Authorisation no. 2/2004 Concerning Processing of Data Suitable for Disclosing Health or Sex Life - 30 June 2004
[doc. web. n. 1115285]
[doc. web. n. 1037043]
THE GARANTE PER LA PROTEZIONE DEI DATI PERSONALI
As of this day, with the participation of Prof. Stefano Rodotà, President, Prof. Giuseppe Santaniello, Vice President, Prof. Gaetano Rasi and Mr. Mauro Paissan, Members, and Mr. Giovanni Buttarelli, Secretary-General;
Having regard to Legislative Decree no. 196 of 30 June 2003, containing the personal data protection Code;
Having regard to, in particular, Section 4(1), letter d), of the abovementioned Code, in which sensitive data are referred to;
Whereas under Section 26(1) of the Code private bodies and profit-seeking public bodies may only process sensitive data upon authorisation by this Authority and, where necessary, after obtaining the data subjects’ written consent, subject to compliance with the conditions and limitations set out in the Code as well as in laws and regulations;
Having regard to Section 76 of the Code, under which health care professionals and public health care organisations may process personal data suitable for disclosing health without the data subject’s consent, also within the framework of an activity carrying a substantial public interest as per Section 85 of the Code, subject to the Garante’s authorisation, if the processing concerns data and operations that are indispensable for the purpose of protecting a third party’s and/or the community’s health or bodily integrity;
Whereas the processing of the data in question may be authorised by the Garante also ex officio by way of general provisions applying to specific categories of controller and/or processing (Section 40 of the Code);
Whereas the general authorisations that have been issued so far have proved to be suitable tools in order to lay down unified safeguards for the benefit of data subjects, and have made it unnecessary for many data controllers to request individual authorisation decrees;
Whereas after entry into force of the Code it is appropriate to grant new general authorisations replacing those due to expire on June 30, 2004 by streamlining their provisions in the light of the experience gathered so far;
Whereas it is appropriate for these new authorisations to be also provisional and time-limited in pursuance of Section 41(5) of the Code and, in particular, to be effective for a twelve-month term by having regard to the initial implementing phase of the new provisions contained in the Code;
Whereas it is necessary to ensure compliance with principles aimed at minimising the risk of affecting or endangering, through the processing, fundamental rights and freedoms and human dignity, with particular regard to the right to personal data protection set out in Section 1 of the Code, said principles being taken into account by having also regard to the recommendations adopted by the Council of Europe in connection with medical data, in particular to Recommendation No. R(97)5 providing that medical data should be processed, as a rule, only within the framework of health care or else on the basis of the same confidentiality and effectiveness rules as apply to the health care sector;
Whereas a considerable number of processing operations suitable for disclosing health and sex life are performed for prevention and/or treatment purposes, the management of social and health care services, scientific research purposes, or the provision of services, goods or benefits to data subjects;
Having regard to Section 41 of the Code;
Having regard to official records;
Having regard to the considerations made by the Secretary General on behalf of the Office, in pursuance of Section 15 of the Rules of Procedure of the Garante (no. 1/2000);
Acting on the report submitted by Prof. Stefano Rodotà;
a) health care professionals to process data suitable for disclosing health, whenever said data and processing operations are indispensable to safeguard bodily integrity and health either of a third party or of the community as a whole, and the data subject has not given his/her consent or cannot give it on account of his/her being nowhere to be found;
b) private health care organisations and any other private entity to process data suitable for disclosing health and sex life with the data subject’s consent;
c) public health care bodies, also when set up at a University, including public bodies in their capacity of health care authorities, to process data suitable for disclosing health whenever all of the following conditions are fulfilled:
- the processing is aimed at protecting bodily integrity and health either of a third party or of the community as a whole;
- consent is lacking (pursuant to Section 76(1), letter b), of the Code), as the data subject has not given it or cannot give it on account of his/her being nowhere to be found;
- no administrative activities are involved as related to prevention, diagnosis, treatment, and rehabilitation in pursuance of Section 85, paragraphs 1 and 2, of the Code;
d) entities other than those mentioned under a), b) and c) to process data suitable for disclosing health and sex life if the processing is necessary to protect a third party’s life or bodily integrity. If the latter purpose is sought in respect of the data subject and the latter cannot give his/her consent because he/she is physically unable to do so, legally incapacitated, or unable to distinguish right and wrong, the relevant consent shall be given by either any entity legally representing the data subject or a next of kin, a family member, a person cohabiting with the data subject, or, failing these, the manager of the institution where the data subject is hosted.
The requirements laid down in Sections 13, 23, 26, and 75 to 82 of the Code shall also apply to the provision of information to data subjects as well as to obtaining their consent, if necessary.
1) Scope of Application and Purpose(s) of the Processing
1.1. This authorisation shall be granted:
a) to physicians, chemists, dental surgeons, psychologists, and all other health care professionals who are included in the relevant rolls or registers;
b) to nursing, engineering and rehabilitation staff in the health care sector where such staff operate as self-employed professionals;
c) to private health care institutions and organisations, even if they do not operate under contract with the National Health Service.
