Legal Area: Physicians can process patients’ data for healthcare purposes without consent. Clarifications from the Italian DPA.

Key-words: GDPR - privacy - DPO - data-processing - healthcare services

In order to promote an unambiguous interpretation of the new GDPR rules on healthcare and to support medical operators in applying them properly, the Italian Data Protection Authority (DPA) explained that healthcare professionals, who are bound by professional secrecy, are no longer required to ask for patients’ consent to the processing of personal data strictly required for the healthcare service. Consent is required, instead, when data processing, even if carried out by medical professionals, is not closely related to the health service but rather serves promotional or commercial purposes: examples are health data processed by medical “Apps” and online services, or data processed for customer loyalty programmes.

The privacy policy has to be brief, clear, intelligible and easily accessible, and written in plain and clear language. Moreover, compared to pre-GDPR policies, it needs to include more information in order to safeguard the people involved, e.g. information on the data retention period which, if not specified by sectoral rules, must in any case be determined by the data controller (physician, hospital, etc.).

A section of the Authority’s provision is dedicated to the Data Protection Officer (DPO). Public bodies, as well as private operators, who perform large-scale processing of personal data for healthcare purposes are required to appoint a DPO. By contrast, self-employed medical professionals and private operators who do not perform large-scale processing (e.g. pharmacies) are exempted.

Finally, the DPA clarifies that every healthcare operator is required to keep a record of patients’ data processing in a register: this document is an essential element of “data-processing governance” and is useful for effectively identifying the activities that carry the greatest risk, in order to demonstrate compliance with the accountability principle stated in the GDPR.

Source: Garante Privacy