On 12 October 2020, the Italian DPA (“Garante”) published frequently asked questions on handling online medical reports (“FAQs”).
In essence, Garante highlighted the following aspects:
- secure communication protocols (HTTPS) and strong authentication systems must be implemented;
- medical reports shall be made available by online methods to the data subjects only for a maximum time frame of 45 days;
- the data subject shall be provided with the possibility to delete the medical reports concerning him/her, either entirely or selectively;
- where the medical report is provided by e-mail, the report should be sent as an attachment rather than as text in the e-mail's body, and the file containing the report must be protected, for example with a password;
- medical reports related to genetic investigations or HIV cannot be provided via online methods;
- the data subject must express his/her consent to the online medical report service.
The FAQs are available here (only in Italian).