General Authorisation to Process Personal Data for Scientific Research...
General Authorisation to Process Personal Data for Scientific Research Purposes - 1 March 2012 
[doc. web n. 1884019]
General Authorisation to Process Personal Data for Scientific Research Purposes - 1 March 2012
(As published in Italy´s Official Journal no. 72 dated 26 March 2012)
The Italian Data Protection Authority,
Having convened today in the presence of Prof. Francesco Pizzetti, President, Mr. Giuseppe Chiaravalloti, Vice-President, Mr. Mauro Paissan and Mr. Giuseppe Fortunato, Members, and Mr. Daniele De Paoli, Secretary General;
Having regard to legislative decree no. 196 dated 30 June 2003 (Personal Data Protection Code);
Having regard to section 99(1) of the Code, whereby the processing of personal data for scientific purposes is considered to be compatible with the purposes for which the data were collected or processed initially;
Having regard to section 110(2) of the Code, whereby personal data suitable for disclosing health may be processed for scientific research purposes in the medical, bio-medical or epidemiological sectors without the data subjects´ consent if it proves impossible to inform such data subjects on specific grounds and the research programme has obtained a reasoned favourable opinion from the geographically competent Ethics Committee along with the Garante´s authorization partly in pursuance of section 40 of the Code;
Having regard to the Garante´s Authorisation no. 2/2011 concerning the processing of data suitable for disclosing health and sex life (as available at www.garanteprivacy.it– web document no. 1822577), which was published in Italy´s Official Journal no. 162 dated 14 July 2011); having regard to, in particular, item 1.2 thereof, whereby personal data suitable for disclosing health may be processed for purposes of scientific research where the latter is aimed at protecting the data subject´s, a third party´s or the community´s health in the medical, bio-medical or epidemiological sectors, whilst reference is made to sections 106, 107 and 110 of the Code regarding the need for obtaining the data subjects´ consent;
Having regard to the provisions laid down in the Code of Ethics and Professional Practice applying to the processing of personal data for statistical and scientific purposes (dated 16 June 2004 as published in Italy´s Official Journal no. 10 of 14 August 2004 and annexed to the Code as Annex A.4 thereto; also available at www.garanteprivacy.it– web document no. 1556635), which also cover the processing of data for medical, bio-medical or epidemiological research purposes that are unrelated to health care activities as performed by health care practitioners and/or health care bodies and/or to comparable activities in terms of their significant personalized impact on data subjects (see section 11 and section 2(2) thereof);
Having regard to the decision dated 15 December 2011, whereby a public consultation procedure was launched by the Garante with regard to a document that was adopted on that day concerning a draft "authorization to process data disclosing health for retrospective observational studies", which was published along with the said decision on the Garante´s website as well as in Italy´s Official Journal no. 2 dated 3 January 2012;
Having regard to the comments and remarks received by the Garante further to the said public consultation (whose deadline was set at 31 January 2012), in particular those from Universities, organisations, research institutions and societies, researchers, health care practitioners, health care bodies, organisations representing health care practitioners and patients´ associations;
Having regard to section 2 of legislative decree no. 211 dated 24 June 2003, whereby "observational study" means a study where "drugs are prescribed in accordance with the guidance contained in the respective marketing authorization. Allocation of a patient to a specific treatment policy is not determined beforehand via a testing protocol, being rather part of standard clinical practice, and the decision to prescribe the given drug is totally independent of the decision to enroll the patient into the study. No additional diagnosis or monitoring procedure is implemented in these patients.";
Whereas a considerable number of processing operations concerning data that are suitable for disclosing health are performed by different data controllers to carry out scientific research studies in the medical, bio-medical or epidemiological sectors that do not entail any significant personalized impact on data subjects; whereas such studies rely on data that either was collected beforehand to treat the data subjects and/or carry out previous research projects or else was extracted from biological samples that had been removed beforehand to treat the data subjects and/or carry out previous research projects;
Whereas the studies in question are aimed not only at assessing safety and effectiveness of drugs and medical devices in clinical practice, but also at checking appropriateness of their prescription and/or investigating the relationships between risk factors and human health; in yet other cases they deal with health care events related to diagnosis, treatment and/or prevention or else with the use of health care and welfare facilities;
Whereas the data processed as part of the said studies are contained in the clinical records (or such other documents as may relate to the previous studies for which such data had been collected) that are kept at the participating health care centres – pursuant to the law; whereas the data in question may alternatively be extracted from biological samples that had been removed and stored in medical forensics filing systems at the said centres and/or that had been removed in connection with previous research projects;
