The issue of initiative medicine – in short, a healthcare model for the management of chronic diseases that aims at prevention through the analysis of mass data and the use of artificial intelligence – was addressed by the Italian Protection Authority last May in its opinion on a draft law. On that occasion, the Italian Protection Authority thought that the article of the legislative decree, with which the province intended to introduce a normative basis to allow the processing of health data for initiative medicine, presented numerous criticisms. 

The provision of the legislative decree sought to pursue a number of purposes (statistical, curative and administrative) that were based on different assumptions of lawfulness and, as it was formulated, did not allow the specific guarantees that the law guaranteed for the individual to be respected. The criticisms raised by the Italian Protection Authority are set out in the regulation. Moreover, the failure to send the Italian Protection Authority the necessary “impact assessment” on the basis of which the Province would have identified the procedures for carrying out operations on health data, including by using an algorithm, is prejudicial to a full assessment of the Regulation by the Authority. 

The draft regulation also provides for the acquisition of data on addictions, voluntary interruption of pregnancy, maternity and cancer registers. Information to which the regulation gives greater protection, in particular data on abortion, anonymous birth, HIV and artificial insemination. The same applies to the use of data relating to legal medical examinations and those carried out by the competent doctor on workers, which are regulated by rules limiting their availability.

The Authority has therefore requested the Province to process the data in accordance with the reference standards. The Authority then asked the Administration to refine the regulation by clarifying the logic and methods by which it intends to carry out the processing, with particular reference to the identification of risk subjects through the use of an algorithm for the analysis of large data.

Furthermore, the regulation should specify either that the data may be disclosed only in anonymous form or in a form which does not allow the identity of the subjects concerned to be traced.

Finally, the Authority has given specific indications to ensure that the Technical Regulation annexed to the Regulation complies with data protection rules and guarantees. SOURCE: FEDERPRIVACY