
Guidelines on Processing Personal Data to Perform Customer Satisfaction Surveys in the Health Care Sector



[doc. web n. 3853781]

5 May 2011 (Published in Italy´s Official Journal No. 120 of 25 May 2011)

Table of Contents

1. General

2. Customer Satisfaction Surveys

3. Scope of the Surveys, Mechanisms for Administering Questionnaires, and Sample Selection

4. Preparing the Customer Satisfaction Survey

4.1. Questionnaires Entailing the Processing of Anonymous Data

4.2. Questionnaires Entailing the Processing of Personal Data

5. What Data May Be Used

6. Lawful and Indispensable Processing of Personal Data

7. Entities Involved

8. Information Notice

9. Data Storage and Dissemination of Findings

Annex 1


1. General

Several initiatives are in progress at many health care bodies as part of an action to improve private and public health care; they are aimed at assessing the quality of care as perceived by users in order to re-organize the services and more effectively meet citizens´ expectations.

Against this background account should also be taken of customer satisfaction surveys, which play a key strategic role in that they allow gauging effectiveness and efficiency of the services as perceived by users with a view to enhancing performance.

More specifically, it has been found that customer satisfaction activities with regard to quality of the services made available by health care bodies (booking of medical examinations, hospitalization, outpatient services, etc.) foster the patients´ involvement and participation and ultimately strengthen trust between citizens and administration; they can also contribute to the design of new and/or improved service provision arrangements so as to customize them to users´ needs and expectations.

1.1. The Regulatory Framework

Customer satisfaction activities are included among the measures envisaged as part of the "consolidation and enhancement of the mechanisms and tools to monitor and assess costs, performance and outcomes of public administrative bodies pursuant to Section 11 of Act No. 59 of 15 March 1997." The latter measures provide, in particular, that national and local public services be delivered in such a manner as to foster their improved quality and ensure citizens´ and users´ protection along with their involvement in the procedures for assessing and determining quality standards (Section 11(1) of legislative decree No. 286 of 30 July 1999). Quality assessment mechanisms have taken on considerable importance especially following recent legislation whereby public bodies are required to implement methods and tools to gauge and assess their performance so as to achieve top quality and cost-effectiveness.

Accordingly, providers of public health care services (including licensees of and/or contractors for the national health care service) are required to implement methods guaranteeing quality of their services based on quality markers as well as on the adoption of a "Charter of Services"; the underlying principles must be equality, impartiality, continuity, freedom of choice, participation, effectiveness and efficiency.

In particular, the aforementioned principle whereby citizens should participate in the provision of public services makes it necessary for every health care body to implement initiatives such as to foster the interaction between the public body providing those services and users; this may also include a customer satisfaction assessment system based on administration of a questionnaire to health care recipients.

It should also be pointed out that the assessment of health care quality as performed by health care bodies in the National Health Service and/or by other public health care bodies is aimed at purposes that are of "substantial public interest" under Section 85(1) of the Code.

Collecting the information that is relevant to assess customer satisfaction may entail the processing of personal data relating to service recipients. This is why this DPA considers it appropriate to lay down a consolidated set of safeguards to ensure compliance with data protection legislation in this specific context.

2. Customer Satisfaction Surveys

To assess the satisfaction of health care recipients several methods can be used including the structured monitoring of users´ complaints, reports, recommendations or suggestions, interviews, focus groups, customer satisfaction surveys, and other ad-hoc surveys.

Systematic customer satisfaction surveys are aimed at collecting information both on user expectations regarding health care services and on the perceived quality of health care. Such surveys often rely on the administration of questionnaires to gauge service quality as perceived by recipients; they include several questions in order to gather the information to be surveyed.

3. Scope of the Surveys, Mechanisms for Administering Questionnaires, and Sample Selection

Since the quality features to be assessed in the health care sector have to do with overall hospitalization conditions, health care services and activities, the contents of the relevant questionnaires must not address medical treatment-related clinical aspects.

Based on the documents gathered so far, several mechanisms are relied upon to administer such questionnaires. In some cases the questionnaire is filled out by the interviewer asking questions in person or during a phone call; in other cases this is done directly by users, perhaps via an online form as available on the health care body´s website; in yet other cases the questionnaire is mailed or emailed.

