Garante per la protezione dei dati personali (Italy) - 9963509
From GDPRhub
| Garante per la protezione dei dati personali - 9963509 | |
|---|---|
 | |
| Authority: | Garante per la protezione dei dati personali (Italy) |
| Jurisdiction: | Italy |
| Relevant Law: | Article 5 GDPR Article 6 GDPR Article 9(1) GDPR Article 9(2)(j) GDPR Article 9(4) GDPR Article 14 GDPR Article 35 GDPR Article 36 GDPR Article 89(1) GDPR Article 110 Codice Privacy |
| Type: | Advisory Opinion |
| Outcome: | n/a |
| Started: | |
| Decided: | 26.10.2023 |
| Published: | |
| Fine: | n/a |
| Parties: | Azienda Ospedaliero Universitaria Città della Salute e della Scienza di Torino |
| National Case Number/Name: | 9963509 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Italian |
| Original Source: | GARANTE PER LA PROTEZIONE DEI DATI PERSONALI (in IT) |
| Initial Contributor: | Luca Brocca |
Following a request for prior consultation under Article 36 GDPR, the Italian DPA authorised a Hospital to process the health data of deceased patients in two medical studies.
English Summary
Facts
Prior to conducting two medical research studies, the University Hospital Città della Salute e della Scienza di Torino (the controller) consulted the Italian DPA in accordance with Article 36 GDPR.
The first study, "Head and neck tumours: relapses and second tumours," is a retrospective analysis focusing on 400 deceased or uncontactable patients, for which the request for prior consultation was deemed necessary. The hospital sought a favourable opinion from the DPA, in accordance with the GDPR and Article 110 of the Italian Privacy Code, for processing personal data without obtaining consent due to practical difficulties in contacting patients. The study spanned seven years, involving pseudonymised data storage in accordance with the principles of data minimisation and storage limitation.
The second study, "Use of coronagraphy and right heart catheterisation in the pre-liver transplant cardiological work-up," is a multi-centre, observational, retrospective study analysing liver transplant candidates. In this study, the hospital also sought a favourable opinion for processing personal data without consent, emphasising the challenges posed by the high mortality incidence of the patients. This study utilised as a legal basis Article 9(2)(a) GDPR for the processing of personal data of the living patients, meanwhile it requested, similarly to the first study, the prior consultation of the DPA pursuant to Article 110 of the Italian Privacy Code for those who are deceased. Moreover, in relation to the data processing of deceased patients, the study foresaw transparency measures for the family members of the deceased, such as information published on its website and those of participating centres, aligning with Article 14 GDPR.
Holding
Following the information provided, for the first study, the DPA acknowledged the hospital's correct identification of legal bases for the data processing, including those for patients who may be deceased or unreachable. However, the DPA reminded the controller of its transparency obligations related to the processing operations pursuant to Article 5(1)(a) GDPR and Article 14(5)(b) GDPR. In that case, the DPA recommended that the information on the study be published on its website throughout the entire duration of the processing. Moreover, it positively recognised that the controller correctly applied Article 89 GDPR, providing that the data are subject to effective data minimisation techniques throughout the processing phase, as well as effective pseudonymisation and anonymisation techniques, consistent with the GDPR.
Regarding the second study, the DPA commended the controller's identification of legal bases and transparency measures in line with Article 5(1)(a) GDPR and Article 14 GDPR. However, the DPA urged the controller to ensure the continuous availability of information on its website and those of participating centres, emphasising the importance of transparency throughout the data processing. Additionally, the DPA highlighted the necessity for the controller to specify the personal data protection roles of the participating centres in compliance with Articles 24, 26, and 28 GDPR and to enhance the impact assessment by detailing risk-specific mitigation measures, aligning with Article 35 GDPR.
In both cases, the DPA granted a favourable opinion and underscored the controller's adherence to GDPR principles, emphasising the importance of continuous transparency, effective pseudonymisation, and risk-specific mitigation measures in processing personal data for medical research.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.
