
Guidelines on processing personal data for dissemination and publication on exclusively health-related web sites


[doc. web n. 1879894]


Published in Italy's Official Journal no. 42 dated 20 February 2012

THE ITALIAN DATA PROTECTION AUTHORITY,

Having convened today in the presence of Prof. Francesco Pizzetti, President, Mr. Giuseppe Chiaravalloti, Vice-President, Mr. Mauro Paissan and Mr. Giuseppe Fortunato, Members, and Mr. Daniele De Paoli, Secretary General;

Having regard to the Italian personal data protection Code (decree no. 196 dated 30 June 2003, hereinafter "the Code");

Whereas reliance on the web for health-related issues is increasingly widespread and concerns an ever-growing number of users, including physicians, who can exchange information and opinions and share their scientific and human experiences via the Internet;

Whereas the said exchange of information and experiences is especially helpful and important with a view to sharing not only scientific know-how, but also personal contacts, as well as in order to set up solidarity and support relations among users;

Whereas, however, the processing of sensitive data on the Net, in particular any data relating to users' health, entails risks to fundamental rights and freedoms as well as to the users' dignity because of the sensitiveness of the information at issue as well as on account of the features of the Internet;

Whereas it is necessary against this backdrop to raise awareness of and attention to the appropriate processing of personal and/or sensitive data;

Having regard to the considerations by the Office as submitted by the Secretary General in pursuance of Article 15 of the Garante's Rules of Procedure no. 1/2000;

Acting on the Report submitted by Prof. Francesco Pizzetti;

RESOLVES

1. To adopt the attached document, containing "Guidelines on processing personal data for dissemination and publication on exclusively health-related web sites", which is an integral part hereof (Attachment 1);

2. To forward a copy of this Resolution to the Ministry of Justice – Ufficio leggi e decreti in order for it to be published in the Official Journal of the Italian Republic under section 143(2) of the Code.

Done in Rome, this 25th day of the month of January 2012

THE PRESIDENT
Pizzetti

THE RAPPORTEUR
Pizzetti

THE SECRETARY GENERAL
De Paoli

ITALIAN DATA PROTECTION AUTHORITY

GUIDELINES ON PROCESSING PERSONAL DATA FOR DISSEMINATION AND PUBLICATION ON EXCLUSIVELY HEALTH-RELATED WEB SITES

Table of Contents

1. Foreword

2. Scope

3. Processing of Personal Data on Exclusively Health-Related Web Sites

4. Requirements Applying to Site Managers

4.1. Web Sites Dealing Exclusively with Health-Related Issues and Requiring User Registration

4.1.1. Information Notice

4.1.2. Specific "Risk Notice"

4.1.3. Exercise of Data Protection Rights

4.1.4. Security Measures

4.2. Web Sites Dealing Exclusively with Health-Related Issues That Do Not Require User Registration

4.2.1. Specific "Risk Notice"

1. Foreword
Reliance on the web in connection with health-related issues is increasingly widespread.

The fact that information, recommendations, comments and stories are shared daily by users on health-related web sites testifies to the usefulness and value of this experience in terms both of pooling scientific knowledge and of making available an area for mutual support and help.

This is partly why it is appropriate for the processing of personally identifying and/or sensitive data relating to users on exclusively health-related web sites – where one can ask for advice, exchange information, and share comments – to be performed in compliance with personal data protection legislation – by ensuring, in particular, that the data in question are relevant and not excessive and that they are processed fairly and in good faith (see section 11 of the Code) – as well as in accordance with the specific guidance contained in this document.

With these Guidelines, the Italian DPA is providing guidance and recommendations to prevent the risks arising from the publication and dissemination of health-related data on the Internet and, in particular, to prevent the inappropriate exposure of individuals and their most intimate information on the Net. Additionally, these Guidelines are aimed at enabling users to more knowledgeably participate in these forums to exchange information and provide mutual support.

2. Scope
These Guidelines apply to the managers of web sites that deal exclusively with health-related issues (such as specific forums and blogs, specific sections in portals containing health care information, social networks dealing with health-related issues via ad-hoc profiles that may be created by private entities for raising awareness and/or exchanging views) as addressed merely in the context of disseminating knowledge of and popularizing such issues – not only with regard to the information and comments exchanged by users, but also in respect of the recommendations and/or "medical expert" advice requested by those users.

Accordingly, these Guidelines do not apply to online health care and telemedicine services, which fall conversely within the scope of medical practice as such.

3. Processing of Personal Data on Exclusively Health-Related Web Sites
By having regard to the various web sites that deal exclusively with health-related issues, one can draw a basic distinction between the sites that require users to be registered in order to contribute/participate and those sites that do not require such registration.

a. As regards any site requiring user registration, which collects the relevant data such as the user's name and email address, birth date, domicile, residence, or any other identifying information, the site manager is recommended to also adopt the measures described hereinafter in paragraph 4.1. on top of those imposed currently by personal data protection legislation;

b. As regards any site that does not require user registration, the site manager is recommended to in any case implement security arrangements such as to prevent the risks related to publication and dissemination on the web of data relating to users' health, in particular by way of the risk notice mentioned in paragraph 4.2.1 below.