In the above cases, the authorisation shall be granted also to allow the relevant addressees to comply or enforce compliance with specific obligations or else to discharge specific tasks as provided for by laws, Community legislation or regulations, with particular regard to public health care and hygiene, occupational disease and accident prevention, medical treatment and diagnosis, including organ and tissue transplantation, rehabilitation of the invalid or physically and mentally disabled, preventive treatment of infectious and endemic diseases, mental health protection, pharmaceutical and health care assistance in respect of sports activities, and investigations - pursuant to law - into the offences that are referred to in the legislation applying to sports. Processing may also concern the drafting of medical records, certifications and other medical documents, or else of other documents relating to administrative management whenever this is required for the aforementioned purposes.
If organisational or administrative management tasks are to be discharged for achieving the above purposes, the addressees of this authorisation shall require the processors and the persons in charge of the processing who have been entrusted with said tasks to abide by the same confidentiality rules incumbent on themselves, as also provided for by Section 83(1) of the Code.
1.2. This authorisation shall also be granted:
a) to natural or legal persons, bodies, associations and other private entities for scientific research purposes, including statistical purposes, if the research is aimed at protecting the health of the data subject, third parties or the community as a whole in the medical, biomedical or epidemiological field, whenever the relationships between risk factors and human health are to be assessed or investigations are scheduled concerning diagnostic, therapeutic or preventive medicine activities or else with regard to the utilisation of health care facilities, and the availability of exclusively anonymous data concerning population samples does not allow achieving the purposes of said research. In these cases the data subjects’ consent shall be required as per Sections 106, 107, and 110 of the Code and the data, once collected, shall be processed in such a way as to prevent data subjects from being identified even indirectly, unless research data are matched with identification data only on a temporary basis and this is fundamental for the research purposes and the underlying reasons are detailed in writing. Research findings may only be disclosed in anonymous form. The provisions set out in Section 98 of the Code are hereby left unprejudiced;
b) to voluntary or assistance organisations with regard to such data and operations as are indispensable for specific, legitimate purposes laid down, in particular, in the relevant by-laws;
c) to rehabilitation and support centres, nursing homes, and specialised clinics with regard to such data and operations as are indispensable for specific, legitimate purposes laid down, in particular, in the relevant by-laws;
d) to recognised religious bodies, associations, and organisations with regard to such data and operations as are indispensable for specific, legitimate purposes in compliance with Section 26(4), letter a), of the Code and without prejudice to the provisions set out in Section 26(3), letter a) and Section 181(6) of the Code in respect of religious confessions;
e) to natural and legal persons, businesses, bodies, associations and other entities with regard to such data - including, if necessary, those concerning sex life - and operations as are indispensable to fulfil obligations, including pre-contractual obligations, resulting from a relationship that entails the supply of goods and/or services to the data subject. Where said relationship concerns credit institutions and/or insurance companies, or if it has to do with current assets, only such data and operations shall be considered to be indispensable as are required to supply specific products or services pursuant to a request by the data subject. The relationship may also concern the supply of visual, hearing or deambulation aids;
f) to natural and legal persons, bodies, associations and other entities running sports facilities or centres with regard to the data and operations that are indispensable to assess fitness for participation in sports or competitive activities;
g) to natural and legal persons and other bodies as regards the data of recipients and donors and the operations that are indispensable for performing organ and tissue transplantation and/or blood donations.
1.3. This authorisation shall also be granted in case the processing of data suitable for disclosing health and sex life is necessary:
a) to carry out the investigations by defence counsel as per Act no. 397 of 07.12.2000 or else to establish or defend a legal claim also by third parties, including administrative proceedings and arbitration or settlement procedures in the cases provided for by laws, Community legislation, regulations or collective agreements, on condition that said claim either is of an equal level compared with the data subject’s one or consists in a personal right or any other fundamental, inviolable right or freedom and the data are processed exclusively for said purposes and for no longer than is absolutely necessary therefor;
b) to fulfil or enforce fulfilment of specific obligations, or else to discharge specific tasks as provided for by Community legislation, laws, regulations or collective agreements for the management of employer-employee relationships, as well as by the legislation related to social security and assistance and occupational or population hygiene and safety, to the extent that this is provided for in the Garante’s general authorisation no. 1/2004, subject to the requirements laid down in the code of conduct and professional practice referred to in Section 111 of the Code.
1.3. Pending entry into force of the ad-hoc authorisation applying to the processing of genetic data that is referred to in Section 90 of the Code, processing of genetic data shall be authorised further exclusively in compliance with the terms and conditions contained in point 2, letter b), of Authorisation no. 2/2002.
2) Categories of Processed Data
Prior to starting and/or continuing the processing, information systems and software shall be configured by minimising the use of personal and/or identification data in such a way as to prevent their processing if the purposes sought in the individual cases can be achieved by using either anonymous data or suitable mechanisms to allow identifying data subjects exclusively when necessary - as provided for in Section 3 of the Code.
