Authorisation no. 2/2008 Concerning Processing of Data Suitable for...
Authorisation no. 2/2008 Concerning Processing of Data Suitable for Disclosing Health or Sex Life - 19 june 2008 
[doc. web n. 1642045]
Authorisation no. 2/2008 Concerning Processing of Data Suitable for Disclosing Health or Sex Life - 19 june 2008
The Garante per la protezione dei dati personali
Having convened today, with the participation of Prof. Francesco Pizzetti, President, Mr. Giuseppe Chiaravalloti, Vice-President, Mr. Mauro Paissan and Mr. Giuseppe Fortunato, Members, and Mr. Giovanni Buttarelli, Secretary-General;
Having regard to Legislative Decree no. 196 of 30 June 2003, containing the personal data protection Code;
Having regard to, in particular, Section 4(1), letter d), of the abovementioned Code, in which sensitive data are referred to;
Whereas under Section 26(1) of the Code private bodies and profit-seeking public bodies may only process sensitive data upon authorisation by this Authority and, where necessary, after obtaining the data subjects´ written consent, subject to compliance with the conditions and limitations set out in the Code as well as in laws and regulations;
Having regard to Section 76 of the Code, under which health care professionals and public health care organisations may process personal data suitable for disclosing health without the data subject’s consent, also within the framework of an activity carrying a substantial public interest as per Section 85 of the Code, subject to the Garante’s authorisation, if the processing concerns data and operations that are indispensable for the purpose of protecting a third party’s and/or the community’s health or bodily integrity;
Whereas the processing of the data in question may be authorised by the Garante also ex officio by way of general provisions applying to specific categories of controller and/or processing (Section 40 of the Code);
Whereas the general authorisations that have been issued so far have proved to be suitable tools in order to lay down harmonized safeguards for the benefit of data subjects, and have made it unnecessary for many data controllers to request individual authorisation decrees;
Whereas it is appropriate to grant new authorisations replacing those due to expire on June 30, 2008 by streamlining their provisions in the light of the experience gathered so far;
Whereas it is appropriate for these new authorisations to be also provisional and time-limited in pursuance of Section 41(5) of the Code and, in particular, to be effective for an eighteen-month term;
Whereas it is necessary to ensure compliance with principles aimed at minimising the risk of affecting or endangering, through the processing, fundamental rights and freedoms and human dignity, with particular regard to the right to personal data protection set out in Section 1 of the Code, said principles being taken into account by having also regard to the recommendations adopted by the Council of Europe in connection with medical data, in particular to Recommendation No. R(97)5 providing that medical data should be processed, as a rule, only within the framework of health care or else on the basis of the same confidentiality and effectiveness rules as apply to the health care sector;
Whereas a considerable number of processing operations suitable for disclosing health and sex life are performed for prevention and/or treatment purposes, the management of social and health care services, scientific research purposes, or the provisions of services, goods or benefits to data subjects;
Having regard to Section 167 of the Code;
Having regard to Section 11(2) of the Code, whereby any data that is processed in breach of the relevant provisions applying to personal data processing may not be used;
Having regard to Section 31 and following ones in the Code, and to the Technical Specifications contained in Annex B to the Code, setting out rules and specifications in respect of security measures;
Having regard to Section 41 of the Code;
Having regard to official records;
Having regard to the considerations made by the Secretary General on behalf of the Office, in pursuance of Section 15 of the Rules of Procedure of the Garante (no. 1/2000);
Acting on the report submitted by Prof. Francesco Pizzetti;
a) health care professionals to process data suitable for disclosing health, whenever said data and processing operations are indispensable to safeguard bodily integrity and health either of a third party or of the community as a whole, and the data subject has not given his/her consent or cannot give it on account of his/her being nowhere to be found;
b) private health care organisations and any other private entity to process data suitable for disclosing health and sex life with the data subject´s consent;
c) public health care bodies, also when set up at an University, including public bodies acting in their capacity as health care authorities, to process data suitable for disclosing health whenever all of the following conditions are fulfilled:
1) the processing is aimed at protecting bodily integrity and health either of a third party or of the community as a whole;
2) consent is missing (pursuant to Section 76(1), letter b), of the Code), as the data subject has not given it or cannot give it on account of his/her being nowhere to be found;
3) no administrative activities are involved as related to prevention, diagnosis, treatment, and rehabilitation in pursuance of Section 85, paragraphs 1 and 2, of the Code;
d) entities other than those mentioned under a), b) and c) to process data suitable for disclosing health and sex life if the processing is necessary to protect a third party’s life or bodily integrity. If the latter purpose is sought in respect of the data subject and the latter cannot give his/her consent because he/she is physically unable to do so, legally incapacitated, or unable to distinguish right and wrong, the relevant consent shall be given either by an entity legally representing the data subject or by a next of kin, a family member, a person cohabiting with the data subject, or, failing these, the manager of the institution where the data subject is resident.
