Garante per la protezione dei dati personali (Italy) - 9988614

Garante per la protezione dei dati personali - 9988614

Authority:	Garante per la protezione dei dati personali (Italy)
Jurisdiction:	Italy
Relevant Law:	Article 9 GDPR Article 9(2)(a) GDPR Article 13 GDPR Article 14 GDPR Article 14(5)(b) GDPR
Type:	Other
Outcome:	n/a
Started:	22.11.2022
Decided:	24.01.2024
Published:
Fine:	n/a
Parties:	Azienda Socio Sanitaria Territoriale degli Spedali Civili di Brescia
National Case Number/Name:	9988614
European Case Law Identifier:	n/a
Appeal:	n/a
Original Language(s):	Italian
Original Source:	Garante (in IT)
Initial Contributor:	im

The DPA issued a favorable opinion after a prior consultation with a company using AI for throat cancer organ preservation research. However, at least three attempts to contact unreachable patients in the study is considered a proportionate effort.

English Summary

Facts

Azienda Socio Sanitaria Territoriale degli Spedali Civili di Brescia (‘controller’) requested a prior consultation pursuant to Article 36 GDPR as a promoter of a retrospective study called ‘Artificialintelligence for the definition of new signatures and models for the personalisation of organ preservation strategies in laryngeal and hypopharyngeal cancer – PRESERVE’ (‘study’).

The study's goal is to make a model that can predict how well a patient will respond to a certain kind of chemotherapy for throat cancer. By looking at information about the patient and their cancer, such as their medical history, test results, and genetic makeup, researcher hope to find out quickly if this chemotherapy will work. This could help keep more patients from needing surgery and improve their quality of life, while also making the treatment more cost-effective.

The study is part of a European Project on personalized medicine.

The objective scope of the request for prior consultation refers exclusively to the retrospective collection of data required for Phase 1 of the European project aimed exclusively at the "development of a predictive algorithm" which forms basis for Phase 2 in which the artificial intelligence logic will be used.

Due to the aggressiveness of the disease, most of the patients who would be enrolled for retrospective data collection are deceased or non-contactable. The company, therefore, identified Article 9(2)(j) GDPR as the legal basis for the processing of personal data relating to these individuals which allows for processing of special categories of data for archiving purposes, among others, in the public interest or scientific research purposes.

Additionally, the Company stated that in compliance with the provisions of Article 14(5)(b) GDPR, the controller, prior to the start of the study, will make public the relevant information through a specific advertisement on its corporate websites.

The controller identified different data retention periods (10 and 25 years) and hypothetical further retention of the data which is in compliance with the rules set by the Lombardy Region about maximum data discard rates approved.

The controller also provided a single document with information to be provided to the interested parties based on Article 13 GDPR and to non-contactable persons based on Article 14 GDPR. The information notice includes the right to object to the processing. It is also represented that to ensure security of data, the data will not be disseminated under any circumstances, but only in cases of scientific publications and a strictly anonymous and aggregate form.

Holding

The Garante issued a favorable opinion on the processing of personal data in relation to deceased or non-contactable persons involved in the study. However, several aspects must be considered and improved by the controller.

Firstly, the company identified the correct legal basis for the processing of data concerning deceased and non-contactable people. On this point, it is considered necessary for the controller to keep track of the contact attempts made to persons who are currently non-contactable. At least three attempts at contact constitutes a reasonable and proportionate effort. Therefore, the three unsuccessful attempts are a condition to use the legal basis under Article 9(2)(j) GDPR.

The Garante stressed the importance of having information about people who have passed away or are not reachable. Without this data, the group of people studied would not be complete, which could affect how accurate the algorithm is. To make sure everyone involved in the study is treated fairly and transparently, the company needs to share information even with those who cannot be contacted or have passed away. This includes putting information on the websites of all 20 participating centers in Italy, where the study is taking place.

Secondly, the company plans to keep the data for 10 years after the end of the study, which is correct because the researchers need that time to analyze the data and verify the results. However, a 25-year retention period, similar to rules for drug trials, did not apply here and was therefore incorrect.

Thirdly, the living data subjects involved in the study do not enjoy a right to object to how their data will be used, but they do have broader rights of revocation of consent and subsequent erasure. For this reason, the controller must delete any reference to the right to object in the information notices provided pursuant to Article 13 and 14 GDPR. Additionally, the information notice should be dived in two parts, for those who are considered interested parties and those non-contactable to ensure the information about how they use personal data is clear and easy to understand.

Fourthly, the controller also needs to be transparent about the methods and algorithms they use to process this data as per Article 5(1)(a) GDPR. This helps build trust and ensures that experts can check and verify the process. The company should publish an impact assessment pursuant to Article 35 GDPR on their website, along with a list of the mathematical and statistical models they use and how they use algorithms.

Fifthly, the company assures that personal data from the clinical trial will not be shared at all. However, it might be shared anonymously, like in scientific publications or conferences. It is emphasized that the data will be made anonymous after processing. When sharing grouped data, there's a risk of identifying individuals through statistical analysis. To avoid this, the number of statistical groupings should be much lower than the number of variables considered. Lastly, the company should regularly check how effective their anonymization techniques are and make adjustments if needed, to prevent any chance of re-identifying individuals.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

[doc. web no. 9988614]

Provision of 24 January 2024

Register of measures
n. 36 of 24 January 2024

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice-president, Dr. Agostino Ghiglia and the lawyer. Guido Scorza, members, and the councilor. Fabio Mattei, general secretary;

HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 /CE-General Data Protection Regulation (hereinafter “Regulation”);

GIVEN, in particular, the articles. 35 and 36 of the Regulation relating, respectively, to the impact assessment on data protection and the prior consultation of the Authority;

