Garante per la protezione dei dati personali (Italy) - 9819792

Garante per la protezione dei dati personali - 9819792

Authority:	Garante per la protezione dei dati personali (Italy)
Jurisdiction:	Italy
Relevant Law:	Article 5(1)(a) GDPR Article 5(1)(b) GDPR Article 5(1)(c) GDPR Article 5(1)(f) GDPR Article 9(2)(a) GDPR Article 9(2)(i) GDPR Article 25 GDPR Article 32 GDPR
Type:	Complaint
Outcome:	Upheld
Started:
Decided:
Published:
Fine:	40000 EUR
Parties:	Azienda Usl Valle d‘Aosta
National Case Number/Name:	9819792
European Case Law Identifier:	n/a
Appeal:	Unknown
Original Language(s):	Italian
Original Source:	garanteprivacy.it (in IT)
Initial Contributor:	elena.st02

The Italian DPA issued a €40,000 fine on the healthcare provider 'Azienda Usl Valle d‘Aosta' for removing privacy filters during the COVID-19 pandemic, allowing for unrestricted access to the system managing the health records.

English Summary

Facts

The data subject filed a complaint with the Italian DPA in which she stated that her health record had repeatedly been accessed by the controller, Azienda Usl Valle d‘Aosta, the employer of the data subject. The data subject complained neither to have received health care from the accessing healthcare provider nor to have given consent to the processing of her personal data.

Access was made several times between March and December 2021 by colleagues of the data subject, who later explained this was done out of mere curiosity. The health record of the data subject was easily accessible due to the suspension of privacy filters in the system during the COVID-19 emergency.

The Italian DPA asked the controller for further information. Among others, the controller stated that the possibility of unhinged access was based on the right to the protection of public health and safety according to Article 9(i) GDPR.

Holding

Since the data subject’s health record had not been accessed for reasons concerning her health or matters of public health and safety, the DPA found it to be unlawful. The access violated the principles of lawfulness, fairness and transparency under Article 5(1)(a) GDPR. The DPA further pointed out that the possibility for all staff to access health care files and communicate personal data was not only a violation of the aforementioned principles of Article 5(1)(a) GDPR but also a breach of the principle of integrity and confidentiality under Article 5(1)(f) GDPR. Moreover, there had also been a breach of the principle of purpose limitation (Article 5(b) GDPR) and of data minimization (Article 5(c) GDPR), since the accesses in question to the data subject’s personal data were not compliant with the explicit and legitimate purpose of the data processing and neither were they limited to what is necessary.

Additionally, through some examples in the health care field, the DPA mentioned that accessing a health record still required explicit consent under Article 9(2)(a) GDPR, which lacked in the present instance. Furthermore, the DPA stressed that the controller was obliged to implement appropriate technical and organisational measures to ensure a level of security, which they failed to do, resulting in a breach of Article 32 GDPR. The controller also did not take technical and organisational measures of Article 25 GDPR to aim at the implementation of data protection principles.

Considering the aforementioned breaches, the DPA issued a fine of €40,000 for the controller according to Article 83(4) and (5) GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

SEE ALSO Newsletter of November 28, 2022

[doc. web no. 9819792]

Injunction order against the Valle d'Aosta Local Health Authority - 10 November 2022

Register of measures
n. 371 of 10 November 2022

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice-president, Dr. Agostino Ghiglia and the lawyer. Guido Scorza, members and the councilor. Fabio Mattei, general secretary;

HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 /CE, “General Data Protection Regulation” (hereinafter “Regulation”);

HAVING REGARD TO Legislative Decree 30 June 2003, n. 196 containing "Code regarding the protection of personal data, containing provisions for the adaptation of national law to Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, relating to the protection of natural persons with regard to the processing of personal data, as well as the free circulation of such data and which repeals Directive 95/46/EC (hereinafter the “Code”);

GIVEN Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved with resolution no. 98 of 4/4/2019, published in the Official Gazette. n. 106 of 8/5/2019 and in www.gpdp.it, doc. web n.9107633 (hereinafter “Guarantor Regulation n. 1/2019”);

HAVING SEEN the documentation in the documents;

GIVEN the observations formulated by the Secretary General pursuant to art. 15 of the Guarantor's Regulation no. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data, in www.gpdp.it, doc. web n.1098801;

Speaker: the lawyer. Guido Scorza;

PREMISE

1. The complaint and the investigative activity

The Authority received the complaint from Mrs. of never having received health care. The complainant also represented that she had denied consent to the processing of her personal data through the company health file.

In relation to what has been reported, for the profiles of competence in matters of protection of personal data, the Office requested information from the aforementioned Company with note dated XX (protocol no. XX), with reference to which the latter responded with the note from the 20th in which it was represented, in particular, that:

- "the complainant XX appears to have expressed NO consent to the dossier on 01/30/2019 (...). Until 03/17/2020 (when it was deemed appropriate to temporarily deactivate the dossier rules for the reasons described in the following paragraph. HEALTH DOSSIER SITUATION IN A COVID EMERGENCY, page 5) the will expressed by the patient was respected and therefore the operators involved in the treatment process could only consult the clinical data/documents generated by their respective structures (in compliance with the provisions of the Guidelines on health dossiers - 4 June 2015)";

- “following an internal investigation, the truthfulness of what was reported by the complainant emerged. Specifically, from the access logs to the dossier (...) it emerged that Mrs. XX (with an employment relationship in temporary employment at the undersigned company), belonging to the "speech therapist" profile (...), in the period from 03/15/2021 to 06/12/2021 logged in from your workstation at the Saint Pierre Clinic, (coded in the company health information system as "Rehab. Terr. ST. PIERRE"), pertaining to the Complex Structure called "Districts 1-2 ”;

- "it can certainly be stated that the operator did not view clinical documents relating to the results of the visits undertaken, having only been able to view a list of episodes already carried out or booked, from which the type of service can only be deduced";

