Garante per la protezione dei dati personali (Italy) - 9682641

From GDPRhub
Garante per la protezione dei dati personali (Italy) - 9682641
LogoIT.png
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5 GDPR
Article 9 GDPR
Codice in materia di protezione dei dati personali
Linee guida in materia di Dossier sanitario - 4 giugno 2015
Type: Investigation
Outcome: Violation found
Started:
Decided: 27.05.2021
Published:
Fine: 150.000 EUR
Parties: Trento health authority
National Case Number/Name: 9682641
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Italian
Original Source: Garante (in IT)
Initial Contributor: n/a

The Italian DPA (Garante) fined the Trento health authority €150,000 for unlawful disclosure of patient health data in violation of Articles 5 and 9 GDPR.

English Summary

Facts

By a technical mistake, the Trento health authority shared with general practitioners a total of 293 health documents referring to 175 interested parties (including 2 minors) although the interested parties had exercised their right to obscure these documents.

Holding

The Italian DPA considered that the personal data had been shared in violation of art. 75 of the Italian “Codice in materia di protezione dei dati personali” and of Article 9 GDPR as well as the principles of lawfulness, integrity and confidentiality of the processing as per Article 5 GDPR.

In fact, according to Article 9 GDPR, health data may only be disclosed to the person concerned and may only be disclosed to third parties on the basis of an appropriate legal base or on the basis of written authorization by the data subject. In the case under examination, the data subjects explicitly requested not to share their data with their general practitioners, and the DPA therefore found that Article 9 had been violated.

The DPA also referred to specific health data guidelines published by the Italian DPA itself (“Linee guida in materia di Dossier sanitario - 4 giugno 2015”) and to Article 75 of the Italian Data Protection Code. According to these guidelines, an important guarantee to protect the confidentiality of the interested party consists in the possibility that the interested party decides to obscure certain data or health documents that can be consulted through the Health Dossier. Since the parties specifically exercised this right, the DPA deemed that these Guidelines, and therefore article 75 of the Italian Code, were also violated.

With the power conferred by Article 58(2)(i) and 83 GDPR, the Italian DPA imposed a fine of €150,000 on the Trento health authority.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.
















SEE ALSO Newsletter of 20 July 2021



[doc. web n. 9682641]

Injunction order against the Provincial Health Services Agency of Trento - May 27, 2021

Record of measures
n. 212 of May 27, 2021

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by prof. Pasquale Stanzione, president, professor Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer. Guido Scorza, members and the cons. Fabio Mattei, general secretary;

GIVEN the Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, concerning the protection of individuals with regard to the processing of personal data, as well as the free circulation of such data and which repeals Directive 95/46 / EC, "General Data Protection Regulation" (hereinafter the "Regulation");

GIVEN the legislative decree 30 June 2003, n. 196 containing the "Code regarding the protection of personal data, containing provisions for the adaptation of the national system to Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, relating to the protection of individuals with regard to to the processing of personal data, as well as to the free circulation of such data and which repeals Directive 95/46 / EC (hereinafter the "Code");

GIVEN the Regulation n. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved by resolution no. 98 of 4/4/2019, published in the Official Gazette n. 106 of 8/5/2019 and in www.gpdp.it, doc. web n. 9107633 (hereinafter "Regulation of the Guarantor no. 1/2019");

HAVING REGARD to the documentation on file;

HAVING REGARD to the observations made by the Secretary General pursuant to art. 15 of the Guarantor Regulation n. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data, Doc. web n. 1098801;

Speaker prof. Pasquale Stanzione;

WHEREAS

1. The violation of personal data.

The Provincial Health Services Agency of Trento (hereinafter the Company) has notified the Guarantor of a breach of personal data pursuant to art. 33 of the Regulation in relation to the making available to general practitioners (GPs) of 293 health documents (of which 163 relating to data of subjects with greater protection of anonymity) referring to 175 interested parties (of which 2 minors, 24 deceased and 19 currently outside the Province), although the interested parties had exercised the right of obscuration with regard to the aforementioned documents (notification of 13.11.2019, prot. No. 173499, and of 13.12.2019, prot. No. 192546).

In particular, in the aforementioned notification of violation, the Company stated that:

- "On 25/10/2019 an interested party contacted the Public Relations Office by e-mail, stating that her General Practitioner (hereinafter" GP ") had become aware of health data relating to 'voluntary termination of the pregnancy of the same (hereinafter "IVG"), despite the patient declares to have denied, upon acceptance at the time of admission on 30 May 2018, the consent to the communication of such data to her GP " ;

- "due to an IT error in the publication routine (IT procedure), some documents in digital format containing a summary of the clinical diary relating to the Day Hospital activities were made available for telematic notification to the GPs of the patients, as the" Report publication system "did not associate the obscuration, correctly entered by health professionals in the Hospital Information System (HIS), but applied the value of general consent - which allowed the sending and notification of the health documents of the interested parties to their respective GPs - previously expressed by the interested parties ";

