Italian Data Protection Authority (Garante della privacy) has been involved in the assessment of data processing for scientific purposes.
Data processing for scientific purposes may involve only data collected for scientific purposes; including biological data. However, in the event biological data also constitute genetic data, the processing is forbidden. In such context, processing health – together with sexual orientation, racial or ethnic data – shall only be allowed when this is considerate indispensable to achieve research objectives.
DATA CONTROLLERS AND PROCESSORS
In the context of scientific research data processing, we may experience many varieties of data controllers and processors:
– Universities, Scientific Institutes and scientific companies, Researchers;
– Health profession operators;
– Legal or natural person, Private research foundations
Processing personal data for medical, biomedical and epidemiological purposes is allowed under two circumstances:
– Data processing in necessary to conduct previous studies based on previously collected data;
– Data processing is indispensable to conduct studies on people that, due to their clinical condition, are not able to provide their consent for data processing.
Data subject consent is not necessary in the event the research is conducted under legislations, regulation or EU law.
Data subject shall be informed about the legal ground on which data processing is based. However, in certain circumstances, data subject shall not be informed. More in particular, the data subject does not need to be inform when
– Such information is impossible or it involves a disproportionate effort;
– Such information risks endangering the purposes and objectives of the scientific research.
In such context, organisational and technical measures shall be paramount. Encryption and pseudonymisation techniques are strongly suggested when processing involves health and biologic data. Moreover, according to data minimisation principle, health data processing for medical and biomedical purposes is allowed only if necessary for the achievement of research objectives.
Personal data shall not be retained for longer that you may need. You can retain personal data for longer only under public interest archiving, scientific, historical or statistical purposes.