[doc. web no. 9963509]
Provision of 26 October 2023
Register of measures
n. 499 of 26 October 2023
THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA
IN today's meeting, which was attended by prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice-president, the lawyer. Guido Scorza, member, and the councilor. Fabio Mattei, general secretary;
HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 /CE-General Data Protection Regulation (hereinafter “Regulation”);
GIVEN, in particular, the articles. 35 and 36 of the Regulation relating, respectively, to the impact assessment on data protection and to the prior consultation of the Authority;
HAVING REGARD TO Legislative Decree 30 June 2003, n. 196 containing “Code regarding the protection of personal data (hereinafter “Code”);
GIVEN the art. 110, paragraph 1, second sentence of the Code which, in relation to the processing of personal data for medical, biomedical and epidemiological research, provides in particular that "consent is also not necessary when, due to particular reasons, informing the interested parties is impossible or involves a disproportionate effort, or risks making it impossible or seriously jeopardizing the achievement of the objectives of the research. In such cases, the data controller adopts appropriate measures to protect the rights, freedoms and legitimate interests of the interested party, the research program is the subject of a reasoned favorable opinion from the competent ethical committee at territorial level and must be subjected to prior consultation with the Guarantor pursuant to article 36 of the Regulation”;
GIVEN the ethical rules for processing for statistical or scientific research purposes adopted by the Guarantor, pursuant to art. 20, paragraph 4 of Legislative Decree 10 August 2018, n. 101, with provision no. 515, of 19 December 2018 (web doc. no. 9069637, hereinafter "Ethical rules");
GIVEN the provisions relating to the processing of personal data carried out for scientific research purposes, annex no. 5 to the Provision which identifies the provisions contained in the General Authorizations which are compatible with the Regulation and with Legislative Decree no. 101/2018 for adaptation of the Code, of 5 June 2019 (web doc. 9124510, hereinafter "Requirements");
GIVEN the request for prior consultation presented, pursuant to articles. 110 of the Code and 36 of the Regulation, by the University Hospital Città della Salute e della Scienza of Turin, S.C. Otolaryngology with registered office in Corso Bramante 88/90 – 10126 Turin (hereinafter Company), for the realization of a retrospective, non-profit and monocentric study called “Head and neck tumors: recurrences and second tumors” (hereinafter “ Study”) (note dated 18 May 2022, prot. no. 62304);
GIVEN the request for prior consultation presented, pursuant to articles. 110 of the Code and 36 of the Regulation, by the University Hospital Città della Salute e della Scienza of Turin, for the implementation of the multicentre, observational, retrospective, non-profit, non-pharmacological study entitled "Use of coronagraphy and right heart catheterization in the pre-liver transplant cardiological work-up" (hereinafter Study), promoted by the S.S.D. (Simple Departmental Structures) Company Liver Failure and Liver Transplant (note dated 5 June 2023);
NOTING that the Città della Salute e della Scienza University Hospital of Turin plays the role of promoter and data controller in both studies and that the main processing operations carried out for the implementation of the studies are carried out in a similar context, through the same information system, applying the same technical and organizational measures and similar data pseudonymisation and anonymisation techniques;
NOTING that the Office of the Guarantor has therefore decided to order the joining of the proceedings relating to the aforementioned requests (note dated 30 August 2023, protocol no. 122540), consequently providing for the adoption of this single opinion (art. 10, paragraph 4 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, of 4 April 2019, web doc. no. 9107633);
HAVING SEEN the documentation in the documents;
GIVEN the observations made by the Secretary General, pursuant to art. 15 of the Guarantor's Regulation no. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data, in www.gpdp.it, doc. web no. 1098801;
Speaker Prof. Pasquale Stanzione;
PREMISE
1. The request for preventive consultation advanced for the implementation of the study "Head and neck tumors: relapses and second tumors"
The Città della Salute e della Scienza University Hospital of Turin, S.C. Otolaryngology, with registered office in Corso Bramante 88/90 – 10126 Turin (hereinafter Company), has presented a request for prior consultation, pursuant to articles. 110 of the Code and 36 of the Regulation, for the implementation of a retrospective, non-profit and monocentric study called "Head and neck tumors: relapses and second tumors" (note dated 18 May 2022, protocol no. 62304), expected that it also includes data referring to deceased subjects, transmitting in documents the relevant protocol, the impact assessment (VIP), carried out pursuant to art. 35 of the Regulation, information on the processing of personal data together with the expression of consent and the opinion of the territorially competent Intercompany Ethics Committee of 27 January 2023 (note of 18 May 2023, protocol 62304).
The Office of the Guarantor has started an in-depth investigation in relation to the request received with a note dated 16 June 2023, protocol. n. 94139.
From the documentation in the documents, as acquired and modified during the investigation, also in light of the findings formulated by the Office, it emerges that the Study has the primary objective of "evaluating the incidence of relapses and second synchronous or metachronous tumors in cases of malignant neoplasm of the head and neck and, as secondary purposes, the correlation with clinical data, the analysis of the therapeutic strategies adopted in case of recurrence or second tumor and the survival analysis".
In the protocol, in the illustration of the rationale of the Study, it is indicated in particular that "follow up after surgical or chemotherapy treatment for head and neck tumors is essential to identify any recurrences or second tumors" [...]. The 5-year overall survival has not increased and is around 40-50%. Although locoregional and distant recurrences contribute to poor survival, the development of second tumors represents a significant factor. [...] In the cervical-cephalic oncology field, relapses occur more frequently in the first 2-3 years after treatment, while second tumors are more often the cause of long-term morbidity and mortality. There are few studies in the literature that analyze the relationship between relapses, second and metachronous tumors and mortality".