- the facts concerned “293 summary documents, of which 24 referring to assistants who have died to date and 19 refer to people who have now emigrated outside the Autonomous Province of Trento; of the 293 summary documents, 163 relate to events containing data subject to greater protection of anonymity referring to 153 patients ";

- "following the report of the interested party, the procedures for verifying and reconstructing the sequence of events involving the Hospital Information System application (hereinafter" SIO "), the report publication system and the Ampere system for the interface towards the GP / PLS folders. These activities required a few days of work as the events occurred over a period of time in which various transition phases took place for the adaptation of consent management to the provisions on electronic health records and electronic health records ";

- it was decided to proceed with the "implementation of a single routine management system for the calculation of consent / blackout. Historically, the report publication system was created for the sharing of patients' health documents with their respective General Practitioners / Free Choice Pediatricians (hereinafter "GP / PLS") through the AMPERE system, subject to the consent of the interested parties. Subsequently, all the other company health professionals or affiliated with a system other than AMPERE were also enabled to access this information, again only with the consent of the interested parties. and the "implementation of a new tool that will be developed and provided by the Company to GPs within the first quarter of 2020 which will allow for the deletion of any documents communicated by human error from the medical record applications of GPs";

- "the interested party who reported the violation of personal data on 25/10/2019 was heard shortly by the Data Protection Officer and invited to the Company headquarters for a meeting scheduled for 16/12/2019 . This meeting is aimed at providing the results of the checks carried out by the owner following the report. After this meeting, a formal communication will be sent to the interested party ";

- “with reference to the other no. 174 interested parties, the owner has decided not to proceed with the communication, as it is considered unlikely that the violation could result in high risks for the rights and freedoms of the interested parties ".

2. The preliminary activity.

In relation to what was communicated by the Company, the Office, with deed no. 4264 of 3.2.2020, notified the Company, pursuant to art. 166, paragraph 5, of the Code, the initiation of the procedure for the adoption of the measures referred to in Article 58, paragraph 2, of the Regulations, inviting the aforementioned holder to produce defensive writings or documents to the Guarantor or to ask to be heard by the Authority (art. 166, paragraphs 6 and 7, of the Code; as well as art. 18, paragraph 1, by law n. 689 of 24/11/1981).

In particular, the Office, in the aforementioned deed, represented that, on the basis of the elements acquired and the facts that emerged as a result of the investigation, the Company carried out, through the integration of the SIO Systems, the one for the publication of reports and the Ampere system, the communication of 293 summary documents (also relating to cases of termination of pregnancy) relating to 175 interested in the relative general practitioners without a suitable legal basis and in contrast with the explicit request for blackout made by interested, in violation of art. 75 of the Code, of art. 9 of the Regulation and of the principles of lawfulness, integrity and confidentiality of the processing (Article 5 of the Regulation).

With a note dated February 28, 2020 (prot. No. 35590), the Company sent its defense briefs, in which additional elements were represented and in particular that:

- "the incident, which occurred in the period between March 4, 2017 and October 29, 2019, as already highlighted in the supplementary data breach communication notified to this Ill.ma Authority, was allowed by the particular complexity of the architecture of the above systems described and, consequently, is exclusively attributable to an accidental cause which occurred during the development activity which took place in a phase of complex and important revision and restructuring of the information systems ";

- "The 293 Reports sent to the GP were all associated with a contact with NO_invio (correctly entered by the ward health workers), of which 163 also with MTA Blanking active";

- "The 293 documents were visible to the GP, because the Ampere notification table was updated directly by the automatic procedure, which, in verifying the consent given by the patient, instead of referring to the GP obscuration entered by the healthcare operator at the time of performance used that of the so-called consent of general visibility ";

- "As a result, a Yes_send flag referred to the so-called consent was mistakenly entered in the Ampere notification table for this type of Report. of general visibility expressed by each individual patient and not at the GP Darkening ";

- "During the checks carried out, the Company was able to ascertain that the visibility erroneously associated with the type of document in question was limited in time as the reports subsequently produced as part of the patient's care path corrected the error , restoring the correct flag and, therefore, the MMG Darkening. More precisely, the updating procedures between the various systems automatically remedied the consent error in the Ampere notification table when any document subsequent to the update was loaded, within the same episode of care (Day Hospital ). In most cases, this was the time between the time the document was generated by the system (3 am) and the time of receiving a subsequent laboratory test or discharge letter (within the same morning). ). This event, restoring the correct blackout value, made it impossible for GPs to download the documents to their personal computer, thus preventing their visibility ";

- "As soon as it became aware of the event, the Company took various initiatives (...). First of all, the Company's Technology Department, promptly involved by the Owner, immediately activated the necessary checks and resolved the cause of the computer error, making changes to the calculation routine that caused the accident, as well as implementing and planning the following measures to reduce the risk of future errors:

implementation of a single routine management system for calculating MMG Obscuration by eliminating two independent paths, in order to avoid possible inconsistencies and errors in alignment with the visibility / obscuring rules of individual documents; measure implemented by 31/3/2020.