HAVING REGARD TO Legislative Decree 30 June 2003, n. 196 containing “Code regarding the protection of personal data (hereinafter “Code”);

GIVEN the art. 110 paragraph 1, second period of the Code relating to the processing of personal data for medical, biomedical and epidemiological research;

GIVEN the ethical rules for processing for statistical or scientific research purposes adopted by the Guarantor, pursuant to art. 20, paragraph 4, of Legislative Decree 10 August 2018, n. 101, with provision no. 515, of 19 December 2018 (web doc. no. 9069637, hereinafter "Ethical rules");

GIVEN the provisions relating to the processing of personal data carried out for scientific research purposes, annex no. 5 to the Provision which identifies the provisions contained in the General Authorizations which are compatible with the Regulation and with Legislative Decree no. 101/2018 for adaptation of the Code, of 5 June 2019 (web doc. no. 9124510);

GIVEN the request for prior consultation presented by the Territorial Social and Health Authority of the Spedali Civili of Brescia, pursuant to articles. 110 of the Code and 36 of the Regulation for the implementation of the retrospective observational study called "Artificial intelligence for the definition of new signatures and models for the personalization of organ preservation strategies for laryngeal and hypopharyngeal cancer - PRESERVE" (note dated 22 November 2022 );

HAVING SEEN the documentation in the documents;

GIVEN the observations formulated by the Secretary General pursuant to art. 15 of the Guarantor's Regulation no. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data, in www.gpdp.it, doc. web no. 1098801;

Speaker: the lawyer. Guido Scorza;

PREMISE

1. The request for prior consultation and the investigative activity carried out

With a note dated 22 November 2022, the Azienda Socio Sanitaria Territoriale degli Spedali Civili di Brescia (hereinafter "Company") presented a request for prior consultation, pursuant to art. 110, paragraph 1, last paragraph of the Code and art. 36 of the Regulation, as promoter of the retrospective observational study called "Artificial intelligence for the definition of new signatures and models for the personalization of organ preservation strategies for laryngeal and hypopharyngeal cancer - PRESERVE" (hereinafter "Study"), by transmitting the protocol, the impact assessment on data processing carried out pursuant to art. 35 of the Regulation (VIP), the favorable opinion of the territorially competent Ethics Committee and the privacy information to be provided to interested parties.

The aim of the Study is to "create a multimodal model capable of predicting the response to induction chemotherapy (IC) as a strategy for organ preservation in locally advanced cancer of the larynx and hypopharynx", this is because through '"analysis and integration of the clinical, radiological, genetic and biomolecular characteristics of the disease and the patient" it is possible to "preemptively identify subjects responding to organ preservation strategies including induction chemotherapy (IC), thus increasing the rate of preservation of the larynx and positively impacting the patient's quality of life and the cost-benefit ratio of the therapeutic strategy".

The Study will also “lay the foundations for a future prospective phase II study, in which the applicability and effectiveness of a personalized induction treatment will be studied”. [...] “The prospective study will also include an in-depth analysis of the quality of life of the enrolled patients, a fundamental outcome of the preservation strategy”.

The secondary objectives of the Study are: “1) To define alternative therapeutic paths to be exploited in patients who do not respond to traditional chemotherapy. 2) Develop data integration tools and predictive algorithms for response to induction chemotherapy (IC), thus defining a CDSS (clinical decision support system)”.

The Study, which is part of the larger European project entitled: “Multidisciplinary Research Projects on Personalized Medicine – Pre-/Clinical Research, Big Data and ict, Implementation and Users Perspective”, involves the enrollment of approximately n. 300 patients on the national territory, treated with induction chemotherapy (IC) in the period between 2008 and 2020, and is divided into the following five phases:

1.“Collection of clinical, biomolecular and radiological data from a retrospective cohort of patients treated with IC;

2. Integration of the transcriptomic profile with the somatic genetic profile (i.e. genetic profile of the tumor cell) and with the molecular one, highlighting any differences between the group of responders and that of non-responders to IC;

3. Radiomics analysis;

4. Design of a predictive model of response to CI;

5. Integration of the models developed in order to support a clinical decision support system".

Since it is a very aggressive tumor, the majority of patients are deceased and the exclusion of these patients "would not allow us to have a representative case history of therapeutic failures for carrying out the retrospective phase". Furthermore, since the project "envisages that an algorithm for predicting response to therapy is generated through the analysis of retrospective data [...], which will then be applied to a prospective randomized study (phase 2 of the project)", the lack of data “obtained from deceased patients, would generate a selection bias leading to an incorrect generation of the algorithm”.

The Study involves the participation of twenty centers in Italy and some European centers located in Spain, Germany and Greece. The participation of the University of Oslo, Department of Informatics P.O., which, as a "project partner, contributes through the provision and management of the electronic platform for the collection of the data necessary for statistical analysis", is also envisaged. 'duly appointed data controller pursuant to art. 28 of the Regulation. It is also represented that the Company will assume the role of promoter and "leader of the European project".

In the Study protocol it is highlighted that the “Clinical data will be retrieved from the Genomic Data Commons portal from TCGA Research Network” and that “1. We will perform bioinformatics analysis on the biomolecular data resulting from the predictive patients' samples processing from WP2. 2. Starting from our retrospective pool of treated patients, where the efficacy of the treatment has been recorded together with a rich set of omics and clinical data from WP1, WP2 and WP3, we will design predictive models, using a similar approach as described in [paragraph 1]”.

With reference to the principle of transparency and the obligation to provide information to interested parties, the Company has sent the information on the processing of personal data which will be provided to patients. With regard to deceased or unreachable patients, the Company declared that "in compliance with the provisions of art. 14, par. 5, letter. b of EU Regulation 2016/679, the Promoter, before starting the Study, will make the relevant information public through a specific advertisement on its company websites".

