The storage of personal medical data in cloud databases is becoming increasingly common, but this practice raises significant privacy issues. The Data Protection Authority has previously issued Guidelines on Electronic Health Records and Files and the Guidelines on Online Examination Records, which impose considerable restrictions on the use and management of such information. Among other things, the guidelines address the types of personal data that may be processed and purposes for which they may be processed, emphasising that this may not be purely at the processor's discretion. They also address:

  • the information to be provided to patients;
  • the consent to be obtained from them; and
  • the security measures to be adopted in order to prevent the corruption of data when it is remotely stored in a cloud database (regardless of whether the data is uploaded by healthcare institutions or by patients themselves).

The principles reflect those issued by the Data Protection Working Party - an EU advisory body - on electronic health records, which are applicable throughout the European Union. However, new legislative changes have refocused attention on the privacy and data protection safeguards in Italy's healthcare industry.

Parliament is about to ratify a new legislative decree on electronic health records, online examination records and the use of information technology in the medical sector in general. This major change provides for the adoption of electronic management of medical files through the use of electronic health records and the implementation of online booking systems for appointments. A potentially even more significant provision states that the Ministry of Health will issue decrees on the use of mobile devices for the collection of medical data, as well as their distribution to medical practitioners, researchers and patients themselves.

The decree represents a key opportunity for providers of cloud computing services that are affiliates of pharmaceutical companies, but also companies - such as Google - that are active in other sectors, but whose services could be adapted to the needs of the medical sector. However, the processing of personal medical data (and, in some cases, genetic data) using such technologies will require a careful review of the relevant privacy-related issues. The impact of such privacy safeguards may be even greater if the collected data is to be stored outside the European Union. Entities that are likely to be affected by the changes may wish to liaise with the Ministry of Health on the implementing decree, in an effort to ensure that the data protection obligations are not unduly onerous.

For further information on this topic please contact Giulio Coraggio at DLA Piper Italy by telephone (+39 02 80 61 81), fax (+39 02 80 61 82 01) or email ([email protected]).