implementation of a new notification service through which GPs are requested to cancel the Reports from their personal computers (the configuration of the service by the Company will take place by 31/3/2020, while the actual implementation will depend on the timing of implementation by the supplier of the various medical records of GPs). - - - (...) ":

- "The Company, as soon as it received the report from the interested party, promptly took action to collect the information necessary to provide adequate support to the same, as well as to verify the reasons for the accident in order to remedy it immediately";

- "the number of Reports (293) is numerically reduced when compared to the overall volume of documents sent annually to GPs / PLS (over 4 million in 2019). The small incidence of the cases on a numerical level and the occurrence of events in an extremely limited period of time (about 8 hours) meant that the problem was not easily detectable by computer tests ";

- In addition, it should in any case be reiterated that the subjects to whom the visibility of the Reports has been erroneously enabled (ie the patients' trusted doctors) are directly recipients of an obligation of confidentiality imposed on them by the code of medical ethics, which includes the duties of the respect for the dignity of the person without any discrimination and the obligation - moreover sanctioned at a disciplinary level - to keep the secrecy of all that he is aware of by reason of his professional activity. The recipients of the data are therefore qualified subjects operating organically within the provincial health service, not being able to objectively communicate the health data to the general practitioner of the patient, even if not due in this case, to be considered comparable by gravity. to the provision of the same to a subject not equally subject to such stringent professional rules and operating outside the doctor-patient fiduciary relationship ".

3. Outcome of the preliminary investigation.

Having taken note of what is represented by the Company in the documentation in deeds and in the defense briefs, it is noted that:

1. in the health field - information on the state of health can only be communicated to the interested party and can be communicated to third parties only on the basis of a suitable legal basis or on the indication of the interested party himself after the latter's written delegation (art. 9 Regulation and art.83 of the Code in conjunction with art.22, paragraph 11, legislative decree 10 August 2018, n.101);

2. the Code provides that "the processing of personal data carried out for the purpose of protecting the health and physical safety of the interested party (...) must be carried out (...) in compliance with the specific sector provisions" (Article 75-Specific conditions in health area of the Code). With reference to the present case, the specific sector indications indicated by the Guarantor in the "Guidelines on the subject of the Health Dossier - 4 June 2015" must be kept in mind (Provision of 4.6.2015, published in GU 164 of 17 July 2015, available for consultation on www.gpdp.it doc web n.4084632), which, like the other provisions of the Authority, continue to apply even after the full application of the Regulation, as they are compatible with it (Article 22, paragraph 4, d .lgs n. 101/2018). An important guarantee to protect the confidentiality of the interested party identified in the aforementioned Guidelines consists in the possibility that the interested party decides to obscure certain data or health documents that can be consulted through this tool. This, in analogy to what happens in the patient-doctor treating relationship, in which the first can come to a conscious determination not to inform the second of some health events that concern him. It should be noted that this guarantee has also been reaffirmed by the legislator also with reference to the electronic health record (see art. 12, d.l. 18 October 2012, n. 179 and art. 8 dPCM n. 178/2015). In this regard, the provisions of art. 12 of the d.l. n. 179/2012 which provided for the establishment of the electronic health record, the implementation of which is currently regulated by Prime Ministerial Decree no. 178/2015 (Regulation on electronic health records - ESF), on which the Authority expressed its opinion (Opinion of 22/5/2014, web doc. No. 3230826). The aforementioned implementing regulation defined "Data subject to greater protection of anonymity" the information and health and social and health documents governed by the regulatory provisions also protecting women who undergo voluntary termination of pregnancy (Article 5). These types of data can be made visible through the ESF "only with the explicit consent of the client". The aforementioned regulation provides that it is "the responsibility of the professionals or health workers who provide the service to acquire the explicit consent of the client" (art. 5, paragraph 2). The aforementioned regulation also established that "the assisted person has the right to request the obscuring of health and socio-health data and documents both before feeding the ESF and subsequently, ensuring that they can only be consulted by the assisted person and holders who generated them "(art. 8);

3. the failure to obscure 293 documents, relating to 175 patients, which were placed at the disposal of the respective general practitioners of the interested parties, despite the same having expressed the right to obscure them, led to a communication of data relating to the health of the interested parties lacking a suitable legal basis and in contrast with an explicit request for blackout made by the same;

4. 163 of the aforementioned documents made available to the general practitioners of the interested parties also contain information subject to greater protection of anonymity referable to 153 patients, or, specifically, data relating to the voluntary termination of pregnancy.

4. Conclusions.

In light of the aforementioned assessments, taking into account the statements made by the data controller and data processors during the investigation ˗ and considering that, unless the fact constitutes a more serious crime, anyone, in a proceeding before the Guarantor, declares or falsely certifies news or circumstances or produces false deeds or documents and is liable pursuant to art. 168 of the Code "False statements to the Guarantor and interruption of the execution of the tasks or the exercise of the powers of the Guarantor" ˗ the elements provided by the data controller in the defense briefs do not allow to overcome the findings notified by the Office with the deed initiation of the procedure, however, as none of the cases provided for by art. 11 of the Guarantor Regulation n. 1/2019.