Processing may concern the data that are closely relevant to the obligations, tasks or purposes referred to above, where they cannot be fulfilled, on a case by case basis, by processing either anonymous data or personal data of a different kind, and may include the information relating to medical history.
Any information concerning unborn children, which must be regarded as personal data in pursuance of the aforementioned Council of Europe Recommendation No. R(97)5, shall also fall within the scope of application of this authorisation.
3) Processing Mechanisms
Without prejudice to the obligations laid down in Sections 11 and 14 of the Code, in Section 31 and following ones of the Code, and in Annex B) to the latter, processing of sensitive data shall only be carried out via such operations and on the basis of such logic and organisational data arrangements as are absolutely indispensable with regard to the obligations, tasks and purposes referred to above.
The data shall be collected, as a rule, from the data subject.
The data shall be communicated as a rule either directly to the data subject or to the latter’s delegate subject to the provisions made in Section 84(1) of the Code, by using a closed envelope; alternatively, suitable measures shall be taken in order to prevent unauthorised persons from having access to said data, including the requirement of waiting to be served at a reasonable distance.
The consent related to information on unborn children shall be given by the expectant mother. Having become of age, the data subject shall be provided with the relevant information notice also in order to obtain his/her consent anew whenever the latter is necessary (Section 82(4) of the Code).
4) Data Retention
In compliance with the obligation referred to in Section 11(1), letter e), of the Code, the data may be kept for no longer than is necessary to fulfil the obligations or discharge the tasks referred to above, or else to achieve the purposes mentioned therein. To that end it shall be verified, also by way of regular controls, that the data are closely relevant, not excessive, and indispensable with regard to the existing, planned or terminated relationship, performance or tasks as also regards the data supplied on the data subject’s initiative. Any data that is found to be either excessive or irrelevant or non indispensable, also based on said verification, may not be used except with a view to keeping - as required by law - the instrument and/or document containing the data in question. Special attention shall be paid to indispensability of the data related to entities other than those that are directly concerned by fulfilment of the abovementioned obligations and/or tasks.
5) Data Communication and Dissemination
Data suitable for disclosing health other than genetic data may be communicated - exclusively to the extent that they are relevant to the obligations, tasks and purposes referred to under 1) - to public and private bodies including supplementary health insurance Funds, businesses carrying out activities that are closely related either to the exercise of health care professions or to the supply of goods and services to the data subject, credit institutions and insurance companies, voluntary associations or organisations, and the data subject’s family members.
Under Section 22(8) and Section 26(5) of the Code, data suitable for disclosing health may not be disseminated.
No data disclosing sex life shall be disseminated unless dissemination concerns data that have been made manifestly public by the data subject and the data subject did not object thereafter to said dissemination on legitimate grounds.
6) Authorisation Requests
No request for authorisation shall have to be lodged with the Garante by a data controller falling within the scope of application of this authorisation, if the proposed processing is in line with the above provisions.
The authorisation requests received prior to and/or after the date of adoption of this provision shall be regarded as granted insofar as they comply with the requirements laid down herein.
No authorisation requests concerning processing operations that are not in line with the provisions set out herein shall be taken into consideration by the Garante, unless they are to be granted under Section 41 of the Code on account of special and/or exceptional circumstances that are not referred to in this authorisation such as, for instance, the fact that obtaining consent entails an effort that is manifestly disproportionate by having regard, in particular, to the number of the individuals involved.
7) Final Provisions
Any laws, regulations or Community rules imposing prohibitions or restrictions on the processing of personal data shall be left unprejudiced, especially as regards:
a) Section 5(2) of Act no. 135 of 05.06.90, as amended by Section 178 of the Code, under which the statistical assessment of HIV-related infections is to be carried out in such a way as not to allow identification of the persons concerned;
b) Section 11 of Act no. 194 of 22.05.78, under which hospitals, specialised clinics or out-patient clinics where medical abortions are performed must provide the physician competent for the provincial district with a statement omitting any reference to the woman’s identity;
c) Section 734-bis of the Criminal Code, which prohibits disclosure of particulars or images relating to a person who has been the victim of sexual violence without the person’s consent.
Further, this authorisation shall be without prejudice to the prohibition to disclose, on no legitimate grounds, and use, with a view to gain for oneself or another, information to which professional secrecy applies; the professional duties that are laid down, in particular, in the Code of medical ethics adopted by the National Federation of the Rolls of Physicians and Dental Surgeons shall also be left unprejudiced.
Finally, the possibility to disclose anonymous data, whether aggregated or not, and include them into publications for scientific, educational, preventive or information purposes in the medical sector shall also remain unprejudiced.
8) Effectiveness and Transitional Provisions
This authorisation shall be effective as of July 1, 2004 until June 30, 2005.
If the processing is not compliant with the provisions that were not included in Authorisation no. 2/2002 as of the date on which this authorisation is published, the data controller shall have to make the necessary adjustments by September 30, 2004.
This authorisation shall be published in the Official Journal of the Italian Republic.
Done in Rome, this 30th day of June 2004