Garante per la protezione dei dati personali (Italy) - 9529527

From GDPRhub
Garante per la protezione dei dati personali - 9529527
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(f) GDPR
Article 13 GDPR
Article 14 GDPR
Article 28 GDPR
Article 30 GDPR
Article 35 GDPR
Article 83(1) GDPR
Article 83(2) GDPR
Article 83(4)(a) GDPR
Article 83(5)(b) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 17.12.2020
Published: 27.01.2021
Fine: 100000 EUR
Parties: Azienda Unità Sanitaria Locale Toscana Sud Est
National Case Number/Name: 9529527
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Italian
Original Source: Garante per la Protezione dei Dati Personali (in IT)
Initial Contributor: AS

The Italian DPA (Garante) imposed a fine of € 100,000 on a local public health body for the violation of several GDPR provisions. The data processing involved the sharing of patients’ data across several health care stakeholders.

English Summary

Facts

The case involves the processing of citizens’ health data by Azienda Unità Sanitaria Locale Toscana Sud Est (hereafter simply ‘USL’), a local public health body, as part of a broader initiative of the Tuscany Region related to the monitoring of chronic diseases in the population. The facts – as they emerged from an initial notice received from a general practitioner (hereafter ‘GP’), the subsequent investigation by the Italian DPA, and the information provided by the public body – read as follows.

In the context of the above-mentioned public health approach, health data was shared among several public healthcare stakeholders, including general practitioners (GPs) and public clinics, coordinated by the USL. Initially, GPs sent to the USL only aggregated data pertaining to specific diseases. From 2018, however, the USL asked GPs to fill in an Excel file with the names of the patients and their pathologies. After having gathered patients’ consent, GPs filled in the file, embedded it in a password-protected zip archive, and shared it with ‘district physicians’ via a USB stick. The file was then copied onto the district physician’s PC and sent via email to the district physician competent for the whole provincial area, who eventually sent it by the same means to an administrative body named ‘ESTAR’. ESTAR is a data processor which manages a ‘data warehouse’ and makes data from the programme available to the USL, for monitoring purposes, via a ‘data mart’. Before entering the data warehouse, the data were pseudonymised by replacing names with an existing regional identifier.

Dispute

Holding

As a result of the investigation, the Garante found several violations of the GDPR.

Firstly, the USL had not documented its processing activities as required by Article 30 GDPR, despite the two years between the adoption of the GDPR and its coming into force.

Secondly, the legal designation of ESTAR as data processor was not clear and detailed enough to be compliant with Article 28 GDPR (nor with Article 29 of the Italian ‘Privacy Code’ implementing the Data Protection Directive, which was in force at the time of the initial designation).

Thirdly, the process for the collection of data from GPs did not provide for sufficient technical and organisational measures, and was not designed following a risk-based approach. According to the Garante, the means used to gather and share data across the different stakeholders did not follow the security principles as per Article 5(1)(f) GDPR (ed.: the decision actually reads 5(2)(f)), highlighting ‘the absence of an assessment of the risks related to the data processing that should have been carried out in the context of the impact assessment, which does not appear to have been carried out’.

Moreover, the information given to data subjects was lacking ‘some of the essential elements required by the regulation’ as per Articles 13 and 14 of the GDPR, such as: data retention periods, information about data subjects’ rights, contact data of data controller and data processor, a clear description of the data processing and the legal basis for the data processing. Again, the Italian DPA stressed that such requirements preceded the entry into force of the GDPR.

Finally, the Garante found that, despite the nature of the data processed and the number of data subjects involved, no DPIA was carried out for the data processing, and that this is to be considered particularly critical as ‘some evident shortcomings concerning the adoption of adequate security measures could have been avoided if the risk of processing had been adequately assessed.’

The Italian DPA then declared the processing carried out by the USL unlawful ‘on the ground that it infringes Articles 5(2)(f), 13, 14, 28, 30, 32 and 35 of the Regulation.’

Since the beginning of the investigation, the USL proceeded to correct the violations of Articles 13, 14, 28, and 30. Given this, and the fact that it also went back to gathering only anonymous data from GPs, the Garante found that ‘the conditions for the adoption of the corrective measures referred to in Article 58(2) of the Regulation are not met’. The Authority then imposed an administrative fine on the USL as per Articles 83(5)(b) and 83(4)(a) GDPR.

The elements considered to determine the amount of the fine are the following: the fact that the Garante only received one report about the infringement, and that no data breach was reported; the fact that the data processing involved health data; the lack of a risk assessment, of security measures, and of records of processing activities, which are part of the accountability principle as per Article 5(2) GDPR; the fact that the USL showed ‘a high degree of cooperation’; and the fact that regional authorities initiated a process to properly regulate the whole health care initiative. For these reasons, the Garante found an administrative fine of 100,000 Euros to be effective, proportionate, and dissuasive. Finally, the DPA stated that ‘in quantifying the fine, the Garante took into particular consideration the fact that the violations are connected to a processing operation that started shortly before the definitive application of the Regulation.’

Interestingly, despite having found violations of several articles, the Garante stated that the fine was due to the violation of ‘Articles 13 and 28 GDPR.’

Comment


Further Resources


English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

[doc. web n. 9529527]

Injunction order against the Local Health Unit of Tuscany South East - 17 December 2020

Record of measures
n. 278 of December 17, 2020

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by prof. Pasquale Stanzione, president, professor Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer Guido Scorza, members and the cons. Fabio Mattei, general secretary;

GIVEN the Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, concerning the protection of individuals with regard to the processing of personal data, as well as the free circulation of such data and which repeals Directive 95/46/EC, "General Data Protection Regulation" (hereinafter the "Regulation");

GIVEN the legislative decree 30 June 2003, n. 196 containing the "Code regarding the protection of personal data, containing provisions for the adaptation of the national system to the Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, relating to the protection of individuals with regard to the processing of personal data, as well as to the free circulation of such data and which repeals Directive 95/46/EC" (hereinafter the "Code");

GIVEN the Regulation n. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved by resolution no. 98 of 4/4/2019, published in G.U. n. 106 of 8/5/2019 and in www.gpdp.it, doc. web n. 9107633 (hereinafter "Regulation of the Guarantor no. 1/2019");

GIVEN the documentation in the deeds;

HAVING REGARD to the observations made by the Secretary General pursuant to art. 15 of the Guarantor's Regulation n. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data, Doc. web n. 1098801;

Professor Ginevra Cerrina Feroni will be the speaker;

WHEREAS

1. The violation of personal data and the preliminary investigation

As part of the investigation carried out with reference to a report from a general practitioner on the initiative health care model adopted by the USL Toscana Sud Est (hereinafter the Company) and in the light of the information provided by the same at the request of the Office (note dated 13.7.2018, prot. no. 21012, reply dated 24.8.2018), on 27 November 2018 an inspection was carried out at the aforementioned company aimed at verifying compliance with the rules on personal data protection, with particular reference to the processing of particular categories of data carried out in the context of the so-called "Initiative health care".

During the aforementioned inspection, it was found that:

- the model of care approach of the so-called "Healthcare initiative", followed throughout Tuscany, is based on the anticipation of services to certain categories of patients, in order to prevent morbid events. This model sees the participation of various actors of the regional health service and in particular general practitioners (GPs) and the clinics of local health companies (integrated clinical networks), who operate as independent data controllers, under the organizational coordination of the territorially competent health authority. The model is realized through the impulse of the GP, who, in the so-called "Enrollment phase", selects, among his or her patients, those affected by chronic diseases identified at the regional level (e.g. diabetes, heart failure) and offers them Individual Assistance Plans (PAI), characterized by the offer of a service calendar strictly connected to the pathologies suffered by the patient. If the patient decides not to adhere to this plan, he or she will still be able to take advantage of the services offered by the regional health service, as well as access the prevention campaigns;

- the initiative healthcare model promoted by the Company has had a different articulation over time. In a first phase, which ended in 2017, the GPs sent the Company only the total number of patients enrolled in relation to the various chronic conditions indicated (e.g. diabetes). If the total number of patients enrolled diverged significantly from the regional average (verification of the plausible number as prevalence), the Company would carry out random checks, as part of the supervisory functions assigned to it. Starting from 2018, it was decided instead to expand the range of information that GPs had to send to the Company as part of the initiative health care model promoted by the same. To this end, the Company sent the GPs the updated list of their patients in an Excel table (in zip format with a password to open the file). Subject to the acquisition of specific informed consent from the interested parties (on file), the GPs sent the aforementioned list back to the Company, after having reported, next to the name of each patient, the possible presence of one or more of the morbid conditions for which the patient was to be enrolled;

- the sending of such data by the GPs was considered a condition for the recognition to the doctor of a portion of the funding provided for by the collective agreements (compliance with prevalence targets);

- the legal basis for the communication of particular categories of personal data from GPs to the Company has been identified in the consent of the interested party and in form no. 7, annex B) to the Regulation for the processing of sensitive and judicial data of the Tuscany Region;

- for the purposes of the aforementioned recruitment, the GPs proceeded, by querying their database, selecting individual patients affected by the pathologies indicated by the Company. Once the patients to be enrolled had been identified, the GP proposed to the patients, at the first contact, or with an active recall, an individual assistance plan (PAI);

- until 2018, the GP only communicated to the Company the total number of activated PAIs and the global number of specialist services that the same Company would subsequently have to guarantee according to the activated PAIs;

- a new procedure was subsequently adopted which provided, differently from the past, for the sending of the nominative data of the patients enrolled (and no longer just the total number). According to this new procedure, the GPs saved the aforementioned Excel table with the data of the patients enrolled on a removable medium owned by them (pen drive) and delivered the aforementioned medium to the district doctor, who in turn saved the Excel file on his own PC and returned the removable medium to the doctor. The district doctor then proceeded to send the file, via e-mail, to the district doctor of reference for the provincial area. Subsequently, this doctor forwarded, again via e-mail, to the Regional Administrative Technical Support Body (ESTAR) the Excel files he had received from the various district doctors, attaching them in zip format with a password for opening (message on file). No loss or theft of the aforementioned removable media used by GPs for communicating the data of enrolled patients to the Company has been reported;

- ESTAR was designated by the Healthcare Company as the external data processor in 2016 (Prot. 0142457 of 03/10/2016, on file). At the time of the inspections, the Health Authority, in the context of the regional privacy table in which the representatives of the other health companies of the Tuscany Region participate, was proceeding with the revision of this designation, in order to comply with the new provisions dictated by the Regulation;

- ESTAR, after receiving the aforementioned Excel files from the referring district doctors for provincial areas, consolidated this information and entered it in a company data warehouse. ESTAR then made available to the Company a data collector (data mart) relating to the progress of the enrollment process, by pathology and by doctor, which allowed the Company to perform the aforementioned prevalence calculation (verification of the plausible as prevalence);

- at the time of data entry into the data warehouse by ESTAR, the acquired information was deprived of directly identifying data (name and surname) by associating, to each enrolled patient, the unique regional code also used to fulfil the information obligations towards the Region and the Ministry of Health. The monitoring, evaluation, management and control activities carried out by the Company on the aforementioned data warehouse refer to those described in form no. 39, attachment B) to the Tuscany Region Regulations for the processing of sensitive and judicial data. The Company employees authorized to do so could access the aforementioned data warehouse through specific authentication credentials;

- the data described above have not been transmitted to the Tuscany Region;

- with regard to the processing described above, the health company has not carried out an impact assessment pursuant to art. 35 of the Regulation;

- furthermore, the retention time of the data collected through the aforementioned initiative health projects by doctors and the Company has not been defined;

- as of the date of the inspections (27 November 2018), the Register of processing activities referred to in art. 30 of the Regulation was still in a working version.

With an e-mail dated December 3, 2018, the Healthcare Company supplemented the documentation acquired during the aforementioned assessment, sending a copy of the register of processing activities adopted on November 30, 2018, pursuant to art. 30 of the Regulation.

In relation to the results of the aforementioned investigation, the Office, with deed no. 10618 of 27 March 2019, notified the South East Tuscany Local Health Authority, pursuant to art. 166, paragraph 5, of the Code, the initiation of the procedure for the adoption of the measures referred to in Article 58, paragraph 2, of the Regulations, inviting the aforementioned holder to produce defensive writings or documents to the Guarantor or to ask to be heard by the Authority (art. 166, paragraphs 6 and 7, of the Code; as well as art. 18, paragraph 1, of the law n. 689 of 24/11/1981).

In particular, the Office, in the aforementioned deed, represented that:

- in our legal system there is no specific definition and discipline of the so-called "Healthcare / initiative medicine". Despite this, this term is present in numerous policy and planning acts of the Ministry of Health and the Regions. From the analysis of these documents, it emerges that "initiative medicine" means a care model oriented to the "active promotion" of the health of the individual, especially if suffering from chronic diseases or disabilities, and to empowering people in their own care path (source Ministry of Health http://www.salute.gov.it/portale/temi/p2_6.jsp?id= 496 & area = Primary care% 20 & menu = care; see, among many references, Ministry of Health, General Assembly of the Superior Council of Health, "Telemedicine - national guidelines", 10 July 2012, par. 2.3.2; Decree 02 April 2015, n. 70 - Regulation defining the qualitative, structural, technological and quantitative standards relating to hospital care; Agreement between the Government, the Regions and the Autonomous Provinces of Trento and Bolzano on the project lines for the use by the Regions of the restricted resources pursuant to Article 1, paragraphs 34 and 34 bis, of Law 23 December 1996, n. 662 for the achievement of the objectives of a priority nature and of national importance for the year 2014);

- as highlighted in the report of the operations carried out, on the basis of an initiative promoted by the Company, the GPs selected, from among their patients, those affected by certain chronic diseases identified at the regional level (e.g. diabetes, heart failure) (so-called Enrollment phase) and offered them individual assistance plans (PAI), characterized by the offer of a personalized service calendar, according to the pathologies suffered. Initially, the aforementioned doctors communicated to the Company only the total number of patients enrolled. Starting from 2018, on the other hand, the GPs, on the instructions of the Company, compiled an Excel file containing the details of the patients enrolled with each doctor, highlighting, only for the patients enrolled, the presence of one or more of the morbid conditions for which it was intended to offer them a PAI (data in the table: name, surname, date of birth and tax code of the patient);

- the adoption of this procedure led to the collection and processing of health data, in order to create, with reference to specific pathologies, a health risk profile of the person concerned, and therefore configured a processing by the GP independent from the main one aimed at the care of the patient (based, at the time of the facts, on informed consent) and, since 2018, by the Company, a processing of personal data on the health of patients, based on the consent of the interested party acquired through the form called "European Regulation for the protection of individuals with regard to the processing of personal data (n. 2016/679 RGPD) - Information pursuant to art. 13 and 14 of the Regulations" (on file), created by the Company, as data controller, and provided to GPs to be given to the patient upon enrollment;

- in light of the nature of the data processed and the number of interested parties, the processing described above, carried out by the Company since 2018, falls within the cases in which the controller cannot omit a data protection impact assessment, pursuant to the provisions of the RGPD and the criteria identified by the Article 29 Working Party in the Guidelines on "Data protection impact assessment and the criteria for establishing whether processing 'may present a high risk' pursuant to Regulation 2016/679" (WP 248, adopted in amended form on 4.10.2017; on this point see also the software, free and freely downloadable from the website www.cnil.fr (https://www.cnil.fr/fr/outil-pia-telechargez-et-installez-le-logiciel-de-la-cnil), which offers a guided path to the realization of the DPIA, according to a sequence in compliance with the indications provided by WP29 in the Guidelines on the DPIA). In this regard, it was acknowledged that the aforementioned assessment had not been carried out in consideration of the fact that the project had been started before the date of full application of the European Regulation;

- the processing under investigation, not being strictly necessary for the care purposes pursued by the various data controllers involved, was correctly carried out after obtaining the informed consent of the interested party (articles 9, paragraph 2, lett. a) and h), 13 and 14 of the Regulation). The informed consent form, acquired as part of the inspection and relating to the processing activities carried out by the Company with reference to the health care initiative, was, however, lacking some of the information elements required by the aforementioned articles 13 and 14 of the Regulation, such as: the retention period of personal data, the rights recognized by the Regulation to the interested parties, the right to lodge a complaint with the Supervisory Authority and the contact details of the data controllers and the data protection officer. Furthermore, the aforementioned information form did not provide clear indications regarding the processing carried out by the Regional Health Agency "for purposes of monitoring and assessing the quality of care", with particular reference to the indications relating to the legal basis of the processing;

- at the time of the inspection, the Company had not yet adopted a register of the processing activities carried out by the same (pursuant to Article 30 of the RGPD), which was only formalized subsequently on 30 November 2018;

- with specific reference to the procedure for sending the nominative data of the patients enrolled by the GPs, adopted starting from 2018, the Company should have put in place adequate technical and organizational measures to ensure a level of security proportionate to the risk, which may include, among others, pseudonymisation, encryption of personal data and measures capable of ensuring, on a permanent basis, the confidentiality, integrity, availability and resilience of processing systems and services. The processing methods detected during the inspection (the GPs save the Excel table on a removable medium - pen drive - owned by them; the medium is delivered to the district doctor; the Excel file is saved on the district doctor's PC and sent - attached to an e-mail - to the district doctor of reference for the provincial area; the latter subsequently sends the files received from all district doctors to ESTAR, attaching them - in zip format with a password for opening - to an e-mail message) do not respect the principle of integrity and confidentiality and do not guarantee the security of the processing (articles 5, paragraph 2, letter f) and 32 of the Regulation);

- the designation of the ESTAR company as data processor, exhibited at the time of the inspection (Prot. 0142457 of 03/10/2016) and relating to all the processing activities carried out by the aforementioned Body on behalf of the Healthcare Company, is found to be unsuitable with respect to the provisions of art. 28 of the Regulation as it did not indicate, in an analytical way, the specific tasks assigned and did not provide precise instructions in relation to the multiple processing activities carried out by the Body, including those relating to initiative medicine.

In the aforementioned deed of 12 March 2019, the Office therefore found that the Company had processed the personal data of the interested parties who adhered to the "health initiative" model in violation of:

- the right of the interested parties to receive - at the time of data collection - all the information referred to in Articles 13 and 14 of the Regulations;

- the obligations of the controller with regard to the data protection impact assessment pursuant to art. 35 of the Regulation;

- the obligations of the controller to comply with the basic principles of processing referred to in art. 5, par. f) of the Regulations and the security of the processing referred to in art. 32 of the Regulation;

and more generally, with reference to all the processing carried out by the Company, in violation of:

- the obligation to keep the register of processing activities pursuant to art. 30 of the Regulation;

- the obligations of the controller regarding the correct designation of ESTAR as data processor pursuant to art. 28 of the Regulations, precisely identifying the tasks and instructions with reference to the multiple processing activities carried out by the Entity on behalf of the Company.

With a note dated May 22, 2019, the Company asked to be heard by the Authority and sent its defense briefs, in which, in particular, it was represented that:

a) "in the months following July 2018, there were no further transmissions by the GPs to this Company of lists with personal data of the patients enrolled in 2018 (with the exception of only the territorial area of Siena, in which some data were transmitted on 4 September, due to the absence of the district doctor of reference) and that to date the new data collection procedure for 2019 has not yet been started ";

b) it was established that "for 2019, GPs will communicate the data in an aggregate and anonymous form, indicating only the total number of patients enrolled in relation to the various chronic conditions identified, without their names or any other personal data";

c) it was decided to "start the activities for the adoption, also at ESTAR, of specific organizational, technical and security measures (...) aimed at limiting any form of use or processing of personal data relating to enrolled patients referred to in lists acquired in 2018 ";

d) to want to "start the activities necessary for the cancellation of the copies of the aforementioned personal data held by the district doctors of this Company";

e) with specific reference to the information to be provided to the interested party, "following the inspection (...) (have been prepared) the new information and consent forms relating to the processing of personal data of patients who intend to confirm or carry out the adherence to the Initiative Healthcare model for the year 2019 (...) and will soon be made available to GPs with the communication relating to the operating instructions that will be given by this Company for carrying out the Initiative Healthcare activities for 2019. In these instructions it will also be provided that the participating doctors will have to communicate to the Company only the aggregate data relating to the total number of patients enrolled for each of the paths identified". "In this period of transition from the old to the new regime, as is well known, the previous provisions of Legislative Decree no. 196/2003 on the subject of information, as well as consent and other conditions of lawfulness of the processing, both general and specific with regard to the health sector (...), so it seems reasonable to believe that, also considering the framework of regulatory uncertainty, the information and consent forms prepared in the first months of 2018 may still not be fully aligned with the new provisions of the Regulation";

f) with specific reference to keeping the register of processing activities, "at the time of the inspection on November 27, 2018 (...) this Company was in possession of a version of the processing register still in progress, concerning the processing common to companies territorial and hospital, the result of the work carried out within the "Regional / Bodies and companies of the regional health service", and had then completed and formally adopted the final version of this register, with the integration of further treatments pertaining to the 'Company, the following 30 November ";

g) with specific reference to the designation of ESTAR as data processor, the "Company had in any case attributed to ESTAR the designation and obligations of data processor pursuant to the previous art. 29 of the Privacy Code, according to the scheme prepared by the Tuscany Region, which already contained various elements corresponding, in substance, to those provided for by art. 28 of the Regulation "and" on 13 November 2018 (ie before the inspection), this Company had already resolved to proceed with the signing of the new scheme which was then formalized at the end of the year (in any case prior to the notification of the alleged violation) ";

h) with specific reference to the drafting of an impact assessment, the "Company did not consider at the time to proceed with an impact assessment, as the personal data processing activity in question had in any case been configured and started before the application of the Regulation ". The "Company had indicated its intention to proceed instead with an impact assessment with regard to the possible technological developments of the procedure for sending the data in question through a platform technically managed by ESTAR, also in light of the provision published in that period by this Authority concerning the list of types of processing subject to the impact assessment requirement pursuant to art. 35, par. 4, of the Regulations ";

i) with specific reference to the obligations of the owner with regard to security criteria, the "remarks made in relation to the procedure followed in 2018 are currently to be considered overcome in light of (...) (of) the decision of this Company to provide for a communication by GPs only of aggregated and anonymous data referring to the total number of patients enrolled for the indicated paths and to adopt some specific measures aimed at making the previously collected data unusable "and that" there are also no losses or thefts or in any case, security incidents resulting from the operation described above which, in the limited period of time in which it was implemented, although it can certainly be perfected in order to raise security levels ";

On February 3, 2020, the Company waived the hearing and supplemented the documentation relating to the processing in question, representing the additional activities carried out under the so-called "Health care initiative", highlighting, in particular, that:

a) it was established that "each GP, as data controller, at the time of the first contact with the patient for the confirmation of adherence or for a new enrollment in the 'Healthcare initiative' assistance model (therefore, both for patients already enrolled in 2018 and for those enrolled in 2019), issues the information to the interested party and acquires their consent on the basis of the new forms prepared by the Company";

b) it was established that "communications from GPs participating in the Healthcare initiative to the Company concern only the total number of patients enrolled in relation to the various chronic conditions identified, without their names or any other personal data";

c) "with regard to the nominative data of the enrolled patients referred to in the lists transmitted by the GPs in 2018 and kept by the district doctors employed by the Company, this Company has in any case acquired from the latter also a formal written attestation of the cancellation of each copy of the same data, confirming what is indicated in point 2, second paragraph, third line, of the defense briefs. In this regard, it should be noted that the certificates received are kept in the records of this Company and that they can be made available to this Office, if deemed necessary ";

d) "the Tuscany Region, in consideration of the relevance of the healthcare model called "Healthcare initiative", has activated the institutional process for the integration into regional legislation of a complete regulation of this innovative care modality".

2. Outcome of the investigation.

The inspection carried out by the Office and the subsequent investigation concerned the processing of personal data carried out by the Azienda USL Toscana Sud Est within the scope of the so-called "Sanità di iniziativa" (initiative healthcare) care model.

Although this model is not regulated by any national legislation, since 2009 it has constituted a reference organisational and care model at regional level, which has taken, over time, different forms and names (e.g. chronic care model). These models were created in order to favour "a methodological approach to taking charge of and caring for the patient", which translates into an "active and periodic recall of the patient in order to subject him or her to educational and clinical care activities aimed at correcting lifestyles, empowerment, and early diagnosis" (statements in the documents on file). The care model described in the documents on file provides for the involvement of different controllers, who intervene at different times and for the achievement of specific aims. A central role is attributed to the GP, who is called upon to carry out the enrolment of patients and to monitor each patient's adherence to the proposed care model.

This organisational model of care has been promoted, at regional level, by certain resolutions of the Tuscany Region (cf. DGRT nos. 650/2016 and 930/2017), but each health authority has started it operationally, on its own initiative and in its territorial area of competence, since 2017, coordinating the activities of the GPs and providing them with organisational indications on the procedures and timing of the proposed care model.

In this context, the local health authority also drew up the templates containing the information to be provided to data subjects for the processing of personal data carried out by the authority itself in the context of initiative healthcare, providing that the GPs would submit them to the patients to be enrolled.

The investigation carried out by the Office concerned the activities carried out by the Company within the framework of the processing performed through the implementation of the care model described above. From what emerged during the investigation, in the first phase the health authority, in carrying out the aforementioned coordination activities, did not process personal data of the patients who joined the initiative healthcare model. From the beginning of 2018 until September of the same year, owing to a change in the way the activities connected with the implementation of this care model were carried out, the health authority, on the basis of the data subjects' consent, instead processed the personal data of enrolled patients in its capacity as data controller, for the purposes of monitoring and evaluating the quality of the care provided through the initiative healthcare model (see the template information notice in the file).

As a result of the investigation carried out by the Office and of the critical issues that emerged, the Company declared that, in order to achieve the aforementioned purposes, in future it would use only aggregated and anonymous information on patients provided by the GPs.

Having taken note of what has been represented by the Company in the documents on file and in the defence briefs, it is noted that:

1. at the time of the inspection, the Company had not yet adopted, for all the processing operations carried out by it, the register of processing activities required by Article 30 of the Regulation, which was adopted only on 30 November 2018. Keeping the register is an essential element of the governance of processing operations and of the effective identification of those presenting a higher risk. The Company was obliged to adopt the register by the date of full application of the Regulation (25 May 2018), since the exemption from keeping the register provided for by the Regulation does not apply in the presence of even one of the elements indicated in Article 30(5) (processing likely to result in a risk to the rights and freedoms of data subjects, processing that is not occasional, processing that includes special categories of data referred to in Article 9 or data relating to criminal convictions and offences), which are undoubtedly present in the case under consideration. It must also be borne in mind that the Regulation had already entered into force on 25 May 2016 and that the two years which elapsed before its full application were to be used by data controllers to bring their processing into line with its provisions;

2. the appointment of ESTAR as data processor, made by act of 3 October 2016, was unsuitable, given the complexity of the processing operations carried out by that body on behalf of the Company, with regard to the requirements of Article 28 of the Regulation and also with regard to Article 29 of the Code, in force at the time the appointment was adopted. The act does not indicate in detail the tasks assigned to ESTAR in relation to the many processing operations carried out by that body, including those relating to initiative healthcare (processing of patients' personal data in the Excel files compiled by the district doctors responsible for the provincial areas, consolidation of that information, loading of it into a company data warehouse and creation of a data mart on the progress of the enrolment process by pathology and by doctor, which allowed the Company to carry out the above-mentioned prevalence calculation) and, consequently, does not include specific instructions in relation to the multiplicity of processing operations carried out by ESTAR on behalf of the health authority (Article 29 of the Code, in force at the time of the designation, and Article 28 of the Regulation, in force at the time of the inspection). The Company renewed ESTAR's designation as data processor by deed dated 27 December 2018;

3. with reference to the procedure, adopted as of 2018, for sending the nominative data of enrolled patients from the GPs to the Company, the Company did not put in place technical and organisational measures adequate to ensure a level of security proportionate to the risk. The methods described above, ascertained in the course of the inspection (saving by the GPs of the Excel table on a removable medium (pen drive) owned by them; delivery of the medium to the district doctor; saving of the file on the district doctor's PC and sending of the same, attached to an e-mail, to the district doctor responsible for the provincial area; subsequent sending by the latter to ESTAR of the files received from all the district doctors, attached to an e-mail message in zip format with a password for opening), do not comply with the security principles and criteria laid down in Articles 5(1)(f) and 32 of the Regulation. These processing methods reveal the absence of a risk assessment of the processing, which should have been carried out in the context of the impact assessment, which in turn does not appear to have been carried out;

4. the template information notice entitled "European Regulation for the protection of individuals with regard to the processing of personal data (No 2016/679 GDPR) - Information pursuant to Art. 13 and 14 of the Regulation", produced by the Company in its capacity as data controller for the purposes of monitoring and evaluating the quality of the care provided through the initiative healthcare model, and provided to the GPs so that it could be made available to patients at the time of enrolment, lacks some of the essential elements required by the rules in force at the time of enrolment, such as: the retention period of the personal data, the rights the Regulation grants to data subjects, the right to lodge a complaint with the supervisory authority, and the contact details of the data controllers and of the data protection officer. Moreover, the template did not give clear indications concerning the processing carried out by the Company "for purposes of monitoring and evaluating the quality of care", with specific reference to the legal basis of the processing. Although these templates were prepared by the Company before the date of full application of the Regulation, they refer to a collection of data that took place during the period of application of the European rules, which, moreover, are mentioned in the header of the template. It should also be pointed out that the templates also lack some of the essential elements that were already required by the previous legislation (Article 13 of the Code), such as the rights of data subjects and precise indications on the role of the Company. Finally, the template made no reference to other sources (e.g. the websites of the various controllers involved) from which the missing information could be obtained;

5. in light of the nature of the data processed and the number of data subjects, the processing carried out by the Company in 2018 with reference to initiative healthcare falls within the cases in which the data controller cannot dispense with a data protection impact assessment. It was ascertained, however, that the Company had not carried out the impact assessment required by Article 35 of the Regulation. Although the processing operations started before the full application of the Regulation, the impact assessment was in any case necessary, since they continued during the period of full application of the Regulation. As stated above, some obvious shortcomings in the adoption of adequate security measures could have been avoided if the risk of the processing had been properly assessed. In this regard, it is noted that in future the transmission of data from the GPs to the Company will concern exclusively anonymous information.
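As an added illustration, not part of the Garante's decision or of the Company's documentation: the remedy the Company describes above, sending the Company only per-pathology totals rather than a nominative list, reduced to code. The sample rows, the list of monitored pathologies and the small-count suppression threshold are assumptions of this example; the decision itself requires only that names and other personal data be absent from what the GPs transmit.

```python
"""Added illustration: aggregating a nominative enrolment list into the
per-pathology totals the Company says GPs will send in future.
Not code from the decision or from the Azienda; every input below is
constructed for the example."""
from collections import Counter
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample in the shape the decision describes for the 2018 Excel
# file: one row per enrolled patient (patient name, pathology). Names are
# invented.
SAMPLE_ROWS: List[Tuple[str, str]] = [
    ("Mario Rossi", "diabetes"),
    ("Anna Bianchi", "diabetes"),
    ("Luca Verdi", "diabetes"),
    ("Giulia Neri", "diabetes"),
    ("Paolo Gallo", "heart failure"),
    ("Sara Conti", "heart failure"),
    ("Marco Ferri", "heart failure"),
    ("Elena Costa", "COPD"),
    ("Davide Moro", "stroke"),
]

# Assumed list of the chronic conditions the programme monitors. Only these
# labels may appear in the report, so a free-text value typed into the
# pathology column cannot be forwarded by accident.
MONITORED_PATHOLOGIES: Tuple[str, ...] = ("diabetes", "heart failure", "COPD", "stroke")

# Assumption of this example, not a measure described in the decision: a
# non-zero count below this threshold is suppressed (reported as None),
# because "1 patient with condition X at practice Y" can still single out a
# person even though no name is sent.
SUPPRESSION_THRESHOLD = 3


def aggregate(rows: Iterable[Tuple[str, str]],
              threshold: int = SUPPRESSION_THRESHOLD) -> Dict[str, Optional[int]]:
    """Return {pathology: count} for every monitored pathology.

    Names are dropped entirely; rows whose pathology is not in the monitored
    list are ignored; non-zero counts below `threshold` are suppressed.
    """
    counts = Counter(pathology for _, pathology in rows
                     if pathology in MONITORED_PATHOLOGIES)
    report: Dict[str, Optional[int]] = {}
    for pathology in MONITORED_PATHOLOGIES:
        n = counts.get(pathology, 0)
        report[pathology] = n if (n == 0 or n >= threshold) else None
    return report


def leaks_personal_data(report: Dict[str, Optional[int]],
                        rows: Iterable[Tuple[str, str]]) -> bool:
    """Cheap release check run before the report leaves the practice: True if
    any patient name from the source rows appears anywhere in the serialised
    report, or if a reported value is something other than a count."""
    serialised = repr(report)
    if any(name in serialised for name, _ in rows):
        return True
    return any(v is not None and not isinstance(v, int) for v in report.values())


if __name__ == "__main__":
    result = aggregate(SAMPLE_ROWS)
    assert not leaks_personal_data(result, SAMPLE_ROWS)
    for pathology, n in result.items():
        print(f"{pathology}: {'suppressed' if n is None else n}")
```

The two functions are deliberately separate: `aggregate` is the transformation, `leaks_personal_data` is an independent check on its output, so a later change to the transformation (for instance adding a per-doctor breakdown) is still caught if it starts carrying identifying strings.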

Finally, with specific reference to the processing of personal data carried out in the context of so-called initiative medicine models, it should be noted that the Garante recently issued an opinion to the Council of State stating that such models are often linked to a profiling of patients (so-called "stratification" activity) which requires an adequate legal basis having the characteristics required by the Regulation (Article 6(3)) (Opinion to the Council of State on the new methods of distribution of the health fund among the regions proposed by the Ministry of Health and based on population stratification, 5 March 2020, doc. web no. 9304455).

Lastly, the Garante also gave its opinion on a draft law of the Autonomous Province of Trento which also contained provisions on initiative medicine (opinion of 8 May 2020, doc. web no. 9344635). In that opinion the Authority pointed out the need to revise the legislation in order to take into account the principles of lawfulness, fairness, purpose limitation, minimisation and security laid down in the Regulation, since processing operations carried out for statistical, administrative and healthcare purposes were lumped together without the necessary distinctions. The Garante then recalled the specific constraints, in terms of data protection and transparency, that must be respected where initiative medicine is based on the profiling of patients by means of an algorithm, referring to what the Council of State had recently stated in this regard (Cons. St., sez. VI, 13 December 2019, no. 8472). In this context, it was pointed out that the collection and processing of health data in order to build, with reference to specific pathologies, a health risk profile of the data subject is a processing operation distinct from the main one aimed at the care of the patient, and must therefore be carried out on the basis of the data subject's consent, since it is an automated processing operation not strictly necessary for the purposes of the data subject's care (Articles 9(2)(h) and 22 of the Regulation). These considerations were reiterated in the opinion rendered by the Authority on a draft regulation implementing the aforementioned provincial law on initiative medicine in the Trentino provincial health service (opinion of 1 October 2020).

4. Conclusions.

In light of the above assessments, taking into account the statements made by the data controller and data processors during the investigation (and considering that, unless the act constitutes a more serious offence, whoever, in proceedings before the Garante, falsely declares or attests information or circumstances or produces false acts or documents is liable under Article 168 of the Code, "False statements to the Garante and interruption of the performance of the duties or exercise of the powers of the Garante"), the elements provided by the data controller in its briefs do not allow the findings notified by the Office in the act initiating the proceedings to be overcome, nor does any of the cases provided for in Article 11 of the Garante's Regulation No 1/2019 apply.

For these reasons, the processing of personal data carried out by the Azienda Unità Sanitaria Locale Toscana Sud Est is unlawful, in the terms set out in the grounds, for breach of Articles 5(1)(f), 13, 14, 28, 30, 32 and 35 of the Regulation.

In this context, considering in any event that the conduct has exhausted its effects, given that the Azienda has declared that it has coordinated the amendment of the templates containing the information to be provided to data subjects pursuant to Articles 13 and 14 of the Regulation, that it has renewed the appointment of ESTAR as data processor for the processing operations carried out by that body on behalf of the Company, that in future, for the initiative healthcare model, only anonymous information will be transmitted to the Company by the GPs, and that a register of the processing operations carried out by the Company has been adopted, the conditions for the adoption of the corrective measures referred to in Article 58(2) of the Regulation are not met.

5. Adoption of the injunction order for the application of the pecuniary administrative sanction and accessory sanctions (articles 58, paragraph 2, letter i and 83 of the Regulation; article 166, paragraph 7, of the Code).

The violation of Articles 5(1)(f), 13, 14, 28, 30, 32 and 35 of the Regulation, caused by the conduct of the Azienda Unità Sanitaria Locale Toscana Sud Est, is subject to the application of the pecuniary administrative sanction pursuant to, respectively, Article 83(5)(b) and Article 83(4)(a) of the Regulation.

In this case - also considering the reference contained in Article 166, paragraph 2, of the Code - the breach of the aforementioned provisions is subject to the application of the same administrative fine provided for by Article 83, paragraph 5, of the GDPR, which therefore applies to this case.

It should be noted that the Garante, pursuant to Articles 58(2)(i) and 83 of the Regulation, as well as Article 166 of the Code, has the power to "impose a pecuniary administrative sanction pursuant to Article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or in place of such measures, depending on the circumstances of each individual case" and, within this framework, "the Board [of the Garante] adopts the injunction order, with which it also orders the application of the accessory administrative sanction of its publication, in full or in extract, on the website of the Garante pursuant to Article 166(7) of the Code" (Article 16(1) of the Garante's Regulation No 1/2019).

The amount of the pecuniary administrative sanction, imposed according to the circumstances of each individual case, must be determined taking into account the principles of effectiveness, proportionality and dissuasiveness indicated in Article 83(1) of the Regulation, in light of the elements provided for in Article 83(2) of the Regulation, in relation to which it is noted that:

- the Authority has received only one report from a GP on the data processing carried out by the Health Authority with reference to the initiative health model, and no thefts, losses of data or unlawful processing by the different subjects involved in the data processing have been reported (Article 83(2)(a) and (h) of the Regulation);

- the data processing carried out by the Company through the initiative healthcare model concerns data revealing information on the health of a large number of data subjects, i.e. all the patients of the Company itself (Article 4(15) and Article 83(2)(a) and (g) of the Regulation);

- the Company, also as a consequence of the lack of a risk assessment, had not adopted adequate security measures in relation to the processing methods used by the doctors, nor had it adopted (at the time of the inspection) the register of processing activities, requirements which are an expression of the principle of accountability enshrined in the Regulation (Article 5(2) of the Regulation);

- the Company has shown a high degree of cooperation, by modifying the initiative medicine model, by providing that in future only anonymous information will be transmitted to it, and by taking an active part in the creation of a new template for the information to be provided to data subjects (Article 83(2)(c), (d) and (f) of the Regulation);

- the institutional process has been started for the integration into the regional legislation of a complete regulation of the healthcare model of initiative-based healthcare.

On account of the aforementioned elements, assessed as a whole, and also taking into account that this is the initial phase of application of the sanctioning provisions pursuant to Article 22(13) of Legislative Decree No 101 of 10 August 2018, it is deemed appropriate to set the pecuniary sanction provided for by Article 83(4)(a) and (5)(b) of the Regulation at EUR 100,000.00 (one hundred thousand) for the violation of Articles 13 and 28 of the Regulation, a pecuniary administrative sanction considered, pursuant to Article 83(1) of the Regulation, effective, proportionate and dissuasive. In quantifying the fine, the Garante took particular account of the fact that the violations are connected to a processing operation that started shortly before the date of full application of the Regulation.

It is also considered that the ancillary sanction of the publication of this measure on the website of the Garante, as provided for by Article 166, paragraph 7 of the Code and Article 16 of the Regulation of the Garante no. 1/2019, should be applied, also in view of the potential number of data subjects and the type of personal data subject to unlawful processing.

Finally, it should be noted that the prerequisites set out in Article 17 of Regulation No 1/2019 concerning internal procedures with external relevance, aimed at performing the tasks and exercising the powers delegated to the Garante, are met.

IN VIEW OF ALL THE FOREGOING, THE GARANTE

declares the unlawfulness of the processing of personal data carried out by the Azienda Unità Sanitaria Locale Toscana Sud Est, for breach of Articles 5(2)(f), 13, 14, 28, 30, 32 and 35 of the Regulation in the terms set out in the grounds.

ORDERS

pursuant to Articles 58(2)(i) and 83 of the Regulation, as well as Article 166 of the Code, Azienda Unità Sanitaria Locale Toscana Sud Est, with registered office in Arezzo (AR), Via Curtatone, 54 - C.F./P. IVA 02236310518, in the person of its pro-tempore legal representative, to pay the sum of EUR 100,000.00 (one hundred thousand) as a pecuniary administrative sanction for the violations indicated in this measure, according to the methods indicated in the annex, within 30 days of notification of this measure; it should be noted that the offender, pursuant to Article 166(8) of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the sanction imposed.

ENJOINS

the aforesaid Company to pay the sum of EUR 100,000.00 (one hundred thousand), in accordance with the methods indicated in the annex, within 30 days of notification of this measure, failing which the consequent enforcement measures pursuant to Article 27 of Law No 689/1981 shall be adopted. In this regard, it is recalled that the offender has the right to settle the dispute by paying, again according to the methods indicated in the annex, an amount equal to half of the penalty imposed, within 30 days of the date of notification of this measure, pursuant to Article 166(8) of the Code (see also Article 10(3) of Legislative Decree No 150 of 1 September 2011);

ORDERS

pursuant to Article 166(7) of the Code, the publication of this measure in its entirety on the website of the Garante, and deems that the conditions set out in Article 17 of Regulation No 1/2019 concerning internal procedures with external relevance, aimed at performing the tasks and exercising the powers delegated to the Garante, are met.

Pursuant to Article 78 of the Regulation, Article 152 of the Code and Article 10 of Legislative Decree No 150/2011, an appeal against this measure may be lodged with the ordinary judicial authority, on pain of inadmissibility, within thirty days of the date of communication of the measure itself, or within sixty days if the appellant resides abroad.

Rome, 17 December 2020

THE PRESIDENT
Stanzione

THE REPORTER
Cerrina Feroni

THE SECRETARY GENERAL
Mattei