Having regard to the ad-hoc authorisations granted by this Authority under section 110(1) (final paragraph) and section 41 of the Code, which enabled the conduction of studies that did not entail any significant personalized impact on data subjects also without such data subjects´ consent insofar as those studies were performed by way of data that had been collected beforehand for health care purposes in respect of the said data subjects and/or had been extracted from biological samples that had been removed beforehand for the same purposes; the said authorisations were granted because evidence was brought to support the alleged impossibility of providing the said data subjects with information notices about the planned data processing on specific grounds, whilst the geographically competent ethics committees had issued favourable opinions in respect of the applicable research projects;
Whereas processing of the data at issue may be authorized by the Garante also ex officio via general provisions applying to specific categories of data controller and/or processing (under section 40 of the Code);
Whereas it is accordingly appropriate, in the light of the experience gathered so far, to grant a general authorization under the terms of section 40 of the Code as applying to the processing of data that are suitable for disclosing health for scientific research purposes, also without the data subjects´ consent, where such processing is aimed at conducting studies that do not entail any significant personalized impact on data subjects and rely on data that was collected beforehand for health care purposes in respect of the said data subjects and/or was extracted from biological samples removed beforehand for the same purposes; this will allow streamlining the specific requirements already made via the individual ad-hoc authorisations granted in the past;
Whereas it is additionally appropriate, pursuant to section 110 of the Code (final paragraph), for the scope of this authorization to include processing operations for scientific research purposes that are aimed at conducting studies that have received reasoned favourable opinions by the geographically competent ethics committees, as silent assent is not enough for the above purposes once such a study has been notified to the competent committee;
Whereas Article 11 of the aforementioned code of practice for the processing of personal data for statistical and scientific purposes provides that consent is unnecessary where it proves impossible – under the terms of section 110 of the Code – to inform data subjects on "ethical grounds", "methodological grounds" or else "because it is organizationally unfeasible";
Whereas the impossibility to inform data subjects was found to be accounted for either on "ethical grounds" or "because […] organizationally unfeasible" in the authorisation requests considered so far by this Authority;
Whereas it is accordingly appropriate, based on the experience gathered so far, for the processing of data suitable for disclosing health for scientific research purposes that is aimed at conducting studies in the medical, bio-medical or epidemiological sectors to be authorized ad hoc by the Garante, where the impossibility to inform data subjects is accounted for on "methodological grounds" in such studies;
Whereas general authorisations have proven suitable for laying down harmonized safeguards to protect data subjects and make it unnecessary for several data controllers to lodge ad-hoc authorization requests, thereby substantially simplifying compliance with the obligations related to processing operations for purposes of medical, bio-medical or epidemiological research;
Whereas the processing operations considered in this Authorisation should also be subject to the safeguards laid down in the Garante´s general authorization no. 2/2011 as well as in the code of practice referred to above; whereas this applies, in particular, to the standards to be implemented in order to prevent data subjects from being identified in the study phases following data extraction as well as to the rules of conduct data processors and persons tasked with data processing should abide by;
Noting that the collection and storage of biological samples as well as the processing of any data resulting therefrom should be compliant with the fundamental data protection and security principles (see Council of Europe´s Recommendation R(92)3 on genetic tests and genetic screening for health care purposes; Working Document on Genetic Data by the Article 29 Working Party, WP91/2004);
Whereas the use of biological samples in scientific researches entailing the extraction of genetic data must be compliant with the limitations and conditions set forth in the general Authorisation granted by the Garante to process genetic data as issued on 24 June 2011 pursuant to section 90 of the Code (published in Italy´s Official Journal no. 159 dated 11 July 2011 – Available at www.garanteprivacy.it, Web Document no. 1822650);
Having also regard to Council of Europe´s Recommendation R(2006)4, which lays down the conditions and limitations applying to the use of biological materials for research purposes, as also related to deceased individuals, where such materials are removed for purposes other than their storage for research use, including materials removed for a previous research project; whereas the said Recommendation provides that biological material removed for a purpose other than its storage for research use may be made available for research activities only with the data subject´s consent and that, to that end, every reasonable effort should be made to contact the data subject whilst, if contacting proves impossible, the biological material may be used for research activities only subject to the fulfillment of specific conditions (see Articles 10, 12, 21 and 22);