The Study, which will last 2 years, involves the enrollment of all subjects over the age of 18 suffering from non-thyroid malignant tumors of the head and neck, diagnosed and operated on in S.C. Otorhinolaryngology of the Company, from 2010 to today, for a total of approximately 500-600 patients. For each patient, a unique personal identifier, sex, age, "smoking habit, alcohol intake" and "pathological history" are collected.
Living patients will be enrolled on a voluntary basis, during outpatient visits at the S.C. Otorhinolaryngology of the Company, after having read the information also on the processing of personal data, for which an independent and specific consent is acquired.
Given the long period of observation of the data of the patients to be enrolled (starting from 2010) and the incidence of mortality of the pathology (survival <50% at 5 years), the Study cannot fail to also include data referring to deceased subjects, under penalty of incompleteness and poor representativeness of the sample which would also seriously jeopardize the achievement of the objectives of the same. With reference to this category of interested parties, prior consultation with the Guarantor and information on data processing was therefore necessary, pursuant to art. 14, par. 5, letter. b) of the Regulation, which will be provided through its publication on the Company's institutional website.
On this point it is further specified that, in consideration of the aforementioned incidence of mortality of the pathology, it is expected that "out of a sample of approximately 600 patients approximately 400 are deceased, 60 are not contactable and 140 are not deceased and contactable for recruitment". [...] “For the purposes of the study, the subjects will be considered uncontactable after 5 telephone attempts on 5 different days of the week and at different times, using the mobile phone number issued by the patient and entered into the company IT system [.. .] for clinical reasons. In consideration of the lack of funding foreseen for this research (which is carried out by university and hospital medical personnel in parallel with clinical and healthcare activities) and of the time necessary to carry out more than 5 telephone attempts per patient (considering 3 minutes necessary for each attempt for 60 patients, it will take 15 hours), a greater number of attempts would represent a disproportionate effort. To verify the status of life, it will be carried out by consulting the clinical data held by the Company and with the use of telephone numbers". The protocol also indicates that "all patients participating in the study will be identified by a unique [progressive] personal code in order to make all the data collected anonymous" and that "the resulting data as well as the clinical data will be stored in a database built specifically for hoc for this study, kept in compliance with the legislation in force regarding the processing of personal data".
In this regard, in the VIP it is indicated that "the data will be stored for a maximum of 5 years from the end of the enrollment, since the enrollment will last 2 years, the data will be stored for a total of 7 years, in de-identified form, while the backup database that allows the correspondence between code and patient identifier - stored separately - will be processed for the time necessary to complete data collection, 2 years, and immediately eliminated in order to allow deidentification".
The Company has further clarified that "the retention time of the data relating to the study [...], indicated as a total of 7 years, corresponds to the sum of the 2 years of retention for the database containing the correspondence link between the unique code and name of the patient (this period corresponds to the patient enrollment time, at the end of which this database will be eliminated) and a further 5 years for the information database only containing the data in de-identified form in order to allow the completion of the survival calculations and for checking the adequacy of the data collected".
It was further specified that "the study file in which the protocolled documentation relating to the study is kept (for example: initial application from the scientific director, approval issued by the territorially competent Ethics Committee) without personal data relating to the patients, will be kept for years 5 from the conclusion of the study at the central company archive [...] and subsequently disposed of".
With regard to the anonymisation of the data, it was stated in the VIP that "after having carried out the de-identification operations, the anonymisation of the data will be obtained through multiple methodologies aimed at minimizing the risk of re-identification of the subjects involved in the study. In particular, the measures envisaged are, in order of application:
- on the pseudo-anonymous information database:
- insertion of categorical variables in numerical form into the pseudo-anonymous database: only the experimenters will know the correspondence between number and meaning (masking);
- addition of 3 databases with summary data to the database containing the real data. The summary databases will be obtained with the variational autoencoders technique, will have identical dimensions to the original database and will be concatenated along the horizontal axis to the original database. In this way, a potential attacker who obtains the data will be able to acquire new certain information on the subjects involved with greater difficulty, having 4 possible choices for each variable. Only the investigators of the sponsoring and owner center will be aware of which columns contain the real data to allow the denosingin of the database
- the column name will be deleted
- a random integer between 2 and 4 will be added to each column (noise addition). Only the investigators of the promoting center and owner of the data will know the sequence of integer numbers added to the database (to allow denoising)”.
In this regard, it was further clarified that "These minimization/pseudonymization techniques, which allow, albeit exclusively to legitimated subjects, to trace the semantics of the columns subject to masking, will be implemented, after 7 years, by anonymization techniques, as described in the following:
- the equivalence classes will be redefined in order to guarantee a minimum number for each of them in the dataset being published.
