
Magazine Intelligenza Artificiale: l'IA è più di quello che appare


New rules on medical research involving artificial intelligence in the light of amendments to Article 110 of the Italian Privacy Code. Second part


The effects of the amendment to Article 110 of the Privacy Code

Many professionals had highlighted critical issues arising from the difficulties of applying Article 110. Therefore, with a view to encouraging research and secondary use of data, the legislature intervened with Law No. 56 of 29 April 2024, which eliminated from the text of paragraph 1 the reference to necessary prior consultation with the Garante.

For retrospective medical research, this amendment significantly reduces red tape. However, such research is not entirely freed from constraints, and it will still have to comply with specific safeguards. The provision entrusts the identification of these safeguards to the Garante (data protection authority), pursuant to Article 106(2)(d) of the Code, within the framework of the ethical rules, pursuant to Article 2-quater and Article 106 of the Code, and in accordance with Article 89 of the GDPR.

With the 9 May 2024 regulatory measure, the Garante identified the first safeguards to be adopted when processing the personal data of deceased or non-contactable patients for medical, biomedical and epidemiological research purposes. It also established a procedure for the adoption of new ethical rules concerning data processing for statistical or scientific research purposes, pursuant to Article 2-quater and Article 106 of the Code. In accordance with the principle of representativeness, it invited notifications from all interested public and private entities that considered themselves eligible to sign up to the ethical rules, as well as stakeholders intending to participate in the work.

Pending approval of the new ethical rules, the data controller must comply with the ethical rules already in force regarding the processing of health data for statistical or scientific research purposes, which are set out in Annex A5 of the Code. Accordingly, when processing the health data of subjects who have died, or who cannot be contacted for ethical or organisational reasons, for the purpose of medical, biomedical and epidemiological research, the data controller must:

– take appropriate measures to protect the rights, freedoms and legitimate interests of data subjects;

– obtain a favourable opinion from the competent ethics committee;

– document and explain in the research project the ethical or organisational reasons why informing the data subjects, and thus acquiring their consent, is impossible or would require disproportionate effort, or why there is a risk that the objectives of the research would otherwise be impossible to achieve or seriously jeopardised;

– carry out an impact assessment and publish it;

– notify the Garante about its publication.

This regulatory measure was followed by a series of FAQs published on the website of the Garante about the legal bases that allow the IRCCS (Scientific Institute for Research, Hospitalization, and Healthcare) to process personal data, collected for healthcare purposes, for the purpose of further research, and the legal requirements that apply.

It must be emphasised that IRCCSs are hospitals of excellence pursuing research in the biomedical field and for the organisation of health services. Therefore, pursuant to Article 110 bis, paragraph 4, of the Privacy Code, personal data collected for clinical activities can also be processed for research purposes. That does not constitute further processing by third parties because the healthcare activity carried out by these institutes is instrumental for their research.

The Garante clarified that the obligation to publish an impact assessment also applies to the IRCCS. However, if they have obtained the consent of the data subjects, they don’t have to publish the impact assessment.

In the event that the impact assessment indicates that there might be a high risk associated with the data processing, and that no measures have been taken by the data controller to mitigate that risk, then in accordance with Article 36 of the GDPR, prior consultation with the Garante is mandatory.

Article 110 bis, paragraph 4, of the Code does not define which types of medical research these rules apply to. As such, the Garante has emphasised that the provision applies to all types of medical, biomedical, epidemiological, prospective and retrospective research promoted by IRCCSs. That includes multicentre studies carried out within the research networks of the IRCCSs as well as multicentre studies promoted by these institutes that involve the participation of organisations that do not have this kind of recognition.

From analysis of the 9 May regulatory measure and the FAQs, it transpires that the principle of accountability is central. The data controller, as part of the research activities, will have to identify the correct legal basis for the data processing and will have to evaluate the measures intended to address risks to the rights and freedoms of the data subjects. Where these risks are not mitigated, the Garante must be consulted.


It is also important to highlight the role of researchers and ethics committees. Researchers are responsible for explaining in the research project the ethical and organisational reasons why obtaining consent is impossible. This is set out in Provision no. 146 of 5 June 2019 on the subject of requirements relating to the processing of personal data carried out for scientific research purposes, and in the various regulatory measures issued by the Garante pursuant to Article 110. Ethics committees are responsible for assessing the existence and validity of these reasons.

Conclusions

The regulatory change was created to facilitate research development. Unfortunately, initial analysis reveals ongoing practical problems. In particular, it appears that the new law continues to bind research to a consent-oriented perspective, because it does not allow reliance on the legal ground of public interest, as other European countries (such as Spain) do and as the guidelines of the European Data Protection Board suggest[1].

Without the consent of patients, there are very heavy burdens on health providers (public or private) carrying out research activities. To protect patients, they are required to activate and document the privacy impact assessment process, which involves intensive compliance activities and responsibilities also for researchers. In addition, to carry out the privacy impact assessment, it is necessary to have a multidisciplinary team composed of doctors, organisational experts, lawyers and computer scientists. A multi-disciplinary approach is necessary, and required by the European regulation, in order to guarantee that the personal data of patients enrolled in clinical trials is protected.



[1] Opinion 3/2019 concerning the questions and answers on the interplay between the Clinical Trials Regulation (CTR) and the General Data Protection Regulation (GDPR) of 23/01/2019
