DATA PROTECTION
Italian Data Protection Authority: Compendium on the processing of personal data through web and app platforms aimed at connecting patients with healthcare professionals.
The decalogue issued by the Italian Data Protection Authority on the processing of personal data through web and mobile platforms that put patients in contact with healthcare professionals contains several points of considerable practical interest:

(1) a practical reconstruction of the data protection roles and relationships among the parties involved (platform operators/controllers; doctors using the platform's services; patients);

(2) specific information that must be provided in addition to the ordinary content of the privacy notice (e.g. information on the AI algorithms used to rank the recommended doctors, and the criteria behind patient ratings of doctors);

(3) a specific list of security measures that platform operators must adopt (e.g. verification of professional qualifications via OTP and PEC certified email; multi-factor authentication; measures to prevent confusion between persons with the same name or the same fiscal code; automated checks to detect abusive access);

(4) a reminder of the limits on the use of "real world data" (RWD) for further profiling purposes, consistent with the conclusions of the key measure the Authority adopted on 1 June 2023;

(5) the need to coordinate processing on these platforms with the legislation on online medical reports (the 2013 DPCM) and on electronic prescriptions, including for the purpose of identifying the technical and organisational measures best suited to reducing the specific risks of the processing.

The provision is rich in references to other provisions that are useful for processing in this sector. It is curious that the Authority did not refer among these to the recent provision 593/2023 ("Guidelines on Cryptographic Functions and Password Storage"), and that, on cross-border flows arising when platforms are provided from abroad, it referred almost exclusively to EU providers, with only a cursory reference to Chapter V of the GDPR for non-EU providers.