- in consideration of the number of variables being aggregated, the number of aggregate statistics to be made recognizable in order to avoid the risk of reconstructing data referable to individuals will be significantly lower than the number of variables considered
- any singularity will be removed if, by any means, it becomes known in a phase subsequent to the application of the anonymisation techniques and a trace of such events will be kept in order to repeat the assessment of the risk of re-identification upon reaching the '1% of singularities identified out of the total records included in the dataset.
The number of statistics disseminated will be significantly lower than the number of variables intended to be disclosed."
In relation to the security of the data processed, the VIP specifies that "the operations of collection, recording, storage and modification of personal data will take place through manual tools (clinical records) and IT tools (Trakcare computer system used at the S.C. Otolaryngology U, A.O.U. City of Health and Science of Turin) with logic strictly related to the purposes indicated above" and furthermore that "the hard disk containing the personal data base (identifier-code) will be encrypted, protected by a password and stored in a cabinet protected by a key in a locked room [...]”;
The VIP continues by indicating specific security and organizational measures as well as measures aimed at ensuring the minimization of the data processed. In particular, the VIP indicates that "the operations of collection, recording, storage and modification of personal data will take place through manual tools (clinical records) and IT tools (Trackcare IT system used at the S.C. Otolaryngology Department" of the Company.
The Company has sent in documents an information text on the processing of personal data updated in light of the findings made by the Office, with particular reference to the correct indication of the rights of the interested parties and the retention times.
2. The request for preventive consultation advanced for the implementation of the Study "Use of coronagraphy and right heart catheterization in the pre-liver transplant cardiological work-up"
With a note dated 5 June 2023 (prot. no. 98987), the Company presented another request for preventive consultation, pursuant to articles. 110 of the Code and 36 of the Regulation, for the implementation of the multicentre, observational, retrospective, non-profit, non-pharmacological study entitled "use of coronagraphy and right heart catheterization in the pre-liver transplant cardiological work-up", transmitting in documents the Study protocol, the impact assessment (VIP), integrated with the opinion of the Data Protection Officer, the information for the processing of personal data and the opinions issued by the competent inter-company ethics committee (opinions of 07/11/ 2022 and 26/04/2023).
Also in relation to this request, the Office of the Guarantor has started an in-depth investigation (note dated 26 June 2023, protocol no. 98987).
From the documentation in the documents, as acquired, modified and integrated during the preliminary investigation, also in light of the findings formulated by the Office, it emerges that the objective of the Study is to "evaluate the use of invasive cardiological diagnostic techniques [...] in "diagnostic-therapeutic process of the cirrhotic patient being evaluated for liver transplant, with the aim of improving the current clinical situation".
The Study - which based on the most recent substantial amendment ("presented on 18 May 2023 and approved by the Intercompany Ethics Committee with note prot. no. 0069506 of 06/06/2023") involves 20 participating centers - has a duration of 6 months, involves the enrollment of patients (alive and contactable or deceased) aged 18 years or older suffering from liver cirrhosis who underwent coronagraphy during the pre-liver transplant evaluation.
In this regard, it was clarified that "each transplant center has the list of patients in the budget/transplanted at its center and knows their outcome alive or dead. The expected mortality percentage of the patient on the transplant list is around 6% and post-transplant varies depending on the transplant centers (1st year survival of the transplanted patient variable between 88 and 95 and at 5 years variable between 69% and 87%, Turin 95% at 1 year and 87% at 5 years).
The enrollment period runs from 1 January 2018 to 30 June 2022 and involves the collection, in addition to personal data, of health data relating to the pathology and healthcare treatment of the patients.
Finally, the protocol precisely describes the statistical-mathematical methodologies that will be applied for the comparison between the different groups of patients established for this purpose and to test the "predictors" of events in the time intervals considered, also specifying that for this For this purpose, specific R software will be used (R Core team 2020).
Further elements regarding the processing of the data necessary for the implementation of the Study are learned from the VIP in which it is indicated, in particular, that as a whole it involves approximately 150 patients.
The legal basis of the treatments was indicated in the consent of the patients who were alive and contactable, pursuant to art. 9, par. 1, letter. a) of the Regulation, and in the request for prior consultation in question, pursuant to art. 110 of the Code, for those who are deceased. In this regard, it was specified that it is not possible to do without the data referring to the latter patients, as this would lead to significant consequences for the Study in terms of alteration of the relative results.
According to what is specifically indicated in the documentation in the documents, for the pseudonymisation and anonymisation of the data collected for the implementation of the Study, the same measures envisaged for the data processed as part of the Study "Head and neck cancers: relapses and second tumors" will be applied. ”, referred to above (see paragraph 1).
In relation to the duration of the processing, it is indicated that "the data will be kept only for the time [...] necessary to pursue the purposes of the study for which they were collected and processed, without prejudice to the longer time necessary to fulfill conservation obligations which the owner is required due to the nature of the data or document or for reasons of public interest or in execution of specific legal obligations [...]. In particular, the data and the back up database - stored separately - will be kept for a maximum of 7 years starting from the start date of the study, in pseudonymized form". Similar wording is reported in the information prepared for interested parties.