For these reasons, the unlawfulness of the processing of personal data carried out by the Provincial Agency for Health Services of Trento under the terms set out in the motivation, for violation of Articles 5, par. 2, lett. a) and f) and 9 of the Regulations, as well as art. 75 of the Code.

In this context, considering, in any case, that the conduct has exhausted its effects, given that the Company has declared that the procedure for resolving the problem that generated the aforementioned event has been completed in such a way as to exclude the replicability of the itself and that the visibility erroneously associated with the type of document in question has been limited over time, the conditions for the adoption of the corrective measures pursuant to art. 58, par. 2, of the Regulation.

5. Adoption of the injunction order for the application of the pecuniary administrative sanction and ancillary sanctions (articles 58, par. 2, lett. I and 83 of the Regulation; art. 166, paragraph 7, of the Code).

The violation of articles 5, par. 2, lett. a) and f), and 9 of the Regulations and 75 of the Code, caused by the conduct put in place by the Provincial Health Services Agency of Trento, is subject to the application of a pecuniary administrative sanction pursuant to art. 83, paragraph 5, of the Regulation also pursuant to art. 166, paragraph 2 of the Code (see letter a) with reference to the violation of articles 5 and 9 of the Regulation).

In the present case - also considering the reference contained in art. 166, paragraph 2, of the Code - the violation of the aforementioned provisions is subject to the application of the same administrative fine provided for by art. 83, par. 5, of the Regulation, which therefore applies to the present case.

It should be considered that the Guarantor, pursuant to art. 58, par. 2, lett. i) and 83 of the Regulations, as well as art. 166 of the Code, has the power to "inflict a pecuniary administrative sanction pursuant to Article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or instead of such measures, depending on the circumstances of each single case "and, in this context," the College [of the Guarantor] adopts the injunction order, with which it also disposes with regard to the application of the ancillary administrative sanction of its publication, in whole or in excerpt, on the website of the Guarantor pursuant to Article 166, paragraph 7, of the Code "(Article 16, paragraph 1, of the Guarantor Regulation no. 1/2019).

The aforementioned administrative fine imposed, depending on the circumstances of each individual case, must be determined in the amount taking into account the principles of effectiveness, proportionality and dissuasiveness, indicated in art. 83, par. 1, of the Regulation, in light of the elements provided for in art. 85, par. 2, of the Regulation in relation to which it is noted that:

- the Authority became aware of the event following the notification of personal data breach made by the same owner and no complaints or reports were received to the Guarantor on the incident (Article 83, paragraph 2, letter h) of the Regulation );

- the processing of data carried out by the Company concerns data suitable for detecting information on the health - also relating to the termination of pregnancy - of 175 interested parties, including 2 minors (art. 83, par. 2, lett. a) and g) of the Regulations);

- the violations, even if due to a software error, have resulted in a communication, not episodic, of particular data subject to particular protection, despite the interested parties having expressly expressed, in the foreseen forms, the will that their data were not visible to third parties in your electronic health record (right of blackout);

- the absence of voluntary elements on the part of the Company in the causation of the event (Article 83, paragraph 2, letter b) of the Regulations);

- the event was immediately taken over by the Company which was followed by the identification of corrective and resolving solutions (Article 83, paragraph 2, letters c) and d) of the Regulations);

- the Company immediately demonstrated a high degree of cooperation (Article 83, paragraph 2, letter f) of the Regulation);

- the Company has already been the recipient of a sanctioning procedure relating to the processing of personal data carried out through the company health dossier (provision of 21 April 2021, no.155) (Article 83, paragraph 2, letter i) of the Regulation ).

Due to the aforementioned elements, assessed as a whole, also taking into account the phase of first application of the sanctioning provisions pursuant to art. 22, paragraph 13, of the d. lgs. 10/08/2018, n. 101, it is believed to determine the amount of the pecuniary sanction provided for by art. 83, par. 5, lett. a) of the Regulations, to the extent of € 150,000 (one hundred and fifty thousand) for the violation of Articles 5, par. 1, lett. a) and f) and 9 of the Regulations and Article 75 of the Code as a deemed administrative fine, pursuant to art. 83, par. 1, of the Regulation, effective, proportionate and dissuasive.

It is also believed that the ancillary sanction of the publication on the website of the Guarantor of this provision, provided for by art. 166, paragraph 7 of the Code and art. 16 of the Guarantor Regulation n. 1/2019, also in consideration of the type of personal data subject to unlawful processing.

Finally, it is noted that the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor.

WHEREAS, THE GUARANTOR

declares the unlawfulness of the processing of personal data carried out by the Provincial Agency for Health Services of Trento, for the violation of art. 5, par. 1, lett. a) and f) and 9 of the Regulations and art. 75 of the Code in the terms set out in the motivation.

ORDER

pursuant to art. 58, par. 2, lett. i) and 83 of the Regulations, as well as art. 166 of the Code, to the Provincial Health Services Agency of Trento, based in Trento, Tax Code / VAT number no. 01429410226, in the person of the pro-tempore legal representative, to pay the sum of € 150,000 (one hundred and fifty thousand) as a pecuniary administrative sanction for the violations indicated in this provision, according to the methods indicated in the annex, within 30 days from the notification of motivation; it is represented that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the sanction imposed.

