From 25 May 2018 any processing of health data starts from a prohibition and rests on a single derogation under Article 9(2) of Regulation (EU) 2016/679. Which derogation you pick is not a formality for the privacy notice: it decides who is authorised to read the record, under which duty of secrecy, how far you may transfer it, and when a clinical dataset must stay separate from a research one. It is an architectural decision, taken in the language of law.

Context

The GDPR applies directly across all Member States from 25 May 2018, with no national transposing act required. In Italy the existing data-protection code (Legislative Decree 196/2003) remains formally in force pending an adaptation decree still in parliamentary passage. The Regulation applies regardless, and with it Article 9, which places data concerning health among the special categories of personal data โ€” alongside genetic data (Art. 4(13)) and biometric data used for identification (Art. 4(14)).

The definition of health data in Art. 4(15) is broad: all data relating to physical or mental health, including the provision of care, that reveal information about a personโ€™s health status. Recital 35 widens the perimeter to identifiers assigned for health purposes, results of tests on body parts or biological substances, and information on illness, disability, disease risk and medical history. For anyone designing a system this means the boundary of health data does not coincide with explicitly diagnostic fields: a patient identifier or an access timestamp to a service falls inside it too.

The problem: ten derogations, not one

Article 9(1) prohibits processing. Article 9(2) lists ten exhaustive exceptions. For healthcare four points weigh most, and each carries different technical constraints.

Point (h) โ€” preventive medicine, diagnosis, care or treatment, management of health systems โ€” is the ordinary basis for care. Paragraph 3 of the article conditions it: processing must be carried out by, or under the responsibility of, a professional bound by professional secrecy. In practice this becomes an access control that ties reading the data to an identified clinical role, not to a generic system account.

Point (i) โ€” public interest in public health, epidemiological surveillance, pharmacovigilance โ€” underpins disease registries and surveillance systems, and requires a legal basis in Union or Member State law.

Point (j) โ€” scientific research, archiving in the public interest, statistical purposes โ€” is the basis for observational studies and research databases. Article 89(1) requires appropriate safeguards: minimisation and, where possible, pseudonymisation.

Point (a) โ€” explicit consent โ€” remains available but fragile in a care setting. The power imbalance between patient and provider weakens the requirement of freely given consent; the WP29 advises against using it as the primary basis for clinical processing and reserves it for further, distinct purposes.

In concrete terms, the same clinical record read to treat a patient sits under (h); read for a retrospective study it sits under (j). These are two different processing operations โ€” different legal bases, access perimeters and documentary obligations โ€” over the same underlying data.

The critical point: separating care from research

The sharpest architectural consequence comes from the intersection of the derogations with the minimisation principle in Art. 5(1)(c): process only the data necessary for the stated purpose. If care and research coexist in the same datastore with the same access rights, minimisation is breached from the start: the researcher sees more than the purpose requires, the clinician works on a dataset enriched by research processing.

Separation runs through pseudonymisation, defined in Art. 4(5): processing data so they can no longer be attributed to a subject without additional information, kept separately and protected. Pseudonymised data remain personal data and stay within the GDPR โ€” pseudonymisation is a mitigation the Regulation recognises, not an exit from its scope. Technically it requires a mapping table held elsewhere than the research dataset, with an access boundary the system enforces rather than leaving to operator discipline.

Anonymisation is another matter. The GDPR does not define it; the reference is WP29 Opinion 05/2014 on anonymisation techniques, which sets a demanding threshold: data are anonymous only if they do not permit identification by means reasonably likely to be used, neither alone nor combined with other datasets. Truly anonymous data fall outside the GDPR. In health data that threshold is hard to reach: age, postcode, a rare diagnosis and admission dates, put together, can re-identify a person even without a name. The Opinion analyses the limits of k-anonymity, l-diversity and noise addition, and the operational conclusion is that robust anonymisation must be assessed case by case and is rarely achieved by stripping direct identifiers alone.

Operational implications

Organisationally, the obligations that weigh most on healthcare providers are familiar and, for 2018, still largely to be implemented. A Data Protection Officer (DPO) is mandatory (Art. 37); the WP29 WP243 guidelines make clear that processing patient data is a core activity of a hospital and amounts to large-scale processing, above the threshold that triggers the DPO. A Data Protection Impact Assessment (DPIA, Art. 35) is due for systematic large-scale processing of special categories, presumed high-risk. The record of processing activities (Art. 30) documents each operation with its legal basis: this is where the choice between (h), (i) and (j) becomes traceable and auditable.

Technically, Art. 25 โ€” data protection by design and by default โ€” moves the constraint upstream, into the default configuration of systems. Breach notification (Art. 33-34) requires logging and detection capability within 72 hours. For cloud infrastructure, Chapter V (Art. 44-50) on transfers to third countries matters: as of May 2018 the EU-US Privacy Shield, adopted in July 2016, is the operative mechanism for US providers, though already under legal challenge with an uncertain outcome.

Limits

Article 9(4) leaves Member States room to maintain or introduce further conditions, including limitations, on genetic, biometric and health data. In Italy that room will be taken up by the awaited adaptation decree, with safeguard measures to be set by the supervisory authority. Until that framework closes, some choices โ€” which processing still requires consent, which specific safeguards apply to genetic data โ€” remain suspended between an applicable Regulation and national law in transition. Architectures designed now should be built to absorb national constraints not yet published, not to photograph the state on 25 May.


Cover image: The buildings of the Court of Justice of the European Union in Kirchberg, Luxembourg, with a row of EU member-state flags in theโ€ฆ โ€” photo by Cedric Puisney, CC BY 2.0 โ€” https://commons.wikimedia.org/wiki/File:European_Court_of_Justice_(ECJ)_in_Luxembourg_with_flags_0017_(1674479483).jpg