In relation to the duration of the Study, the request states that it will last 36 months and that the data collected will be stored for 10 years, without prejudice to the fact that "This term may be extended in order to comply with the storage terms established in the Maximum of Waste approved by the Lombardy Region currently in force and subsequent amendments. in any case not higher than those necessary for the management of possible appeals/disputes"; the impact assessment indicates a conservation period of 25 years from the conclusion of the Study (see 1_Preserve treatment sheet).

It is also represented that, to guarantee minimization, the data, in pseudonymized form, "will be inserted into the e-cfr TSD web based platform" managed by the University of Oslo and will be stored only in electronic format.

The request for prior consultation is accompanied by the impact assessment, carried out pursuant to art. 35 of the Regulation, which is made up of a "processing sheet" and 4 annexes containing respectively a description of the methodology adopted, the analysis of the general and specific risks of the processing relating to the Study and the description of the technical and organizational measures that are intended adopt to guarantee a level of safety appropriate to the risk, also providing specific safeguards for the transport of biological samples containing genetic data.

With note dated 16 December 2022 (prot. no. 82086), the Office formulated a request for information to the promoter in order to obtain specific clarifications regarding:

the correlation between the Study which is the subject of this request for prior consultation and the aforementioned European Project, the roles of the participants located in Europe and, if they have access to the personal data - albeit pseudonymised - of the Study's patients which will flow into the platform managed by the University of Oslo, the legal basis on which such access would be permitted;

the method of fulfilling the information obligations, as indicated in the art. 12 of the Regulation, given that both the information to be provided directly by the interested parties was reported in a single document, pursuant to art. 13 of the Regulation, and those to be returned to non-contactable subjects, pursuant to art. 14 of the Regulation itself, thus resulting in a very long and difficult to read document;

the storage times, given that the owner has indicated different ones (10 and 25 years), also referring to a hypothetical further storage of the data, in compliance with the terms established in the "Waste Maximum approved by the Lombardy Region currently in force and ss .mm.ii”, without however indicating the technical-scientific reasons why this term is considered necessary to achieve the purposes for which the data are collected;

the specific guarantees that are intended to be implemented to protect the rights of interested parties, considering that the data will be processed using artificial intelligence tools and with predictive logic based on machine learning systems.

With note dated January 27, 2023, the sponsor provided the requested clarifications, representing the following.

“Multidisciplinary Research Projects on Personalized Medicine – Pre-/Clinical Research, Big Data and ICT, Implementation and Users Persepective” refers to the title of the competitive public tender ERAPerMed Joint Translational Call 2020, in which ASST Spedali Civili participated as “Coordinator” ” together with other Partner entities;

the European Project involves the implementation of two clinical studies. The study which is the subject of the request for prior consultation refers exclusively to a specific phase of the aforementioned project, i.e. the retrospective study corresponding to the "Work Package/WP-1, WP-2, WP-3, WP-4, WP-5 of the recalled European Project”;

the information and consent form for the Study are therefore related to the aforementioned retrospective observational study, promoted by ASST Spedali Civili di Brescia, and are aimed at potential enrollable subjects, belonging to the Italian Centers that are not "Partners" of the European Project, but have been identified by ASST Spedali Civili in order to contribute to the selection of case studies;

the two information forms pursuant to art. 13 and 14 of the Regulation in which the role of the ASST as promoter of the Study was specified with the "elimination of the indication of the function of Testing Center" and in which only "two distinct treatments that the Data Controller will perform" were indicated carry out during the clinical trial".

In relation to the data retention times, the Company clarified that it has indicated 10 years as "At the conclusion of the European Project, it may be necessary to have available the data that determined the initial mathematical calculation (collected during the study in examination) for a suitable period of time (reasonably identified as 10 years), for a possible revision of the source data. Furthermore, even if the Promoter realizes that it is impossible to achieve the desired results, it may be necessary to verify the source data and re-analyse the data collected to understand the causes of the failure. These operations could reasonably require a long period of time for the Promoter, identified - in fact - as 10 years". Furthermore, the Company represented that as a Public Administration - it is also "obliged to respect the conservation times established by the waste maximum drawn up by the working group coordinated by the Lombardy Region for all health and social-healthcare companies present in the regional territory ", which in relation to the retention times of documents relating to clinical trials of drugs and devices for human use, indicate a period of 25 years from the conclusion of the trial.

For this reason, the Company has intended to identify the retention period as 25 years from the conclusion of the Study. Without prejudice to the fact that "if this Authority deems that said twenty-five year term is not adequate pursuant to the legislation on the protection of personal data, the ASST will proceed to reduce the data retention of the Firm's personal data to 10 years, i.e. the time period necessary to achieve the objectives of the Project".

Lastly, the Company has specified that for the conduct of the Study (of a purely retrospective nature), the personal data of the enrolled patients will be processed exclusively to create the algorithm necessary to plan the construction of the artificial intelligence "tool", which instead, it will only be applied in phase 2 of the project (pharmacological clinical study), therefore declaring that "the experiment in question does not involve the use of artificial intelligence tools, nor predictive logic based on machine learning systems".

As specific critical issues persist, with a note dated 3 March 2023 (prot. no. 38163), an investigative supplement was formulated with particular reference to the legal bases of the processing, the retention times and the relationship between the algorithm that is intended to be developed in the first phase of the Study subject to the request for prior consultation under consideration for the creation of a predictive mathematical model and the artificial intelligence tool that would be intended to be used in phase 2 of the Study.