INJUNCES

to the aforementioned Company, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of € 150,000 (one hundred and fifty thousand) in the manner indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of the law n. 689/1981.

HAS

pursuant to art. 166, paragraph 7, of the Code, the full publication of this provision on the website of the Guarantor and believes that the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor.

Pursuant to art. 78 of the Regulation, of art. 152 of the Code and 10 of Legislative Decree no. 150/2011, against this provision, it is possible to appeal before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the applicant resides abroad.

Rome, May 27, 2021

PRESIDENT
Stanzione

THE RAPPORTEUR
Stanzione

THE SECRETARY GENERAL
Mattei









   function printDiv (divIdToPrint, title)
    {
var divToPrint = document.getElementById (divIdToPrint);
var newWin = window.open ('', 'Print-Window');
newWin.document.open ();
newWin.document.write ('<html> <body onload = "window.print ()"> <img style = "width: 100%;" src = "/ o / guarante-privacy-theme / images / topdoc.gif "/> <h2 class =" internal-title "> '+ title +' </h2> '+ divToPrint.innerHTML +' </body> </html> ');
newWin.document.close ();
setTimeout (function () {newWin.close ();}, 10);
  }






SEE ALSO Newsletter of 20 July 2021



[doc. web n. 9682641]

Injunction order against the Provincial Health Services Agency of Trento - May 27, 2021

Record of measures
n. 212 of May 27, 2021

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by prof. Pasquale Stanzione, president, professor Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer. Guido Scorza, members and the cons. Fabio Mattei, general secretary;

GIVEN the Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, concerning the protection of individuals with regard to the processing of personal data, as well as the free circulation of such data and which repeals Directive 95/46 / EC, "General Data Protection Regulation" (hereinafter the "Regulation");

GIVEN the legislative decree 30 June 2003, n. 196 containing the "Code regarding the protection of personal data, containing provisions for the adaptation of the national system to Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, relating to the protection of individuals with regard to to the processing of personal data, as well as to the free circulation of such data and which repeals Directive 95/46 / EC (hereinafter the "Code");

GIVEN the Regulation n. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved by resolution no. 98 of 4/4/2019, published in the Official Gazette n. 106 of 8/5/2019 and in www.gpdp.it, doc. web n. 9107633 (hereinafter "Regulation of the Guarantor no. 1/2019");

HAVING REGARD to the documentation on file;

HAVING REGARD to the observations made by the Secretary General pursuant to art. 15 of the Guarantor Regulation n. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data, Doc. web n. 1098801;

Speaker prof. Pasquale Stanzione;

WHEREAS

1. The violation of personal data.

The Provincial Health Services Agency of Trento (hereinafter the Company) has notified the Guarantor of a breach of personal data pursuant to art. 33 of the Regulation in relation to the making available to general practitioners (GPs) of 293 health documents (of which 163 relating to data of subjects with greater protection of anonymity) referring to 175 interested parties (of which 2 minors, 24 deceased and 19 currently outside the Province), although the interested parties had exercised the right of obscuration with regard to the aforementioned documents (notification of 13.11.2019, prot. No. 173499, and of 13.12.2019, prot. No. 192546).

In particular, in the aforementioned notification of violation, the Company stated that:

- "On 25/10/2019 an interested party contacted the Public Relations Office by e-mail, stating that her General Practitioner (hereinafter" GP ") had become aware of health data relating to 'voluntary termination of the pregnancy of the same (hereinafter "IVG"), despite the patient declares to have denied, upon acceptance at the time of admission on 30 May 2018, the consent to the communication of such data to her GP " ;

- "due to an IT error in the publication routine (IT procedure), some documents in digital format containing a summary of the clinical diary relating to the Day Hospital activities were made available for telematic notification to the GPs of the patients, as the" Report publication system "did not associate the obscuration, correctly entered by health professionals in the Hospital Information System (HIS), but applied the value of general consent - which allowed the sending and notification of the health documents of the interested parties to their respective GPs - previously expressed by the interested parties ";

- the facts concerned “293 summary documents, of which 24 referring to assistants who have died to date and 19 refer to people who have now emigrated outside the Autonomous Province of Trento; of the 293 summary documents, 163 relate to events containing data subject to greater protection of anonymity referring to 153 patients ";

- "following the report of the interested party, the procedures for verifying and reconstructing the sequence of events involving the Hospital Information System application (hereinafter" SIO "), the report publication system and the Ampere system for the interface towards the GP / PLS folders. These activities required a few days of work as the events occurred over a period of time in which various transition phases took place for the adaptation of consent management to the provisions on electronic health records and electronic health records ";