The requirements laid down in Sections 13, 23, 26, and 75 to 82 of the Code shall also apply to the provision of information to data subjects as well as to obtaining their consent, if necessary.
1) Scope of Application and Purpose(s) of the Processing
1.1. This authorisation shall be granted:
a) to physicians, chemists, dental surgeons, psychologists, and all other health care professionals who are included in the relevant rolls or registers;
b) to nursing, engineering and rehabilitation staff in the health care sector where such staff operate as self-employed professionals;
c) to private health care institutions and organisations, even if they do not operate under contract with the National Health Service.
In the above cases, the authorisation shall be granted also to allow the relevant addressees to comply or enforce compliance with specific obligations or else to discharge specific tasks as provided for by laws, Community legislation or regulations, with particular regard to public health care and hygiene, occupational disease and accident prevention, medical treatment and diagnosis, including organ and tissue transplantation, rehabilitation of the physically and mentally disabled or incapacitated, preventive treatment of infectious and endemic diseases, mental health protection, pharmaceutical assistance, health care in connection with schools, health care in respect of sports activities, and investigations - pursuant to law - into the offences that are referred to in the legislation applying to sports. Processing may also concern the drafting of medical records, certifications and other medical documents, or else of other documents relating to administrative management whenever this is required for the aforementioned purposes.
If organisational or administrative management tasks are to be discharged for achieving the above purposes, the addressees of this authorisation shall require the processors and the persons in charge of the processing who have been entrusted with said tasks to abide by the same confidentiality rules as are incumbent on themselves, also in accordance with Section 83(1) of the Code.
1.2. This authorisation shall also be granted:
a) to natural or legal persons, bodies, associations and other private entities for scientific research purposes, including statistical purposes, if the research is aimed at protecting the health of the data subject, third parties or the community as a whole in the medical, biomedical or epidemiological field, whenever the relationships between risk factors and human health are to be assessed also in connection with clinical drug trials on humans or investigations are scheduled concerning diagnostic, therapeutic or preventive medicine activities or else with regard to the utilisation of health care facilities, and the availability of exclusively anonymous data concerning population samples does not allow achieving the purposes of said research. In these cases the data subjects´ consent shall be required as per Sections 106, 107, and 110 of the Code and the data, once collected, shall be processed in such a way as to prevent data subjects from being identified even indirectly, unless matching of the research data with the data subjects’ identification data is performed on a temporary basis, is fundamental for the research purposes, and is accounted for in writing. Research findings may only be disclosed in anonymous form.