In relation to the legal bases of the processing, the Company has confirmed that the "competitive public tender "ERAPerMed Joint Translational Call 2020" [...]" cannot be considered as a presupposition of lawfulness of the personal data of the patients who will be enrolled in the Study in word" this is also because "the aforementioned notice does not contain indications of appropriate and specific measures for the protection of the fundamental rights of the interested parties". The condition of lawfulness of the processing must therefore be found in the art. 9, par. 2, letter. j) of the Regulation and in the art. 110 of the Code (note dated 27 March 2023).

With reference to the impossibility of informing interested parties and acquiring valid consent, the Company highlighted that the study concerns the analysis of a rare tumor, laryngeal carcinoma, and that due to the aggressiveness of the disease, the majority part of the patients who were intended to be enrolled for retrospective data collection appear to be deceased; in particular, at the coordinating center 46.67% of these patients were deceased.

Furthermore, the coordinating center (with respect to its potential subjects eligible for the Study) stated that it had "attempted to contact some patients who were found to be untraceable; in particular, the center attempted to reach said patients through the contact details that they had communicated to the ASST as part of the treatment process to which they had undergone, without success [...]".

Regarding the "connections between the algorithm and the artificial intelligence tool", the Company confirmed that "Phase 1 of the Study does not involve the application and/or use of systems designed to process personal data according to logics of artificial intelligence” which will be used exclusively in Phase 2 of the Study. At present, therefore, the Company is not able to detail the characteristics that the AI systems may take on in the next phase of the Project. In any case, the Company has represented "the logic and assumptions that will lead to the identification and definition of the predictive model (algorithm) as a result of the conclusion" of phase 1 of the Study.

Specifically, "the data collected will be analyzed with statistical models [...] aimed at analyzing "radiomics and genomic characteristics with univariate methods". This will allow a “cluster” analysis that will identify groups of radiomic or gene expression features with similarities. “Subsequently, multivariate models will be applied to consider associations between variables and potential confounding effects.” The Company also highlighted that multiple analyzes will be carried out on the data: “[…] multivariate analysis (MANOVA), multivariate regression analysis (stepwise feature selection), Principal Component Analysis (PCA), Canonical Correspondence Analysis (CCA) and Partial Least Square Discriminant Analysis (PLS-DA). The performance of the algorithm will then be measured in terms of area under the "receiver operating characteristic" (ROC), with related sensitivity, specificity and precision. Following the completion of the statistical analysis, using the above statistical methods, it will be possible to define a predictive model (algorithm) capable of differentiating, based on all the variables analyzed and subjected to statistical analysis, those patients who will or will not respond to treatment. This algorithm, if it proves to be statistically significant, will be implemented/used for the implementation of Phase 2 of the Project. With regard to the operating logic of the algorithm, it was specified that "the objective is to identify in which patients enrolled in the Study there are variables (edited and visible from the analysis) which lead to hypothesizing which treatment does not work/has a better chance of working than to the pathology they are suffering from". Furthermore, with particular reference to the quality of the data and their transparency, the Company represented that "the quality of the data is confirmed with statistical processing" and that "there are methods of evaluating the quality of the data which consist - for example - in the evaluation of the number of so-called “data missing”, or in evaluating the presence of “unlikely” numerical intervals; generally following this first verification, queries are generated to the participating Centers for verification from the source data (clinical record). In light of these arguments, the Company has ultimately ruled out that Phase 1 of the Project falls within the hypotheses envisaged in the "document of the National Biosafety Committee [...] which will instead be taken into due consideration in the drafting of the clinical trial processes , as Phase 2 of the Project".

Regarding data retention times, the Company has declared that it will proceed "to reduce the data retention of the Firm's personal data to 10 (ten) years, i.e. the time period necessary to achieve the objectives of the Project".

Finally, the Company sent the new texts of the information drawn up pursuant to the articles. 13 and 14 of the Regulation "further revised in order to make them more intelligible and consistent with the regulatory provisions" within which the role of the participating Center as autonomous data controller was indicated in particular and was indicated, as above anticipated, in 10 years the data retention period.

2. The applicable legislation

The processing of personal data must take place in compliance with the applicable legislation on the protection of personal data.

According to the Regulation, personal data must be processed "in a lawful, correct and transparent manner towards the interested party" (principle of "lawfulness, correctness and transparency")" (art. 5, par. 1, letter a) of the Regulation).

With specific reference to particular categories of data, including health data, art. 9 of the Regulation establishes a general prohibition on the processing of such data unless one of the specific exemptions to this prohibition applies (art. 9, par. 2).

In this framework, the processing of personal data for scientific research purposes must also be carried out in compliance with the provisions and ethical rules which constitute an essential condition for the lawfulness and correctness of the processing (art. 2-quater of the Code and art. 21, paragraph 5, of Legislative Decree 10 August 2018, n.

Specifically, art. 110 of the Code which concerns medical, biomedical and epidemiological research and provides that "The consent of the interested party for the processing of data relating to health, for the purposes of scientific research in the medical, biomedical or epidemiological field, is not necessary when the research is carried out on the basis of provisions of law or regulation or European Union law in accordance with Article 9, paragraph 2, letter j) of the Regulation, including where the research is part of a biomedical research program or healthcare provided pursuant to article 12-bis of the legislative decree of 30 December 1992, n. 502, and an impact assessment is conducted and made public pursuant to articles 35 and 36 of the Regulation. Consent is also not necessary when, due to particular reasons, informing interested parties is impossible or involves a disproportionate effort, or risks making it impossible or seriously jeopardizing the achievement of the objectives of the research. In such cases, the data controller adopts appropriate measures to protect the rights, freedoms and legitimate interests of the interested party, the research program is the subject of a reasoned favorable opinion from the competent ethical committee at territorial level and must be subjected to prior consultation with the Guarantor pursuant to article 36 of the Regulation”.