The surveys can be carried out on the total population of the users of the service(s) whose quality is to be assessed (full surveys), or else on a sample of patients (sample surveys) that are selected as eligible on the basis of pre-defined criteria (such as sex, age range, admission/release in a given timeframe, or presence of specific diseases).

4. Preparing the Customer Satisfaction Survey

4.1. Questionnaires Entailing the Processing of Anonymous Data

In the initial preparatory phase of the customer satisfaction survey – when the survey´s scope and objectives are set out – the health care body will have to determine specifically whether the purposes of the survey can be achieved by minimizing the processing of users´ personal and/or identification data in connection with the questionnaire to be administered; this is in line with the data minimization principle. This means that no personal data should be processed if the purposes in question can be achieved by using anonymous data or else mechanisms enabling identification of a data subject only where necessary (see Sections 3 and 4(1), letter b), of the Code).

As a rule, customer satisfaction surveys should not require collecting information that relates to identified or identifiable individuals. Thus, a data subject´s name or family name and any other personally identifiable information should not be collected, except where the purposes of the survey cannot be achieved otherwise and the information in question is accordingly indispensable – for instance, if the health care body relies on phone interviews and/or on postal or telephone reminders to urge respondents and obtain as many replies as possible.

If the decision to use an anonymity-friendly questionnaire is made following the above considerations, the processing of the relevant information does not fall under the scope of application of personal data protection legislation; accordingly, these guidelines are not applicable either.

4.2. Questionnaires Entailing the Processing of Personal Data

The survey is sometimes designed so as to obtain as many replies as possible, in that the questionnaire is administered via telephone interviews or else postal or telephone reminders are used. In such cases one has to collect information to contact the respondents at a later stage, i.e. the respondents must be identifiable.

In other cases it may prove fundamental to also collect specific information on data subjects – for instance, because such information may be related to the respondents´ appreciation of the quality of service – or else on the features of the services at issue, in order for the survey to be successful given its purposes and scope.

Collecting the above information may ultimately enable identification of the users even if it does not entail the disclosure of the respondents´ census data, especially if the survey is limited in scope and by taking account of possible interactions. This may also be the case if the questionnaire includes open-ended questions, i.e. if the replies are not pre-defined, or else free-text fields to enter additional remarks, suggestions or comments that might make it easier to identify a respondent (e.g. by way of his or her signature).

Given the specific health care context of such surveys, each item of the above information as well as the whole set of such information, or even the combination of that information with data held by the health care body possibly for different (e.g. administrative) purposes – such as filing systems containing patients´ names or other sources of information containing users´ identification data along with information collected via the questionnaire, or else other non-name-based filing systems providing additional information on top of what can be gathered from the questionnaire – may make the data subjects identifiable under certain circumstances.

At all events, the subsequent processing and storage of collected data should not allow identifying data subjects, not even indirectly, by reference to any other item of information (see Section 11(1), letter e), of the Code).

Additionally, selecting the sample of respondent users (paragraph 5) may entail the (transient) identification of the data subjects if the survey concerns a specific set of patients on the basis of pre-defined criteria – e.g. when selecting patients admitted to a specific ward over a specific period.

In all the above situations performing the survey entails the processing of personal data, which must be in compliance with data relevance and minimization principles (Section 11(1), letter d), of the Code) as well as with such other arrangements as are laid down in data protection legislation and described in these guidelines.

5. What Data May Be Used

As already pointed out, sector-specific legislation provides that the quality of health care services should not be assessed by addressing the medical issues relating to the care provided and/or received as those issues pertain basically to the relationships with health care professionals. Rather, the assessment should focus exclusively on the qualitative features of the health care services with particular regard to timeline, user-friendliness of the procedures, information received on the given medical treatment, orientation and accommodation arrangements, comfort level in the health care facility, and human and social interactions.

Although a customer satisfaction survey is not intended, in principle, to directly gather information on customers´ health (Section 4(1), letter d), of the Code), the data used to carry out such a survey may be suitable for disclosing health on account of the specific (health care-related) context; as such, the data in question may fall under the concept of sensitive data pursuant to Section 4(1), letter d), of the Code depending on the criteria used in selecting the users´ sample and/or administering the questionnaire as well as on the type of information collected via the questionnaire.