Having regard to the Medical Ethics Code dated 16 December 2006, which imposes a professional secrecy obligation on physicians as also related to deceased patients (Article 10);
Whereas this authorization considers the residual cases envisaged by the Code (see section 110 thereof) in which the data subjects´ consent as required to process their personal data for scientific research purposes in the medical, bio-medical or epidemiological sectors was not collected beforehand by the data controllers; there are specific, well-grounded circumstances making it impossible to inform data subjects; and the research may not be implemented by processing either anonymous data or data relating to individuals that can be contacted and provided with the information mentioned in section 13 of the Code;
Noting that, pursuant to the principles set forth in section 2(2) of the Code, whereby the mechanisms for data subjects to exercise their rights and data controllers to fulfill the relevant obligations should be simplified, harmonized and made more effective, it is desirable for the information notice on processing operations for scientific research purposes as related to data suitable for disclosing health to be provided to data subjects jointly with the notice informing them about processing of their data for health care purposes, which is especially appropriate if a data controller pursues scientific research purposes alongside the provision of hospitalization and health care;
Whereas the information notice to be provided to data subjects as per the above paragraph should clearly distinguish processing operations for scientific research purposes from health care-oriented processing operations by highlighting, in particular, that participation in the given research is voluntary; this will enable data subjects to give their informed, free, and specific consent vis-à-vis the different purposes that are pursued (see sections 13, 23, 78(5) and 105(2) of the Code);
Noting that it is appropriate for this general authorization to be provisional and time-limited under the terms of section 41(5) of the Code and that, in particular, it should be effective through 31 December 2012;
Having regard to section 11(2) of the Code, whereby any data that is processed in breach of the relevant personal data protection legislation may not be used;
Having regard to section 31 et seq. of the Code as well as to the technical specifications contained in Annex B to the Code, concerning minimum security measures;
Having regard to sections 20, 26, 40, 41, 98, 107 and 110 of the Code;
Having regard to sections 167(2) and 170 of the Code, which punish any unlawful processing of personal data as well as non-compliance with the measures imposed by the Garante;
Having regard to official records;
Having regard to the considerations submitted by the Secretary General on behalf of the Office under Article 15 of the Garante´s rules of procedure no. 1/2000;
Acting on the report submitted by Mr. Mauro Paissan;
The processing of personal data suitable for disclosing data subjects´ health, also without their informed consent, for scientific research purposes in the medical, bio-medical or epidemiological sectors subject to compliance with the limitations and conditions laid down hereinafter.
This authorization shall be granted :
a. To universities, other research bodies or institutions and scientific societies as well as to the researchers working within the framework of the said universities, research bodies or institutions, and to the members of the said scientific societies;
b. To health care practitioners and health care bodies under the terms of Article 2(2) of the Code of ethics and professional practice concerning the processing of personal data for statistical and scientific purposes (Annex A.4 to the Code).
The data processing operations covered by this Authorisation may also be performed by natural or legal persons, bodies, associations and private organisations as well as by persons specifically entrusted with the said processing such as persons tasked with processing personal data and/or data processors (researchers, monitors, expert committees, contract research organisations, analysis labs, etc.) (see section 4(1)f. and sections 28-30 of the Code).
2. Purposes of the Processing: Scientific Research in the Medical, Bio-Medical or Epidemiological Sectors
1. This Authorisation shall be granted if:
- the processing of data that are suitable for disclosing health for scientific research purposes in the medical, bio-medical or epidemiological sectors is necessary to conduct studies that do not entail any significant personalized impact on data subjects and rely on data that was collected beforehand for health care purposes and/or to implement prior research projects and/or on data that was extracted from biological samples removed beforehand for health care purposes and/or to implement prior research projects; and
- the research is performed on the basis of a project that received a reasoned favourable opinion from the geographically competent ethics committee in accordance with the terms set forth in Article 3 of the Code of ethics and professional practice applying to the processing of personal data for statistical and scientific purposes (Annex A.4 to the Code).