The provisions set out in Section 98 of the Code are hereby left unprejudiced;
b) to voluntary or assistance organisations with regard to such data and operations as are indispensable for specific, legitimate purposes laid down, in particular, in the relevant by-laws;
c) to rehabilitation and support centres, nursing homes, and specialised clinics with regard to such data and operations as are indispensable for specific, legitimate purposes laid down, in particular, in the relevant by-laws;
d) to recognised religious bodies, associations, and organisations with regard to such data and operations as are indispensable for specific, legitimate purposes in compliance with Section 26(4), letter a), of the Code, subject to the provisions set out in Section 26(3), letter a) and Section 181(6) of the Code concerning religious denominations, as well as with Authorisation no. 3/2008;
e) to natural and legal persons, businesses, bodies, associations and other entities with regard to such data – including, if necessary, those concerning sex life – and operations as are indispensable to fulfil obligations, including pre-contractual obligations, resulting from a relationship that entails the supply of goods and/or services to the data subject. Where the said relationship concerns credit institutions and/or insurance companies, or if it has to do with securities, only such data and operations shall be considered to be indispensable as are required to supply specific products or services pursuant to a request by the data subject. The relationship may also concern the supply of visual, hearing or walking aids;
f) to natural and legal persons, bodies, associations and other entities running sports facilities or centres with regard to the data and operations that are indispensable to assess fitness for participation in sports or competitive activities;
g) to natural and legal persons and other bodies as regards the data of recipients and donors and the operations that are indispensable for performing organ and tissue transplantation and/or blood donations.
1.3. This authorisation shall also be granted in case the processing of data suitable for disclosing health and sex life is necessary
a) to carry out the investigations by defence counsel as per Act no. 397 of 07.12.2000 or else to establish or defend a legal claim also by third parties, including administrative proceedings and arbitration or settlement proceedings in the cases referred to in laws, Community legislation, regulations or collective agreements, providing the said claim either is of an equal level compared with the data subject´s one or consists in a personal right or another fundamental, inviolable right or freedom and the data are processed exclusively for said purposes and for no longer than is absolutely necessary therefor;
b) to fulfil or enforce fulfilment of specific obligations, or else to discharge specific tasks as provided for by Community legislation, laws, regulations or collective agreements for the management of employer-employee relationships, as well as by the legislation related to social security and welfare and occupational or population hygiene and safety, to the extent this is provided for in the Garante’s general authorisation no. 1/2008, subject to the requirements laid down in the code of conduct and professional practice referred to in Section 111 of the Code.
1.4. Processing of genetic data shall be authorised further in compliance with the terms and conditions referred to in the Authorisation dated 22 February 2007 as published in the Official Journal no. 65 of 19 March 2007.
2) Categories of Processed Data
Prior to starting and/or continuing the processing, information systems and software shall be configured by minimising the use of personal and/or identification data in such a way as to prevent their processing if the purposes sought in the individual cases can be achieved by using either anonymous data or suitable mechanisms to allow identifying data subjects exclusively when necessary – as provided for in Section 3 of the Code.
Processing may concern the data that are closely relevant to the obligations, tasks or purposes referred to above, where they cannot be fulfilled, on a case by case basis, by processing either anonymous data or personal data of a different kind, and may include the information relating to medical history.
Any information concerning unborn children, which must be regarded as personal data in pursuance of the aforementioned Council of Europe Recommendation No. R(97)5, shall also fall within the scope of application of this authorisation.
3) Processing Mechanisms
Without prejudice to the obligations laid down in Sections 11 and 14 of the Code, in Section 31 and following ones of the Code, and in Annex B) to the latter, processing of sensitive data shall only be carried out via such operations and on the basis of such logic and organisational data arrangements as are absolutely indispensable with regard to the obligations, tasks and purposes referred to above.
The data shall be collected, as a rule, from the data subject.
The data shall be communicated as a rule either directly to the data subject or to the latter’s delegate subject to the provisions made in Section 84(1) of the Code, by using a closed envelope; alternatively, suitable measures shall be taken in order to prevent unauthorised persons from having access to said data, including the requirement of waiting to be served at a reasonable distance.
