UPMC Hillman Cancer Center Villa Maria Patient Privacy Disclosure (Long Text)
Dear Patient,
We would like to provide you with some information on Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 ("Regulation") on how UPMC Hillman Cancer Center Villa Maria collects and utilizes your information[1].
WHAT IS UPMC HILLMAN CANCER CENTER VILLA MARIA AND WHY WILL MY DATA BE TRANSFERRED ABROAD?
UPMC Hillman Cancer Center Villa Maria (hereinafter, "Villa Maria") provides innovative radiotherapy treatments and advanced care protocols such as image-guided radiation therapy and intensity-modulated radiation therapy (IGRT/IMRT), and stereotactic radiosurgery (SRS).
The Center is accredited by Joint Commission International (JCI), an international body that certifies excellence of health care organizations, and their compliance with high standards of quality and safety recognized by the international scientific community. The Center's excellence is also guaranteed by a multidisciplinary approach to cancer treatment, by large investments in research and innovation, but above all by the daily interaction with the University of Pittsburgh, the University of Pittsburgh Medical Center (UPMC) and the network of UPMC's cancer centers (over 60 centers in the United States, Ireland and Italy, collectively referred to as the "UPMC Oncology Network"). In its day-to-day operations, the Center also utilizes data networks and information technology systems shared with the UPMC Group. As a consequence, patients referring to the Center are asked to authorize the transfer of their data, including sensitive data[2] (such as health-related data), to the UPMC Group in the United States of America. Because legislation in the U.S.A. does not guarantee, according to EU regulations, an adequate level of personal data protection, by signing the Standard Contractual Clauses for Data Transfers Between EU and non-EU Countries available at https://eur-lex.europa.eu/legal-content/IT/TXT/HTML/?uri=CELEX:32021D0914&from=IT the UPMC Group commits to enforce safety measures for patient personal data protection. A copy of these contractual clauses can be obtained by contacting the Data Protection Officer (DPO) at the addresses indicated below.
WHAT DATA WILL BE COLLECTED AND HOW?
The Center will ask you or third parties (e.g., your family doctor or other medical specialists), to provide personal information (e.g., name, last name, contact information) as well as health-related data (medical conditions, pregnancy status, disabilities, test results, diagnostic assessments, and ongoing treatments) and, if necessary for the provision of clinical services, the Center may also collect genetic data (only from external medical reports) and information regarding your sex life or social and psychological scope. Furthermore, your images may be collected both for safety reasons (for improved patient identification) and to obtain, also by means of telemedicine, consults by external experts and evaluate your state of health during your treatment, if necessary.
WHY ARE MY DATA PROCESSED?
1. This is done so that you can access clinical services and for administrative purposes.
Your personal data will be collected and processed so that you can receive the necessary care, and also to fulfill the necessary administration and accounting requirements. In addition, if necessary, we will e-mail you information on how to prepare for your tests. The legal basis for data processing is art. 6.1.b of the Regulation ("processing is necessary for the performance of a contract to which the data subject is party") and, as regards the exemption from the prohibition on the processing of special categories of personal data, of art. 9.2.h of the Regulation ("processing is necessary for the purposes of medical diagnosis, the provision of health or social care systems and services pursuant to contract with a health professional").
To this extent, your data may be shared with the following:
- family doctors;
- social security and welfare institutions, insurance companies covering third-party civil liability of the Center, and professionals involved in defending the Center and its staff;
- the NHS for reimbursement of medical services, and other medical institutions monitoring and auditing the provision of clinical services;
- institutions and supervisory bodies and agencies to verify the provision of patient care services (e.g. [Italian] Provincial Health Authority, a.k.a. "ASP"); certifying bodies (e.g., JCI) for relevant certifications, and third parties auditing the quality and appropriateness of patient care delivered to promote quality improvement of services and care.