- it was decided to proceed with the "implementation of a single routine management system for the calculation of consent / blackout. Historically, the report publication system was created for the sharing of patients' health documents with their respective General Practitioners / Free Choice Pediatricians (hereinafter "GP / PLS") through the AMPERE system, subject to the consent of the interested parties. Subsequently, all the other company health professionals or affiliated with a system other than AMPERE were also enabled to access this information, again only with the consent of the interested parties. and the "implementation of a new tool that will be developed and provided by the Company to GPs within the first quarter of 2020 which will allow for the deletion of any documents communicated by human error from the medical record applications of GPs";

- "the interested party who reported the violation of personal data on 25/10/2019 was heard shortly by the Data Protection Officer and invited to the Company headquarters for a meeting scheduled for 16/12/2019 . This meeting is aimed at providing the results of the checks carried out by the owner following the report. After this meeting, a formal communication will be sent to the interested party ";

- “with reference to the other no. 174 interested parties, the owner has decided not to proceed with the communication, as it is considered unlikely that the violation could result in high risks for the rights and freedoms of the interested parties ".

2. The preliminary activity.

In relation to what was communicated by the Company, the Office, with deed no. 4264 of 3.2.2020, notified the Company, pursuant to art. 166, paragraph 5, of the Code, the initiation of the procedure for the adoption of the measures referred to in Article 58, paragraph 2, of the Regulations, inviting the aforementioned holder to produce defensive writings or documents to the Guarantor or to ask to be heard by the Authority (art. 166, paragraphs 6 and 7, of the Code; as well as art. 18, paragraph 1, by law n. 689 of 24/11/1981).

In particular, the Office, in the aforementioned deed, represented that, on the basis of the elements acquired and the facts that emerged as a result of the investigation, the Company carried out, through the integration of the SIO Systems, the one for the publication of reports and the Ampere system, the communication of 293 summary documents (also relating to cases of termination of pregnancy) relating to 175 interested in the relative general practitioners without a suitable legal basis and in contrast with the explicit request for blackout made by interested, in violation of art. 75 of the Code, of art. 9 of the Regulation and of the principles of lawfulness, integrity and confidentiality of the processing (Article 5 of the Regulation).

With a note dated February 28, 2020 (prot. No. 35590), the Company sent its defense briefs, in which additional elements were represented and in particular that:

- "the incident, which occurred in the period between March 4, 2017 and October 29, 2019, as already highlighted in the supplementary data breach communication notified to this Ill.ma Authority, was allowed by the particular complexity of the architecture of the above systems described and, consequently, is exclusively attributable to an accidental cause which occurred during the development activity which took place in a phase of complex and important revision and restructuring of the information systems ";

- "The 293 Reports sent to the GP were all associated with a contact with NO_invio (correctly entered by the ward health workers), of which 163 also with MTA Blanking active";

- "The 293 documents were visible to the GP, because the Ampere notification table was updated directly by the automatic procedure, which, in verifying the consent given by the patient, instead of referring to the GP obscuration entered by the healthcare operator at the time of performance used that of the so-called consent of general visibility ";

- "As a result, a Yes_send flag referred to the so-called consent was mistakenly entered in the Ampere notification table for this type of Report. of general visibility expressed by each individual patient and not at the GP Darkening ";

- "During the checks carried out, the Company was able to ascertain that the visibility erroneously associated with the type of document in question was limited in time as the reports subsequently produced as part of the patient's care path corrected the error , restoring the correct flag and, therefore, the MMG Darkening. More precisely, the updating procedures between the various systems automatically remedied the consent error in the Ampere notification table when any document subsequent to the update was loaded, within the same episode of care (Day Hospital ). In most cases, this was the time between the time the document was generated by the system (3 am) and the time of receiving a subsequent laboratory test or discharge letter (within the same morning). ). This event, restoring the correct blackout value, made it impossible for GPs to download the documents to their personal computer, thus preventing their visibility ";

- "As soon as it became aware of the event, the Company took various initiatives (...). First of all, the Company's Technology Department, promptly involved by the Owner, immediately activated the necessary checks and resolved the cause of the computer error, making changes to the calculation routine that caused the accident, as well as implementing and planning the following measures to reduce the risk of future errors:

implementation of a single routine management system for calculating MMG Obscuration by eliminating two independent paths, in order to avoid possible inconsistencies and errors in alignment with the visibility / obscuring rules of individual documents; measure implemented by 31/3/2020.

implementation of a new notification service through which GPs are requested to cancel the Reports from their personal computers (the configuration of the service by the Company will take place by 31/3/2020, while the actual implementation will depend on the timing of implementation by the supplier of the various medical records of GPs). - - - (...) ":

- "The Company, as soon as it received the report from the interested party, promptly took action to collect the information necessary to provide adequate support to the same, as well as to verify the reasons for the accident in order to remedy it immediately";

- "the number of Reports (293) is numerically reduced when compared to the overall volume of documents sent annually to GPs / PLS (over 4 million in 2019). The small incidence of the cases on a numerical level and the occurrence of events in an extremely limited period of time (about 8 hours) meant that the problem was not easily detectable by computer tests ";

- In addition, it should in any case be reiterated that the subjects to whom the visibility of the Reports has been erroneously enabled (ie the patients' trusted doctors) are directly recipients of an obligation of confidentiality imposed on them by the code of medical ethics, which includes the duties of the respect for the dignity of the person without any discrimination and the obligation - moreover sanctioned at a disciplinary level - to keep the secrecy of all that he is aware of by reason of his professional activity. The recipients of the data are therefore qualified subjects operating organically within the provincial health service, not being able to objectively communicate the health data to the general practitioner of the patient, even if not due in this case, to be considered comparable by gravity. to the provision of the same to a subject not equally subject to such stringent professional rules and operating outside the doctor-patient fiduciary relationship ".

