Authorisation no. 2/2002 Concerning Processing of Data Disclosing Health or Sex Life
The Garante per la protezione dei dati personali
On this day, with the participation of Prof. Stefano Rodotà, President, Prof. Giuseppe Santaniello, Vice-President, Prof. Gaetano Rasi and Mr. Mauro Paissan, members, and Mr. Giovanni Buttarelli, Secretary-General;
Having regard to Act no. 675 of 31.12.1996, as subsequently amended and supplemented, concerning the protection of individuals and other subjects with regard to the processing of personal data;
Having regard to, in particular, Section 22(1) of said Act, in which "sensitive" data are referred to;
Whereas private bodies and profit-seeking public bodies may only process sensitive data upon authorisation by this Authority and, where necessary, after obtaining the data subjects' consent in writing;
Having regard to Section 22(3) and (3-bis) and to Section 23 of Act no. 675/1996;
Having regard to Section 17 of legislative decree no. 135 of 11.05.99, including subsequent amendments and additions, and Provision no. 1/P/2000 by the Garante, of 30.12.99-13-01.00, as published on the Official Journal of the Italian Republic no. 26 of 2 February 2000, setting out the substantive instances of the public interest which are referred to in Section 22(3) of Act no. 675/1996;
Having regard to Section 23(1-bis) of Act no. 675/1996, under which simplified arrangements for providing the information referred to in Section 10 of said Act and obtaining data subjects' consent are laid down; whereas similar simplified arrangements are set out in Section 17(3) of legislative decree no. 135/1999;
Whereas the processing of sensitive data may be also authorised by the Garante ex officio by way of general provisions applying to specific categories of controller and/or processing in pursuance of Section 41(7) of Act no. 675/1996;
Whereas the general authorisations that have been issued so far have proved to be suitable tools in order to lay down unified safeguards for the benefit of data subjects, and have made it unnecessary for many data controllers to request individual authorisation orders;
Whereas it is appropriate to grant new general authorisations to replace those due to expire on the 31st of January 2002 by streamlining their provisions in the light of the experience gathered so far;
Whereas Section 17(5) of legislative decree no. 135 of 11.05.99 as supplemented and amended by Section 16 of legislative decree no. 281 of 30.07.99 provides that the processing of genetic data by any entity whatsoever is only permitted in the cases referred to in an ad hoc authorisation; whereas the processing of genetic data can be continued in pursuance of the provisions made in this authorisation until the above authorisation is granted;
Whereas it is appropriate for these new provisional authorisations to be also time-limited in pursuance of Section 14 of Presidential Decree no. 501/1998 in view of the forthcoming adoption of a consolidated text of the provisions applying to personal data protection as required by Act no. 127/2001;
Whereas it is necessary to ensure compliance with certain principles aimed at minimising the risk of affecting or endangering, through the processing, fundamental rights and freedoms and human dignity - especially with regard to privacy and personal identity - such principles being also considered in the light of the relevant Council of Europe Recommendations, and in particular Recommendation No. R (97) 5 according to which medical data must be processed, in principle, exclusively within the scope of health care or else on the basis of equally effective confidentiality rules;
Whereas the processing of data disclosing health or sex life is carried out, to a considerable extent, for treatment and prevention purposes, for managing health care services, for the purpose of scientific research or the provision of assistance, goods or services to data subjects;
Having regard to Section 35 of Act no. 675/1996;
Having regard to the regulations including provisions on the minimum security measures as adopted by Presidential decree no. 318 of 28.07.99;
Having regard to Section 14 of Presidential decree no. 501 of 31.03.98;
Having regard to official documents;
Having regard to the considerations made, on behalf of the Office, by the Secretary General in pursuance of Section 15 of the rules of procedure for the Garante no. 1/2000;