For the communication of data to the local health authority ("ASL"), the legal basis of data processing is art. 6.1(b) of the Regulation ("processing is necessary for the performance of a contract to which the data subject is party") and, as regards the exemption from the prohibition on the processing of special categories of personal data, of art. 9.2(i) of the Regulation ("processing is necessary for reasons of public interest in the area of public health"); for the communication of data to persons authorized by the patient, to physicians treating the patient and to insurance companies, the legal basis is consent (art. 6.1(a) of the Regulation and, as regards the exemption from the prohibition on the processing of special categories of personal data, art. 9.2(a) of the Regulation).
2. Data retention to conduct scientific studies and research projects (CONSENT #1)
The Center participates in research projects to improve its clinical services and contribute to the advancement of medical knowledge. In particular, the Center conducts scientific research on innovative radiotherapy techniques, including studies funded under legal provisions. If you provide consent (CONSENT #1), the data collected during your treatment (including genetic data) will be retained for future retrospective studies (these studies will not affect your medical care and will require no additional tests or treatments). Specifically, if your data is used for research mandated by legal provisions, no specific consent is required, as such research is authorized by law. In this case, the legal basis for processing is art. 6.1(e) of the Regulation "performance of a task carried out in the public interest", and the exemption from the prohibition on processing special categories of data is provided by art. 9.2(j) of the Regulation "scientific research pursuant to the provisions of law".
Otherwise, your data (including genetic data) may only be used after obtaining a specific consent. In this case, the legal bases for processing are articles 6.1(a) and 9.2(a) of the Regulation, which require the data subject's explicit consent.
If you consent to the retention of your data for future research, you will be asked to provide your contact details so that we may reach out to you if a new research study requires your consent (you will receive a specific information note beforehand).
To protect patient confidentiality, all medical data used in these studies are stripped of the patient's identification data, which are replaced by an alphanumeric code that prevents direct identification of the patient. The list that allows this code to be associated with the patient's personal data is in the possession exclusively of the principal investigator and filed as confidential documentation.
Access to data directly ascribable to a patient may only take place when extracting data from the original clinical documents or during potential monitoring activity (i.e. checking for correspondence of data used for research with those contained in the outpatient clinic records), or should this be necessary to update the research data. Data is stored for a period of at least seven years after the completion of the research project or for a longer period in compliance with the applicable laws or agreements between the participating centers. Research outcomes are disseminated only in aggregated form, i.e. in ways that do not render the data subjects identifiable.
3. To request consults by external professionals, also electronically (CONSENT #2)
If you consent, the Center will process your data (including genetic data) to request consults from external professionals in order to assess your state of health during treatment, also using telecommunication links with facilities outside the UPMC Oncology Network. For this purpose, the legal basis of the processing is represented by the consent, art. 6.1(a) of the Regulation, and as regards the exemption from the prohibition of processing special categories of personal data, art. 9.2(a) of the Regulation ("the data subject has given explicit consent to the processing").
4. To receive information materials (CONSENT #3)
If you provide consent, we will send you (by email, mail or SMS) information on the Center's projects and services, information campaigns, donations, and fundraising initiatives (e.g., 5x1000 tax share). For this purpose, the legal basis of the processing is represented by the consent (art. 6.1.a of the Regulation and, as regards the exemption from the prohibition of processing particular data, art. 9.2.a of the Regulation - "explicit consent of the data subject"). In this case, data will be stored for 24 months. If you do not provide consent, we will not be able to send you this information.
5. To verify the quality of patient care and treatments and to schedule the clinical activity
Your data will also be used for monitoring and evaluating the effectiveness of the medical care provided, the appropriateness and quality of the care, as well as health risk factors as provided by law (for which no consent is required from the patient), and also in addition to the law. In particular, the goal of the Center is to assess and compare the appropriateness, efficacy, effectiveness, and efficiency of care delivered to different population groups or in different facilities, also with reference to specific diseases or health issues. In order to use patients' personal data for these purposes, it is not necessary to obtain patient consent, as "the processing is necessary for the pursuit of the legitimate interest of the data controller or a third party", see art. 6.1(f) of the Regulation. In this case, you may object at any time to the processing for reasons related to your particular situation, and UPMC will be required to cease further use of the data, unless it can demonstrate the existence of compelling legitimate grounds to continue processing.
