Kristof Van Quathem, Laura Somaini, and Max Jermanof Covington and Burling write:
On October 12, 2023 the Italian Data Protection Authority (“Garante”) published guidance on the use of AI in healthcare services (“Guidance”). The document builds on principles enshrined in the GPDR, national and EU case-law. Although the Guidance focuses on Italian national healthcare services, it offers considerations relevant to the use of AI in the healthcare space more broadly.
We provide below an overview of key takeaways.
Lawfulness of processing
The “substantial public interest” derogation for the processing of health data (Article 9(2)(g) of GDPR) must be grounded in EU or in specific provisions of national law. Moreover, when relying on that ground, profiling and automated decision making may only take place if expressly provided by law.
Accountability, definition of roles and privacy by design and by default
The Garante stresses the importance of the principles of privacy by design and by default, connected with accountability. Controllers should carefully consider the design of systems and appropriate data protection safeguards throughout the entire AI cycle. Additionally, the roles of each stakeholder involved should be determined appropriately.
Read more at Inside Privacy.