Privacy, that’s why the Guarantor beats three Friulian local health authorities

Privacy, that's why the Guarantor beats three Friulian local health authorities

Three Friulian Local Health Authorities have been sanctioned by the Privacy Guarantor for having classified, through the use of algorithms, the assisted in relation to the risk of having or not having complications in the event of an infection with Covid-19. All the details

The Privacy Guarantor has sanctioned three Friulian Local Health Authorities, which, through the use of algorithms, had classified the patients in relation to the risk of having or not having complications in the event of a Covid-19 infection. But this is not an entirely isolated case.


The three fined Friulian Local Health Authorities ( the Western Friuli University Company , the Central Friuli University Company and the Giuliano Isontina University Company ) had processed the data present in the company databases in order to activate appropriate self-initiated medical interventions for the patients and identify in time the most suitable diagnostic and therapeutic pathways.


During the investigation by the Privacy Guarantor, which acted after a report from a doctor, it in fact emerged that the data of the clients had been processed in the absence of an appropriate regulatory basis, without providing the interested parties with all the necessary information ( in particular on the methods and purposes of the processing) and without having previously carried out the impact assessment required by the EU Regulation on data protection.


The Authority reiterated that the profiling of the user of the health service, whether regional or national, determining an automated processing of personal data aimed at analyzing and predicting the evolution of the health situation of the individual patient and any correlation with other elements of clinical risk, can only be carried out in the presence of a suitable regulatory prerequisite, in compliance with specific requirements and adequate guarantees for the rights and freedoms of the interested parties, lacking in the present case.


Having therefore ascertained the violations and assessed that in the specific case the operations, through the use of algorithms, had involved data on the health of a large number of patients, the Guarantor ordered each of the three companies to pay the fine of 55,000 euros and proceed with the deletion of the processed data.


But a similar situation is also occurring with the Veneto Region, on which the Guarantor last week launched an investigation to verify the compliance with the privacy legislation of a resolution, on the basis of which general practitioners would no longer be able to choose the priority class of the performance required for the patient, but a system based on artificial intelligence .

Basically, explains the Guarantor, an algorithm would establish the waiting times for the prescribed services.

Within 20 days, the Veneto Region will have to communicate to the Authority every element useful for the assessment of the case, specifying in particular whether the attribution of the priority class of health services (urgent, brief, deferred, scheduled) is actually carried out in automated form, through algorithms. Furthermore, the indication of the priority class cannot be modified by the doctor.

The Region will have to indicate the legal rule on which the treatment is based, the type of algorithm used, the databases and the types of information and clinical documents that would be processed. It will also have to specify the methods used to inform the beneficiaries of the initiative, provide elements on the impact assessment carried out and indicate the number of patients involved in the treatment.

This is a machine translation from Italian language of a post published on Start Magazine at the URL on Tue, 24 Jan 2023 14:26:26 +0000.