The Center intends to support the monitoring systems and registers provided by law. For the use of data as part of these activities it is not necessary to collect the consent of patients, as this is provided for by law: art. 6.1(c) of the Regulation ("processing is necessary for compliance with a legal obligation") and, for exemption from the prohibition of the processing of special categories of personal data, art. 9.2(i) of the Regulation ("processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices").
HOW WILL MY DATA BE PROCESSED?
Data processing is performed using both paper and electronic tools, adopting appropriate safety measures to guarantee data confidentiality and security.
WHO WILL ACCESS MY PERSONAL DATA?
Your personal data will be processed by the clinical and administrative staff of the Center that received specific instructions on the purposes and methods of data processing, and are obliged to comply with professional secrecy and privacy. For training purposes, clinical treatments may be performed in the presence of observers. In this event, all necessary precautions shall be taken to limit any potential inconvenience, and your will to not abide by this procedure will be respected.
Your data may also be communicated to third parties appointed as data processors or to persons tasked with the processing and providing ancillary services to the Center, such as:
- external consultants;
- volunteer patient care associations;
- other subjects providing services instrumental to the Center's operations.
Your data may also be communicated to independent data controllers in fulfillment of governing law or for the protection of their rights in judgment (e.g., national health service, institutions, municipalities, registers of sick leave, insurance companies).
The updated list of hospitals of the UPMC Group, to which data may be transferred, data processors, and other third parties to whom your data may be disclosed is available from the DPO, who can be contacted at the addresses listed below.
WHO WILL BE INFORMED OF MY HEALTH STATUS?
Information regarding your health status will only be provided to your relatives and friends, without prejudice to the provisions of law.
HOW LONG WILL MY DATA BE STORED?
In addition to the above, we inform you that your personal data will be stored for a period of 13 years as required by law (art. 4 of Ministerial Decree of 14 February 1997). Further information can be obtained by contacting the DPO at the addresses listed below.
WHAT ARE MY RIGHTS ACCORDING TO LAW?
Articles 15 and following of the Regulation establish your right to obtain:
- confirmation that the paper and electronic archives of the Center do not contain personal data that concern you, to obtain a copy on paper or electronic media, and obtain information on data processing (purposes, categories of data, recipients, period of storage etc.);
- data correction or integration;
- deletion of data in the event of consent withdrawal in the absence of legal basis for data processing;
- should this satisfy the assumptions, a copy of your personal data in a structured format.
- Please note you may withdraw your consents at any time.
The dedicated form is available in the "Forms" section on the website of the Italian Data Protection Authority (www.garanteprivacy.it).
Data subjects who deem that the processing of their personal data violates the provisions of the Regulation have the right to file a complaint with the Italian Data Protection Authority ("Garante") (using the form available in the "Forms" section of the website www.garanteprivacy.it), as provided under art. 77 of the Regulation. Alternatively, legal action may be pursued before the competent court, as provided under art. 79 of the Regulation.
If you have provided consent to using your data for research purposes, you may:
- withdraw your consent at any time for the processing of your data for research purposes, and this will not affect your treatment;
- ask to modify and integrate data: in this case the requests for modifications will be noted without modifying the data, when these operations fail to produce significant effects on the research outcome;
- obtain information about the research projects in which your data has been used.
HOW CAN I EXERCISE MY RIGHTS?
Your rights can be exercised by simply making a request to the DPO of the Center by writing to: UPMC Hillman Cancer Center Villa Maria - Responsabile della Protezione dei dati personali, Via Cassia 600, Rome, or emailing DPO@upmcvillamaria.it.
DATA CONTROLLER
The data controller is UPMC Italy S.r.l., with registered office in Discesa dei Giudici 4, 90133 Palermo, Italy.
[1] Specific information notes are provided to patients in case of particular processing of their data (e.g., in case of genetic data collection or enrollment in clinical trials).
[2] The Regulation defines "sensitive data" as information able to disclose a person's racial or ethnic origins, political opinions, religious or philosophical beliefs, memberships in trade unions, as well as genetic and biometric data aimed at identifying an individual, and data concerning that person's health, sexual life or sexual orientation.