In this regard, during the preliminary investigation it was further clarified that "the personal data base will be kept only for the time necessary to complete the data verification (three years) and will subsequently be eliminated as a further security measure. At the A.O.U., thus as in each participating center, the database containing the pseudonymised (informative) data of the patients belonging to the individual structure will be kept for the time necessary to complete the analysis and guarantee the replicability control of the results obtained (4 years)" [... ]. In this regard, the principal investigator clarified that “the first 3 years will be necessary to enroll patients and collect data. The following 4 years will be dedicated to evaluating the adequacy of the data collected from the various transplants and updating the transplant follow-up". The VIP then indicates that at the end of this period the data will be "anonymized".
From another perspective, the VIP reports that "The study file in which the registered documentation relating to the study is kept (for example: initial application by the scientific director, approval issued by the territorially competent Ethics Committee), devoid of personal data referring to the patients, will be kept for 5 years from the conclusion of the study in the company archives and subsequently disposed of".
In the VIP it is then indicated that the processing operations are carried out both with manual and IT tools by trained and authorized personnel "with logic strictly related to the purposes indicated above".
The document, in particular, represents that "The identification data of the enrolled subject will be subjected to pseudonymisation with a randomly generated unique code (information database), the study data will be collected in a password-protected database and stored in a PC. At the same time, a further personal data spreadsheet (personal data database) will be created which will contain the correspondence between the unique code and the subject's identification data, which will be protected by a password, encrypted and stored on a hard disk external to the PC containing the pseudonymized database and stored in closed cabinet allocated at each data holding center. Each center will therefore use the same data collection and storage methods. [...] At the end of the collection, the pseudonymized data will be sent by the Participating Centers to the Promoter via encrypted email".
On this point in the VIP it is further indicated that "The supplier of the information system, with which the clinical activity is carried out daily for all company specialties, as regards the Promoting Company, HIS TrakCare, InterSystem, and is appointed external manager of processing" and that "the company server farm implements a set of physical/infrastructural and IT measures that make the possibility of interference by unauthorized parties or the possibility of failures that lead to the loss or compromise of the integrity of the information in it negligible memorized".
In relation to the principle of transparency, it has been provided for deceased patients, for the benefit of the beneficiaries, pursuant to art. 2-terdecies of the Code, that the information on the processing of personal data will be published on the company website pursuant to art. 14 of the Regulation.
The VIP continues with the indication of the further technical and organizational measures implemented not only to give effective application to the principles regarding the protection of personal data, to ensure the security of the data processed but also to guarantee in general terms that the risks related to the processing necessary for the implementation of the Study are reduced to an acceptable level.
3. The applicable legislation
The processing of personal data for scientific research purposes must be carried out in compliance with the Regulation, the Code, the Provisions as well as the ethical rules which constitute an essential condition for the lawfulness and correctness of the processing (art. 2-quater of the Code and art. 21, paragraph 5 of Legislative Decree 10 August 2018, no. 101).
With specific reference to the pursuit of scientific research purposes in the medical, biomedical and epidemiological fields, it is highlighted that they are permitted subject to obtaining the consent of the interested party. This requirement is not necessary "[...] when, due to particular reasons, informing interested parties is impossible or involves a disproportionate effort, or risks making it impossible or seriously jeopardizing the achievement of the objectives of the research. In the latter cases, the data controller adopts appropriate measures to protect the rights, freedoms and legitimate interests of the interested party, the research program is the subject of a reasoned favorable opinion from the competent ethics committee at territorial level and must be subjected to prior consultation of the Guarantor pursuant to article 36 of the Regulation” (art. 110 of the Code, art. 9, par. 2, letter j) and par. 4 of the Regulation);
The art. 89, par. 1 of the Regulation provides, in particular, that "Processing for scientific research purposes is subject to adequate guarantees for the rights and freedoms of the interested party, in accordance with this regulation. These guarantees ensure that technical and organizational measures have been put in place, in particular to ensure compliance with the principle of data minimisation. Such measures may include pseudonymisation, provided that the purposes in question can be achieved in this way [...]”.
Personal data must be processed in compliance with the principles applicable to processing established in art. 5 of the Regulation, among which it is worth highlighting here that of accountability, according to which "the data controller must comply with and be able to demonstrate compliance with the principles and obligations set out in the Regulation" (articles 5, par. 2, 24 and of the Regulation). Connected to it is another duty placed on the data controller, namely that of ensuring that the law and regulations regarding the protection of the personal data of interested parties are protected and applied from the design stage and by default (privacy by design and by default, art. 25 of the Regulation).
