On May 19, 2021, the Italian Supervisory Authority (“Garante”) fined a physician €5,000 for publishing a patient’s medical records without obtaining that patient’s specific consent to do so.  As background, the physician downloaded medical records about a patient she treated at a local hospital from the hospital’s online archive system, including images taken during surgery.  The physician used these records for a presentation at a medical conference, and also included them as documentation supporting a scientific research paper she submitted for a competition hosted by a surgeons’ association.  The physician’s paper was ultimately selected as the winner of that competition, resulting in the publication of her work on the association’s website.

In its decision, the Garante concluded that the physician’s disclosure of patient data violated Articles 5(1)(a), 5(1)(c), 6 and 9 of the GDPR.  In particular, the Garante held the following:

  • Lack of valid consent. The patient did not consent to the processing of his health data for the specific purposes engaged in by the physician.  The Garante said that while the patient consented to the use of his data for “epidemiological investigation and scientific research” purposes, that consent did not encompass use of the data for other “scientific information” purposes.  The Garante’s narrow distinction here seems subtle and somewhat surprising, as the dissemination of research results (such as a presentation given at a medical conference) is considered by many to be an essential component of the research process.
  • Lack of authorization. The patient consented to “epidemiological investigation and scientific research” conducted by the hospital, not by the physician in question.  The Garante said the physician therefore should have requested authorization from the hospital to use the patient’s data for purposes other than medical treatment.  Instead, the physician independently acquired a copy of the records and images later used for the conference presentation and research paper.  The Garante’s decision thus underscores the importance of ensuring appropriate internal controls on access to data.
  • Failure to effectively anonymize the data. According to the Garante, the physician did not properly anonymize the patient’s data in the report she presented at the medical congress.  In particular, the published documents contained the following information: the patient’s initials, age, details of hospitalizations, medical history, and several images from the patient’s surgery (although the decision does not specify what the images reveal).  According to the Garante, all of this information – taken together – made the patient identifiable.
  • Prohibition on the open dissemination of health data under the Italian Privacy Code. The Garante further recalled that Article 2-septies, paragraph 8 and Article 166, paragraph 2, of the Italian Privacy Code expressly prohibit the open dissemination of data which may reveal the health status of an individual.  Consistent with this, the 2014 Code of Medical Ethics of the National Federation of Surgeons and Dentists provides that physicians who wish to disclose data for scientific information purposes must ensure that their scientific publications or any disclosures of clinical data and studies do not reveal the identity of any of the patients concerned (i.e., are anonymized).
Giulia Romana Mele

Working on life sciences and data protection issues, Giulia Romana Mele supports pharmaceutical, food, and biotech companies in EU and Italian regulatory compliance, and assists clients in negotiating a rapidly-changing regulatory landscape affecting the use of existing and new technologies.

Giulia helps emerging and leading companies in the life sciences industry achieving their regulatory and commercial goals, identifying potential issues and developing risk-minimization solutions.

She further provides strategic advice to global companies on complying with EU, UK, and Italian data protection laws, with a focus on emerging issues in the AdTech environment.

Kristof Van Quathem

Kristof Van Quathem advises clients on data protection, data security and cybercrime matters in various sectors, and in particular in the pharmaceutical and information technology sectors. Kristof has been specializing in this area for over fifteen years and covers the entire spectrum of the field, from advising clients on government affairs strategies concerning lawmaking, to compliance advice on adopted laws, regulations and guidelines, to the representation of clients in non-contentious and contentious matters before data protection authorities.