Reducing the distances imposed by the measures adopted to contain contagion, so that patients can still be provided with healthcare services on a regular basis: this is the reason for the growing interest of the healthcare world, including the Ministry of Health, in telemedicine and the related applications and tools.
The pharmaceutical industry is not new to this type of initiative. Indeed, even before the pandemic, many pharmaceutical companies had funded or directly developed technological solutions to be used by organisations or healthcare professionals to provide telemedicine services to patients, with a view to improving patient engagement or, overall, making the patient journey more immediate and efficient.
The areas of application of such technological solutions as well as the types of services provided through them, are very different: from remote monitoring of the health status of patients suffering from chronic diseases to the assessment of the effectiveness of treatments to routine healthcare practice.
Besides the intrinsic differences between one technological solution and another, they all share some basic issues of concern, which are primarily related to the allocation of responsibilities for the personal data processing carried out through them.
Roles and responsibilities relating to personal data processing
As is known, Regulation (EU) 2016/679 ("GDPR") assigns different responsibilities depending on the role each person plays in the processing. In general, under the GDPR, a person can act as a data subject, a data controller, a data processor or a person authorised (by the data controller or processor) to process.
Data subject means the natural person to whom the personal data refer.
Controller means “the natural or legal person, public authority, agency or other body which ... determines the purposes and means of the processing of personal data”.
Processor means “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”.
Finally, person authorised to process means “the person who, under the direct authority of the controller or processor, is authorised to process personal data”.
The design, planning, development, and subsequent management of technology solutions of the type described above typically involve patients, healthcare organisations and professionals, developers or, in any event, IT service providers as well as pharmaceutical companies.
Among the many contractual schemes that can theoretically be envisaged to regulate the relationships between the categories of subjects mentioned above, the one most frequently used in practice is this: the pharmaceutical company funds, or directly entrusts a technology supplier (the “provider”) with, the development and, as a rule, also the maintenance of an application (the software and the related IT platform), which is then licensed to healthcare organisations (or individual healthcare professionals) for the provision of telemedicine services to patients.
With this scheme in mind, we will therefore try to reconstruct the roles provided for by the law on the protection of personal data described above.
The position of the patient
In the context of the processing of personal data carried out through the above applications, the patient is as a rule the data subject, i.e. the person to whom the personal data being processed refer. However, it may happen that the applications (or the apps for mobile devices connected to them) give the patient the possibility to use them for personal purposes (for example, to store documents or record data that no one else can access). In such case, the processing carried out by the data subject, if it remains entirely under his or her control, will fall within the scope of activities for personal or family purposes, to which the GDPR does not apply. On the other hand, if a third party (e.g. the provider) were to carry out some processing activity (e.g. the mere storage of data) on behalf of the data subject, that party should be regarded as an autonomous data controller.
The position of healthcare organisations and professionals
In order to qualify healthcare organisations and professionals for data protection purposes, it is appropriate to distinguish the case in which a healthcare professional uses the applications as an independent professional from the case in which he or she uses them as an employee or collaborator of a healthcare organisation.
The controller of the personal data processing carried out through the applications (rectius, of the processing carried out for healthcare purposes) would be, respectively, in the first case, the individual health care professional and, in the second case, the health care organisation (and the health care professionals bound to the same by a contract of employment or collaboration would act as persons authorised to process). Health care professionals who, for the purposes of the registration and use of applications, enter their personal data in them, also act as data subjects.
The position of the provider
The position of the provider is more complex.
Insofar as the provider, besides the design, engineering, and development of the application, also provides technical support and (corrective, adaptive, or evolutionary) maintenance services, the provider certainly acts in the context of personal data processing carried out by health care organisations and professionals for health care purposes, as data processor for such organizations or health care professionals.
The processing activities that a provider carries out, however, may not, and generally do not, end there. Data is indeed processed not only for health care purposes but also to allow users to register with an application and ensure its operation and, as often happens, to conduct statistical surveys or market research.
In such case, the qualification for privacy purposes of the provider is linked to that of the pharmaceutical company commissioning the application. If the involvement of the pharmaceutical company in the processing of personal data carried out through the application could indeed be entirely excluded, then the provider would assume, in relation to these processing operations, the role of (exclusive) controller. If, on the contrary, the pharmaceutical company were to be qualified as a data controller, then the provider might play, depending on the contents of the agreement reached with the pharmaceutical company, either the role of processor of the pharmaceutical company or that of joint data controller.
The position of the pharmaceutical company
Concerning the position of the pharmaceutical company in relation to the processing operations mentioned above, the verification of its potential qualification as a data controller must be carried out in accordance with the definition of data controller under Article 3 (1) (7) GDPR and with the criteria set out by the European Data Protection Board (hereinafter the “EDPB”) by the “Guidelines 07/2020 on the concepts of controller and processor in the GDPR” adopted on 2 September 2020 (hereinafter the “Guidelines”).
The Guidelines break down and analyse separately the individual elements that contribute to defining the concept of controller.
For what is of interest here, it is worth dwelling on what is meant by the statement that a data controller is the person who “determines the purposes and means of the processing of personal data”.
The expression “determines” relates to the intensity of the powers exercised by the controller as to the purposes and means of the processing. What emerges from the Guidelines is that the power of a controller is typically an absolute power, not subject to limitations or conditions and, therefore, capable of determining, alone, why and how the processing must be carried out. In order to assess the extent of the power exercised by the controller, where it is not determined by the law, reference can be made to how the parties to a contract have defined their respective roles and responsibilities. The Guidelines specify, however, that the contractual qualification of one entity as data controller does not exempt another entity from the obligations that the GDPR imposes on data controllers, where the factual circumstances show that it is the latter that has actually determined the “why” and “how” (i.e. purposes and means) of the processing.
Purposes and means of the processing constitute precisely the scope of the power exercised by the controller. The Guidelines, besides providing that a controller must decide on both purposes and means and not only on one of such aspects, introduce a distinction between essential means (e.g. the type of personal data to be processed, the duration of the processing, the categories of recipients, the categories of data subjects, etc.) and non-essential means (e.g. detailed security measures), in this way admitting that persons other than the controller may contribute to determining the means (though non-essential means only) of the processing without this implying that they play the role of controller.
Finally, the Guidelines take a position on some cases that may give rise to interpretative doubts as to the role of subjects who entrust a third party with the collection and subsequent processing of personal data for research or statistical purposes, without ever having access to or otherwise processing the personal data collected, and receiving from the service provider only anonymous data. In such case, the principal, in the opinion of the EDPB, still remains the controller, having determined the purposes and means of the processing. In this regard, we would like to stress that one should not adopt the position emerging from the Guidelines uncritically, but should do so on a case-by-case basis, each time assessing the extent to which purposes and means are actually determined by the principal. For example, consider the case where the client merely finances the collection by entrusting it to a third party (e.g. an institute of hospitalisation and care of a scientific nature), leaving to that third party the determination, if not of the purposes, at least of the essential means of the processing to be carried out, with a view to the subsequent anonymisation of the personal data collected and their transmission in anonymised form to the principal. In such cases one may conclude that the client cannot be considered a data controller, a role that will remain with the third party.
On the contrary, one may conclude that if the pharmaceutical company funds the development of the application and interferes in the determination of the essential means, the pharmaceutical company should be considered a controller of the processing carried out for purposes other than those related to health care, which are usually related to research, to the development or promotion of its drugs or, in general, to its business activities.
This article is for information purposes only and is not, and cannot be intended as, a professional opinion on the topics dealt with. For further information please contact Paolo Gallarati and Giulio Uras.