Acting on the report submitted by Mr. Mauro Paissan,
a) health care professionals to process data disclosing health, whenever these data and processing operations are required to safeguard bodily integrity and health either of a third party or of the community as a whole, and the data subject has not given his/her consent or cannot give it on account of his/her being nowhere to be found;
b) private health care institutions and any other private entity to process data disclosing health and sex life with the data subject's consent;
c) public health care institutions, even when set up at a University, including public bodies in their capacity of health care authorities, to process data disclosing health also with a view to the substantive instances of the public interest served by the processing as laid down in Section 17(1) of legislative decree no. 135/1999, or else in Provision no. 1/P/2000 by the Garante of 30.12.99/13.01.00, or in another provision adopted likewise by this Authority in pursuance of Section 22(3-bis) of Act no. 675/1996, whenever the following conditions apply simultaneously:
1) the processing is aimed at protecting bodily integrity and health either of a third party or of the community as a whole;
2) consent is lacking (pursuant to Section 23(1), final period, of Act no. 675/1996), as the data subject has not given it or cannot give it on account of his/her being nowhere to be found;
3) the processing is not provided for by a law specifying which data categories may be processed, which operations may be performed and the substantive instance of the public interest served by the processing, pursuant to Section 22(3) of Act no. 675/1996 as amended by Section 5 of legislative decree no. 135/1999.
d) entities other than those mentioned under a), b) and c) to process data disclosing health and sex life if the processing is necessary to protect the data subject's and/or a third party's life or bodily integrity and the data subject cannot give his/her consent because he/she is physically unable to do so, legally incapacitated or unable to distinguish right and wrong.
Where the data subject's consent is required, it shall be acquired also in accordance with the provisions included in Section 23(1-bis) and (1-quater) of Act no. 675/1996 and Section 17(3) of legislative decree no. 135/1999 as subsequently amended and supplemented.
1) Scope and purpose(s) of the processing
1.1. This authorisation shall be granted:
a) to physicians, chemists, dental surgeons, psychologists and all other health care professionals who are included in the relevant rolls or registers;
b) to nursing, engineering and rehabilitation staff in the health care sector where such staff operate as self-employed workers;
c) to private health care institutions and organisations, even if they do not operate under contract with the National Health Service.
In the above cases, the authorisation shall be granted to allow the entities concerned to comply or enforce compliance with specific obligations or else to discharge specific functions as provided for by laws, Community legislation or regulations, in particular as regards public health care, occupational disease and accident prevention, medical treatment and diagnosis, including organ and tissue transplantation, rehabilitation of the invalid or physically and mentally disabled, preventive treatment of infectious and endemic diseases, mental health protection, pharmaceutical and health care in respect of sports activities or investigations - pursuant to law - into the offences which are referred to in the legislation applying to the sports sector. Processing may also concern the entering of data into medical records, certifications and other medical documents as well as into other documents relating to administrative management whenever this is required for the abovementioned purposes.
If organisational or administrative management functions are to be discharged for achieving the above purposes, the addressees of this authorisation shall require the processors and the persons in charge of the processing who have been committed said functions to abide by the same confidentiality rules which are incumbent on themselves, in accordance with the provisions included in Section 17(3) of legislative decree no. 135/1999.