- “This type of viewing was made possible, even though the complainant was not being treated at the Saint Pierre Clinic on the dates reported, as, starting from 03/17/2020, due to the Covid emergency, the 'The company has authorized a relaxation of the dossier visibility rules';

- "TrakCare (an ERP - Enterprise Resource Planning - type application which aims to manage all hospital and outpatient functions)" is in use at the aforementioned company "on which almost all of the data revolves and converges. In the solution used by the Valle d'Aosta Local Health Authority, territorial activities are also managed electronically by TrakCare. In addition to the aforementioned management system, the clinical information system is made up of further vertical solutions (so-called producer systems) which generate clinical documents which, after digital signature, are sent to the X1V1 Repository (intermediate archiving system between the producer systems and the actual system of digital preservation), which can also be called up from TrakCare for document consultation". “At the state of the art it was agreed that TrakCare could take on the role of dossier”;

- with “prot. note n. XX" the aforementioned Company asked "the Intersystems company, owner of the TrakCare product, to implement the information visibility rules as per the indications of the 2015 Guarantor's Guidelines. The procedure described below was therefore carried out: a) the The managed operational flow involves in the first instance, upon recalling any of the patient's records, the verification of the presence or absence of consent to the creation of the dossier and, in the event that the patient has not yet expressed it, its collection. b) based on the profiling of the operators and on the basis of the context (patient being treated or not, episode with request for redaction, etc...), the system applies the necessary filters that define whether the information should be displayed or not. c) in TrakCare each operator is assigned to a "group/profile". The "group/profile" he is part of determines what he can "do" and what he can "see". When the privacy filters are active, based on a matrix of rules, TrakCare allows the operator to see and possibly operate only on episodes pertaining to the profile. The expression of consent to the dossier and whether the patient is "under treatment" (i.e. there is an "open/current" episode) for the operator's specialty are also taken into consideration." “Furthermore, to manage possible emergencies or particular cases, a function called “Break The Glass” has been implemented which can only be activated by doctors, which cancels all the filters allowing you to view all the information present in the system provided that the reason for the use”;

- "Precisely this partial visibility of the "speech therapist" profile prevented the operator who carried out improper access from being able to consult the reports of the services carried out by the complainant even in a situation where the dossier rules were deactivated, allowing him only a view on lists of episodes booked or carried out, but without the possibility of entering the individual episodes and viewing the clinical documentation produced";

- “All data viewing actions (access logs) are tracked and can only be extracted by some authorized operators”;

- "From a clinical point of view, the emergency context forced (and still forces) the hospital to merge almost all of the non-COVID departments and to create dedicated COVID departments" "with all the resulting managerial, clinical and organizational consequences" “It was therefore necessary to allow access, according to the needs of the moment, to TrakCare health information. In fact, according to the rigid rules of the dossier previously in force, the healthcare professionals mentioned above, doctors and other healthcare workers belonging to different structures and/or specialist disciplines, would not have been able, in fact, to access the medical records and healthcare data of hospitalized patients. in COVID departments (formally assigned to the Pneumology department) or in multi-specialist non-COVID departments and therefore would not have been able to adequately assist patients";

- “In relation to the medical staff, in the initial phase it was recommended to use the “Break the glass” (…) to make up for the impossibility of viewing the complete data of the current and historical situation of the patients for whom they were not authorized. The use of this function, however, entailed a considerable burden in operations (this function must be activated for each individual episode and search with indication of the reason), so in order to allow adequate usability for the management of the ongoing pandemic, with note Prot . n.XX of the XX (see All.XX), the Company Health Director has authorized the disabling of the Health dossier until the end of the state of emergency";

- “In this regard, we believe it is necessary to underline how the relaxation of the rules on the dossier found its legal basis initially in the art. 14 of the Legislative Decree 14/2020, and subsequently in the art. 17 bis (Provisions on the processing of personal data in the emergency context) of the legislative decree of 17 March 2020, n. 18 converted into law 24 April 2020, n. 27, the effectiveness of which was ultimately extended until 03/31/2022 (date of cessation of the state of emergency) by the Table Annex A (point 3), referred to in the art. 16 paragraph 1 of the legislative decree of 24 December 2021, n. 221, converted with amendments into law 18 February 2022, n. 11”;

- “Since, in the version of the TrakCare application installed at the Aosta hospital (TrakCare T2014), the parameter that governs the application of the dossier filters is system (this means that it is either active or not), in In the current version it is not possible to select the activation of filters with respect to Departments, Clinics/Services (therefore it is not possible to make a distinction between hospital services and local services). When the filters are deactivated, the TrakCare software is no longer able to apply the visibility rules indicated at patient level, with the consequent situation being displayed temporarily, i.e. limited to the duration of the state of emergency, even the information of those who have denied consent to the dossier, upon termination of which the previously set visibility limitations will be restored". “This technical limit will be resolved in the new version, which will be installed during 2022 with the Consens manager which will allow you to separately manage • consent to the establishment of the DSE; • consensus linked to the single event (obscuring and deobscuring of DCEs); • a document access policy manager (Privacy manager)” “This decision took shape with Management Determination no. 710 of 08/09/2021 concerning "Awarding of the "telematic procedure for the assignment of design, development and re-engineering services, application maintenance and support, management of the operation of the health information systems in use by the Local Health Authority of the Valley d'Aosta through a specific contract within the framework of the Framework Agreement for application services for public administrations stipulated by Consip - id 1881 - Lot 1 CIG: 861432805" in favor of the RTI competitor Accenture S.p.a., Accenture Technology Solutions S.r.l., Gpi S.p.a., Pricewaterhousecoopers Public Sector s.r.l.” and with the signing of the relevant contract on 01/18/2022, which formally began in the month of February approximately. and whose implementation is expected within 8 months of taking charge";