Reference can be made, for instance, to the inclusion of questions aimed at obtaining information that can disclose specific medical conditions – such as specifying the ward where the respondent was treated, the type of care and/or service received (hospitalization, surgical operation, diagnostic exams, vaccinations, etc.), or the medical sector applying to the caregivers (cardiology, neurology, obstetrics & gynecology, oncology, etc.), or even whether certain medical facilities were provided such as diapers, prostheses, bladder catheters, shoe implants, etc.

At all events, the information suitable for disclosing the users´ health may only be collected as part of a customer satisfaction survey concerning health care services if, as recalled in the foregoing paragraphs, the processing of anonymous data does not allow the survey to achieve the respective purpose(s) and the medical data are indispensable to achieve such purpose(s) (see Sections 22(3) and (5) and 26(1) of the Code; see the Garante´s General Authorisation No. 5/2014 on the processing of sensitive data by several categories of data controller, and the Garante´s General Authorisation No. 2/2014 on the processing of data suitable for disclosing health and sex life).

It is anyhow prohibited to use data suitable for disclosing the data subjects´ sex life in connection with customer satisfaction surveys (see the aforementioned General Authorisation No. 5/2014 and the Model Regulations on the processing of sensitive and judicial data by Regions, Autonomous Provinces and Health Care Bodies, Form No. 39, Annex B, as approved by the Italian DPA via a favourable opinion rendered on 13 April 2006).

6. Lawful and Indispensable Processing of Personal Data

Personal data, including data that is suitable for disclosing health, may be collected via customer satisfaction surveys on different legal grounds depending on whether or not such surveys are initiated as part of the tasks committed to the National Health Service or other public health care bodies.

At all events, participation by respondents is voluntary. Thus, users have full discretion in providing the data requested from them irrespective of the mechanisms used by the health care body to administer the questionnaire.

As part of the tasks conferred on the National Health Service, public health care bodies may carry out surveys to assess the quality of health care also by the agency of private (health care) contractors without the users´ consent: this is so because the use of customer satisfaction questionnaires can be traced back to institutional purposes in the substantial public interest that have to do with the adoption of mechanisms and tools to monitor and assess costs, performance and outcomes of health care bodies´ activities (see Sections 18 and 85 of the Code, and Section 11(1) of legislative decree No. 286/1999 along with Sections 10 and 14 of legislative decree No. 502/1992). Such surveys must be performed at all events in compliance with the regulatory instruments adopted by the competent regional bodies as for the processing of sensitive and judicial data, which should be based on the model regulations approved by the DPA (Section 20 of the Code; see the aforementioned Model Regulations). Under the said regulatory instruments, personal data disclosing health may be lawfully processed in connection with customer satisfaction surveys aimed at monitoring and assessing health care quality, since the activities in question are part of the administrative tasks related to the caregiving activities of the National Health Service that address purposes of substantial public interest (Section 85(1), letter b), of the Code; Model Regulations quoted above).

Furthermore, it should be pointed out that any other public health care body providing health care may perform the activities in question without users´ consent; conversely, private health care bodies other than those meeting the conditions referred to above must obtain the respondent users´ informed consent beforehand. This consent may also be obtained at the time the consent required to process personal data for medical treatment and related administrative purposes is obtained. Compliance with the measures laid down in the DPA´s general authorisations No. 2/2014 and 5/2014 is also necessary pursuant to Section 26(1) of the Code.

It was highlighted in the foregoing paragraphs that medical data may happen to be processed in connection with health care quality surveys; if so, consent by users to the collection of this information must be given, as a rule, in writing. Written consent is considered to also consist in flagging specific symbols on check-boxes displayed beside an online information notice, provided that unambiguous identification of the data subject can be achieved via suitable mechanisms – e.g. by entering identification information after a registration procedure. This is the case, for instance, of customer satisfaction questionnaires posted on the official website of a health care body as forms that can be filled out remotely and then transmitted by users.