3. Outcome of the preliminary investigation.

Having taken note of what is represented by the Company in the documentation in deeds and in the defense briefs, it is noted that:

1. in the health field - information on the state of health can only be communicated to the interested party and can be communicated to third parties only on the basis of a suitable legal basis or on the indication of the interested party himself after the latter's written delegation (art. 9 Regulation and art.83 of the Code in conjunction with art.22, paragraph 11, legislative decree 10 August 2018, n.101);

2. the Code provides that "the processing of personal data carried out for the purpose of protecting the health and physical safety of the interested party (...) must be carried out (...) in compliance with the specific sector provisions" (Article 75-Specific conditions in health area of the Code). With reference to the present case, the specific sector indications indicated by the Guarantor in the "Guidelines on the subject of the Health Dossier - 4 June 2015" must be kept in mind (Provision of 4.6.2015, published in GU 164 of 17 July 2015, available for consultation on www.gpdp.it doc web n.4084632), which, like the other provisions of the Authority, continue to apply even after the full application of the Regulation, as they are compatible with it (Article 22, paragraph 4, d .lgs n. 101/2018). An important guarantee to protect the confidentiality of the interested party identified in the aforementioned Guidelines consists in the possibility that the interested party decides to obscure certain data or health documents that can be consulted through this tool. This, in analogy to what happens in the patient-doctor treating relationship, in which the first can come to a conscious determination not to inform the second of some health events that concern him. It should be noted that this guarantee has also been reaffirmed by the legislator also with reference to the electronic health record (see art. 12, d.l. 18 October 2012, n. 179 and art. 8 dPCM n. 178/2015). In this regard, the provisions of art. 12 of the d.l. n. 179/2012 which provided for the establishment of the electronic health record, the implementation of which is currently regulated by Prime Ministerial Decree no. 178/2015 (Regulation on electronic health records - ESF), on which the Authority expressed its opinion (Opinion of 22/5/2014, web doc. No. 3230826). The aforementioned implementing regulation defined "Data subject to greater protection of anonymity" the information and health and social and health documents governed by the regulatory provisions also protecting women who undergo voluntary termination of pregnancy (Article 5). These types of data can be made visible through the ESF "only with the explicit consent of the client". The aforementioned regulation provides that it is "the responsibility of the professionals or health workers who provide the service to acquire the explicit consent of the client" (art. 5, paragraph 2). The aforementioned regulation also established that "the assisted person has the right to request the obscuring of health and socio-health data and documents both before feeding the ESF and subsequently, ensuring that they can only be consulted by the assisted person and holders who generated them "(art. 8);

3. the failure to obscure 293 documents, relating to 175 patients, which were placed at the disposal of the respective general practitioners of the interested parties, despite the same having expressed the right to obscure them, led to a communication of data relating to the health of the interested parties lacking a suitable legal basis and in contrast with an explicit request for blackout made by the same;

4. 163 of the aforementioned documents made available to the general practitioners of the interested parties also contain information subject to greater protection of anonymity referable to 153 patients, or, specifically, data relating to the voluntary termination of pregnancy.

4. Conclusions.

In light of the aforementioned assessments, taking into account the statements made by the data controller and data processors during the investigation ˗ and considering that, unless the fact constitutes a more serious crime, anyone, in a proceeding before the Guarantor, declares or falsely certifies news or circumstances or produces false deeds or documents and is liable pursuant to art. 168 of the Code "False statements to the Guarantor and interruption of the execution of the tasks or the exercise of the powers of the Guarantor" ˗ the elements provided by the data controller in the defense briefs do not allow to overcome the findings notified by the Office with the deed initiation of the procedure, however, as none of the cases provided for by art. 11 of the Guarantor Regulation n. 1/2019.

For these reasons, the unlawfulness of the processing of personal data carried out by the Provincial Agency for Health Services of Trento under the terms set out in the motivation, for violation of Articles 5, par. 2, lett. a) and f) and 9 of the Regulations, as well as art. 75 of the Code.

In this context, considering, in any case, that the conduct has exhausted its effects, given that the Company has declared that the procedure for resolving the problem that generated the aforementioned event has been completed in such a way as to exclude the replicability of the itself and that the visibility erroneously associated with the type of document in question has been limited over time, the conditions for the adoption of the corrective measures pursuant to art. 58, par. 2, of the Regulation.

5. Adoption of the injunction order for the application of the pecuniary administrative sanction and ancillary sanctions (articles 58, par. 2, lett. I and 83 of the Regulation; art. 166, paragraph 7, of the Code).