- “The Director of the SC Districts 1-2 Dr. XX (to whom the Saint Pierre Consultancy which concerns the case we are dealing with belongs) with note prot. XX of the XX (see XX) communicated that it had collected, with the support of the SC Sistemi Informativi e Telecommunications, the data relating to the accesses made by Mrs. XX on the dates indicated and that it had requested the reasons for this behavior from her ( …). With subsequent note prot. XX of the XX (v...) communicated that it had verbally reminded the aforementioned XX to comply with the current regulation regarding privacy and that it had simultaneously taken steps, with note Prot. n. XX of the XX (...), to report what has happened to the Human Resources Development SC, for possible disciplinary measures. In order to avoid the recurrence of similar situations, Dr. XX also declared that she had taken the opportunity to raise awareness of all the staff belonging to Districts 1 and 2 on the topic";

In annex 7 to the note replying to the request for information, called "Reasons XX", on which Ms. XX's handwritten signature is affixed, it is reported that she accessed the dossier of the complainant, as well as her colleague, for " mere curiosity."

In the aforementioned note from the medical director of the aforementioned XX Company it was indicated that "In relation to the object, it is communicated that the art. 14 of the Legislative Decree 14/2020, provided, among other things, indications regarding the processing of particular and judicial data in the current emergency moment. The provision, essentially, aims to balance the right to the protection of personal data with the more general right to the protection of public health and safety, introducing an exceptional regime which allows certain subjects to carry out the processing of health data, including the their communication. In this context, the entities operating in the civil protection system (State, Regions, Autonomous Provinces of Trento and Bolzano, local authorities), their implementing entities, the public and private structures of the National Health Service may, for reasons of public interest and for the diagnosis and assistance of the infected, communicate the personal data of the interested parties to each other. In the hospital context, this provision can translate into the possibility, for all doctors and nurses, of accessing the Trackare application for consultation and communication between them of the personal data of patients admitted to the 3 hospital facilities, provided that there are reasons of public interest and to ensure the diagnosis and healthcare of the infected in the emergency context resulting from COVID 19, provided for by the law". The note also continues by highlighting that "Substantially and operationally: from 1pm today, 17/03/2020, we are in a position to disable the Privacy functions that manage, for the entire TrakCare site (therefore user profiles Doctors, Nurses, Administrative etc...), the concepts linked to the visibility of information. Ultimately, the visibility of the data will therefore be complete/general and no longer filtered based on expertise".

In the aforementioned note for the removal of the "privacy filters", the Company recalled "the need for correct and responsible use of the free access method, of which only the personnel concerned must be informed" and recalled "that the minimum measures must in any case be observed safety issues that have been the subject of corporate communications several times";

In relation to the results of the aforementioned preliminary investigation, the Office, with act n.XX of the XX, notified the Valle d'Aosta Local Health Authority (hereinafter the Company), pursuant to art. 166, paragraph 5, of the Code, the initiation of the procedure for the adoption of the measures referred to in article 58, par. 2 of the Regulation, inviting the aforementioned owner to produce defensive writings or documents to the Guarantor or to request to be heard by the Authority (art. 166, paragraphs 6 and 7, of the Code; as well as art. 18, paragraph 1, of law no. 689 of 11/24/1981).

In particular, in the aforementioned note the Office highlighted that the regulations dictated by art. 17-bis of the legislative decree n. 18/2020, referred to by the Company in the documentation sent, did not and could not have derogated from the data protection regulations which, as is known, is based on a European Regulation, but rather provided for some simplifications in the processing and communication of data personal data between different data controllers only if they are indispensable for carrying out activities related to the management of the ongoing health emergency and in any case in compliance with the principles referred to in Article 5 of the Regulation, adopting appropriate measures to protect the rights and of the freedoms of the interested parties.

In this regard, the Office also represented how the Authority has repeatedly highlighted the need to evaluate the applicability of the regulations referred to in the aforementioned art. 17-bis of the legislative decree n. 18 of 2020 on a case-by-case basis, drawing the attention of data controllers, including those operating in the healthcare sector, to the fact that not all processing and communications of health data can be traced back to this provision (see among many, note of 9 June 2020, web doc. no. 9429175). The Office therefore found that art. 17-bis d.l. n. 18 of 2020, cited by the Company as a provision legitimizing the "possibility, for all doctors and nurses, to access the Trackare application for consultation and communication between them of the personal data of patients admitted to the 3 hospital units, provided that reasons of public interest and to ensure the diagnosis and healthcare of the infected in the emergency context resulting from COVID 19, provided for by the law", cannot be considered as a rule derogating from the obligation to obtain the interested party's consent in the specific case , nor respect for the principles of lawfulness, correctness and transparency and integrity and security.

It was then noted that with reference to the processing of personal data under examination, it does not concern healthcare services provided in an emergency, does not concern an interested party who has received healthcare services related to Covid-19 and was not carried out by an operator for ensure health interventions related to the aforementioned pandemic, but rather out of "mere curiosity".

Given this, the Office contested that the configuration of the health dossier chosen by the Company following the Covid-19 health emergency was carried out in violation of the basic principles of treatment referred to in the articles. 5, par. 1, letter. a) and f), and articles. 9, 25 and 32 of the Regulation. Violation of the aforementioned provisions makes the administrative sanction provided for by the art applicable. 83, par. 4, letter. a) and par. 5, letter. a) of the Regulation.

