Genetic data, biometric data, data concerning health…

By | Saturday October 31st, 2015

 The General Data Protection Regulation (the text of June 2015) follows the contents already present in the Dlgs 196/03 regarding sensitive data and data concerning health and does it in:

 article 4 – Definitions

(12) ‘data concerning health’ means data related to the physical or mental health of an individual, which reveals information about his or her health status;

 and also in

 Article 9 – Processing of special categories of personal data

 The processing of personal data, revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of genetic data or data concerning health or sex life (…) will be prohibited.

 The comparison with the current definition of the Dlgs 196/03 highlights the differences and at the same time the affinities.

 Article 4 – Definitions

 For the purposes of this Code

d) ‘sensitive data’ shall mean personal data allowing the disclosure of racial or ethnic origin, religious, philosophical or other beliefs, political opinions, membership of parties, trade unions, associations or organizations of a religious, philosophical, political or trade-unionist character, as well as personal data disclosing health and sex life;

The new definition is more detailed than the current Italian definition, introduces the concept of sensitive data, other beliefs and opens the field to significant extensions as applicable to any held convictions.

 However, the use of the term reveal remains for the identification of these categories of data. The concept of reveal or the most extended concept of suited to permit revelation contained in the Italian current legislation is radically different from the concept of related to, used by the Regulation in the case of data concerning health.

The Italian current definition of sensitive data includes in fact as a broad, not only a precise and detailed definition (such as being a member of a specific trade union), but a much more general definition (such as being a member of a union, as may be inferred from a deduction in a pay slip).

However this line wasn’t retained as regards the data concerning health,  which is in the new wording related data (the current Italian definition considers them data revealing, with all the consequences from the extensive case).

In this respect, the Regulation defines punctually a series of possible health data. In fact, in statement (26) the Regulation says:

Personal data concerning health should include (…) data pertaining to the health status of a data subject which reveals information relating to the past, current or future physical or mental health of the data subject; including information about the registration of the individual for the provision of health services (…); a number, symbol or particular assigned to an individual to uniquely identify the individual for health purposes; (…) information derived from the testing or examination of a body part or bodily substance, including genetic data and biological samples; (…) or any information on for example a disease, disability, disease risk, medical history, clinical treatment, or the actual physiological or biomedical state of the data subject independent of its source, such as for example from a physician or other health professional, a hospital, a medical device, or an in vitro diagnostic test.

 In addition, the Regulation introduces the definition of two new categories of data that were not mentioned in the Dlgs. 196/03:

 (10) ‘genetic data’ means all personal data relating to the genetic characteristics of an individual that have been inherited or acquired, (…) which give unique information about the physiology or the health of that individual, resulting in particular from an analysis of a biological sample from the individual in question;


(11) ‘biometric data’ means any personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of an individual which allows or confirms the unique identification of that individual, such as facial images, or dactyloscopic data;

 The Garante per la protezione dei dati personali had intervened on this issue; in particular as regards the “genetic data” :

General Authorisation for the Processing of Genetic Data – 22 February 2007 [1395420]

“genetic data” shall mean any data that, regardless of its type, concerns an individual’s genotypic characteristics, or the pattern of inheritance of such characteristics within a related group of individuals;

and as regards biometric data:

 General Application Order Concerning Biometrics – 12 november 2014

 Consistently with the opinions rendered by the WP29, biometric samples, biometric templates, biometric references and any other data that is derived from biometric traits via computerized processing and can be traced back to an identified or identifiable individual, including via links to other databases, are considered to be biometric data in this document

 A great attention must be paid to the interpretation of the new definitions to correctly identify its scope of reference.

Category: Legal framework Tags: , ,

About Giancarlo Butti

Deals with ICT, organization and legislation since the early 80s covering different roles: security manager, project manager, auditor at banking groups, consultant in security and privacy to companies of different sectors and sizes. Performs regular activity of dissemination through articles (over 700), books (21 between books and white papers also used as university texts, 11 collective works within the ABI LAB, Oracle Community for Security and CLUSIT), technical manuals, courses, seminars, conferences… participates in working groups to ABI LAB on Business Continuity, Risk and GDPR, ISACA-AIEA on GDPR and 263, Oracle Community for Security, UNINFO, ASSOGESTIONI and the Committee of experts for the innovation of OMAT360. He is a member of the faculty of ABI Training. He is a partner and proboviro of ISACA-AIEA Member of CLUSIT and BCI. He is certified (LA BS7799), (LA ISO IEC 27001:2013), CRISC, ISM, DPO, CBCI, AMBCI.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.