In relation to the impact assessment, we highlight the "Guidelines regarding the impact assessment on data protection as well as the criteria for establishing whether a processing "may present a high risk" pursuant to regulation 2016/679" - adopted by the Group art. 29 on April 4, 2017 as last amended and adopted on October 4, 2017.

The principle of limitation of data retention requires that they be "kept in a form that allows the identification of the interested parties for a period of time not exceeding the achievement of the purposes for which they are processed; personal data may be stored for longer periods provided that they are processed exclusively for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, in accordance with Article 89(1), without prejudice to the implementation of technical measures and adequate organizational requirements required by this regulation to protect the rights and freedoms of the interested party” (art. 5, par. 1, letter e) of the Regulation).

Furthermore, personal data must be processed in compliance with the principle of transparency (art. 5, par. 1, letter a) of the Regulation), providing the interested parties with the information referred to in the art. 13 of the Regulation, in the case of data collected directly from them, or pursuant to art. 14, in case of data collected from third parties.

The data processed for research purposes cannot be used to take decisions or measures relating to the interested party, nor for data processing for purposes of another nature (see art. 105 of the Code and Cons. 162 of the Regulation; Cons. 27 of the EC Regulation No. 2009/223 on European statistics and, at an international level, art. 4 of the Council of Europe Recommendation No. (97) on the protection of personal data collected and processed for statistical purposes).

Having said this, the data controller, in compliance with the principle of accountability, must comply with and be able to demonstrate both compliance with the principles and obligations set out in the Regulation, and with having effectively protected the right to protection of the personal data of the interested parties since design and by default (articles 5, paragraphs 2, 24 and 25 of the Regulation).

On the basis of the renewed regulatory framework on the protection of personal data, a weighted evaluation of all choices connected to the processing of personal data is required, which can be demonstrated on a logical level through specific reasons, aimed at identifying necessary and proportionate measures. with respect to the concrete effectiveness of the principle protected from time to time. In compliance with the obligation of data protection from design, the owners must also take an active conduct in the application of the principles, aiming to obtain a real protection effect (see Guidelines 4/2019 on Article 25 Data Protection by Design and by Default, adopted on 13 November 2019 by the European Data Protection Committee; provision of the Guarantor of 23 January 2020, web doc. 9261093).

With reference to the fact that the data collected on the platform should subsequently be processed through algorithmic logic, with artificial intelligence tools and with predictive logic based on machine learning systems, the specific constraints are highlighted, in terms of data protection and transparency , which must be respected in this case.

Preliminarily, it is highlighted that based on art. 22 of the Regulation "The interested party has the right not to be subjected to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or which similarly significantly affects his person", unless , with reference to the processing of particular categories of data, it is based on the consent of the interested parties or is carried out on the basis of a specific regulatory requirement for reasons of significant public interest and "adequate measures are in force to protect the rights, freedoms and legitimate interests of the interested party” (art. 22, par. 4 of the Regulation; see also Cons. 71).

In this regard, reference is made to the ruling of the Council of State (Cons. of St., section VI, 13 December 2019, n. 8472) according to which "three principles emerge from supranational law, to be taken into due consideration in the examination and in the use of IT tools. Firstly, the principle of knowability, whereby everyone has the right to know the existence of automated decision-making processes that concern them and in this case to receive significant information on the logic used [...] the principle of non-exclusivity of the algorithmic decision [... ]. Thirdly, from recital no. 71 of Regulation 679/2016, European law draws on a further fundamental principle of algorithmic non-discrimination, according to which it is appropriate for the data controller to use appropriate mathematical or statistical procedures for profiling, implementing adequate technical and organizational measures in order to ensure, in particular, that the factors leading to data inaccuracies are rectified and the risk of errors is minimized and in order to guarantee the security of personal data, in a manner that takes into account the potential risks existing for the interests and rights of the interested and which prevents, among other things, discriminatory effects against natural persons [...]" (see the latest ruling of the Regional Administrative Court of Campania, section III, no. 05119 of 11 November 2022).

It is also worth recalling what was expressed in the joint opinion of the European Data Protection Committee and the European Guarantor, n. 5/2021 on the proposal for a regulation of the European Parliament and of the Council establishing harmonized rules on artificial intelligence (Law on artificial intelligence, of 21 April 2021), which welcomes the risk-based approach on which it is based the proposal.

In the aforementioned joint opinion no. 5/2021, it is in fact highlighted that the risks to the fundamental rights and freedoms of interested parties deriving from the use of these tools and the implications for the protection of personal data are very relevant and it is underlined that among the high-risk AI systems those used in medical research should also be covered.

From another perspective, it is worth highlighting the amendment put forward by the European Parliament in relation to the proposed law on artificial intelligence aimed at specifying that "This regulation should contribute to supporting research and innovation and not compromise research activities and development and respects the freedom of scientific research. It is therefore necessary to exclude from its scope AI systems specifically developed for the sole purpose of scientific research and development and to ensure that the Regulation does not otherwise impact scientific research and development activities relating to AI systems. In all circumstances, any research and development activity should be carried out in accordance with the Charter, Union law as well as national law”(1).