With a note dated XX, the Company sent defensive writings and asked to be heard, reiterating what was already represented in the documents and highlighting, in particular, that:

- "the partial suspension of privacy filters was immediately balanced by the maintenance of two distinct profiles (nurse/doctor) which allowed a very different depth of access from each other";

- "the Owner became aware well before the event which is the subject of this proceeding of the aforementioned technical limitations and, therefore, by preventively starting a complex process of technological adaptation, he took action to overcome the critical issues of the TrakCare T2014 version (system parameter which governs the application of the Dossier filters) by inserting technical specifications in the tender for the new health information systems aimed at overcoming the limits of the current version";

- "The AUSL would like to reiterate how the choice to suspend the privacy filters has become indispensable to organize and deliver - in a necessarily very short time - the activity in the new Covid departments";

- “The healthcare personnel (doctors and nurses) who found themselves rotating in all the COVID and non-COVID departments (which became multi-specialist and/or multi-surgical departments), where patients assigned to different specialist facilities were hospitalized (e.g. Vascular Surgery + Pneumology + Neurology), would no longer have had the possibility, in light of the assigned structure profile (and, as mentioned, connected to the department to which it belongs), to access, according to the needs of the moment, the health information of TrakCare, nor, on the other hand, given the very high turnover of staff in the COVID departments, was it conceivable to update the profiling in real time so that it was consistent with the carrying out of the activity for the benefit of patients";

- “with reference to the interpretation and scope of the art. 17-bis, the AUSL believes that, if the Legislator with the aforementioned rule, in the spirit of "simplification" has allowed various data controllers to be facilitated in the communication of data, it does not seem wrong to deduce that even more so the same and single Data Controller (AUSL) could consider itself legitimately authorized to simplify the "consultation" of the data of which it was, in fact, owner by the AUSL operators involved in the management of the health emergency";

- "furthermore, starting from the assumption that the exceptions introduced by art. 17 bis were valid for the carrying out of "activities connected to emergency management", the AUSL believes it is necessary to ask itself which activity can be considered more "connected to emergency management" if not the specific one of caring for COVID patients";

- the "Company believes that the aforementioned list of reservations cannot be considered data relating to health, at least not in the strict sense";

- "access to the Dossier was voluntary, i.e. the operator - despite the precise instructions from the Management which accompanied the temporary loosening of the filters - deliberately carried out unjustified access";

- “On closer inspection, the sole purpose which in this case motivated the undersigned AUSL (i.e. the protection of public health) seems reasonably to be traced back to the hypotheses of fulfillment of a duty, exercise of a legitimate faculty and/or state of necessity referred to in the articles. 4, Law no. 689/1981".

On the 20th, via remote video conference, it took place, pursuant to art. 166, paragraphs 6 and 7 of the Code, the hearing of the Company, during which it reiterated what had already been declared in documents and represented, in particular, that:

- “With the Covid-19 pandemic, the approach relating to the processing of personal data envisaged for the company health file constituted an obstacle to the carrying out of care activities, especially with reference to the analytical profiling of the roles of healthcare workers. In particular, in the early stages of the emergency (March/April 2020) it was necessary to create new departments dedicated to the treatment of Covid-19 (almost ¾ of the hospital departments), as well as convert both medical and surgical staff to the service of these departments also in consideration of the absence of healthcare personnel due to Covid-19 itself. This situation has led the health and administrative departments of the Company to deem it necessary to eliminate the access filters to the health file, in order to guarantee the treatment of Covid-19 patients. This management was also maintained with subsequent waves. This choice was made with a view to balancing the needs of care and protection of personal data with reference to the state of emergency in progress at the time";

- "During this period, the Company nevertheless made the operators aware of the need to limit access to the dossier exclusively if involved in the process of caring for the interested parties, relying on their duties of confidentiality and service";

- "From 22 April 2022, the process of restoring the health dossier management system according to the pre-pandemic rules was started and ended on 10 May 2022. This process made it necessary to verify the correct profiling of users";

- “The facts which are the subject of the proceedings occurred in a clinic belonging to the Company, to which the ownership of the processing can be traced back. In this clinic, treatment was also provided for patients who had had Covid-19, although the case in question refers to a non-Covid-19 patient";

- “The operator who logged in was an operator of a supply agency, to whom the facts which were the subject of the proceeding were reported. Subsequently, the contract of the aforementioned operator was not renewed. The Company is not aware of any complaints to the Public Prosecutor's Office regarding the facts which are the subject of the proceedings".

During the aforementioned hearing which took place via video link, the Company shared the screen in order to be able to show the health dossier application in use by the same, illustrating the functions present with the settings envisaged in the pre-pandemic period and those in force at time of the facts in question, accessing with a profile similar to that of the aforementioned speech therapist to a health dossier referring to a non-existent patient (test environment). As reported in the minutes of the hearing in the documents, this presentation highlighted that with the application of the original "privacy filters" the operator (with a speech therapist profile) can only access the health services in which he is involved, while with the removal of the aforementioned filters could view the list of all the services - with the indication of some details (not reports) relating to them (type of clinic, hospitalization, health conditions) - or even those with reference to which he was not involved in the treatment process treatment.

With a subsequent note of the XX, the Company sent a video certifying the aforementioned different methods of access to the dossier shown during the hearing and a note from the company Synergie (Personnel Administration Agency) relating to the actions taken against the person in charge of the access to the dossier in question (disciplinary complaint and written disciplinary warning).

2. Outcome of the preliminary investigation.

2.1. Legal framework of reference.

At the outset, it is stated that the processing of personal data must take place in compliance with the applicable legislation on the protection of personal data and, in particular, with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter, the “Regulation”) and Legislative Decree no. 196 of 30 June 2003 (Code regarding the protection of personal data - hereinafter, the "Code").

With particular reference to the issue in question, it is highlighted that personal data must be "processed in a lawful, correct and transparent manner" (principle of "lawfulness, correctness and transparency" and "in a manner that guarantees adequate security (...), including the protection, through adequate technical and organizational measures, from unauthorized or illicit processing (principle of “integrity and confidentiality”)” (art. 5, par. 1, letters a) and f) of the Regulation).

The Regulation then requires the data controller to implement "adequate technical and organizational measures to guarantee a level of security appropriate to the risk", taking into account, among other things, "the nature, object, context and purposes of the processing, as well as the risk of varying probability and severity for the rights and freedoms of natural persons" (art. 32 of the Regulation).

