General Authorisation No. 8/2014 for the Processing of Genetic Data
[doc. web n. 3831387]
Published in Italy's Official Journal No. 301 of 30 December 2014
The Italian Data Protection Authority
Having convened today, with the participation of Mr. Antonello Soro, President, Ms. Augusta Iannini, Vice-President, Ms. Giovanna Bianchi Clerici and Prof. Licia Califano, Members, and Mr. Giuseppe Busia, Secretary-General;
Having regard to legislative decree no. 196 dated 30 June 2003, containing the Personal Data Protection Code (hereinafter the "Code");
Having regard to, in particular, section 90(1) of the aforementioned Code, whereby the processing of genetic data by whomsoever shall only be allowed in the cases set out in an ad-hoc authorisation to be issued by the Garante after consulting with the Minister of Health, who shall act on the opinion handed down, to that end, by the Consiglio Superiore di Sanità [Higher Council for Health Care];
Having regard to section 90(2) of the Code, whereby the authorisation shall also specify the additional items to be included in the information notice pursuant to section 13, with particular regard to the purposes sought and the results that may be achieved also in respect of such unexpected findings as may be disclosed following the processing of data in question as well as in respect of the right to object to the said processing on legitimate grounds;
Having regard to the Garante's general authorisation no. 2/2005 which expressly refers (point 1.4) to authorisation no. 2/2002 (point 2, letter b)) concerning the processing of data suitable for disclosing health and sex life, whereby any genetic data that is processed for the purposes of prevention, diagnosis and/or treatment in respect of the data subject, or else for scientific research purposes, "may be used exclusively for the said purposes or in order to allow the data subject to make a free, informed decision, or else for the purpose of providing evidence in civil and/or criminal proceedings pursuant to the law";
Having regard to the authorisation for the processing of genetic data issued by the Garante on 22 February 2007 in pursuance of Article 90 of the Code, which replaced the instructions that had been given via the aforementioned general authorisation as referred to in the authorisation No. 2/2005, after hearing the Minister of Health, who had sought an opinion from the Consiglio Superiore di Sanità;
Whereas it is necessary to ensure a high level of protection for fundamental rights and freedoms as well as for human dignity in regulating the processing of personal data, with particular regard to the right to the protection of personal data set forth in section 1 of the Code; whereas in doing so, one has also to minimise the risk of harmful and/or dangerous consequences as evaluated on the basis of the recommendations adopted by the Council of Europe with regard to medical data, in particular Recommendation No. R(97)5; whereas the latter provides that genetic data is all data, of whatever type, concerning the hereditary characteristics of an individual or concerning the pattern of inheritance of such characteristics within a related group of individuals (article 1), and such data, within the framework of the broader category of "medical data", may only be processed under certain conditions (article 1);
Whereas Council of Europe's Recommendation No. R(92)3 on genetic testing and screening for health care purposes provides (principle no. 8) that the collection and storage of substances and of samples, and the processing of information derived therefrom, must be in conformity with the Council of Europe's basic principles of data protection and data security laid down in the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, No. 108 of 28 January 1981, and the relevant Recommendations of the Committee of Ministers in this field;
Whereas other important principles applying to the processing of genetic data can be found in some international and Community instruments including:
a. the Convention on Human Rights and Biomedicine, done in Oviedo on 4 April 1997, which prohibits any form of discrimination against a person on grounds of his or her genetic heritage (article 11) and allows for the performance of predictive genetic tests exclusively for health purposes or for scientific research linked to health purposes subject to appropriate genetic counselling (article 12);
b. UNESCO's Universal Declaration on the Human Genome and Human Rights of 11 November 1997, which provides that everyone has the right to respect for their dignity and rights regardless of their genetic characteristics (article 2) and prohibits any discrimination based on genetic characteristics that is intended to infringe or has the effect of infringing human rights, fundamental freedoms and human dignity (article 6);
c. The Charter of Fundamental Rights of the European Union, proclaimed at Nice on 7 December 2000, which prohibits any form of discrimination based, in particular, on genetic features (article 21);
d. Directive 2004/23/EC of the European Parliament and of the Council of 31 March 2004, as transposed into domestic legislation via legislative decree No. 191 of 6 November 2007, which requires that all necessary measures be taken to protect data, including genetic data, and additional safeguards be implemented with regard to information gathered in connection with donation, procurement, testing, processing, preservation, storage and distribution of human tissues and cells intended for human applications and of manufactured products derived from human tissues and cells intended for human applications (article 14);
e. The Convention on Human Rights and Biomedicine (article 10), the Universal Declaration on the Human Genome and Human Rights (article 5, letter c)), and UNESCO's International Declaration on Human Genetic Data (article 10), which set forth, with regard to the respective scope of application, everyone's right to decide whether or not to be informed about the results of genetic examinations and their consequences (or else about the results of medical and scientific research where the genetic data, human proteomic data or biological samples are used for such purposes);
f. The Code of Practice of the International Labour Organisation on the protection of workers' personal data (November 1996), under which genetic screening of workers should be prohibited or limited to specific cases as expressly authorised by domestic legislation (article 6.12);
g. The World Medical Association's Helsinki Declaration (of June 1964, as subsequently amended and supplemented), under which it is necessary to obtain the assent of a legally incompetent person, in addition to the assent of the legally authorised representative, where the said person is able to give assent to participation in research (paragraph 29);
h. The Working Document on Genetic Data adopted on 17 March 2004 by the Article 29 Working Party (WP91), which refers to the need to also take into consideration and regulate the legal status of biological samples, which are also liable to be sources of personal data, among the necessary safeguards to be afforded in respect of genetic data;
i. UNESCO's Universal Declaration on Human Genome and Human Rights of 11 November 1997 (article 5, letter e.), the Additional Protocol to the Convention on Human Rights and Biomedicine Relating to Biomedical Research of 25 January 2005 (article 15), UNESCO's Universal Declaration on Bio-Ethics and Human Rights of 19 October 2005 (article 7), and the Additional Protocol to the Convention on Human Rights and Biomedicine Relating to Genetic Testing for Medical Purposes of 27 November 2008 (article 10 et seq.), which lay down specific safeguards in respect of genetic research involving individuals that are unable to give their consent thereto;
j. UNESCO's International Declaration on Human Genetic data (article 18) and Council of Europe's Recommendation no. R(2006)4 on research on biological materials of human origin (principle no. 16), which highlight the need for regulating cross-border transfers of biological materials and the relevant personal data by ensuring that the recipient countries afford adequate protection;
Having regard to EU Regulation No. 536 of 16 April 2014, legislative decree no. 211 dated 24 June 2003 as subsequently amended and supplemented, decree no. 200 dated 6 November 2007, and the Ministerial decrees concerning clinical drug trials – in particular, the Ministerial decree dated 21 December 2007 on "Arrangements to lodge the authorisation request with the competent Authority, notify substantial amendments, and declare completion of the clinical trial as well as to request an opinion from the ethics committee";
Having regard to Act no. 40 of 19 February 2004 on "Provisions Applying to Medically Assisted Reproduction";
Having regard to the Agreement reached on 15 July 2004 among the Minister of Health, Regions, and the Trento and Bolzano autonomous Provinces with regard to the document containing "Guidelines for Medical Genetics Activities" (published in the Official Journal no. 224 of 23.09.2004);
Having regard to Act no. 52 dated 6 March 2001 on "Recognition of the Italian National Register of Bone Marrow Donors";
Having regard to Act no. 219 of 21 October 2005, regulating blood transfusion and the national production of blood derivatives, as well as to the order by the Minister of Health dated 26 February 2009 concerning "Provisions on Preservation of Stem Cells from Umbilical Cord Blood" (as published in the Official Journal no. 57 dated 10 March 2009), the Ministerial decree dated 18 November 2009 concerning "Provisions on Preservation of Stem Cells from Umbilical Cord Blood for Autologous – Dedicated Use", and the Ministerial decree dated 10 October 2012 concerning "Arrangements for Exporting or Importing Human Tissue, Cells and Reproductive Cells Intended for Human Applications";
Having regard to legislative decree no. 16 dated 25 January 2010, which transposed EU legislation implementing Directive 2004/23/EC concerning technical requirements for the donation, procurement and testing of human tissue and cells as well as with regard to the requirements for traceability, serious adverse event reporting and certain technical requirements for coding, processing, preservation, storage and distribution of human tissue and cells;
Having regard to legislative decree no. 261 dated 20 December 2007, which revised legislative decree no. 191 of 19 August 2005, implementing directive no. 2002/98/EC, which sets quality and security standards for the collection, testing, processing, storage and distribution of human blood and blood components;
Having regard to legislative decree no. 28 dated 4 March 2010 including subsequent amendments and additions, implementing section 60 of Act no. 69 dated 18 June 2009 on mediation for the purpose of settling civil and commercial disputes, and to the Ministerial decree no. 180 dated 18 October 2010 including subsequent amendments and additions, which was issued pursuant to section 16 of the foregoing legislative decree;
Whereas mediation procedures may entail the processing of genetic data relating to the parties to the mediation procedure as well as to other individuals involved in the said procedure as provided for by the law (e.g. in the case of mediation procedures concerning medical malpractice damages);
Whereas it is accordingly necessary to authorise the entities referred to in section 1(1) of legislative decree no. 28/2010 to process genetic data if this is absolutely indispensable to perform the activities related to mediation for the purpose of settling civil and commercial disputes, providing the said activities are in pursuance of the law as well as in accordance with the instructions already set out in respect of private and public bodies in the general authorisation to process sensitive data in mediation activities granted by the Italian DPA on 21 April 2011 and in the decision issued by the Italian DPA on the same date to list the data categories and operations that may be performed in connection with substantial public interest purposes as per section 71(1)b. of the Code, respectively;
Whereas under sections 76 and 81 of the Code, health care professionals and public health care bodies may process personal data suitable for disclosing health in order to protect the data subject's health and/or bodily integrity exclusively with the data subject's consent, and they may process the said data also without the data subject's consent, upon the Garante's prior authorisation, if it is necessary to protect health and/or bodily integrity of either a third party or the social community;
Whereas sections 77, 78 and 79 of the Code lay down simplified arrangements in order for health care professionals and public health care bodies to provide the information referred to in section 13 thereof;
Having regard to the Garante's decision dated 19 July 2006 (www.garanteprivacy.it, no. 1318699) setting forth the essential items of information general practitioners and paediatricians are required to include in the information notices to be provided to data subjects with regard to the processing of personal data, in pursuance of section 78(3) and section 13(3) of the Code;
Having regard to the "Guidelines for the Processing of Personal Data within the Framework of Clinical Drug Trials" as adopted by the Italian DPA by resolution no. 52 dated 24 July 2008;
Whereas under sections 23 and 26 of the Code, private bodies and profit-seeking public bodies may only process sensitive data upon the Garante's prior authorisation and – where required – with the data subject's written consent;
Whereas a considerable number of processing operations concerning genetic data are performed for the purposes of prevention, diagnosis and/or therapy in respect of data subjects, as well as for scientific research purposes;
Whereas under section 40 of the Code, general authorisations applying to specific categories of data controller and/or processing may be issued and such authorisations have proved suitable so far in order to lay down unified measures aimed at safeguarding data subjects;
Having regard to the specific authorisation envisaged in section 90 of the Code as granted by the Italian DPA on 22 February 2007, whose effectiveness was last extended to 30 June 2011;
Having regard to the new authorisation granted on 24 June 2011 under Section 90 of the Code to replace the one that was due to expire on 30 June 2011 as well as in order to streamline the provisions already set forth in the light of the experience gathered so far as well as of the considerations submitted by qualified experts with particular regard to the following: updating of the definitions; processing operations performed to protect family members' health without the data subject's consent; scientific research involving children and/or other vulnerable individuals that has no direct beneficial impact on them; and the communication to family members of genetic data that are indispensable to spare them serious medical harm;
Whereas the said new authorisation – which was granted anew over subsequent years – proved to be an appropriate tool to lay down consistent measures for the protection of data subjects and also made it unnecessary for several data controllers to apply for ad-hoc authorisations;
Whereas it is appropriate to grant a new authorisation, which should be similar to and replace the preceding one, due to expire on 31 December 2014;
Whereas it is appropriate for this new authorisation to be also provisional and time-limited in nature under section 41(5) of the Code; whereas it is appropriate, in particular, for it to be effective for twelve months;
Whereas it is appropriate to issue a separate provision in order to take account of the processing of genetic data that is carried out by the categories of public body mentioned in Titles I, II and III of Part II of the Code subject to section 16 of Act No. 85 dated 30 June 2009 with regard to the regulations on the national DNA database set up for detecting and suppressing criminal offences;
Whereas the wording contained in this authorisation as for establishing judicial claims (see point 2 "Scope" and point 3 "Purposes of the Processing") shall be construed to relate to defence counsel, their collaborators, the parties to the judicial proceeding, and any other entities that process the data to establish or defend a judicial claim; whereas this is based on the implementing experience gathered from recent litigations;
Whereas any other processing operations concerning genetic data that are not referred to herein shall be regarded as unlawful, except for those mentioned above, including employers' activities aimed at establishing employees' and/or job candidates' professional eligibility, irrespective of whether such activities are grounded in the data subjects' consent, and the activities carried out by insurance companies;
Whereas it is appropriate for this new authorisation to be also granted on a time-limited basis subject to whatever decisions concerning additions and/or amendments thereto partly in the light of the rapid pace of development of genetics research and technologies as well as of knowledge developments in this area;
Having regard to section 11(2) of the Code, which provides that any data that is processed in breach of the relevant personal data protection legislation may not be used;
Having regard to section 31 et seq. of the Code and to the technical specifications contained in Annex B thereto, containing provisions and rules in respect of security measures;
Having regard to sections 41 and 167 of the Code;
Having regard to official records;
Having regard to the considerations submitted by the Secretary General in pursuance of article 15 of the Garante's Rules of Procedure no. 1/2000;
Acting on the report submitted by Prof. Licia Califano;
the processing of genetic data by the entities specified hereinafter in accordance with the requirements set forth below pursuant to Sections 26, 40, 41 and 90 of the Code.
Before commencing and/or continuing the processing, information systems and software shall be configured by minimising the use of personal and/or identification data so as to rule out their processing if the purposes sought in the individual cases can be achieved by means of anonymous data and/or appropriate arrangements allowing data subjects to be only identified where necessary, respectively, as per Section 3 of the Code.
For the purposes of this authorisation,
a. "genetic data" shall mean the result of genetic tests and/or any other information that, regardless of its type, identifies an individual's genotypic characteristics that can be inherited within a related group of individuals;
b. "biological sample" shall mean any sample of biological material from which an individual's genetic data can be extracted;
c. "genetic test" shall mean the analysis, for clinical purposes, of a specific gene, or of a product and/or function thereof or of other DNA constituents and/or a chromosome, in order to carry out a diagnosis or confirm a clinical suspicion in an individual already affected by disease (diagnostic test), or else in order to detect or rule out a mutation associated with a genetic disease that might develop in a healthy individual (pre-symptomatic test), or in order to assess an individual's liability to develop multi-factor diseases (predictive or susceptibility test);
d. "pharmacogenetic test" shall mean a genetic test aimed at detecting specific DNA-sequence variations that can predict "individual" response to drugs in terms of effectiveness and relative risk of adverse effects;
e. "pharmacogenomic test" shall mean a genetic test aimed at the overall analysis of variations in genome and/or genome products as related to the discovery of new drugs and the further characterization of marketable drugs;
f. "individual variability test" shall mean any genetic tests including consanguinity tests; ancestral tests aimed at establishing an individual's relation to one of his/her ancestors or a given population, or else what portion of that individual's genome was inherited from ancestors belonging to a specific geographic area and/or ethnic group; and genetic identification tests aimed at determining the likelihood for a DNA sample and/or trace taken/retrieved from a given thing or any other material to belong to a specific individual;
g. "genetic screening" shall mean any genetic test that is carried out on a given population or group – including family tests aimed at detecting (via "cascade screening") individuals that are potentially at risk of developing a given genetic disorder – in order to assess their common genetic characteristics or else to timely detect individuals that are affected by and/or carriers of genetic diseases and/or other hereditary characteristics;
h. "genetic counselling" shall mean a communication process whereby an individual or family affected by a genetic disease is assisted in understanding medical information including the diagnosis and foreseeable course thereof, the available treatments, the contribution of inheritance to occurrence of the disease, the risk of re-occurrence for both the individual in question and other family members and the advisability of informing the latter, and all the available options in coping with the disease risk along with the impact such risk may have on reproductive choices; when performing genetic tests, the counselling in question shall also include information on the meaning, limitations, reliability and specificity of the tests plus the implications of their results; as well as a physician and/or biologist specialising in medical genetics, other professionals skilled in the management of psychological and social issues related to genetics shall participate in the aforementioned process;
i. "genetic information" shall mean the activities aimed at providing information on the specific features of genetic screening.
This authorisation shall be granted:
a. to health care practitioners, in particular medical genetics experts, with regard to such data and operations as are indispensable exclusively for health care purposes in respect of the data subject and/or a third party belonging to the same genetic line as the data subject;
b. to public and private health care bodies, in particular clinical facilities for medical genetics, with regard to such data and operations as are indispensable exclusively for health care purposes in respect of the data subject and/or a third party belonging to the same genetic line as the data subject;
c. to medical genetics laboratories with regard to such operations as are indispensable in respect of indispensable data that are intended to be processed exclusively for the purposes of prevention and genetic diagnosis concerning the data subject, or that are intended to be used exclusively for the purposes of carrying out investigations by defence counsel, establishing or defending a judicial claim, also concerning a third party, or establishing consanguinity of non-EU nationals, stateless persons, and refugees exclusively with a view to family reunion;
d. to natural and legal persons, research bodies and/or institutions, associations and other public or private bodies that pursue research purposes with regard to such data and operations as are indispensable exclusively for the purposes of scientific research, including statistics, that is aimed at protecting the data subjects', third parties' and/or the community's health in the medical, biomedical, and epidemiological sectors within the framework of the activities falling under the scope of medical genetics as well as for scientific research purposes aimed at developing genetic analysis techniques;
e. to psychologists, technical consultants and their assistants within the framework of multi-disciplinary genetic counselling, with regard to such data and operations as are indispensable exclusively for the purpose of providing advisory services to the data subject and/or his/her family members;
f. to pharmacists with regard to such data and operations as are indispensable exclusively for the purpose of fulfilling obligations arising out of the provision of drugs to the data subjects;
g. to defence counsel including their alternates, technical consultants and authorised private detectives with regard to such data and operations as are indispensable exclusively for the purpose of carrying out the investigations by defence counsel referred to in Act no. 397 of 7 December 2000; the authorisation shall be also granted in order to establish or defend a judicial claim, also concerning a third party, providing the claim in question is not overridden by the data subject's one and the data are only processed for the said purposes and for no longer than is absolutely necessary therefor;
h. to public and private mediation bodies with regard to such data and operations as are indispensable exclusively for the discharge of mediation-related tasks aimed at settling civil and commercial disputes in pursuance of legislative decree no. 28 dated 4 March 2010 as amended and supplemented subsequently, whereby compliance with the law shall be ensured and the provisions contained in the general authorisation no. 5 for the processing of sensitive data by various categories of data controller shall be abided by as regards private entities and those laid down in the Garante's decision of 21 April 2011 setting forth the data categories and the processing operations that may be performed for the substantial public interest purpose that is mentioned in section 71(1)b. of the Code shall be abided by as regards public organisations, respectively;
i. to the international bodies considered to be eligible by the Ministry for Home Affairs and to diplomatic and/or consular representations with a view to issuing the required certifications – which are currently set out in section 52 of legislative decree No. 71 of 3 February 2011 – exclusively for the purpose of family reunion and only if a data subject is unable to provide unquestionable proof of consanguinity by way of certifications and/or declarations issued by competent foreign authorities because of the lack of a recognised authority, or if there is reason to believe that the aforementioned documents are untrue.
3. Purposes of the Processing
3.1. Such genetic data may be processed and such biological samples may be used as are closely relevant to the purposes mentioned below, where these purposes may not be achieved, on a case by case basis, by processing either anonymous data / samples or non-genetic personal data:
a. health care, with particular regard to genetic diseases and protection of the data subject's genetic identity, with the data subject's consent, except for the provisions made in sections 26 and 82 of the Code for the case where a data subject is unable to provide his/her consent because legally incapable, physically impaired, or mentally disabled;
b. health care, with particular regard to genetic diseases and protection of the genetic identity of a third party belonging to the same genetic line as the data subject, with the data subject's consent; where consent has not been or may not be provided because of legal incapacity and/or physical impairment or mental disability, or else because the data subject is nowhere to be found, the processing in question may be performed by having regard to such genetic data as is available if this is indispensable to allow the third party in question to make informed reproductive choices or if it is justified by the need for the said third party to undergo preventive care and/or treatment. Where the data subject has deceased, the processing may also include genetic data retrieved from the analysis of the deceased individual's biological samples, providing this is indispensable to enable the third party in question to make informed reproductive choices or if it is justified by the need for the said third party to undergo preventive care and/or treatment;
c. scientific and statistical research with a view to protecting the data subject's, third parties' and/or the community's health in the medical, biomedical and epidemiological sectors, including clinical drug trials, or scientific research aimed at developing genetic analysis techniques (providing the availability of exclusively anonymous data on population samples does not allow the research purposes to be achieved), whereby the said research shall be carried out with the data subject's consent except for the statistical surveys and/or scientific researches provided for by law as well as in the other cases referred to in paragraph 8.1 hereof.
Within the framework of the purposes mentioned under a. and b. above, this authorisation shall also be granted exclusively for the purpose of allowing the authorised entities to fulfil specific obligations and/or ensure that such obligations are fulfilled, or to discharge specific tasks set out in Community legislation, laws and/or regulations with particular regard to public health and hygiene, prevention of occupational diseases, diagnosis and treatment including blood transfusions and organ, tissue and hematopoietic stem cells transplantation, rehabilitation from physical and mental disability and/or impairment, protection of mental health, and pharmaceutical assistance pursuant to the law. The processing operations may also concern the filling out of health records, certifications and other health care documents.
Processing of genetic data and use of biological samples to perform pre-symptomatic and susceptibility tests are only permitted in order to achieve health care purposes, including informed reproductive choices and health care-related research purposes.
3.2. This authorisation shall also be granted if the processing of genetic data is indispensable:
a. for defence counsel to carry out the investigations referred to in Act no. 397 of 7 December 2000, also by the agency of alternates, technical experts and/or authorised private detectives, or else to establish or defend a judicial claim, whether related to a third party or not, also without the data subject's consent – except where the processing requires the performance of genetic tests. The foregoing provisions shall apply on condition the claim to be established or defended is not overridden by the data subject's one, or if it consists in a personal right or another fundamental, inviolable right or freedom, and if the data are only processed for those purposes and for no longer than is absolutely necessary to achieve such purposes. The processing must be carried out in compliance with the general authorisations issued by the Garante for the processing of sensitive data by self-employed professionals and private detectives (authorisation no. 4/2014 and no. 6/2014, respectively). The processing may also concern the information related to medical history and/or the data subject's family members.
b. To fulfil specific obligations or ensure that specific obligations are fulfilled, or to discharge specific tasks as set forth expressly in Community instruments, laws and/or regulations applying to social security and welfare, occupational and/or population safety and hygiene, also without the data subject's consent, in compliance with the limitations laid down in the Garante's general authorisation for the processing of sensitive data in the employment context (authorisation no. 1/2014) and without prejudice to the provisions contained in the code of practice referred to in section 111 of the Code. The processing may also concern the information related to medical history and/or the data subject's family members.
c. To establish consanguinity with a view to family reunion in respect of non-EU nationals, stateless persons, and refugees pursuant to legislative decree no. 286 of 25 July 1998. In particular, the processing of genetic data shall not be regarded as indispensable if it is carried out in spite of the availability of alternative procedures that do not entail processing of such data.
4. Processing Mechanisms
The addressees of this Authorisation shall configure the collection and use of biological samples as well as the processing of genetic data in such a manner as to prevent infringements of the data subjects' rights, fundamental freedoms, and dignity. The said activities shall be carried out lawfully and fairly for specific purposes to be set out in pursuance hereof and notified to data subjects in accordance with the mechanisms specified under paragraph 5 below.
Specific measures shall be laid down to unambiguously identify the individual that undergoes the collection of the biological materials required to perform the relevant analysis (section 11(1), letter c), of the Code).
The processing of genetic data shall only be carried out by means of such operations, logical arrangements, and data organisation mechanisms as are absolutely indispensable with regard to the aforementioned obligations, tasks and/or purposes.
The obligations arising out of the rules of practice applying to the individual professional categories mentioned herein shall be left unprejudiced.
4.1. Collection and Storage
The collection of genetic data for performing genetic tests and screening shall be limited to the personal and family information that is absolutely indispensable for performing the analysis in question (section 11(1), letter d), of the Code).
In particular, no data concerning health or any other features related to data subjects – apart from their sex – shall be collected in connection with processing operations that are carried out via individual variability tests. Samples shall be taken by persons entrusted with this task by a medical genetics laboratory, or else by a physician to be designated by the latter laboratory; as for family reunion cases, the samples shall be taken by health care professionals entrusted with this specific task by diplomatic and/or consular representations and/or by international bodies regarded as eligible by the Ministry for Foreign Affairs.
4.2. Scientific and Statistical Research
Any scientific and/or statistical research for whose performance it is permitted to process genetic data and make use of biological samples shall be carried out, in addition, on the basis of a project to be drawn up pursuant to the relevant sector-related standards, also in order to give proof that the data are processed and the biological samples used actually for suitable scientific purposes. To that end, such data and biological samples may be used as are closely relevant to the purposes sought, by having regard to the available data and the processing operations already carried out by the same data controller as well as to the existence of other arrangements that can allow achieving the research purposes by means of personal data other than identification and/or genetic data, or that do not entail the taking of biological samples.
The project in question shall specify the measures to be taken in processing personal data with a view to ensuring compliance with both this authorisation and personal data protection legislation, also with regard to preservation and security of the data and biological samples; the data processors, if any, shall also be referred to (see sections 29, 31, 33, 34, and 35 of the Code, and Annex B thereto). In particular, where the research envisages the collection and/or use of biological samples, the project shall specify source, nature and mechanisms for the taking and preservation of the samples as well as the measures adopted to ensure that the data subjects have voluntarily provided the biological materials in question.
The project shall be kept by the data controller under confidentiality arrangements for at least one year as from conclusion of the research. The data controller shall provide the information contained in the project to any data subject requesting it.
Where the purposes of the research may not be achieved without identifying data subjects, also on a temporary basis, the data controller shall take specific measures to keep identification data separate from biological materials and genetic information ever since collection – unless this proves impossible on account of the peculiarities of the processing or requires an effort that is manifestly disproportionate.
4.3. Security Measures
The following precautions shall have to be taken in connection with preservation and security of genetic data and/or biological samples.
Access to the relevant premises shall be controlled by security staff and/or electronic devices envisaging specific identification procedures, also based on biometrics. Any person admitted after closing time, on whatever grounds, shall have to be identified and their data recorded.
Preservation, use, and transportation of biological samples shall be carried out in such a manner as to also ensure their quality, integrity, availability and traceability.
Genetic data shall be transmitted electronically by certified electronic mail after encrypting and digitally signing the information to be transmitted. Web application-based communication channels may be used if they rely on secure communication protocols and it has been established that they can guarantee the digital identity of the server providing the service as well as of the client station from which the data are accessed by means of digital certificates issued by a certification authority in pursuance of the law.
Electronically processed genetic data may be accessed providing authentication systems are in place that rely on the joint use of information known to the persons in charge thereof and of tokens/devices held by the said persons, including biometric tokens/devices.
Genetic data and biological samples contained in lists, registers and/or databases shall be processed with the help of encryption techniques and/or by means of identification codes or any other techniques that can make them provisionally unintelligible also to the persons authorised to access them; to that end, account shall be taken of the amount of the processed data and samples. Additionally, data subjects shall have to be only identifiable when necessary, in order to minimise the risks of accidental disclosure and/or unlawful/unauthorised access. Where the said lists, registers and/or databases are kept with the help of electronic tools and also contain information concerning data subjects' genealogy and/or health, the aforementioned techniques must also allow genetic and medical data to be processed separately from any other personal data that can identify the data subjects directly. All the other obligations set forth in sections 11, 14, 22, 31 et seq. of the Code shall be left unprejudiced along with the technical arrangements concerning minimum security measures that are laid down in the technical specifications attached to the Code; this also applies to storage and transportation of the data outside secured premises and to the mechanisms ensuring restricted access to such premises. The obligations in question shall have to be abided by also with regard to biological samples.
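The separation required above can be pictured with a short sketch, added here as an illustration and not part of the authorisation: genetic records are filed under a keyed identification code, directly identifying data sit in a separate store, and linking the two back together needs a stated reason and leaves a log entry. The class, field names, key handling and sample subject are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timezone

# Field names treated as directly identifying (assumed for this example).
DIRECT_IDENTIFIERS = {"name", "surname", "tax_code", "birth_date", "address"}


class SeparatedRegister:
    """Register keeping identifying data apart from genetic/medical data."""

    def __init__(self, linking_key: bytes):
        if len(linking_key) < 32:
            raise ValueError("linking key must be at least 32 bytes")
        self._linking_key = linking_key   # held by the custodian, not by analysts
        self._identities = {}             # code -> directly identifying data
        self._genetic = {}                # code -> genetic/medical data only
        self.reidentification_log = []    # who re-identified whom, when and why

    def identification_code(self, tax_code: str) -> str:
        """Keyed code: stable per subject, not derivable without the key."""
        normalised = tax_code.strip().upper().encode("utf-8")
        return hmac.new(self._linking_key, normalised, hashlib.sha256).hexdigest()[:32]

    def enrol(self, identity: dict, genetic: dict) -> str:
        """Store the two halves separately, linked only by the code."""
        leaked = DIRECT_IDENTIFIERS & set(genetic)
        if leaked:
            raise ValueError(f"direct identifiers in genetic record: {sorted(leaked)}")
        code = self.identification_code(identity["tax_code"])
        self._identities[code] = dict(identity)
        self._genetic[code] = dict(genetic)
        return code

    def analysis_view(self) -> list:
        """What authorised analysts work on: codes and genetic data, no identities."""
        return [{"code": code, **record} for code, record in sorted(self._genetic.items())]

    def reidentify(self, code: str, operator: str, reason: str) -> dict:
        """Link a code back to a person only when necessary, and record it."""
        if not reason or not reason.strip():
            raise PermissionError("re-identification requires a stated reason")
        if code not in self._identities:
            raise KeyError("unknown identification code")
        self.reidentification_log.append({
            "code": code,
            "operator": operator,
            "reason": reason.strip(),
            "at": datetime.now(timezone.utc).isoformat(),
        })
        return dict(self._identities[code])


if __name__ == "__main__":
    # Constructed sample data, not a real person or a real test result.
    register = SeparatedRegister(secrets.token_bytes(32))
    code = register.enrol(
        {"name": "Anna", "surname": "Bianchi", "tax_code": "bnc-sample-0001"},
        {"sex": "F", "variant": "SAMPLE-VARIANT-1"},
    )
    print(register.analysis_view())
    print(register.reidentify(code, "dr_rossi", "communicate result to data subject"))
```

In a deployment the two stores would sit in different systems under different access controls, with the identity store and the linking key encrypted at rest; the single class here only makes the data flow visible.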
5. Information Notices
Except for the processing of genetic data carried out in a non-systematic fashion by general practitioners and/or family paediatricians within the framework of their standard relationships with data subjects as aimed at protecting their health and bodily integrity, information notices shall include the following items in addition to those referred to in sections 13, 77, and 78 of the Code:
a. a detailed list of all the specific purposes to be achieved;
b. the possible findings, also with regard to unexpected findings that might be disclosed on account of the processing of the genetic data;
c. the data subject's right to object, on legitimate grounds, to the processing of his/her genetic data;
d. whether the data subject is allowed to limit the scope of communication of his/her genetic data and the transfer of biological samples, including their possible use for additional purposes;
e. the retention period of genetic data and biological samples.
Where it is envisaged that genetic data and samples may be also transferred to non-EU countries, the notice must specify whether such countries do not ensure adequate protection in pursuance of sections 43-45 of the Code; the notice must also contain information to identify the recipients of the data and samples in question so as to actually afford data subjects the opportunity to check the data and samples concerning them.
Once the data subject becomes of age, the information notice shall be provided to him/her also in order to obtain his/her consent anew whenever this is necessary (section 82(4) of the Code).
As regards processing operations for scientific and statistical research purposes, the information notice shall also specify the following:
a. that the consent must be given freely and may be withdrawn at any time without this being in any manner detrimental and/or prejudicial to the data subject, except where the data and biological samples do not allow the data subject in question to be identified any longer whether from the start or because of their processing;
b. what arrangements have been made to ensure that data subjects are only identifiable for no longer than necessary for the purposes of data collection and/or for the subsequent processing (section 11(1), letter e) of the Code);
c. whether the data and/or biological samples may be retained and used for other scientific and statistical research purposes, to the extent this is known, whereby such purposes shall be specified appropriately also with regard to the categories of entity the data may be communicated and/or the samples transferred;
d. how data subjects can access the information contained in the research project, where they request to do so.
As regards processing operations performed via genetic tests and screening for health care purposes, or for research and/or family reunion purposes, specific, clear-cut information shall be provided to data subjects, also in writing, prior to collecting their biological samples – or prior to using such samples where collection has already taken place – irrespective of whether the processing is carried out by health care professionals and/or public or private health care bodies that have already informed the data subjects in question by resorting to the simplified mechanisms mentioned in sections 77-79 of the Code.
Processing operations aimed at the performance of investigations by defence counsel and/or the establishment of a judicial claim may only be carried out via genetic tests if the data subject has been informed thereof in the manner specified above.
5.1. Genetic Counselling and Information Activities
With regard to processing operations carried out via genetic tests for health care and/or family reunion purposes, genetic counselling shall be provided to data subjects both before and after performing the tests. Prior to introducing genetic screening for health care purposes, health care bodies shall take appropriate measures to ensure that the public is informed about availability and voluntary nature of the tests performed, their specific features and consequences – also within the framework of institutional publications and by means of electronic communications networks.
The genetic counsellor shall help data subjects make – in a fully autonomous manner – the decisions they consider to be most appropriate by having regard to genetic risk, family expectations, and their ethical and religious principles. The counsellor shall help them in pursuing a line of conduct that is consistent with the decisions made as well as in adjusting themselves to disease and/or the disease recurrence risk in the best possible manner.
Suitable precautions shall be taken to prevent genetic counselling from being provided in privacy-unfriendly situations either because of the specific arrangements made or on account of the premises where the counselling takes place; such precautions shall also be aimed at preventing third parties from getting to know genetic information and/or data suitable for disclosing health.
Where the individual variability test is aimed at establishing paternity and/or maternity, data subjects shall also be informed about the legislation on lineage; the possible psychological and social consequences of the test shall be highlighted.
Prior to performing scientific research on population samples, awareness-raising activities shall be carried out in respect of the community concerned also via local mass communication media and public presentations, in order to clarify the nature of the research, the purposes to be achieved, the implementing mechanisms, the financial sources, and the expected risks and/or benefits to the population concerned. The awareness-raising activities shall also point out possible discrimination and/or social stigma risks as applying to the community concerned, in addition to the risks related to the disclosure of unexpected consanguinity relationships, and describe the steps taken in order to minimise such risks.
Based on sections 23 and 26 of the Code, genetic data may be processed and biological samples used exclusively for the purposes specified herein, on condition the person concerned has provided his/her written informed consent thereto. In pursuance of section 23 of the Code, consent shall only be valid if the data subject is placed under no constraint to give it; consent may be withdrawn freely at any time. Where a data subject withdraws his/her consent to the processing of data for research purposes, the biological sample will be also destroyed providing it has been collected for such purposes – except where the sample may be related no longer to an identified and/or identifiable individual either from the very beginning or because of the processing.
As regards processing that is carried out by means of genetic tests, including screening, also for purposes of research and/or family reunion, the informed consent of the individuals that undergo the collection of the biological material required for performing such analysis shall have to be obtained. In the said cases, the data subject shall have to state whether he/she wishes to be informed of the findings of the test/research, including unexpected findings concerning him/her where such findings are factually and directly beneficial to the data subject in terms of treatment, prevention, and/or awareness of reproductive choices.
Consent with regard to the information concerning an unborn child shall be provided by the respective mother. Where the processing based on prenatal tests may also disclose genetic data related to the future occurrence of a disease affecting the child's father, the father's prior consent shall have to be also obtained.
If the processing is necessary to safeguard the data subject's life and bodily integrity, and the data subject may not provide his/her consent because of his/her being physically prevented from doing so, legally incapable, or mentally incapacitated, consent shall be provided by the legal representative or else by a next of kin, a family member, a person cohabiting with the data subject, or – failing these – the manager of the facility where the data subject is domiciled. The provisions set forth in section 82 of the Code shall apply.
The child's opinion shall be taken into consideration, insofar as this is permitted by the child's age and maturity; the child's best interests shall prevail in any case. In any other case where the data subject is legally incapable, or physically or mentally incapacitated, processing shall only be allowed if the underlying purposes are directly beneficial to the data subject; the data subject's opinion shall be taken into consideration to the extent this is possible, whereby the interest vested in a legally incapable and/or incapacitated data subject shall prevail in any case.
Data and biological samples relating to individuals that cannot provide their consent because they are legally incapable and/or incapacitated may be processed for scientific research purposes that are not directly beneficial to the said individuals if the following preconditions are all fulfilled:
a. The research is aimed at improving health of other individuals that either are in the same age group or are affected by the same disease or show the same features and the geographically competent ethics committee gave a substantiated favourable opinion to the research programme;
b. Research for similar purposes may not be carried out by processing data related to individuals that can provide their consent;
c. Consent to the processing is acquired from those that have legal authority over the data subject, or else from a next of kin, a family member, a person cohabiting with the data subject or – failing these – the person in charge of the facility where the data subject is hosted;
d. The research does not entail significant risks to the data subject's dignity, rights, and fundamental freedoms.
In the above cases, the foregoing provisions on the need to take account, insofar as this is possible, of the child's and/or incapacitated person's opinion are left unprejudiced.
Processing of data in connection with pre-symptomatic genetic tests may only be carried out on non-diseased children that are at risk of genetic diseases if it is factually likely that treatments and/or preventive measures become available prior to the children's becoming of age. Individual variability tests may not be carried out on children without both parents' consent, where parental authority is vested in both parents.
Processing of data in connection with genetic tests for the performance of investigations by defence counsel or else for the establishment of a judicial claim may only be carried out with the informed consent of the person the biological material required for the investigation(s) belongs to – except where the law or a decision issued by the judicial authority pursuant to the law provides otherwise.
7. Processing Operations in Specific Sectors
Genetic data or biological samples that are processed or collected, respectively, with a view to individual variability tests for the performance of investigations by defence counsel or in order to establish a judicial claim in a criminal proceeding may not be used for other purposes. Genetic data or biological samples that are processed or collected, respectively, with a view to the performance of genetic tests for purposes of prevention, diagnosis and/or treatment in respect of the data subject, or else for scientific or statistical research purposes, may be used for the performance of investigations by defence counsel or else to establish a judicial claim in a criminal proceeding on condition the relevant legislation is complied with.
8. Retention of Data and Samples
With regard to the obligation set forth in section 11(1), letter e), of the Code, biological samples and genetic data may be retained for no longer than is absolutely necessary to fulfil the obligations and/or discharge the tasks mentioned in point 3 hereof, or else to pursue the purposes referred to therein for which they were collected or used subsequently.
Biological samples and genetic data that have been collected and processed, respectively, to perform genetic tests and screening shall be retained for no longer than is necessary to perform the analyses and/or pursue the purposes for which they were collected or used subsequently.
Any genetic data that is processed for the purposes of family reunion shall be retained for no longer than is necessary to handle the reunion application, without prejudice to retention under the law of the instrument and/or document containing the data in question. Once the application is granted, or if it is rejected, the samples taken to establish consanguinity shall have to be destroyed (section 11(1), letter e), of the Code).
Under section 11(1), letters c), d), and e) of the Code, the authorised entities shall verify regularly that the data are accurate and updated and that they are relevant, complete, non-excessive and indispensable in respect of the purposes to be achieved in the individual cases – by having also regard to such data as are provided at the data subject's initiative. No data may be used that is found to be excessive, irrelevant and/or non-indispensable, also following the said verification.
8.1. Retention for Research Purposes
Biological samples and genetic data that were collected and processed, respectively, for health care purposes may be retained and used for scientific or statistical research purposes subject to the need for obtaining the data subjects' informed consent – unless the statistical investigations and/or scientific research are provided for by law, or if the scientific and statistical purposes are related directly to those for which the data subjects' informed consent had been obtained initially. Where it is impossible to inform data subjects on specific grounds and all reasonable efforts have been made to contact them, it shall be allowed to retain and make further use of previously collected biological samples and genetic data with a view to implementing research projects and performing statistical investigations other than the initial ones if research for similar purposes cannot be performed by processing data relating to individuals that can or have been able to provide their informed consent, and
a. The research programme entails the use of biological samples and genetic data that either per se or following their processing do not allow identifying data subjects and there is no proof that the said data subjects had objected thereto; or
b. The research programme was authorised specifically by the Garante in pursuance of section 90 of the Code after obtaining a reasoned favourable opinion by the geographically competent ethics committee.
9. Data Communication and Dissemination
Genetic data may not be communicated and biological samples may not be made available to third parties unless this is indispensable for the purposes mentioned herein.
Genetic data and biological samples collected for scientific and statistical research purposes may be communicated or transferred to research bodies and institutions, associations, and other public or private bodies pursuing research purposes exclusively within the framework of joint projects.
Genetic data and biological samples collected for scientific and statistical research purposes may be communicated or transferred to the aforementioned entities, in the absence of joint projects, to the extent the information does not include identifiable data and this is done for scientific purposes that are directly related to those for which the said data and/or samples were initially collected, whereby the purposes in question must be clearly specified in writing in the request for the data and/or samples. In this case, the requesting entity shall undertake not to process the data and/or use the samples for purposes other than those specified in the said request as well as not to communicate or transfer the data to third parties.
Any genetic data that is collected for family reunion purposes may only be communicated to the diplomatic representations and/or consulates that are competent for evaluating the documents submitted by the data subject, or else to the international body – regarded as eligible by the Ministry for Foreign Affairs – the data subject has applied to. Biological samples that have been collected for the aforementioned purposes may only be transferred either to the laboratory in charge of performing the individual variability tests or to the international body regarded as eligible by the Ministry for Foreign Affairs.
Without prejudice to section 84 of the Code, genetic data shall be disclosed as a rule directly to the data subject; they may be disclosed to individuals other than the data subject that have been delegated in writing by the latter. All appropriate arrangements shall be made to prevent unauthorised disclosure to other entities, including those present in a given place together with the data subject. Where the data are delivered directly to a person delegated by the data subject, they shall be kept in a closed envelope.
Genetic test/screening results as well as research findings that entail factual, direct benefits to a data subject in terms of treatment, prevention and/or awareness of reproductive choices shall have to be communicated to the said data subject by also respecting his/her stated willingness to be informed or not about the aforementioned events as well as by providing appropriate genetic counselling where necessary.
Genetic test/screening results and/or research findings that entail factual, direct benefits in terms of treatment, prevention and/or awareness of reproductive choices also to the individuals belonging to the same genetic line as the data subject may be communicated to such individuals if they so request and the data subject has expressly consented thereto, or if the results/findings in question are indispensable to prevent those individuals' health from being jeopardised – including reproductive risks – and the data subject's consent is not or cannot be given because the data subject is nowhere to be found.
As regards research carried out on isolated populations, such findings as may be relevant in terms of treatment and/or prevention with a view to protecting health of the individuals belonging to the said populations shall have to be disclosed to both the community concerned and local authorities.
No genetic data may be disseminated. Research findings may only be disseminated as aggregated information, or else in accordance with such arrangements as can prevent data subjects from being identified also by way of indirect identification data; this shall also apply to publications.
Subject to the provisions made in paragraph 5 as for informing data subjects, it shall be permitted to transfer, temporarily or not, genetic data and/or biological samples from the Italian territory to a non-EU country in accordance with Sections 43-45 of the Code.
10. Authorisation Requests
The controllers of processing operations that fall under the scope of application of this authorisation shall not be required to lodge an authorisation request with the Garante if the processing to be performed is compliant with the foregoing requirements.
Such authorisation requests as have already been or will be lodged, also following adoption of this authorisation, shall have to be regarded as granted under the terms set out herein.
No authorisation requests shall be taken into consideration by the Garante where they concern processing operations that depart from the requirements laid down herein, unless they are to be granted on account of peculiar circumstances and/or exceptional situations that are not addressed herein – e.g. whenever obtaining consent entails a clearly disproportionate effort by having regard, in particular, to the number of data subjects.
11. Final Provisions
The obligations arising out of laws, regulations and/or Community legislation that provide for bans and/or limitations on the processing of genetic data shall be left unprejudiced.
The controller of the processing of genetic data shall be under the obligation to submit a notification to the Garante prior to starting the said processing (as per sections 37 and 163 of the Code).
This authorisation shall be in force as from 1 January 2015 until 31 December 2016 subject to such amendments as the Italian data protection Authority may consider to be appropriate following major regulatory changes in this area.
This authorisation shall be published in the Official Journal of the Italian Republic.
Done in Rome, this 11th day of the month of December 2014.
THE SECRETARY GENERAL