4. Requirements Applying to Site Managers

4.1. Web Sites Dealing Exclusively with Health-Related Issues and Requiring User Registration

4.1.1. Information Notice (section 13 of the Code)
Under section 13 of the Code, the manager of a website that requires user registration must do the following as a data controller:

- He must inform data subjects before they fill out the respective registration forms. The relevant information notice should be available at all times via an ad-hoc page on the web site;

- He must specify for what purposes the data are being collected and how they will be processed;

- He must specify which registration data are necessary to participate in the web site's activities and which data are conversely optional;

- He must specify for how long the personal data will be kept once collected;

- He must mention the rights set forth in section 7 of the Code and always include his contact details (or those of the data processor, if appointed) in a visible, easy-to-locate manner so as to enable data subjects to exercise the rights as per Section 7 of the Code by applying to either of them;

- He must urge users to confirm that they have read the information notice before registering, by ticking a specific box.

4.1.2. Specific "Risk Notice"
Taking account of the peculiarly sensitive nature of the personal data processed by web sites that deal exclusively with health-related issues, the manager of such web sites is required to also provide a specific "Risk Notice".

The notice in question is intended to draw the users' attention to the risk of their being identified along with the respective disease(s) if they enter sensitive data along with their personally identifying information. The notice is also aimed at informing users of the measures required to protect their privacy both during registration and when entering data in the web area(s) they can visit.

a. As for registration data, it is recommended that website managers should:

- Specify that users may fail to enter their first and last names upon registration if they wish to remain anonymous; in that case, they may use a nickname that should not make them identifiable;

- Specify that contact information such as an email address, to be provided in some cases at the time of registration, will not be published automatically on the website jointly with users' comments.

b. As for the contents entered by users, it is recommended that website managers should:

- Inform users that they should consider the advisability of entering their personal data (including email addresses) along with their comments, in particular if such personal data may disclose their identity even indirectly. This may be the case of users who – in describing their experiences and/or health – include references to places, individuals, circumstances and situations that allow their identity to be traced back also indirectly;

- Inform users that they should consider the advisability of posting pictures or videos that allow individuals or places to be identified and/or become identifiable;

- Inform users that they should be especially careful when including data that can disclose third parties' identities (directly or not) in their postings in health-related areas, e.g. as regards other individuals that are affected by the same disease and/or have gone through the same experiences and/or have been subjected to the same treatments;

- Specify the scope of access to the data entered by users, whether concerning themselves or others, in particular by clarifying whether such data may only be accessed by registered users or else by any user visiting the web site (information retrievable via internal search functions);

- Specify whether the data are indexed and can be retrieved by general-purpose search engines (such as Google, Yahoo!, etc.);

- Urge users to confirm that they have read the Risk Notice by ticking an ad-hoc box.

Users may also be directed to the Risk Notice via a clickable icon posted on the home page of the web site.

4.1.3. Exercise of Data Protection Rights
Data subjects may exercise the rights set forth in section 7 of the Code vis-à-vis the site manager; this applies to the information requested by the manager and provided by the user/data subject.

More specifically, data subjects are entitled to erasure of the personal data they have provided at the manager's request if they do not wish to take part any longer in the site's activities (forums, blogs, etc.). Similarly, they may have such data updated, rectified and/or supplemented. To that end, data subjects may lodge a specific request with the site manager, who is the data controller, according to the arrangements laid down in sections 8 and 9 of the Code.

4.1.4. Security Measures
Any data that is collected by the site manager at the latter's request must be protected via suitable security measures to minimize the risks of its destruction, (accidental) loss, unauthorized access as well as the risk that it may be processed unlawfully and/or by departing from the purposes for which it has been collected (see section 31 et seq. of the Code).

Any data that is collected by the site manager must be kept confidential (including email addresses) and may not be disclosed or disseminated to third parties.

If the service in question is provided by way of a website relying on an organization (e.g. a publishing house) where different operators may acquire personal data that are collected at the site manager's request, the latter manager should ensure that users' data are not used by unauthorized staff and/or for purposes that are not in line with the users' explicit or implied intentions.

The measures set forth in Annex B to the Code (Technical Specifications Concerning Minimum Security Measures) are left unprejudiced along with those contained in the decision issued by the DPA with regard to system administrators (Measures and Arrangements Applying to the Controllers of Processing Operations Performed with the Help of Electronic Tools with a view to Committing the Task of System Administrator – Decision dated 27 November 2008, no. 1577499).

4.2. Web Sites Dealing Exclusively with Health-Related Issues That Do Not Require User Registration

4.2.1. Specific "Risk Notice"
Where a health-related web site does not require user registration, there is no need for managers to provide the information notices mentioned in section 13 of the Code as there is no processing of registration-related personal data. However, the contents posted in the various areas of such web sites may include especially sensitive information such as that concerning users' health. Accordingly, managers should provide the specific risk notice mentioned in paragraph 4.1.3 on account of the above reasons. In short, web site managers are recommended to:

- Inform users that any contact data (such as their email addresses) they enter may be posted along with the respective comments;

- Inform users that they should consider the advisability of entering their personal data (including email addresses) along with their comments, in particular if such personal data may disclose their identity even indirectly;

- Inform users that they should consider the advisability of posting pictures or videos that allow individuals or places to be identified and/or become identifiable;

- Inform users that they should be especially careful when including data that can disclose third parties' identities (directly or not) in their postings in health-related areas, e.g. as regards other individuals that are affected by the same disease and/or have gone through the same experiences and/or have been subjected to the same treatments;

- Specify the scope of access to the data entered by users (information retrievable via internal search functions);

- Specify whether the data are indexed and can be retrieved by general-purpose search engines (such as Google, Yahoo!, etc.);

- Urge users to confirm that they have read the Risk Notice by ticking an ad-hoc box.

Users may also be directed to the Risk Notice via a clickable icon posted on the home page of the web site.