Taking into account inter alia the nature, scope, context and purposes of the processing, as well as risks of varying probability and severity for the rights and freedoms of natural persons constituted by the processing, both when determining the means of processing and at the time of processing itself, the data controller must then implement adequate technical and organizational measures, aimed at effectively implementing data protection principles, such as minimization and ensuring that they are processed, by default default, only the personal data necessary for each specific purpose of the processing (art. 25 of the Regulation).

With reference to the treatments which are the subject of the aforementioned complaint, the Guarantor has adopted the "Guidelines regarding the health dossier - 4 June 2015" (Provision of 4.6.2015, published in Official Journal 164 of 17 July 2015, available on www.gpdp.it web doc no. 4084632), in which a first framework of precautions have been identified, in order to outline specific guarantees and responsibilities, as well as necessary and appropriate measures and precautions to be put in place to guarantee citizens, in relation to the processing of health data that concern, which, like the other provisions of the Authority, continue to apply even after the full application of the Regulation, as they are compatible with it (art. 22, paragraph 4, Legislative Decree no. 101/2018).

In the aforementioned 2015 guidelines, the Guarantor specified that the health dossier, constituting the set of personal data generated by present and past clinical events concerning the interested party, constitutes a specific and additional processing of personal data compared to that carried out by the healthcare professional with the information acquired during the treatment of the single clinical event. As such, therefore, it is configured as an optional treatment. In fact, the interested party must be allowed to choose, in complete freedom, whether or not the clinical information concerning him or her is treated in a health dossier, also guaranteeing him or her the possibility that the health data remains available only to the healthcare professional who drew it up. , without their necessary inclusion in this instrument. This means that if the interested party does not express his consent to the processing of personal data through the health dossier, the professional who takes care of him will only have at his disposal the information provided at that moment by the interested party himself (e.g. collection of the medical history, information relating to the examination of the diagnostic documentation produced) and those relating to previous services provided by the same professional. Similarly, in this circumstance, the ward/outpatient health personnel will only have access to the information relating to the episode for which the interested party went to that facility and to other information relating to any health services provided in the past to that subject by that department/clinic (so-called access to departmental vertical applications).

Following the full application of the Regulation (May 2018), with the provision of 7 March 2019, the Guarantor identified - by way of example - some treatments in the healthcare sector for which it is still necessary to request the explicit consent of the interested party (art. 9, par. 2, letter a) of the Regulation), among which those carried out through the health dossier were also included (web doc. no. 9091942).

In the aforementioned Guidelines, the Guarantor, in order to avoid the risk of access to the information processed through the health dossier by unauthorized parties or communication of health data to third parties by persons authorized to do so, specifically asked the holders of the processing to pay particular attention in the identification of the authorization profiles and in the training of authorized subjects, access to the dossier must be limited only to healthcare personnel who intervene in the patient care process and technical methods of authentication of the dossier must be adopted which reflect the cases of access to this tool specific to each healthcare facility. To this end, in the aforementioned Guidelines, the Guarantor has indicated to the data controllers to carry out monitoring of the cases in which the relevant healthcare personnel may need to consult the healthcare dossier, for purposes of treatment of the interested party and, based on this reconnaissance, identify the different access authorization profiles.

It is also stated that in the aforementioned Guidelines the Authority considered that "the data controller must implement systems to control access also to the database and for the detection of any anomalies that may constitute illicit processing, through the use of anomaly indicators (so-called alerts) useful for guiding subsequent audit interventions. The owner must therefore prefigure the activation of specific alerts that identify anomalous or risky behavior relating to the operations carried out by those in charge of processing (e.g. relating to the number of accesses performed, the type or time frame of the same)".

Since the declaration of the state of emergency resolved by the Council of Ministers on 31 January 2020, many emergency regulatory acts have been adopted, which also contain provisions relating to the processing of health data carried out as part of the interventions relating to the aforementioned health emergency . The emergency provisions provide for emergency interventions which involve the processing of data and which are the result of a delicate balance between the needs of public health and those relating to the protection of personal data, in compliance with what is dictated by the European Regulation for the pursuit of reasons of public interest in the public health sector (see art. 9, par. 2, letter i) of the Regulation).

With specific reference to the regulations dictated by art. 17-bis of the legislative decree n. 18/2020, referred to by the Company in the documents in the documents, it is reiterated that this provision, within the limits permitted by the current legal framework, has provided for some "simplifications" in the processing and communication of personal data between different data controllers only if the same are indispensable for the purposes of carrying out activities related to the management of the ongoing health emergency and in any case in compliance with the principles set out in the art. 5 of the Regulation, adopting appropriate measures to protect the rights and freedoms of the interested parties. As reiterated several times by the Guarantor, this provision does not and could not derogate from the provisions set out in the European Regulation to protect the fundamental rights of the interested party.

Therefore, it is reiterated that the processing of personal data connected to the management of the aforementioned health emergency must be carried out in compliance with the current legislation on the protection of personal data and, in particular, in compliance with the principles and limits applicable to the processing, referred to in 'art. 5 of the Regulation, according to which the data must be processed in a lawful, correct and transparent manner towards the interested party ("lawfulness, correctness and transparency"), "collected for specific, explicit and legitimate purposes" ("purpose limitation") and, in any case, "adequate, relevant and limited to what is necessary with respect to the purposes for which they are processed" (data minimization principle).

Compliance with these principles in the processing of personal data carried out in the aforementioned Covid -19 health emergency has moreover been repeatedly recalled and evaluated by the Authority in the numerous opinions rendered on the regulatory acts regulating the information systems created urgently for the detection of Covid-19 infections, for the booking and registration of vaccinations, for the national contact tracing system (Immuni App) and for the generation and control of Covid-19 green certifications.