The studies covered by this Authorisation may also concern the relationships between risk factors and human health, be aimed at assessing safety and effectiveness of drugs and medical devices in clinical practice and/or checking their appropriate prescription, or deal with health care events related to diagnosis, treatment or prevention or else with the use of welfare and health care facilities.
2. This Authorisation shall not apply to research purposes that can be achieved, in the specific case, by way of
- Processing anonymous data;
- Processing data relating to data subjects that can be contacted in order to provide them with the relevant information and obtain their consent.
3. Categories of Processed Data
Prior to starting or carrying on the processing, information systems and computer software shall be configured by minimizing the use of personal data and identifying information so as to rule out their processing if the purposes pursued in the individual cases can be achieved by relying on anonymous data and by implementing suitable mechanisms that only allow identifying data subjects where necessary, respectively, in accordance with section 3 of the Code.
Processing may only concern such personal data as is closely relevant for the aforementioned purposes including such data as is extracted from biological samples, except where the data in question is a "genetic data" as per the authorization dated 24 June 2011 that was granted by the Italian DPA under section 90 of the Code (available at www.garanteprivacy.it- Web document no. 1822650).
Processing of genetic data shall only be authorized in compliance with the terms and limitations set forth in the said authorization.
4. Impossibility to Inform Data Subjects
This Authorisation applies to the processing of data subjects´ data to be included in the scope of a research where contacting such data subjects to provide them with information on the processing of their data proves impossible on any one of the grounds mentioned below, which should be regarded as utterly particular or exceptional and must be documented in the research project:
1. Ethical grounds that have to do with the fact that the data subject is unaware of the respective health condition. This applies to any research if providing information to data subjects on processing of their data entails the disclosure of information on the specific study being carried out, which information might cause tangible or mental harm to the said data subjects – e.g. in the case of an epidemiological study on distribution of a (possibly) predictive factor of a disease for which no known treatment is available.
2. Organisational grounds that have to do with the fact that the failure to include the data relating to the estimated number of data subjects that cannot be contacted in order to be informed, when compared to the total number of research subjects, would impact significantly on the study by altering the relevant findings; account shall be taken in this connection especially of the inclusion criteria applied in the study, the enrolment mechanisms, the statistical size of the sample to be considered, and the time elapsed since the information relating to the data subject was first collected – e.g. if the study concerns data subjects affected by high-death-rate diseases or terminal-phase diseases, or else elderly patients in poor health.
Regarding the aforementioned organizational grounds, it shall be permitted to process the data relating to any individual that - following all reasonable efforts made to contact them such as by checking whether they are still alive, browsing through their clinical records, contacting such telephone numbers as may be available, or obtaining contact information from population and/or health care registers – are found to be either deceased or past contact at the time of their enrolment for the given study.
The above shall be without prejudice to the obligation to obtain informed consent to process the research subjects´ data if it proves possible to provide adequate information to and obtain consent from such data subjects in the course of the study – in particular where the said research subjects apply to a treatment centre perhaps to undergo control examinations.
5. Processing Arrangements
The processing of personal data covered by this Authorisation shall be performed in compliance with the provisions contained in the Code of Ethics and Professional Practice applying to the processing of personal data for statistical and scientific purposes (Annex A.4 to the Code) by only implementing such operations as are absolutely indispensable to conduct the given study.
If the research cannot achieve its objectives without identifying data subjects, also transiently, in the processing operations performed after retrospectively collecting the relevant data, encryption techniques shall be implemented or ID codes used or any other solutions shall be implemented that – by having regard to the number of cases considered – prevent the data in question from being traced back directly to the data subjects and only allow them to be identified where necessary. In such cases, the codes to be used may not be derived from the personal data identifying data subjects - except where this proves impossible on account of the specific features of the processing or requires clearly disproportionate efforts, whereupon the relevant grounds must be specified in writing in the research project.
Furthermore, matching a data subject´s identifying information with research materials shall be accounted for in writing, provided such matching is temporary and indispensable to achieve the objectives pursued by the research.
6. Communication and Dissemination
The entities mentioned in paragraph 1, when acting in their capacity as data controllers also jointly with other controllers, may communicate the personal data referred to herein to one another insofar as they are promoters, co-ordinators and/or participating centres and such communication is indispensable to perform the relevant study.