Finally, the processing of personal data as part of customer satisfaction surveys must be aimed exclusively at monitoring and assessing the perceived quality of health care services. In particular, it is prohibited to use this data with a view to profiling users – possibly in order to send promotional materials on products or services that are related to those being supplied/provided (Section 11(1), letter b), of the Code; see also the DPA´s order of 7 December 2006, No. 1379101).

7. Entities Involved

The fact-finding action implemented by the DPA showed that customer satisfaction surveys regarding health care are usually carried out directly by the caregiving bodies/agencies; it sometimes happens that they are carried out on behalf of several health care bodies by way of a lead entity or else via the regional health care councilor´s office upon agreements with the health care bodies/agencies in the respective territories.

The above entities may avail themselves of external collaborators for the given survey; to that end, such external entities must be appointed as data processors in pursuance of Section 29 of the Code.

The data controllers – and the data processors, where appointed – must appoint the staff in charge of administering the questionnaire as "persons tasked with the processing" pursuant to Section 30 of the Code. In particular, the staff involved in administering the questionnaire – as well as being easily identifiable – must be trained appropriately with regard to the information to be highlighted in the privacy notice. The latter requirement is meant to ensure full compliance with the obligation to inform data subjects under Section 13 of the Code.

Regarding the possibility to carry out a survey via telephone interviews, the persons tasked with the processing must be instructed appropriately; that is, they should only mention the fact that they are calling on behalf of a health care body after establishing, insofar as possible, that their interlocutor is the data subject. This will reduce the risk of unduly disclosing the data subject´s medical information to third parties.

The competence to assess and monitor health care quality lies with regional administrations as well; they do not provide health care directly to citizens, however they do plan and supervise the introduction and use by health care bodies of tools and methods to assess the quality of health care services (see Section 10(2) of legislative decree No. 502/1992).

Where regional entities plan to survey the quality of health care as part of the said monitoring and assessment activities, such surveys may not entail the processing of information making users directly identifiable. Accordingly, as well as fostering the performance of customer satisfaction surveys at certain health care bodies, regional health care councilor´s offices may carry out those surveys directly in their capacity as data controllers or joint data controllers (Section 4(1), letter f), of the Code) – perhaps in cooperation with the health care agencies in the relevant territories; however, they may only collect anonymous data or data that does not make users directly identifiable (Section 85(1), letter b), of the Code; see also the Model Regulations quoted above).

8. Information Notice

If a health care body plans to rely on survey mechanisms that envisage the collection of data making users identifiable, also indirectly, reference should be made to the specific obligations under data protection legislation. In particular, health care bodies as well as regional organisations carrying out such initiatives in their capacity as data controllers must provide data subjects with suitable information notices beforehand (Sections 13, 79 and 80 of the Code). This is meant to enable users to make informed choices as to their involvement in customer satisfaction surveys where they can provide their views on the quality of health care services.

The information may also be provided verbally to data subjects by the operators in charge before administering the questionnaire(s); alternatively, it may be included in the questionnaire(s).

The information should be worded clearly and concisely and include all the elements mentioned in Section 13 of the Code; in particular, it should highlight specifically that users are free to provide the data requested via the questionnaire(s) and that the data will be destroyed or anonymized immediately after being collected or, at the latest, after being recorded.

Special precautions must be taken if the questionnaire is administered via telephone interviews or if phone calls are used to remind respondents that they should reply and return the questionnaire. In particular, one should prevent entities other than the data subject from being informed unduly of the data subject´s health situation on the occasion of such calls.

If this is the case, one should ask the respondents – when providing the information notice – to specify their contact details and the timeframe for contacting them with a view to the telephone interview. If the survey is to be carried out by way of emailed questionnaires, respondents should be asked to specify the email accounts for sending them such questionnaires.

A template is annexed to this Order (Annex 1) to facilitate the identification of the key elements to be included in the information notice. The template may be used by health care bodies, if they so wish, by adapting it to the specific survey arrangements in order to fulfil information obligations pursuant to the simplification, harmonization and effectiveness principles that underlie the Code so as to ensure a high level of protection to data subjects´ rights (Section 2 of the Code).