Finally, it is noted that, in light of the Regulation, "data relating to health" are considered to be: personal data relating to the physical or mental health of a natural person, including the provision of health care services, which reveal information relating to his or her state of health. health (art. 4, par. 1, no. 15 of the Regulation). Recital no. 35 of the Regulation specifies in fact that data relating to health "include information on the natural person collected during his registration for the purpose of receiving health care services"; “a number, symbol or specific element attributed to a natural person to uniquely identify him or her for health purposes”.

2.1 Scope of processing and nature of the data processed.

As a preliminary matter, it is noted that, as indicated by the Company itself in documents, the treatments in question, which took place in a company clinic, can be traced back to the ownership of the same.

In light of what emerged in the preliminary documents, the Company intentionally chose to adopt an administrative act with which to arrange for the "removal of privacy filters" in the information system that manages the company health file, in the belief that this measure would simplify the management of patients during the pandemic.

The removal of the aforementioned filters resulted in:

- the activation of the health dossier for all patients of the Company, which coincide with those of the Region, even if they have expressly denied consent to the use of the dossier or have never given it;

- the possibility that the dossier was consulted, albeit with different depths of access, by all company healthcare workers regardless of their involvement in the treatment process of the interested party.

It is also noted that although the aforementioned company choice was made in relation to the Covid-19 emergency, the removal of the aforementioned filters did not only concern patients suffering from this pathology, but all those relating to the Company and its branches ( such as the structure where the access in question was made) and was not limited only to health services provided in an emergency, but to all those provided by the Company from March 2020 to May 2022.

Given this, it is noted that the choice made by the Company effectively allowed Ms. XX to access information relating to the health services provided to the complainant (colleague of Ms. XX) to which she would not have had access if she had not been the removal of the aforementioned "privacy filters", as the complainant had not consented to the use of the company health file and the aforementioned operator was not involved in the treatment process of the interested party.

In light of the above, the information relating to the complainant to which Ms XX had access qualifies as health data. In fact, although the presence of some filters allowed the aforementioned healthcare worker to only see the list of episodes already carried out or booked by the interested party with the indication of the type of service, and not also to "consult the reports", this information is still pertaining to the complainant's health and therefore can be classified as data on the complainant's health.

With the profile of the aforementioned operator it was in fact possible to access information relating to the type of service provided, the clinic providing it, any hospitalization and elements relating to the health conditions of any patient of the Company regardless of the will of the person to whom they referred (denial of consent to the dossier or absence of consent) and the actual involvement in the operator's treatment process.

Therefore, it is noted that the choice made by the Company has effectively made the health files of all its patients accessible, which, as stated in the documents, coincide with those of the Region (the Company is the only one present in Valle d 'Aosta), regardless of their will, the involvement of the healthcare worker in the treatment process and the circumstance that the healthcare service was actually provided to a Covid-19 patient.

2.2 The consent of the interested party and principles of lawfulness, correctness and transparency and data protection from design and by default.

As highlighted above, with the provision of 7 March 2019 and in the subsequent provisions, including sanctions, adopted on the matter, the Guarantor found that the legal basis of the processing of personal data carried out through the health dossier is the explicit and informed consent of the interested party (art. 9, par. 2, letter a) of the Regulation).

From the examination of the documents in the documents it emerges that the aforementioned "removal of privacy filters" on the company health dossier has determined, for each company/regional patient, the creation and accessibility of the health dossier regardless of the will expressed by the interested parties and even contrary to to an explicit demonstration of denial of the same, as in the case of the complainant.

In this regard, it is important to highlight that the legislative interventions adopted during the pandemic to facilitate its management have confirmed the need for the interested party's consent also with reference to specific emergency treatments such as that relating to the online reporting of tests for Covid- 19 (DM 2 November 2020 which recalls the Prime Ministerial Decree of 8 August 2013) or to the consultation for treatment purposes of the electronic health record, a tool that has similar purposes to the health dossier (see art. 12 Legislative Decree no. 179/2012 in relation to the changes made by art. 11, legislative decree no. 34 of 2020).

Having said this, we reiterate what was already noted in the note of the XX, namely that the art. 17-bis of the legislative decree n. 18 of 2020, cited by the Company as a provision legitimizing the "possibility, for all doctors and nurses, to access the Trackare application for consultation and communication between them of the personal data of patients admitted to the 3 hospital units, provided that reasons of public interest and to ensure the diagnosis and healthcare of the infected in the emergency context resulting from COVID 19, provided for by the law", cannot be considered as a rule derogating from the obligation to obtain the interested party's consent.

The aforementioned emergency regulations have in fact provided for some simplifications (e.g. in relation to the information to be provided pursuant to art. 13 of the Regulation or the authorizations referred to in art. 2-quaterdecies of the Code), reiterating the need to respect the principles set out to the art. 5 of Regulation (EU) 2016/679, including that of lawfulness, i.e. identifying the correct legal basis for the processing, and adopting appropriate measures to protect the rights and freedoms of the interested parties.

The removal of the so-called "privacy filters" carried out by the Company resulted in a violation of the aforementioned principles and in particular those of lawfulness, correctness and transparency, as the company health files of the entire regional population assisted were:

- carried out even against the will of the interested parties or in the absence of their explicit consent;

- made accessible by default also to healthcare personnel not involved in the treatment process of the interested party, without the patients themselves having ever been informed.

The violation of the principle of correctness and the related principle of proportionality of the processing is also evident with reference to the circumstance that the removal of the so-called "privacy filters", did not only concern the healthcare services provided in emergencies or the dossiers of the interested parties to whom healthcare services related to Covid-19 should be provided, but rather to all patients belonging to the Company - even those currently not being treated - and with reference to any treatment path undertaken by them.