1.2. This authorisation shall also be granted:
a) to natural or legal persons, bodies, associations and other private entities for scientific research purposes, including statistical purposes, if the research is aimed at protecting the health of the data subject, third parties or the community as a whole in the medical, biomedical or epidemiological field, whenever the relationships between risk factors and human health are to be assessed or investigations are scheduled concerning diagnostic, therapeutic or preventive medicine activities or else the utilisation of health care facilities, and the availability of exclusively anonymous data with regard to population samples does not allow achieving the purposes of said research. In these cases the data subjects' consent shall be required (without prejudice to Section 23(1), final period, of Act no. 675/1996 and to Section 5(1) of legislative decree no. 282 of 30.07.99) and the data, once collected, shall be processed in such a way as to prevent data subjects from being identified even indirectly, unless research data are matched with identification data only on a temporary basis and this is fundamental for the research purposes and the underlying reasons are detailed in writing. Research findings may only be disclosed in anonymous form. The provisions included in legislative decrees no. 281 and no. 282 of 30.07.99 concerning scientific, medical and epidemiological research are hereby left unprejudiced;
b) to voluntary or assistance organisations with regard to such data and operations as are necessary for specific, legitimate purposes laid down, in particular, in the relevant by-laws;
c) to rehabilitation and support centres, nursing homes and specialised clinics, with regard to such data and operations as are necessary for specific, legitimate purposes laid down, in particular, in the relevant regulations;
d) to recognised religious bodies, associations and organisations, including religious denominations and communities, with regard to such data and operations as are necessary for specific, legitimate purposes which must be laid down in the relevant by-laws, if any, without prejudice to Section 22(1-bis) of Act no. 675/1996;
e) to natural and legal persons, businesses, bodies, associations and other entities with regard to such data - including, where necessary, those concerning sex life - and operations as are required to fulfil obligations, including pre-contractual obligations, resulting from a relationship which entails the supply of goods or services to the data subject. Where said relationship concerns credit institutions, insurance companies or anyhow movables, only such data and operations shall be considered to be necessary as are required to supply specific products or services pursuant to a request by the data subject. The relationship may also concern the supply of visual, hearing or deambulation aids;
f) to natural and legal persons, bodies, associations and other entities running sports facilities or centres, with regard to the data and operations required to assess fitness for participation in sports or competitive activities;
g) to natural and legal persons and other bodies as regards the data of recipients and donors and the operations that are necessary for performing organ and tissue transplantation and blood donations.
1.3. This authorisation shall also be granted in respect of the processing of data disclosing health and sex life whenever said processing is required to carry out the investigations by defence counsel as per Act no. 397 of 07.12.2000 or else to establish or defend a legal claim even by third parties, including administrative proceedings and arbitration or settlement procedures in the cases provided for by laws, Community legislation, regulations or collective agreements, on condition that said claim is of an equal level compared with the data subject's one and the data are processed exclusively for said purposes and for no longer than is absolutely necessary therefor.
2) Categories of processed data
Processing shall concern data that are closely relevant to the obligations, tasks or purposes referred to under 1), where they cannot be fulfilled, on a case by case basis, by processing either anonymous data or personal data of a different kind, and may include the information relating to medical history.
The following data shall also fall within the scope of application of this authorisation:
a) information concerning unborn children, which must be regarded as personal data in pursuance of aforesaid Council of Europe Recommendation No. R(97) 5;
b) genetic data with regard to the information and operations that are necessary to safeguard bodily integrity and health of the data subject, a third party or the community as a whole, based on the consent given as per Sections 22 and 23 of Act no. 675/1996. Failing such consent, the processing may only be started or continued upon specific authorisation by the Garante if it is aimed at protecting bodily integrity and health of a third party or the community as a whole. Genetic data may not be processed by the entities referred to under 1.2, subheadings c), d), e) and f). The information to be provided to the data subject pursuant to Section 10 of Act no. 675/1996 shall especially point out the data subject's right to object, on legitimate grounds, to the processing of personal data concerning him/her. Pending entry into force of the relevant authorisation for the processing of genetic data, which is referred to in Section 17(5) of legislative decree no. 135/1999, as subsequently amended and supplemented, genetic data that are processed for the purpose of preventive treatment, diagnosis or medical treatment of the data subject, or else for scientific research purposes, may only be used for these purposes or else to allow the data subject to take a free and informed decision, or to provide evidence in criminal or civil proceedings pursuant to law.
3) Processing arrangements
Without prejudice to the obligations laid down in Sections 9, 15 and 17 of Act no. 675/1996 and in Presidential decree no. 318/1999, processing of sensitive data shall only be carried out in accordance with such logic and organisational arrangements as are closely related to the obligations, tasks and purposes referred to above.