According to the Regulation "when a type of processing involves in particular the use of new technologies, considering the nature, object, context and purposes of the processing, it may present a high risk for the rights and freedoms of natural persons , the data controller carries out, before proceeding with the processing, an assessment of the impact of the envisaged treatments on the protection of personal data" [...] "The data controller, before proceeding with the processing, consults the supervisory authority if the data protection impact assessment, pursuant to Article 35 of the Regulation, indicates that the processing presents a high risk in the absence of measures adopted by the owner to mitigate the risk". However, prior consultation with the Guarantor is necessary if provided for by a specific regulatory basis (articles 35 and 36 of the Regulation and Guidelines concerning the impact assessment on data protection as well as the criteria for establishing whether a processing "may present a high risk " pursuant to Regulation 2016/679 - WP248rev.01 adopted on 4 April 2017 as amended and last adopted on 4 October 2017).
The VIP must contain, in addition to a systematic description of the processing and the purposes of the processing, an assessment of the risks to the rights and freedoms of the interested parties and of the measures consequently envisaged to address such risks, including guarantees, security measures and mechanisms. to guarantee the protection of personal data and demonstrate compliance with the Regulation (Guidelines concerning the data protection impact assessment as well as the criteria for establishing whether a processing "may present a high risk" pursuant to Regulation 2016/679, cit .).
The measures identified by the owner must be aimed at the effective application of the principles of protection of personal data, placing the data controllers in a position to prove their suitability, also taking into account the specific risks connected, in the specific case, to the processing of data (see also Organization for Economic Co-operation and Development (OECD) privacy guidelines adopted in 1980).
Based on the renewed regulatory framework on the protection of personal data, on the basis of the aforementioned principle of accountability and the obligation to protect data from the design stage, the owner is required to make a thoughtful evaluation of all the choices connected to the processing of personal data , demonstrable on a logical level through specific reasons, aimed at identifying necessary and proportionate measures with respect to the concrete effectiveness of the principle protected from time to time.
The impact assessment constitutes the main forum in which to carry out these assessments and represent the qualitatively and quantitatively effective measures with respect to the objective. These measures must be periodically verified and designed to be, if necessary, revised in relation to any increases or reductions in risks for the interested parties (provision of 30 June 2020, web doc. no. 9357972 and of 30 July 2022 web doc. no. 9808839).
The data must also be processed in compliance with the principle of transparency (art. 5, par. 1, letter a) of the Regulation). In relation to the related information obligations, if the data is obtained from third parties, the data controller may not provide the information referred to in paragraphs 1 to 4 of the art. 14 of the Regulation, to the extent that the communication of such information is impossible or involves a disproportionate effort. This, in particular, in the context of processing carried out for scientific research purposes, without prejudice to the conditions and guarantees referred to in article 89, par. 1 of the Regulation. In such cases, the data controller is still required to adopt appropriate measures to protect the rights, freedoms and legitimate interests of the interested party, including by making the information public (art. 14, par. 5, letter b) of the Regulation) . On this point, the art. 6, paragraph 3 of the Ethics Rules provides that "When the data are collected from third parties, or the processing carried out for statistical or scientific purposes concerns data collected for other purposes, and the information involves a disproportionate effort compared to the protected right, the owner adopts suitable forms of advertising (...)", indicating specific methods by way of example.
The principle of limitation of conservation must then be observed according to which the data must be kept only for the time necessary to pursue the purposes of the collection or if necessary defined on the basis of regulatory obligations (art. 5, par. 1 letter e ) of the Regulation).
For specific needs of transparency and allocation of responsibilities deriving from sector legislation, in the context of personal data processing operations it is necessary to correctly identify the roles of owner, joint owner (articles 4, no. 7, 24 and 26) and, if of the case, of responsible (art. 4, n. 8 and 28).
4. The Authority's assessments
4.1. Evaluations regarding the processing of personal data necessary for the implementation of the study "Head and neck tumors: relapses and second tumors"
The Guarantor believes that the Company has correctly identified the legal bases for the processing of the data necessary for the pursuit of the objectives of the Firm, adequately specifying the reasons that justify the impossibility of being able to inform the interested parties and acquire valid consent, despite the proportionate and reasonable efforts that are intended to be used for this purpose, in accordance with the provisions of point 5.3 of the Regulations. This is determined by the fact that the Study involves a very long period of observation of patient data (starting from 2010) and concerns oncological diseases for which the incidence of mortality is very high (survival <50% at 5 years). Therefore, out of a sample of 600 patients, approximately 400 have died and 60 are uncontactable, after having made 5 contact attempts considered proportionate with respect to the use of economic resources for the creation of a non-profit study such as the one in question. In this case, failure to include deceased and uncontactable patients in the sample would produce significant consequences in terms of altering the relevant results.
The firm has obtained the favorable opinion of the competent ethics committee at territorial level, an element which constitutes a condition of lawfulness and correctness of the processing of personal data for the purposes in question, where it is not possible to acquire the consent of the interested parties (see provisions of 29 October 2020, web doc. 9517401 and provision of 1 November 2021, web doc. 9731827).