From this it can be seen that the Company consciously, on the occasion of the aforementioned health emergency, removed the measures, also required by the aforementioned Guarantor Guidelines, which limited access to the dossier only to healthcare personnel treating the interested party. This choice effectively allowed Ms XX, not involved in the provision of emergency healthcare services linked to the aforementioned virus, to make repeated access to the dossier of a patient, as well as colleague, without a suitable assumption of lawfulness, but only to reasons of "mere curiosity" (accesses occurred from March 2021 to December 2021).

The case in question demonstrates that the aforementioned changes to the configuration of the company dossier made it possible for a healthcare professional working at the Company to access the healthcare dossier even of interested parties who were not at that time being treated at the Company or in any case at the owner of the user and who had never given consent to the dossier (or, as in the present case, consent to the dossier had even been expressly denied) in violation of the basic principles of processing pursuant to articles. 5, par. 1, letter. a) and f) and 9 of the Regulation, as well as the principle of data protection from design (privacy by design) and by default (privacy by default) (art. 25 of the Regulation.

2.3 Authorization profiles for access to the health file and alert systems.

As a preliminary matter, it is stated that the rules regarding the accessibility of the dossier adopted by the Company in the pre-pandemic era, according to which "doctors and other healthcare workers belonging to different structures and/or specialist disciplines, could not, in fact, access the medical records and health data of patients hospitalized in COVID departments (formally assigned to the Pneumology department) or in multi-specialist non-COVID departments and therefore would not have been able to adequately assist the patients" are the result of a choice of the same Agency. On this point, the Authority has in fact repeatedly recalled the need to limit access to the dossier only to healthcare personnel who actually intervene in the patient care process regardless of the department to which the patient is assigned, calling on the owner to adopt technical methods of authentication to the dossier which reflect the cases of access to this tool specific to each healthcare facility.

It is also stated that the problem described by the Company, according to which when the aforementioned filters were deactivated, "the TrakCare software is no longer able to apply the visibility rules indicated at patient level, with the consequent situation also temporarily display, i.e. for a limited period until the state of emergency persists, the information of those who have denied consent to the dossier", once this has ceased, the previously set visibility limitations will be restored", does not depend on the "rigidity" of the protection regulations of personal data, but rather by the characteristics of the system chosen by the Company itself. The system update has in fact allowed the Company to overcome this difficulty.

The choice made by the Company to "disable the Privacy functions that manage, for the entire TrakCare site (therefore Doctors, Nurses, Administrative etc. user profiles), the concepts linked to the visibility of information. Basically, the visibility of the data will therefore be complete/general and no longer filtered on the basis of competence", not only does it have no basis, as already represented, in the aforementioned art. 17-bis of the legislative decree 18 of 2020, but was operated in such a way as to allow access to the health dossier also by health workers not involved in the health emergency and with reference to all health services and not just emergency ones.

As already highlighted, the configuration of the health dossier envisaged by the Company in the emergency period effectively provided for a single access profile (albeit with different access depths), therefore allowing all healthcare personnel to consult the health dossiers of any patient had been treated at the Company regardless of the circumstance that the person accessing it is involved in the treatment process of the interested party and that the latter has expressed his/her consent to the processing of data carried out through the dossier.

In derogating from the limitations relating to access to the health file dictated by the application of the regulations on the protection of personal data, the Company, while declaring that "the visibility of the data will therefore be complete/general and no longer filtered based on competence", it has not even adopted a system for the detection of any anomalies that could constitute illicit processing, or the use of anomaly indicators (so-called alerts) aimed at identifying anomalous or risky behavior relating to the operations carried out by the subjects authorized to process (e.g. number of accesses performed, type or temporal scope of the same), useful for orienting subsequent audit interventions, in violation of the principles of integrity and confidentiality of personal data (art. 5, par. 1, letter f), of the Regulation).

According to what was declared in the documents, the system for restoring the "pre-pandemic rules" in the health dossier was started on 22 April 2022 and ended on 10 May 2022; it emerges, therefore, that the removal of the so-called "privacy filters" has been operational for over two years (50 months), having started in March 2021 and the aforementioned "technical limitations" of the information system used for the health dossier were late detected. The Company's choice "to suspend the privacy filters" as "indispensable to organize and deliver - in necessarily very short times - the activity in the new Covid departments" therefore continued beyond the first emergency phase.

3. Conclusions.

In light of the assessments mentioned above, taking into account the declarations made by the data controller during the investigation ˗ and considering that, unless the fact constitutes a more serious crime, anyone, in proceedings before the Guarantor, falsely declares or certifies information or circumstances or produces false deeds or documents and is liable pursuant to art. 168 of the Code "False statements to the Guarantor and interruption of the execution of the tasks or exercise of the powers of the Guarantor" ˗ it is stated that the elements provided by the data controller in the defense briefs relating to the aforementioned proceedings do not allow the notified findings to be overcome by the Office with the documents initiating the proceedings for the adoption of corrective and sanctioning measures, as, moreover, none of the cases provided for by the art. 11 of the Guarantor Regulation n. 1/2019.

For these reasons, we note the illicit nature of the processing of personal data carried out by the Local Health Authority of the Aosta Valley with reference to the proceedings initiated following the complaint, in the terms set out in the motivation, in particular, for having processed personal data in violation of the articles 5, par. 1, letter. a) and f), 9, 25 and 32 of the Regulation.

In this context, considering that disciplinary measures have been adopted against the author of the access and that since May 2022 the pre-pandemic access measures to the health dossier described above have been restored, the conditions for the adoption of the corrective measures referred to in the art. 58, par. 2, of the Regulation.

4. Adoption of the injunction order for the application of the pecuniary administrative sanction and accessory sanctions (articles 58, paragraph 2, letters i and 83 of the Regulation; article 166, paragraph 7, of the Code).

The violation of the articles. 5, par. 2, letter. a) and f), 9, 25 and 32 of the Regulation, caused by the conduct of the Valle d'Aosta Local Health Authority, is subject to the application of the pecuniary administrative sanction pursuant to art. 83, par.4 and 5, of the Regulation.