This authorisation shall be without prejudice to the requirement of obtaining the data subject's consent and informing him/her as per Sections 10, 22 and 23 of Act no. 675/1996. As to data concerning unborn children, consent shall be given by the expectant mother.
4) Data retention
In compliance with the obligation referred to in Section 9(1), subheading e), of Act no. 675/1996, the data shall be kept for no longer than is necessary to fulfil the obligations or discharge the functions mentioned under 3), or else to achieve the purposes mentioned therein. To that end it shall be determined, also by way of regular controls, whether the data are relevant and not excessive with regard to the existing, planned or terminated relationship, performance or tasks - including the data supplied on the data subject's own initiative. The data that are found by said controls to be either excessive or irrelevant or unnecessary may not be used except with a view to keeping - as required by law - the instrument and/or document where the data are contained. Special attention shall be paid to relevance of the data concerning entities that are not immediately related to fulfilment of the abovementioned obligations and/or tasks.
5) Data communication and dissemination
Data disclosing health and sex life may only be disseminated if this is necessary for the prevention, detection or suppression of criminal offences in compliance with the relevant provisions, as laid down in Section 23(4) of Act no. 675/1996.
No data disclosing sex life shall be disseminated unless dissemination concerns data which were manifestly made public by the data subject and the data subject did not subsequently object on legitimate grounds to said dissemination.
Data disclosing health, other than genetic data, may be communicated - exclusively with regard to the obligations, tasks and purposes referred to under 1) - to public and private bodies including health care Funds, businesses carrying out activities that are closely related either to the exercise of health care professions or to the supply of goods and services for the data subject, credit institutions and insurance companies, voluntary associations or organisations and the data subject's family members.
6) Requests for authorisation
Where the processing falls within the scope of this authorisation, no application for authorisation shall have to be filed with the Garante by the relevant controller, on condition that the proposed processing is in line with the above provisions.
Any requests for authorisation which have already been received, or which will be received following the adoption of this authorisation, shall be regarded as granted insofar as they comply with the requirements laid down herein.
No requests to authorise processing operations that are not in line with the provisions set out herein shall be taken into consideration by the Garante, unless they are to be granted on account of special or exceptional circumstances which are not referred to in this authorisation - e.g., whenever obtaining the data subject's consent would involve a manifestly disproportionate effort with regard, in particular, to the number of persons concerned.
7) Final provisions
Any laws, regulations or Community rules imposing stricter prohibitions or restrictions on the processing of personal data are hereby left unprejudiced, especially as regards:
a) Section 5(2) of Act no. 135 of 05.06.90, under which the statistical assessment of HIV-related infections is to be carried out in such a way as not to allow identification of the persons concerned;
b) Section 11 of Act no. 194 of 22.05.78, under which hospitals, specialised clinics or out-patient clinics where medical abortions are performed must provide the physician competent for the provincial district with a statement omitting any reference to the woman's identity;
c) Section 734-bis of the Criminal Code, which prohibits disclosure of particulars or images relating to a person who has been the victim of sexual violence without the person's consent.
Further, this authorisation shall be without prejudice to the prohibition to disclose, on no legitimate grounds, and utilise, with a view to gain for oneself or another, information to which professional secrecy applies; the professional duties which are laid down, in particular, in the Code of medical ethics adopted by the National Federation of the Rolls of Physicians and Dental Surgeons shall further apply.
Finally, the possibility to disclose anonymous data, whether aggregated or not, and include them into publications for scientific, educational, preventive or information purposes shall also remain unprejudiced.
8) Effectiveness and Transitional Provisions
This authorisation shall be effective as of 1 February 2002 until 30 June 2003.
If, by the date on which this authorisation is published, the processing is not compliant with the provisions that are not included in Authorisation no. 2/2000, the data controller shall have to bring it into line with said provisions by the 31st May 2002.
This authorisation shall be published on the Official Journal of the Italian Republic.
Done in Rome, this 31st day of January 2002.