Generating content, making predictions or adopting decisions automatically, as AI systems do, by means of machine learning techniques or logical and probabilistic inference rules is very different from the ways in which these same activities are carried out by human beings through creative or theoretical reasoning, in full awareness of the responsibility for the related consequences. If on the one hand, therefore, artificial intelligence will significantly expand the amount of predictions that can be made in many areas - starting with quantifiable correlations between data -, on the other hand, entrusting only machines with the task of making decisions based on data will pose risks to people's rights and freedoms which will affect their private lives and could harm social categories or even entire societies. In this regard, the Committee and the European Guarantor underline the centrality of the concept of human surveillance (or supervision) contained in the proposed Regulation (see Article 14), highlighting in this regard that the effective centrality of human beings should be based on supervision highly qualified and on the lawfulness of the processing, in order to ensure respect for the right not to be subject to a decision based exclusively on automated processing.
The treatments in question, subject to analysis in the light of the principles of the Regulation and the Code, will also have to comply, once defined, with the regulatory framework being formed in the context of the European Union - in the wake of the ethical guidelines (not of specific competence of this Authority) for trustworthy AI of the independent group of experts established by the European Commission - as well as the principles developed within the Council of Europe based on the design, development and application of trustworthy AI systems , respectful of the fundamental rights and freedoms of the interested parties.

In this regard, we also highlight the recent Decalogue for the creation of national health services through Artificial Intelligence systems adopted by the Guarantor on 10 October 2023, from which useful ideas can still be drawn in relation to the processing of personal data carried out through Intelligence tools artificial (web doc. n.9938038).

From another perspective, it should be highlighted that the regulations on the protection of personal data do not apply in relation to anonymous data. In this regard, "(...) information that does not refer to an identified or identifiable natural person or to personal data made sufficiently anonymous to prevent or no longer allow the identification of the interested party" is considered anonymous, also for processing carried out for statistical or research purposes (see recital no. 26 of the Regulation). The risk of re-identification of the interested party must, however, be carefully assessed taking into account "all the means, [...], which the data controller or a third party can reasonably use to identify said natural person directly or indirectly. To ascertain the reasonable probability of using the means to identify the natural person, consideration should be given to all objective factors, including the costs and time required for identification, taking into account both the technologies available at the time of the processing , and technological developments" (see recital no. 26 of the Regulation and WP29 Opinion 05/2014 on Anonymization techniques, adopted on 10 April 2014). An anonymization process cannot be effectively defined as such if it is not suitable for preventing anyone who uses such data, in combination with "reasonably available" means, from:

1. isolate a person in a group (single-out);

2. link anonymized data to data relating to a person present in a distinct data set (linkability);

3. deduce new information relating to a person from anonymized data (inference).

3. The Authority's assessments

3.1. Lawfulness and correctness of the processing of personal data

The company promoting the study and data controller, as required by art. 110 of the Code and 36 of the Regulation, presented to the Guarantor the study protocol and the impact assessment on the protection of personal data connected to the processing necessary for its implementation, carried out pursuant to art. 35 of the Regulation.

In this regard, the Guarantor believes that it has clarified the objective scope of the request for prior consultation which refers exclusively to the retrospective collection of data necessary for Phase 1 of the European project, presented in response to the tender entitled "A.I. for new signatures and models for tailored organ preservation approaches in laryngeal and hypopharyngeal cancer”

The Guarantor believes that the Company has correctly identified the legal bases for the processing of personal data relating to deceased or non-contactable subjects in the prior consultation procedure, pursuant to art. 110 of the Code, and for patients who can be contacted with the relevant consent (see also articles 9, par. 2, letter a) and 22, par. 4) of the Regulation).

The Company has also comprehensively represented the reasons justifying the impossibility of being able to inform interested parties and acquire their consent, as provided for in point 5.3 of the Requirements.

The Company, in fact, with declarations whose truthfulness is criminally liable pursuant to art. 168 of the Code, has highlighted that the impossibility of acquiring consent is related to the aggressiveness of the disease under investigation and the high incidence of mortality of the patients who intend to enroll.

The Company has in fact conducted a check on patients potentially eligible for the Study in order to evaluate the percentage of alive, deceased and ineligible patients, in order to be able to hypothesize an estimate applicable to all participating centers. Specifically, n. 60 medical records of patients suffering from locally advanced squamous cell carcinoma of the larynx and hypopharynx. The verification conducted showed that 46.67% of patients had died, 23.33% of patients should have been excluded as they were not eligible and 30% of patients were still alive.

Furthermore, with regard to living patients, objective difficulties were encountered in finding the current contact details of these patients, also given the period of time that has passed since the data relating to the interested parties were originally collected. In this regard, the Company stated that "(with respect to its potential subjects eligible for study) it attempted to contact some patients who were found to be untraceable; in particular, the center attempted to reach these patients via the contact details that they had communicated to the ASST as part of the treatment process to which they had undergone, without success.

On this point, it is considered necessary for the Company to keep track of the contact attempts made through one of the channels indicated in point 5.3 of the provisions (also through verification of the status of aliveness, consultation of the data reported in the clinical documentation, use of the contact details telephone numbers possibly provided, the acquisition of contact details from the registry office of the beneficiaries or through the Municipality Registry Office.

In this regard, it is also considered necessary for the Company to carry out at least three contact attempts as, taking into account the legal nature of the data controller and the size of the sample, they constitute a reasonable and proportionate effort.

Furthermore, in compliance with the provision referred to in the second sentence of paragraph 1 of the art. 110 of the Code, according to which the research program must be the subject of a reasoned favorable opinion from the competent ethical committee at territorial level, taking into account that the Company has produced the opinion of the Brescia ethics committee in its documents, in its definitive version of 5 March 2021, it remains understood that the participating Centers involved in the Study will be able to begin processing only after obtaining the favorable opinions of the respective territorially competent ethical committees, as a condition of lawfulness and correctness of the processing of personal data for the purposes in question , where it is not possible to acquire the consent of the interested parties (art. 110 of the Code; provision no. 202 of 29 October 2020, web doc. 9517401 and provision no. 406 of 1 November 2021, web doc. 9731827).