The violation of articles 5, par. 2, lett. a) and f), and 9 of the Regulations and 75 of the Code, caused by the conduct put in place by the Provincial Health Services Agency of Trento, is subject to the application of a pecuniary administrative sanction pursuant to art. 83, paragraph 5, of the Regulation also pursuant to art. 166, paragraph 2 of the Code (see letter a) with reference to the violation of articles 5 and 9 of the Regulation).

In the present case - also considering the reference contained in art. 166, paragraph 2, of the Code - the violation of the aforementioned provisions is subject to the application of the same administrative fine provided for by art. 83, par. 5, of the Regulation, which therefore applies to the present case.

It should be considered that the Guarantor, pursuant to art. 58, par. 2, lett. i) and 83 of the Regulations, as well as art. 166 of the Code, has the power to "inflict a pecuniary administrative sanction pursuant to Article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or instead of such measures, depending on the circumstances of each single case "and, in this context," the College [of the Guarantor] adopts the injunction order, with which it also disposes with regard to the application of the ancillary administrative sanction of its publication, in whole or in excerpt, on the website of the Guarantor pursuant to Article 166, paragraph 7, of the Code "(Article 16, paragraph 1, of the Guarantor Regulation no. 1/2019).

The aforementioned administrative fine imposed, depending on the circumstances of each individual case, must be determined in the amount taking into account the principles of effectiveness, proportionality and dissuasiveness, indicated in art. 83, par. 1, of the Regulation, in light of the elements provided for in art. 85, par. 2, of the Regulation in relation to which it is noted that:

- the Authority became aware of the event following the notification of personal data breach made by the same owner and no complaints or reports were received to the Guarantor on the incident (Article 83, paragraph 2, letter h) of the Regulation );

- the processing of data carried out by the Company concerns data suitable for detecting information on the health - also relating to the termination of pregnancy - of 175 interested parties, including 2 minors (art. 83, par. 2, lett. a) and g) of the Regulations);

- the violations, even if due to a software error, have resulted in a communication, not episodic, of particular data subject to particular protection, despite the interested parties having expressly expressed, in the foreseen forms, the will that their data were not visible to third parties in your electronic health record (right of blackout);

- the absence of voluntary elements on the part of the Company in the causation of the event (Article 83, paragraph 2, letter b) of the Regulations);

- the event was immediately taken over by the Company which was followed by the identification of corrective and resolving solutions (Article 83, paragraph 2, letters c) and d) of the Regulations);

- the Company immediately demonstrated a high degree of cooperation (Article 83, paragraph 2, letter f) of the Regulation);

- the Company has already been the recipient of a sanctioning procedure relating to the processing of personal data carried out through the company health dossier (provision of 21 April 2021, no.155) (Article 83, paragraph 2, letter i) of the Regulation ).

Due to the aforementioned elements, assessed as a whole, also taking into account the phase of first application of the sanctioning provisions pursuant to art. 22, paragraph 13, of the d. lgs. 10/08/2018, n. 101, it is believed to determine the amount of the pecuniary sanction provided for by art. 83, par. 5, lett. a) of the Regulations, to the extent of € 150,000 (one hundred and fifty thousand) for the violation of Articles 5, par. 1, lett. a) and f) and 9 of the Regulations and Article 75 of the Code as a deemed administrative fine, pursuant to art. 83, par. 1, of the Regulation, effective, proportionate and dissuasive.

It is also believed that the ancillary sanction of the publication on the website of the Guarantor of this provision, provided for by art. 166, paragraph 7 of the Code and art. 16 of the Guarantor Regulation n. 1/2019, also in consideration of the type of personal data subject to unlawful processing.

Finally, it is noted that the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor.

WHEREAS, THE GUARANTOR

declares the unlawfulness of the processing of personal data carried out by the Provincial Agency for Health Services of Trento, for the violation of art. 5, par. 1, lett. a) and f) and 9 of the Regulations and art. 75 of the Code in the terms set out in the motivation.

ORDER

pursuant to art. 58, par. 2, lett. i) and 83 of the Regulations, as well as art. 166 of the Code, to the Provincial Health Services Agency of Trento, based in Trento, Tax Code / VAT number no. 01429410226, in the person of the pro-tempore legal representative, to pay the sum of € 150,000 (one hundred and fifty thousand) as a pecuniary administrative sanction for the violations indicated in this provision, according to the methods indicated in the annex, within 30 days from the notification of motivation; it is represented that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the sanction imposed.

INJUNCES

to the aforementioned Company, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of € 150,000 (one hundred and fifty thousand) in the manner indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of the law n. 689/1981.

HAS

pursuant to art. 166, paragraph 7, of the Code, the full publication of this provision on the website of the Guarantor and believes that the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor.

Pursuant to art. 78 of the Regulation, of art. 152 of the Code and 10 of Legislative Decree no. 150/2011, against this provision, it is possible to appeal before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the applicant resides abroad.

Rome, May 27, 2021

PRESIDENT
Stanzione

THE RAPPORTEUR
Stanzione

THE SECRETARY GENERAL
Mattei