9. Data Storage and Dissemination of Findings

In accordance with the proportionality principle (Section 11(1), letter e) of the Code), data controllers must destroy or anonymize such identifying information as they happen to collect immediately after such collection and in any case no later than when the data contained in the questionnaires are recorded (stored). The data must be recorded (stored) without delay even if a considerable number of questionnaires have been received.

Within the said timeframe both the data controller and the data processor (and/or the persons tasked with processing the data) may lawfully use the identifying information to verify that the sampled data are correct and/or truthful by contacting the respondents.

The findings of a survey may be communicated or disseminated only in anonymized or aggregated format, so that no data processed in connection with the survey may be associated with identified or identifiable data subjects (see Chapter II of the DPA´s General Authorisation No. 5/2014, and Paragraph 7 of the DPA´s General Authorisation No. 2/2014).


Refers data controllers performing customer satisfaction surveys in the health care sector to the guidelines below in order to protect data subjects under the terms set out in the foregoing paragraphs. The guidelines in question concern:

a) Minimizing the use of personal data and data identifying users by having regard to the purposes sought via the survey in accordance with the data minimization principle (paragraph 4.1.);

b) Taking precautions to prevent data subjects from being identified in the course of the subsequent storage and processing of the collected data (paragraph 4.2.);

c) Complying with the requirement whereby data suitable for disclosing health may only be used where indispensable to achieve the purposes of the survey (paragraph 5);

d) The ban on using data suitable for disclosing sex life (paragraph 5);

e) The ban on using the collected personal data to profile users also with a view to sending promotional materials concerning products or services related to those being supplied/provided (paragraph 6);

f) Regarding the health care bodies that perform customer satisfaction surveys as part of the tasks conferred on the National Health Service and any other public health care bodies providing health care services, the need to comply with the regulatory instruments adopted by the relevant regional bodies with a view to processing sensitive and judicial data as per the model regulations approved by the DPA (paragraph 6);

g) Regarding regional administrative bodies, the ban on collecting data that make users directly identifiable (paragraph 7);

h) Regarding private health care bodies (paragraph 6) and except for the cases mentioned under letter f) above,

- Obtaining users´ prior consent, possibly when the consent is obtained to process their personal data for health care and related administrative purposes;

- Complying with the requirements laid down in the DPA´s general authorizations No. 2/2014 and 5/2014;

i) Appointing any external collaborators in the survey as data processors (paragraph 7);

j) Appointing the staff in charge of administering questionnaires as persons tasked with the processing and instructing them as appropriate if the survey is performed via telephone interviews (paragraph 7);

k) The obligation to provide data subjects with suitable information notices by also relying on the template annexed to these guidelines (paragraph 8);

l) Taking suitable measures as for data storage and dissemination of findings (paragraph 9).



Information Notice on the Processing of Personal Data in Customer Satisfaction Surveys

Dear Madam/Sir,

This is to inform you that this (hospital/health care body) might carry out a customer satisfaction survey by way of a questionnaire. You should be so kind as to mail it back to this address…. / deliver it in person to …./ place it in the ad-hoc mailboxes located at/in….. / reply to a telephone interview with staff specifically in charge.

You are free to decide whether to provide the data requested via the questionnaire; if you decide not to reply, this will not prevent you from receiving the required care.

The information collected via the questionnaire will only be processed statistically also with the help of electronic tools by this (hospital/health care body) or by (specify external collaborators acting as data processors) in order to assess quality of our services and/or care.

The data you provide us will not be disclosed to third parties. They will be destroyed or anonymized immediately after being collected, at the latest once they have been recorded. The findings of the survey will only be disseminated in anonymous format.

You may at any time access the information concerning you; check if this information is accurate; supplement, update, rectify this information; object to the processing of this information on legitimate grounds; exercise all the other rights concerning your personal data. To do so, please apply to (specify a contact person or an office in charge and the respective contact details).

(If a telephone interview or reminder calls are planned or if the questionnaire is to be emailed, add the passage below)

If you agree to participate in this initiative, please give us a phone number / email address….. and tell us when ….. (hours) we can contact you for the interview/to send you the questionnaire/to remind you to reply to and return the questionnaire.