Taking into account that this provision concerns only phase 1 of the project, aimed exclusively at the "development of a predictive algorithm", the Guarantor believes that the Company has identified suitable guarantees in order to ensure the quality of the data for the effective application of the principle of correctness.

From this perspective, we therefore positively evaluate, on the one hand, the justified indispensability of information also referring to deceased and uncontactable subjects, in the absence of which the selected sample would be incomplete, consequently creating, as represented, possible biases in the development of the algorithm. In fact, it is up to human intervention to intervene in the selection of the information necessary to "train" the algorithm, also taking into account that the quality of the predictive capabilities of an algorithm varies depending on a plurality of factors, starting from the number, quality and on the accuracy of the training data (profiles covered by the first phase of the Study).

On the other hand, we appreciate the precise listing of the statistical mathematical models used to process the data which, if made known, also favors, with a view to transparency of the research activity, the opening of the project to possible observations from of the scientific community, overcoming critical issues related to any opacity of the logic used (see A Preliminary Opinion on data protection and scientific research of 6 January 2020 and see below par. 3.2).

3.2 Measures aimed at guaranteeing the effectiveness of the principle of transparency towards those enrolled in the Study

In general, we favorably acknowledge the measures undertaken by the Company to guarantee the effectiveness of the principle of transparency towards the interested parties and, in particular given the findings formulated by the Office, that the latter has prepared two separate information forms to interested parties, pursuant to articles. 13 and 14 of the Regulation, the latter to be made public through a specific advertisement on the company website.

With specific regard to the methods for providing information to interested parties who cannot be contacted or are deceased (in the latter case for the benefit of the subjects referred to in art. 2-terdecies of the Code), taking into account that the Firm involves n. 20 Italian participating Centres, in order to ensure the effective application of the aforementioned principles of correctness and transparency, it is deemed necessary for the Company to make the information public, pursuant to art. 14 of the Regulation, for the entire duration of the Study also through a specific advertisement on the institutional websites of the testing centers involved in the Study, in an easily accessible section.

On the merits, it should be noted first of all that, differently from what is indicated in the aforementioned information, in relation to the processing in question, the interested parties do not enjoy the right of opposition, but the broader rights of revocation and cancellation. In fact, the right of opposition belongs to the interested parties in relation to the processing necessary for the execution of a task of public interest or connected to the exercise of public powers, or for the pursuit of a legitimate interest of the owner or of third parties, pursuant to the art. 6, par. 1, letter. e) and f), of the Regulation.

It is therefore necessary for the Company to modify the text of the information on the processing of personal data, prepared pursuant to articles. 13 and 14 of the Regulation, eliminating the reference to the right of opposition.

From another perspective, and in relation to what was observed in the previous paragraph 3.1, it is highlighted that the implementation of effective measures aimed at guaranteeing substantial transparency of the processing of personal data carried out through algorithmic logic constitutes an essential element for the development and application of these systems takes place in a manner that respects the fundamental rights and freedoms of the interested parties, contributing to the creation of the climate of trust desired by the Regulation in the development of the digital economy (cons. 7).

To this end, it is considered necessary, first of all, that in the information it is represented in simple and clear language that the research project is aimed at the implementation of an algorithm.

However, given the indisputable difficulty for the majority of interested parties to understand in detail the operating methods of these innovative data processing means, the correctness and transparency of the same also involves the transparency of the methodologies and algorithmic logics applied which allows an widespread control and verification also and above all by expert subjects (control authorities, scientific community).

It is therefore considered necessary for the Company to publish the impact assessment on its institutional website, even if only in extract, integrated with the precise list of the statistical mathematical models used to process the data above, and with the indication of the algorithmic logics used.

3.3. The roles of the subjects involved in the Study and transfer of data to third countries

The Company has declared that the subjects indicated in the documentation in documents are participating in the Study, as participating Centres, as independent data controllers, as indicated in the information provided pursuant to the articles. 13 and 14 of the Regulation. It was also declared that the University of Oslo, Department of Informatics P.O., will participate in the project and will provide the electronic platform for data collection, appointed for this purpose as data controller pursuant to art. 28 of the Regulation and that the transfer of data to the aforementioned University will take place on the basis of adequate guarantees such as the adoption of the Standard Contractual Clauses (so-called "SCC"), pursuant to art. 46, par.2, letter. c) of the Regulation).

In this regard, it is noted that the organizational structure implemented for the implementation of the Study appears such as to exclude, in abstract, that unauthorized third parties may be involved in the processing operations of health data from patients enrolled in the aforementioned Study and that the transfer of the data to the University of Oslo complies with the aforementioned provisions on the protection of personal data.

3.4 The terms of conservation and anonymization of personal data

With reference to data retention times, we favorably acknowledge that the Company there

has ultimately identified 10 years from the conclusion of the Study, exhaustively motivating the reasons why it is necessary to keep the data for this period, i.e. the time period necessary to achieve the objectives of the Project which also include the subsequent analysis phases aimed at verifying and controlling the data and research results.

In this regard, it is reiterated that the reference to the conservation of the Firm's personal data for a period of 25 years, similarly to what is foreseen for clinical trials of drugs, must be considered not only irrelevant, since in this case it is not of this type of study, but also erroneous.

Nor is the circumstance that this deadline would be provided for in the "Discard Maximum" of the Lombardy Region in relation to clinical trials of drugs, to which the Company would be subject as a public administration, relevant on this point.

On this point, from a first point of view, it is noted that the "Waste Maximum" could not in fact indicate, for the aforementioned studies, conservation times different from 25 years, as they are indicated in the specific sector legislation (art. 58 of Regulation (EU) No. 536/2014 of the European Parliament and of the Council of 16 April 2014 on clinical trials of medicinal products for human use and repealing Directive 2001/20/EC).

