Italy: Garante reprimands local health authority Roma 1 in abortion-related data mishandling case
The Italian data protection authority (Garante) announced, on June 22, 2023, in its monthly newsletter, its decision No. 165, as issued on April 27, 2023, in which it imposed a reprimand on the Local Health Authority Roma 1, for violations of the General Data Protection Regulation (GDPR), in conjunction with two additional decisions imposed on AMA S.p.A. and the Municipality of Roma Capitale.
Background to the decision
The Garante explained that the investigation was launched further to reports in the media, according to which at the Flaminio cemetery of Roma Capitale, managed by AMA, there were hundreds of white crosses over graves where fetuses had been buried, and labels had been affixed disclosing the data of women who had undergone a termination of pregnancy.
Findings of the Garante
At the end of its investigation, the Garante found that the Local Health Authority had transmitted to AMA the documentation with the women's identification data, which had then been reported in the cemetery registers, potentially leading to the risk of extraction of the personal data of all the women who had undergone a termination of pregnancy in all the hospitals of the area. Moreover, the women's personal information had also been affixed on the crosses, despite the fact that the legislation provides that, for affixing plaques on gravestones, the information to be indicated is only that of the deceased.
As such, the Garante held that the conduct of the Local Health Authority gave rise to the disclosure to AMA of health data which could directly identify women who had undergone a termination of pregnancy (whether spontaneous or voluntary). In light of the foregoing, the Garante found the Local Health Authority in breach of Articles 5(1)(c) and 5(1)(f) of the GDPR.
Outcomes
In conclusion, the Garante imposed on the Local Health Authority a reprimand and ordered the same to implement, within 60 days, certain technical and/or organizational measures, such as obscuring the women's identification data, pseudonymizing or encrypting the data, that would ensure that fetuses and their place of burial could be identified by AMA without allowing the direct identification of the women's identity by third parties.
You can read the newsletter here and the decision here, both only available in Italian.