Can the Italian healthcare system process sensitive personal data without explicit patient consent?
18 April 2018
On 27 March 2018, a draft of the legislative decree (Draft Decree) that is expected to replace the Italian Privacy Code following the entry into force of the EU General Data Protection Regulation (GDPR) was published. The Draft Decree introduces important changes to the way in which medical facilities will have to handle the processing of health data of patients undergoing medical treatment, and suggests that patient consent will only be required for the processing of genetic data and not in relation to other kinds of sensitive health-related information.
On 25 May 2018, the GDPR will replace the current EU Data Protection Directive and will be directly applicable in all member states. However, there are a number of areas in which the GDPR calls on national legislators to harmonise domestic legislation to reflect the GDPR. In Italy, the Draft Decree will serve this purpose. Once adopted, the Draft Decree will replace and repeal the current Italian Privacy Code (Legislative Decree 196/2006).
One of the areas affected by the Draft Decree is the protection of health data.
Article 8 of the Draft Decree provides that sensitive health data must be processed in compliance with Article 9(2) of the GDPR and in accordance with guarantee measures to be imposed by the Italian Data Protection Authority after having submitted them for public consultation for a period of at least 60 days (the Guarantee Measures). In particular, Article 8 sets out that the Guarantee Measures must be updated by the Data Protection Authority every two years and must take into account:
- guidelines and recommendations published by the European Data Protection Committee and best practices on sensitive data protection;
- scientific and technological developments in data protection/processing;
- the interest in the free circulation of data within the EU;
- the specific purpose of the processing (e.g., diagnosis and treatment).
With respect to the processing of genetic data, in compliance with Article 9(4) of the GDPR, Article 8(6) of the Draft Decree provides that the relevant Guarantee Measures may require consent to the processing of sensitive data, alongside other specific procedures.
On the basis of Article 8 of the Draft Decree, it appears that patient consent may only be required for the processing of genetic data and not in relation to other kinds of sensitive health-related information. This seems to be a reasonable choice by the legislator since, according to the current Italian framework, patient consent is already required before any medical treatment. Once the patient has consented to undergo a medical treatment, requiring a separate consent for the processing of sensitive health data, which is instrumental to/part of the treatment itself, would seem like an unnecessary burden.
In the context of the Draft Decree, the Data Protection Authority will retain significant discretion on how to define the Guarantee Measures and this can strongly affect the way in which medical facilities will have to handle the processing of health data. The specific modalities of implementation of the Draft Decree, therefore, remain to be seen and, as always, the devil will be in the detail.