Furthermore, it is believed that the Company, taking into account that this is a single-centre study, has identified an effective measure for the fulfillment of the transparency obligations related to the processing in question, providing for the publication of the information on its website (pursuant to of articles 5, paragraph 2, letter a) 14 of the Regulation and 6, paragraph 3 of the Ethics Rules).
Nonetheless, in taking favorable note of the changes made to the text of the information during the investigation, it is noted that it does not emerge explicitly from the documentation in the documents that the Company has foreseen that the availability of the same on its institutional website is guaranteed for the entire the duration of the Study.
The Guarantor therefore deems it necessary for the Company to ensure that the information on the processing of personal data in relation to the Firm, prepared pursuant to art. 14, par. 5, letter. b) of the Regulation and art. 6, paragraph 3 of the Ethical Rules, is available on its website for the entire duration of the processing.
The Authority also believes that the Company, in the Study presented, has correctly applied the art. 89 of the Regulation, providing that the data are subject to effective minimization techniques throughout the entire processing phase, promptly described in the impact assessment and takes favorable note of the measures indicated for the pseudonymisation and anonymisation of the data, which will be arranged by the Company at the end of the data retention period indicated as 5 years starting from the conclusion of the patient enrollment phase indicated as two years. These measures take into account the indications provided by the Guarantor in previous opinions formulated on requests for prior consultation made pursuant to art. 110 of the Code and 36 of the Regulation and in particular the provision of 2 March 2023 doc. web. n. 9875254 adopted against the Company (see also provision of 1 June 2023 web doc. no. 9913795).
More precisely, with reference to the aforementioned storage times, the Guarantor believes that they are proportionate based on the technical-scientific reasons represented by the Company. In fact, the first 2 years are necessary for patient enrollment and data collection; the next five are necessary in particular to check the adequacy of the data collected.
4.2. Evaluations regarding the processing of personal data necessary for the implementation of the Study "Use of coronagraphy and right heart catheterization in the pre-liver transplant cardiological work-up"
The Company, as promoter of the Study and data controller, has correctly identified the legal bases for the processing of personal data necessary for the implementation of the multicentre, observational, retrospective, non-profit, non-pharmacological study relating to the "Use of coronagraphy and right heart catheterization in the pre-liver transplant cardiological work-up", adequately specifying the reasons that justify the impossibility of being able to inform the interested parties and acquire valid consent in accordance with the provisions of point 5.3 of the Requirements, given the high mortality incidence of patients who intend to enroll, as represented by the individual participating centers. In this case, failure to include deceased patients in the sample would produce significant consequences in terms of altering the relevant results.
Furthermore, it is noted that the Firm has obtained the favorable opinion of the competent ethical committee at territorial level, an element which constitutes a condition of lawfulness and correctness of the processing of personal data for the purposes in question, where it is not possible to acquire the consent of the interested parties (see provision no. 202 of 29 October 2020, web doc. 9517401 and provision no. 406 of 1 November 2021, web doc. 9731827).
From another perspective, the Guarantor believes that the Company, by providing for the publication of the information on its website and on that of the participating Centers, has identified an effective measure for the fulfillment of the obligation of transparency related to the processing in question (pursuant to of articles 5, paragraph 2, letter a) and 14 of the Regulation and 6, paragraph 3 of the Ethics Rules), (see provision of 1 November 2021, web doc. no. 9731827 and of 2 March 2023 doc . web no. 9875254).
Furthermore, the Guarantor deems it necessary for the Company to ensure that the information on the processing of personal data, prepared pursuant to art. 14, par. 5, letter. b) of the Regulation and art. 6, paragraph 3 of the Ethics Rules, in relation to the study in question, is available on its website and on those of the participating centers for the entire duration of the treatment.
Furthermore, it is noted that the documentation in the documents does not reveal the personal data protection role of the owner, co-owner or data controller, pursuant to articles. 24, 26 and 28 of the Regulation, attributed to each of the twenty participating centres.
It is therefore considered necessary for the Company to integrate the information and impact assessment relating to the study in question by specifying the personal data protection role of the owner, co-owner or data controller, pursuant to articles. 24, 26 and 28 of the Regulation, attributed to the twenty participating centres.
In general terms, the Company, in the Study presented, has correctly applied the art. 89 of the Regulation, providing that the data are subject to effective minimization techniques throughout the entire processing phase, promptly described in the impact assessment. In this regard, the observations already formulated above in relation to the study "Head and neck tumors: relapses and second tumors" on the measures indicated for the pseudonymization and anonymization of data apply.
