Introduction

On 7 July 2020 the Data Protection Authority updated its FAQs regarding personal data processing in the face of the COVID-19 emergency, providing some important clarifications on contact tracing and medical data processing based on mobile app technology more generally.

'Contact tracing' is a strategy for the prevention of new contagions which involves:

  • identifying persons who may have come into contact with other people who subsequently tested positive for COVID-19; and
  • collecting information about these contacts with the aim of isolating any possible outbreaks.

As is evident, the implementation of this strategy implies and requires a major data processing operation relating to particularly sensitive personal information: in addition to identifying the personal data and location of people traced, a contact tracing system operates by processing health information.

Therefore, in order to undertake this type of data processing in compliance with the EU General Data Protection Regulation (2016/679) (GDPR), the contact tracing app must meet the requirements of Article 9 of the GDPR, which refers to the "processing of special categories of personal data" (eg, health data).

Contact tracing apps at national and regional levels

On the basis of Article 9 of the GDPR (and in particular Paragraphs 2(i) and 2(j), which establish the legitimacy of processing health-related data),(1) the legislature has legislated through Legislative Decree 28/2020 (enacted, as amended, by Law 70 of 25 June 2020), providing for the creation of a dedicated contact tracing app (called Immuni) that can be installed on various mobile devices.

The new FAQs underline that Immuni is the only contact tracing tool presently authorised and may be installed on a voluntary basis only, meaning that people who decide not to make use of it will face no prejudicial consequences (other than not receiving an automatic warning if there is a contact risk).(2)

If Italy's regions consider developing their own contact tracing apps for travel within their territories, they will need to ensure that use of such apps is voluntary and that declining to use them carries no prejudicial consequences. The Data Protection Authority has reiterated that any regional law which requires the use of a contact tracing app to enter a region would potentially violate both the Constitution and data protection rules. The right to freedom of movement is a fundamental right granted by the Constitution and may be limited only by law and only for health or security reasons (Article 16 of the Constitution).

Other medical applications

The COVID-19 health emergency has also affected the management of relationships between patients and health personnel in respect of medical examinations to be carried out and social distancing to be ensured within health facilities.

To solve these problems, various health facilities have considered using telemedicine tools (mobile apps for tele-diagnosis, teleconsultation, tele-assistance and telemonitoring used by medical staff). In the new FAQs, the Data Protection Authority has clarified that when these tools are used to carry out remote diagnoses or therapies, no specific or further consent from the person concerned is required, since this is simply a different way of conducting the regular doctor-patient relationship (see in particular Article 9(2)(h) and Article 9(3) of the GDPR). However, before proceeding with such processing (precisely in view of the quality and quantity of the data involved), healthcare facilities must first carry out a data protection impact assessment (Article 35 of the GDPR) and must then inform patients, pursuant to Article 13 of the GDPR, of the data processing that will be carried out through the application.

Since the national health service must guarantee healthcare to those who cannot install telemedicine apps, their use cannot be made obligatory.

Conversely, medical applications other than telemedicine (eg, mobile apps for collecting information on the state of health of the population in a given territory) which also involve personal data processing may be used only with the consent of the people concerned.(3)

Company mobile apps of other kinds

Some companies, especially larger ones, have enquired about using contact tracing tools for employees only in order to verify the spread of the virus at a company level. However, the Data Protection Authority's position in this regard is strict: for now, the possibility of using any such system – and consequently to process the relevant personal data in accordance with the law – is exclusively provided by Legislative Decree 28/2020 (ie, the Immuni app).

Conversely, in the FAQs, the Data Protection Authority reiterated that contagion risk reduction systems which require no personal data collection for their operation may be used. For example, it is possible to install turnstiles that stop more people from entering a plant or conference room than the maximum number allowed to guarantee social distancing, or other entry barriers equipped with optical detectors which deny access to certain places to anyone without adequate personal protective equipment (eg, masks).

Such tools are undoubtedly legitimate and raise no GDPR compliance issues, since they do not process data relating to identified or identifiable persons; however, it remains up to data controllers to verify how reliable the chosen systems are, and to put countermeasures in place for malfunctions or false positives.

Endnotes

(1) Paragraphs 2(i) and 2(j) state that:

processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices… [and for] archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.

(2) See also the Opinion of the Italian Data Protection Authority 9356568 of 1 June 2020.

(3) See also the provision of the Data Protection Authority of 7 March 2019.