Secondly, please note that the Regulation places a general prohibition on the processing - including therefore the conservation (art. 4, n. 2) - of particular categories of data, without prejudice to the exceptions referred to in the art. 9, par. 2 of the Regulation itself.

This makes the legislation that legitimizes the use of this type of information exceptional and as such not subject to analogical or extensive interpretations.

From another perspective, it should be noted that the documentation collected at the participating centers is already preserved and archived by these bodies on the basis of sector regulations (see Circular of the Ministry of Health dated 19 December 1986, n. 61; Presidential Decree dated 30 September 1963, n. 1409; legislative decree 22/01/2004, n. 42 containing the Cultural Heritage and Landscape Code).

The Company has recently declared that the personal data subject to the clinical trial are not disclosed under any circumstances. They may possibly be disseminated in a strictly anonymous and aggregated form, for example through scientific publications, statistics and scientific conferences. In any case, it has been clarified that at the end of the processing the data will be made anonymous.
In relation to this profile, taking into account the generic reference to the data aggregation technique alone as a measure for the anonymisation of the same at the end of the processing or in case of dissemination, the Guarantor reiterates that a high number of aggregate statistics increases the identifying power of each of them, until the possible complete reconstruction of a dataset (so-called "reconstruction attack"). Therefore, in order to avoid this risk, it is necessary that the number of statistics disseminated is significantly lower than the number of variables that are intended to be disclosed. In other words, by ensuring the dissemination of a limited number of statistics, we avoid the possibility of identifying the individual subjects forming part of the sample through mathematical calculations.

Having said all this, it is considered necessary that the Company, at the end of the data retention period for carrying out the Study, and in any case in the event of data sharing with third parties, ensures that the number of aggregate statistics to be made known is significantly lower than the number of variables considered; this, in order to avoid the risk of reconstructing data referable to single individuals.

Furthermore, as part of the periodic checks that the data controller is in any case required to carry out also in reference to the persistence of the effectiveness of the data anonymization measures and technological evolution, it is considered necessary that the Company also undertakes to remove any singularity, if, by any means, he becomes aware of it in a phase subsequent to the application of the aforementioned anonymization techniques, and to keep track of such events, and to repeat in this circumstance the assessment of the risk of re-identification in light of the causes which led to the onset of this singularity (see on this point, the Opinion of 30 June 2022, web doc. 9791886 and of 7 March 2023, web doc. no. 9875254).

3.5 The security measures implemented

Without prejudice to what has been observed above regarding the shortcomings concerning the processing of personal data through algorithmic logic, it is noted that in the impact assessment an analysis of the risks connected to the processing of personal data necessary to pursue the purpose of the research was carried out.

With specific reference to the TSD web based platform, used for data uploading and managed by the University of Oslo, access is expected to be reserved exclusively for authorized personnel who are issued personal credentials sent via two separate emails and who the data are entered into the e-cfr in a pseudonymized form, in order to guarantee compliance with the principle of minimization.

The Company also has organizational and IT security measures such as: access control and user profiling and authorization; the disaster recovery plan, antivirus/firewall; security policy also for paper documents; policy for managing incidents relating to data security (data breach); operating instructions for authorized persons; who are informed of the possibility of incurring disciplinary proceedings in the event of failure to comply with the policies regarding the processing of personal data.

The Company has also provided that "privacy by design and by default compliance is required for the purchase and/or outsourced development of information systems or services outsourced and for related updates, including releases of new versions".

ALL THIS CONSIDERING THE GUARANTOR

pursuant to art. 110 of the Code and art. 36 of the Regulation, expresses to the Azienda Socio Sanitaria Territoriale degli Spedali Civili di Brescia, Piazzale Spedali Civili, 1 25123 (Brescia), VAT number 03775110988 C.F. 03775110988, favorable opinion regarding the processing of personal data for medical, biomedical and epidemiological research purposes, referring to the cohort of deceased or uncontactable patients in the retrospective observational study called "Artificial intelligence for the definition of new signatures and models for the personalization of organ preservation strategies for laryngeal and hypopharyngeal cancer - PRESERVE” provided that:

a) makes at least three attempts before certifying the non-contactability of patients and keeps track of it in the Practice documentation (point 3.1);

b) modify the text of the information on the processing of personal data, prepared pursuant to articles. 13 and 14 of the Regulation, eliminating the reference to the right of opposition (par. 3.2);

c) in the information it is represented in simple and clear language that the research project is aimed at implementing an algorithm (paragraph 3.2);

d) publishes the impact assessment on its institutional website, even if only in extract, integrated with the precise list of the statistical mathematical models used to process the data and with the indication of the algorithmic logics used (paragraph 3.2.);

e) at the end of the data retention period for carrying out the Study, and in any case in the event of data sharing with third parties, ensure that the number of aggregate statistics to be made available is significantly lower than the number of variables considered (par 3.4 .);

f) removes any singularity, if, by any means, it becomes aware of it in a phase subsequent to the application of the aforementioned anonymisation techniques, and to keep track of such events, and to repeat in this circumstance the assessment of the risk of re-identification at light of the causes that determined the onset of this singularity (par. 3.4).

Pursuant to art. 78 of the Regulation, of the articles. 152 of the Code and 10 of Legislative Decree no. 150/2011, it is possible to lodge an appeal against this provision before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the appellant resides abroad.

Rome, 24 January 2024

PRESIDENT
Stantion

THE SPEAKER
Zest

THE GENERAL SECRETARY
Mattei

NOTE

1) See https://www.europarl.europa.eu/doceo/document/TA-9-2023-0236_IT.html