On May 9, 2024, the Italian data protection authority (“Garante”) published a decision identifying the safeguards that controllers must put in place when processing health data for medical research purposes, in cases where data subjects’ consent cannot be obtained for ethical or organizational reasons.
The Garante’s decision follows a recent legislative development, enacted by Law n. 56 of April 29, 2024, and effective as of May 1, 2024, which amended, among other things, Article 110 of the Italian Privacy Code. The amendment removes the obligation to submit a research program and related data protection impact assessment (“DPIA”) for prior consultation to the Garante, in cases where it is impossible or disproportionately burdensome to contact the concerned individuals.
We provide below an overview of the legal framework and the safeguards identified by the Garante.
Article 110 of the Italian Privacy Code
Article 110 of the Italian Privacy Code sets out two exceptions to the general rule of consent as the legal basis for processing health data for the purposes of medical, biomedical and epidemiological research. In particular, consent is not required when:
- the research is conducted on the basis of a law, regulation or EU law, in accordance with Article 9(2)(j) of GDPR. In these cases, the controller must conduct and publish a DPIA; or
- due to particular reasons, informing data subjects proves impossible, or entails a disproportionate effort, or it risks rendering impossible or seriously impairing the achievement of the research’s objectives. In these cases, the controller must (i) adopt appropriate measures to protect the rights, freedoms and legitimate interests of the data subject, (ii) obtain a reasoned positive opinion on the research program from the competent local ethics committee, and (iii) comply with the safeguards identified by the Garante.
Prior consultation with the Garante was previously required in the scenarios described in point 2) above. The Italian legislator has now removed this procedural step.
The Garante’s Safeguards
Following this development, the Garante issued the abovementioned safeguards, which apply in the context of processing of health data for medical research purposes in cases where the concerned subjects are (i) deceased, or (ii) unreachable due to ethical or organizational reasons.
The Garante defines the latter two categories as follows:
- “ethical” reasons relate to a situation where the individual is unaware of their condition, such that providing a privacy notice to them would entail disclosing news about the study which could cause material or psychological damage to them;
- “organizational impossibility” reasons relate to a situation where not collecting the data of unreachable individuals, considering the total number of subjects to be enrolled in the study, would have significant consequences for the quality of the study’s results, and taking into account the criteria of inclusion, modalities of enrolment, statistical numerousness of the sample, and the period of time that has passed since the original data collection. This includes situations where:
- contacting individuals would entail a disproportionate effort in view of the high number of subjects in the cohort – which should be considered only in exceptional cases; and
- after undertaking every reasonable effort to contact individuals, they appear to be deceased or unreachable at the time of inclusion in the study. The Garante clarifies that this process includes verifying whether the concerned individuals are alive, consulting the details provided in clinical documentation, using telephone contact details where provided, and collecting publicly available contact details.
In these cases, the Garante requires controllers to adopt certain safeguards. In addition to the measures illustrated in points 2(i)-(ii) above, the controller must:
- carefully explain and document, in the research project, the existence of ethical or organizational reasons, as described above;
- where applicable, also document the reasonable efforts made to attempt to contact the concerned individuals; and
- conduct and publish a DPIA, and communicate it to the Garante.
New Ethics Rules for Processing for Scientific Research Purposes
Finally, in its decision, the Garante also launched the process for the adoption of new ethics rules in the context of the processing of personal data for statistical and scientific research purposes, which will complement the safeguards outlined above.
***
Covington’s Data Privacy and Cybersecurity Team regularly advises clients in the health and scientific research space, including on the privacy aspects of clinical trials. Our team is happy to assist with any inquiries.