Consider that the Guarantor, pursuant to articles. 58, par. 2, letter. i) and 83 of the Regulation, as well as art. 166 of the Code, has the power to "impose a pecuniary administrative sanction pursuant to article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or in place of such measures, depending on the circumstances of each single case" and, in this framework, "the Board [of the Guarantor] adopts the injunction order, with which it also provides for the application of the additional administrative sanction of its publication, in full or in extract, on the website of the Guarantor pursuant to article 166, paragraph 7, of the Code” (art. 16, paragraph 1, of the Guarantor Regulation no. 1/2019).

The aforementioned pecuniary administrative sanction imposed, depending on the circumstances of each individual case, must be determined in the amount taking into account the principles of effectiveness, proportionality and dissuasiveness, indicated in the art. 83, par. 1 of the Regulation, in light of the elements provided for in art. 85, par. 2, of the Regulation in relation to which for both procedures it is observed that:

- the Authority became aware of the event following a complaint (art. 83, par. 2, letter h) of the Regulation);

- the illicit access concerned the health dossier of a patient who was at the same time an employee of the Company by a healthcare professional who was not involved in the patient's treatment process and against whom disciplinary proceedings were initiated (art. 83, par. 2, letters a) and b) of the Regulation);

- the accesses to the complainant's health dossier carried out for reasons of "mere curiosity" took place over a period of 9 months from 03/15/2021 to 12/06/2021 by a health worker who, in addition to not being involved in the course of treatment of the interested party, it was not even employed in the provision of emergency health services related to the aforementioned virus (art. 83, par. 2, letter a) of the Regulation);

- the aforementioned accesses were possible because the removal of the aforementioned "privacy filters" effectively allowed Ms. XX, not involved in the complainant's treatment process and in the provision of emergency health services related to the aforementioned virus, to carry out repeated access to the dossier of a client, as well as a colleague, without a suitable assumption of lawfulness, but only for reasons of "mere curiosity" (art. 83, par. 2, letters a) and d) of the Regulation);

- the Company has consciously chosen to proceed with the removal of the so-called "privacy filters" for all company health files of the entire regional population assisted, determining the activation of the health file for all the Company's clients even if they have expressly denied consent to the use of the file or have never given it , as well as the possibility that the dossier was consulted, albeit with different depths of access, by all company healthcare workers regardless of their involvement in the treatment process of the interested party (art. 83, par. 2, letter b) and d) of the Regulation);

- the aforementioned company choice, although it was made in relation to the Covid-19 emergency, did not only concern patients suffering from this pathology, but all those relating to the Company and its branches (over 120,000 interested) and is not been limited only to health services provided in an emergency, but to all those provided by the Company from March 2020 to May 2022 (art. 83, par. 2, letter a), b), c) and d) of the Regulation) ;

- in derogating from the limitations relating to access to the health file dictated by the application of the regulations on the protection of personal data, the Company has not adopted a system for the detection of any anomalies that could constitute illicit processing, or the use of indicators of anomalies (so-called alerts) aimed at identifying anomalous or risky behavior relating to the operations carried out by the subjects authorized to process (e.g. number of accesses performed, type or temporal scope of the same), useful for orienting subsequent audit interventions, in violation of the principles of integrity and confidentiality of personal data (art. 83, par. 2, letter d) of the Regulation);

- in removing the aforementioned "privacy filters", the Company had recalled "the need for correct and responsible use of the free access method, of which only the personnel concerned must be informed" (art. 83, par. 2, letter c) of the Regulation);

- the system for restoring the "pre-pandemic rules" in the management of the health dossier was started on 22 April 2022 and ended on 10 May 2022 (art. 83, par. 2, letters a) and c) of the Regulation) .

Based on the aforementioned elements, evaluated as a whole, it is considered necessary to determine the amount of the pecuniary sanction provided for by the art. 83, par. 5, letter. a) of the Regulation, for the violation of the articles. 5, par. 1, letter. a) and f) and 9 of the Regulation in the amount of 40,000 (forty thousand) for the procedure initiated following the complaint as a pecuniary administrative sanction deemed, pursuant to art. 83, par. 1 of the Regulation, effective, proportionate and dissuasive.

It is also believed that the additional sanction of publication of this provision on the Guarantor's website, provided for by art., should be applied. 166, paragraph 7 of the Code and art. 16 of the Guarantor Regulation n. 1/2019, also in consideration of the type of personal data subject to unlawful processing.

Finally, it is noted that the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor.

ALL THIS CONSIDERING THE GUARANTOR

declares the unlawfulness of the processing of personal data carried out, in both procedures described, by the Valle d'Aosta Local Health Authority, for the violation of the art. 5, par. 1, letter. a) and f), 9, 25 and 32 of the Regulation within the terms set out in the justification.

ORDER

pursuant to the articles 58, par. 2, letter. i) and 83 of the Regulation, as well as art. 166 of the Code, to the Valle d'Aosta Local Health Authority, C.F. 91001750073, to pay the sum of 40,000 (forty thousand) euros as a pecuniary administrative sanction for the aforementioned violations according to the methods indicated in the annex, within 30 days of notification of reasons; it is represented that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the sanctions imposed.

ORDERS

to the aforementioned Company, in the event of failure to resolve the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sums of 40,000 (forty thousand) euros according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts in accordance with the art. 27 of law no. 689/1981.

HAS

pursuant to art. 166, paragraph 7, of the Code, the publication in full of this provision on the Guarantor's website and believes that the conditions set out in the art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor.

Pursuant to art. 78 of the Regulation, of the articles. 152 of the Code and 10 of Legislative Decree no. 150/2011, it is possible to appeal against this provision before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the appellant resides abroad.

Rome, 10 November 2022

PRESIDENT
Stantion

THE SPEAKER
Zest

THE GENERAL SECRETARY
Mattei