Any data suitable for disclosing data subjects´ health that is used to perform the study may not be disseminated (see section 22(8) and section 26(5) of the DP Code). Research findings may be disseminated in aggregate; alternatively, arrangements should be made so as to prevent data subjects from being identifiable even by way of indirectly identifying information - as also related to any publications.
7. Retention of Data and Samples
In line with the obligations laid down in section 11(1)e. of the DP Code, the data and biological samples used to perform a research must be retained by implementing encryption techniques and/or using identification codes or any other mechanisms that prevent such data and samples from being traced back directly to data subjects – by having regard to the number of the data and samples to be retained; they must be retained for no longer than is necessary to achieve the purposes for which they were collected or subsequently processed.
To that end, the period for which the said data and samples will be retained after completion of the given study must be specified in the research project; upon expiry of the period in question, the data and samples must be anonymized.
8. Safekeeping and Security
Whilst the obligation to adopt the minimum security measures set forth in the DP Code (see sections 33-35 and Annex B to the Code) is left unprejudiced, every data controller must implement specific technical measures and arrangements by having regard to the respective competences and roles in the data processing operations as well as to the responsibilities arising therefrom so as to enhance the security of the data that are processed to perform the given study; the guidance contained in the "Guidelines for the Processing of Personal Data in Medical Clinical Trials" shall be abided by as adopted by the Italian DPA (decision dated 24 July 2008 – Web document no. 1533155).
The above requirements apply to data storage and archiving (including the collection and preservation of biological samples, if any), to the subsequent processing of the said information as well as to the forwarding of the data in question to the promoter and/or any external entities that co-operate with the latter in conducting the study. In particular, the following measures shall have to be taken:
a. Suitable arrangements must be made to secure study data against unauthorized access, theft or partial/total loss of the storage media and/or mobile/fixed processing systems as regards data storage and archiving performed via electronic tools – e.g. by applying encryption techniques to (part of) file systems or databases or else by implementing other IT safeguards to ensure that the data are unintelligible to non-authorised entities;
b. Secure communication protocols must be implemented as based on encryption standards to electronically transmit study data to a centralized database where they will be stored and/or archived as well as to transmit such data via electronic networks to the promoter and/or any external entities that co-operate with the latter in conducting the study. If the transmission in question is performed via CD-ROMs, a person must be tasked with receiving the data at the promoter´s and the data encryption key must be disclosed on a transmission channel different from the contents transmission one;
c. Labeling techniques must be used in preserving and transmitting biological samples by relying on ID codes or any other solution that can prevent tracing the samples back to the respective data subjects – by having regard to the number of such samples – and only enable identification of data subjects when this is absolutely necessary;
d. As regards specifically the processing of any study data that is stored in a centralized database, the following requirements apply:
- Suitable authentication and authorization mechanisms must be in place for the persons tasked with processing data as a function of their roles and the respective access/processing duties; validity of the respective credentials must be limited to the study period and such credentials must be disabled upon completion of the study;
- Procedures must be in place to regularly check quality and consistency of authentication credentials and authorization profiles applying to the persons tasked with processing data;
- Log auditing systems must be deployed to check database accesses and detect anomalies.
9. Cross-Border Data Transfers
If any study data suitable for disclosing data subjects´ health must be transferred to non-EU countries because this is essential to fulfill research objectives, and the data subjects´ explicit written consent is missing (as per section 43(1)a. of the DP Code), the transfer in question shall be authorized by the Italian DPA if any of the additional preconditions listed in section 43 of the DP Code is fulfilled or else if the provisions made in sections 44 and 45 of the DP Code are complied with.
10. Authorisation Requests
No request for authorisation shall have to be lodged with the Italian DPA by a data controller falling within the scope of application of this authorisation, if the proposed processing is in line with the above provisions.
The authorisation requests received prior to and/or after the date of adoption of this provision shall be regarded as granted insofar as they comply with the requirements laid down herein.
No authorisation requests (as per section 110, final paragraph, of the DP Code) concerning processing operations that are not in line with the provisions set out herein shall be taken into consideration by the Italian DPA, unless they are to be granted under Section 41 of the Code on account of circumstances and/or situations that are not referred to in this authorisation.
This authorization shall be effective as from 1 March 2012 through 31 December 2012.
This authorization shall be published in the Official Journal of the Italian Republic.
Done in Rome, this 1st day of the month of March 2012
The Secretary General