask for consent. The second case is when this operation (meaning asking for the data subjects’ consent) would involve a disproportionate effort or would risk making it impossible to attain the research aims or seriously undermining their attainment. In both cases, the data controller shall (1) submit the research project to the competent ethics committee and obtain a positive opinion; and (2) adopt appropriate measures to protect the rights, freedoms and legitimate interests of the data subject. In this regard, the Law (56/2024) converting the PNRR Decree amended article 110 of the Italian Privacy Code, removing the mandatory requirement for prior authorization to be requested from the IDPA. The amendment, however, appropriately mentions article 106, para. 2, let. d, which states that the IDPA shall indicate the deontological safeguards to be observed in cases where the consent of the person concerned may be disregarded. Pursuant to article 110 bis, the reuse of data for research purposes may follow an IDPA authorization, unless the data controller is an IRCCS (Istituti di Ricovero e Cura a Carattere Scientifico, which translates loosely to ‘Scientific Hospitals and Care Institutions’).
In this regard, concerning the processing of sensitive data such as health data, the IDPA stated that if a healthcare institution or research institute intended to carry out a study in which individually informing and obtaining consent from all patients would not be feasible due to organizational constraints, it would nevertheless be obliged to make reasonable efforts to contact them (e.g., by verifying their status, consulting clinical records, etc.). Additionally, the IDPA explicitly ruled out the compatibility of this case’s secondary use purpose with the original one. It stated that data subjects should have the ability to grant consent only within specific areas of research, in accordance with the intended purpose. The principle of the specificity and granularity of consent cannot be bypassed or compromised. On this subject, the IDPA has emphasized the importance of defined purposes for any further processing. This ensures that a solid legal basis for the processing of data for scientific research purposes can be progressively established. Hence the need to develop a new concept of consent, one that moves in a dynamic perspective and aims to simplify existing obligations in data processing.

SUGGESTIONS

  • Instead of contacting individual data subjects separately, the data controller could create legally valid and comprehensive information templates applicable to various purposes.
  • The controller would only need to contact users again if the subsequent data processing deviates from the general guidelines specified in the initial information notice.
  • In the case of a data controller being a public entity responsible for personal care, specialized channels for data reuse could be established for scientific research purposes. This would allow individual users to observe how their data are processed for research on dedicated websites, using specific digitized systems to track the complex flow of their data.