On January 10, 2019, the Italian Garante per la Protezione dei Dati Personali, the Italian data protection authority, DPA, released an opinion according to which the deceased continues to enjoy the protections provided for by the data protection legislation.
In a case of alleged malpractice, an individual asked a healthcare company to allow access to the health data of a deceased patient. The health data referred to clinical audit records and to the investigations conducted by the risk manager, which contained confidential information, such as hospitalization, symptoms, medical history, diagnosis, tests carried out, some particularly invasive, therapy, drugs administered, and religion.
The DPA noted that this type of request would be considered as a “civic access request” under the applicable Italian public administration law (Law n. 241/1990), which would make the accessed personal data public. It then went on to considering that according to Whereas 27, Regulation 2016/679 (GDPR), the GDPR itself does not apply to the personal data of deceased persons. Member States may provide for rules regarding the processing of personal data of deceased persons.
Italy availed itself of the option with Legislative Decree 101/2018, which states that the rights relating to the personal data of the deceased can be exercised by those who have an interest of their own, or act to protect the interested party, or for family reasons worthy of protection. See Italian Data Protection Code expressly provides for the rights of the deceased data subject.
Therefore, the DPA considered that the data protection regulation applies to the data of the deceased. It deemed that the prohibition to disseminate health-related data, falls within one of the hypotheses of exclusion of civic access that prohibits data transfers to undetermined subjects.
In the case examined, therefore, the DPA found that the healthcare company rightfully denied access to the third party.
Doc. web n. 9084520, Parere su una istanza di accesso civico, dated January 10, 2019, Registro dei provvedimenti n. 2 del 10 gennaio 2019 is available (in Itlaian) at https://www.gpdp.it/web/guest/home/docweb/-/docweb-display/docweb/9084520
For more information on how privacy to implement privacy policies in your business, contact Francesca Giannoni-Crystal. Thanks to Federica Romanelli.