By decision of 15 April 2021, published on 19 May 2021, the Italian Data Protection Authority (“Authority”) fined a physician for having disclosed a patient’s health data through the projection of a presentation relating to a clinical case during a congress. Evidence collected by the Authority showed that, in order to draft his presentation, the physician used health data and documents recorded in the database of a Health Structure as well as photographic material prepared by the same physician during the patient’s treatment.
In its decision, the Authority considered that by disclosing the patient’s data the physician breached several provisions of the General Data Protection Regulation, including by failing to obtain the patient’s informed consent for the processing of his health data for scientific information purposes, to obtain the Health Structure’s authorization as controller of the patient’s data, and to anonymize the data and images used in the presentation.
With regard to this last aspect, the Authority pointed out that the published documents, in addition to reporting the patient’s initials, contained information relating to his age, hospitalization, medical history, and several images of the surgery that, taken together, made the patient identifiable. Lastly, the Authority recalled that, pursuant to the Italian Privacy Code, it is expressly forbidden to disseminate data that can reveal the health status of the individual concerned.