With specific reference to storage times, the Guarantor believes that they are proportionate based on the technical-scientific reasons represented by the Companies. In fact, the first three years are necessary for patient enrollment and data collection; the next four are dedicated to evaluating the adequacy of the data and analyzing them in order to pursue the objectives of the Study.
4.2.1. On impact assessment
With reference to the impact assessment, it is preliminarily noted that the Regulation, on the basis of a substantive approach, offers data controllers the flexibility to establish the structure and form of the same so that it adapts to the existing working practices in the various organisations, whether public or private, it being understood that it contains a real risk assessment that allows adequate and effective measures to be adopted to address them, as indicated in the aforementioned Group guidelines art. 29 of 4 April 2017. It is therefore required that the impact assessment is not limited to assertive declarations, having to report specific considerations supported by arguments regarding the effectiveness, in qualitative or quantitative terms, of the measures adopted with respect to the scenario considered, also based on the probability and severity of the risk considered.
The Guarantor therefore deems it appropriate to underline the importance of the impact assessment being prepared in accordance with the provisions of the art. 35 of the Regulation and on the basis of the indications provided by the Article 29 Group in the aforementioned guidelines of 4 October 2017, through the analysis and weighting of the specific risks connected to the processing, of the measures implemented to mitigate them and of the actions undertaken to ensure the effective application of the principles regarding personal data protection.
Given the above, in relation to the VIP presented by the Company on the Study "Use of coronagraphy and right heart catheterization in pre-liver transplant cardiological work-up", it is noted that the risks considered (illegitimate access to data, unwanted modifications and loss of the same) are all addressed with the implementation of the same measures, corresponding to those - technical and organizational - generally implemented for the application of the Regulation and attributable to: "Pseudonymisation, partitioning, archiving, workstation management, video surveillance, bach up, security of the hardware and company network, protected server farm infrastructure (trakcare), users and company password choice policies, data minimization, fight against malware, supervision of data protection, physical access to premises with protection systems, fire prevention systems".
This means that, through the indistinct and insufficiently motivated indication of the same set of measures with respect to the different risks detected, without therefore providing specific adequate measures modeled on each risk considered, these measures thus applied are inadequate and not relevant to the purpose of desired prevention.
In this regard, it should be noted, for example, that VIP provides for the measure of data minimization as a suitable measure to prevent the loss of personal data and indicates the fire prevention system as a measure to reduce the risk of unwanted modification of personal data.
The Guarantor therefore deems it necessary for the Company to integrate the impact assessment of the aforementioned Study, identifying, in relation to the risk scenario considered, adequate measures indicating their effectiveness, also based on the probability and severity of the scenario itself.
ALL THIS CONSIDERING THE GUARANTOR
1. pursuant to art. 110 of the Code and art. 36 of the Regulation, expresses to the A.O.U. University Hospital. Citta della Salute e della Scienza di Torino, with registered office in Corso Bramante, 88 - 10126 Turin, Tax code - VAT number: 10771180014, favorable opinion regarding the processing of personal data for medical, biomedical and epidemiological research purposes, referring to the cohort of deceased or uncontactable patients enrolled in the retrospective, non-profit, single-center study called “Head and neck cancer: relapses and second tumors” provided that:
a) ensures that the information on the processing of personal data prepared pursuant to art. 14, par. 5, letter. b) of the Regulation and art. 6, paragraph 3 of the Rules of Ethics is available on its website for the entire duration of the processing (see point 4.1.);
2. pursuant to art. 110 of the Code and art. 36 of the Regulation, expresses to the A.O.U. University Hospital. Citta della Salute e della Scienza di Torino, with registered office in Corso Bramante, 88 - 10126 Turin, tax code - VAT number: 10771180014, favorable opinion regarding the processing of personal data for medical, biomedical and epidemiological research purposes, referring to the cohort of deceased or uncontactable patients enrolled in the retrospective study "Use of coronagraphy and right heart catheterization in the pre-liver transplant cardiologist work-up", provided that:
a) the information on the processing of personal data, prepared pursuant to art. 14, par. 5, letter. b) of the Regulation and art. 6, paragraph 3 of the Rules of Ethics is available on its website and on those of the participating centers for the entire duration of the treatment (see point 4.2);
b) integrates the information and the impact assessment relating to the study in question by specifying the personal data protection role of the owner, co-owner or data controller, pursuant to articles. 24, 26 and 28 of the Regulation, attributed to the twenty participating centers (see point 4.2);
c) integrates the impact assessment by identifying, in relation to the risk scenario considered, adequate measures indicating their effectiveness also based on the probability and severity of the same (see point 4.2.1).
Pursuant to art. 78 of the Regulation, of the articles. 152 of the Code and 10 of Legislative Decree no. 150/2011, it is possible to lodge an appeal against this provision before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the appellant resides abroad.
Rome, 26 October 2023
PRESIDENT
Stanzione
THE SPEAKER
Stanzione
THE GENERAL SECRETARY
Mattei
