Medical research and data protection: in recent days, divergent comments and positions have appeared on the web regarding the text of the new Art. 110-a of the Privacy Code introduced by the European law 20 November 2017 n. 167, which introduces changes in the area of data protection with regard to medical scientific research. We will first focus on the legal framework, and then evaluate the impact of the new law.

Privacy Code

Legislative Decree 196/2003 (Privacy Code) establishes that health data can be processed for research purposes with the authorization of the Data Protection Authority and the consent of the patient. As regards the first requirement, the Authority has intervened over the years to issue general authorizations in the field of scientific research pursuant to Art. 40, of which the last is Authorization n. 9/2016, which (point 11) will expressly remain in force until 24 May 2018 (at the date of full application of EU Reg. 2016/679).

The consent of the data subject (patient) is always required except in three cases expressly listed in Art. 110, namely:

  • when the research is foreseen by a legal provision which specifically provides for the processing;

  • when the research is part of a biomedical or health research program envisaged in accordance with Article 12-a of the Legislative Decree 30 December 1992, n. 502 (upon communication to the Guarantor pursuant to Article 39);

  • when due to particular reasons it is not possible to inform the data subjects (and there is a reasoned favorable opinion of the relevant ethics committee).

Reg. EU 2016/679

The new EU Regulation 2016/679 on data protection, which is already in force and will become fully effective from 25 May 2018, radically transforms the preexisting regulatory framework. Article 5(b) on the principles of processing specifically states that data processing for research purposes is compatible with the initial purpose(s) for which the data were collected (so-called secondary use), on condition that the provisions of Art. 89 paragraph 1 are applied. Art. 9 on consent to the processing of special categories of data (including sensitive and genetic data) establishes in paragraph 2(j) that consent is not required for data processing for scientific research, provided that the guarantees set forth in Art. 89 paragraph 1 are applied. This last rule (referred to several times) establishes, in turn, that the processing for scientific research purposes must guarantee the rights and freedoms of the data subject and that such safeguards include appropriate technical and organizational measures to ensure the principle of minimization and the application of the pseudonymisation technique.

Until 24 May 2018, processing for research purposes is subject to the authorization of the Data Protection Authority and the consent of the data subject; after this date, the requirements of Art.89 paragraph 1 will broaden this legal framework, while the European Law 167/2017 introduces Article 110-a into our Privacy Code. This rule, entitled "Reuse of data for purposes of scientific research or for statistical purposes", thus sets out:

  1. For the purposes of scientific research or for statistical purposes, the Data Protection Authority may authorize the re-use of data (including sensitive data) except for genetic data, provided that appropriate preventive measures for the protection of data subjects are taken to minimize and anonymize the data.

  2. The Data Protection Authority shall communicate the decision taken on the request for authorization within forty-five days; the absence of a response within that period shall be deemed a rejection. With the authorization provision or even subsequently, on the basis of any verifications carried out, the Data Protection Authority establishes the conditions and measures necessary to ensure adequate safeguards for the protection of data subjects as regards the re-use of data, also in terms of their security.

In essence, 5 months before the full application of the EU Regulation 2016/679 - which no longer provides for the authorization of the Data Protection Authority and allows the secondary use of data for research purposes without requiring specific consent - the National Legislator introduces a provision that allows research as a secondary use, except for genetic data, while retaining the obligation to request authorization from the Authority.

The questions that arise are the following: what motivation drives the national legislator to take this initiative 5 months before the full effectiveness of Reg. EU 2016/679? Are we certain that this new provision can pass a test of compatibility with the Regulation, which abolished the institution of authorization from the Authority?

Lastly, would it not be better to give the already struggling Italian research sector a clear legal framework, thus avoiding this confusing regulatory stratification?