The consent related to information on unborn children shall be given by the expectant mother. Having become of age, the data subject shall be provided with the relevant information notice also in order to obtain his/her consent anew whenever the latter is necessary (Section 82(4) of the Code).
4) Data Retention
In compliance with the obligation referred to in Section 11(1), letter e), of the Code, the data may be kept for no longer than is necessary to fulfil the obligations or discharge the tasks referred to above, or else to achieve the purposes mentioned therein. To that end it shall be verified, also by way of regular controls, that the data are closely relevant, not excessive, and indispensable with regard to the existing, planned or terminated relationship, performance or tasks as also regards the data supplied on the data subject’s initiative. Any data that is found to be either excessive or irrelevant or non indispensable, also based on said verification, may not be used except with a view to keeping – as required by law – the instrument and/or document containing the data in question. Special attention shall be paid to indispensability of the data related to entities other than those that are directly concerned by fulfilment of the abovementioned obligations and/or tasks.
5) Data Communication and Dissemination
Subject to the provisions made in point 9 of the aforementioned authorisation dated 22 February 2007 concerning genetic data, data suitable for disclosing health may be communicated - exclusively to the extent that they are relevant to the obligations, tasks and purposes referred to under 1) - to public and private bodies including private health insurance funds, businesses carrying out activities that are closely related either to the exercise of health care professions or to the supply of goods and services to the data subject, credit institutions and insurance companies, voluntary associations or organisations, and the data subject´s family members.
Under Section 22(8) and Section 26(5) of the Code, data suitable for disclosing health may not be disseminated.
No data suitable for disclosing sex life shall be disseminated unless dissemination concerns data that have been made manifestly public by the data subject and the data subject did not object thereafter to said dissemination on legitimate grounds.
6) Authorisation Requests
No request for authorisation shall have to be lodged with the Garante by a data controller falling within the scope of application of this authorisation, if the proposed processing is in line with the above provisions.
The authorisation requests received prior to and/or after the date of adoption of this provision shall be regarded as granted insofar as they comply with the requirements laid down herein.
No authorisation requests concerning processing operations that are not in line with the provisions set out herein shall be taken into consideration by the Garante, unless they are to be granted under Section 41 of the Code on account of special and/or exceptional circumstances that are not referred to in this authorisation such as, for instance, the fact that obtaining consent entails an effort that is manifestly disproportionate by having regard, in particular, to the number of the individuals involved.
7) Final Provisions
Any laws, regulations or Community rules imposing prohibitions or restrictions on the processing of personal data shall be left unprejudiced, especially as regards:
a) Section 5(2) of Act no. 135 of 05.06.90, as amended by Section 178 of the Code, under which the statistical assessment of HIV-related infections is to be carried out in such a way as not to allow identification of the persons concerned;
b) Section 11 of Act no. 194 of 22.05.78, under which hospitals, specialised clinics or out-patient clinics where medical abortions are performed must provide the physician competent for the provincial district with a statement omitting any reference to the woman´s identity;
c) Section 734-bis of the Criminal Code, which prohibits disclosure of particulars or images relating to a person who has been the victim of sexual violence without the person´s consent.
Further, this authorisation shall be without prejudice to the prohibition to disclose, on no legitimate grounds, and use, with a view to gain for oneself or another, information to which professional secrecy applies; the professional duties that are laid down, in particular, in the Code of medical ethics adopted by the National Federation of the Rolls of Physicians and Dental Surgeons shall also be left unprejudiced.
Finally, the possibility to disclose anonymous data, whether aggregated or not, and include them into publications for scientific, educational, preventive or information purposes in the medical sector shall also be left unprejudiced.
8) Effectiveness and Transitional Provisions
This authorisation shall be effective as of July 1, 2008 until December 31, 2009 subject to such amendments as the Garante may decide to make on account of regulatory developments concerning this subject matter.
This authorisation shall be published in the Official Journal of the Italian Republic.
Done in Rome, this 19th day of June 2008.