UPMC Hillman Cancer Center Villa Maria Patient Privacy Disclosure (Long Text)
We would like to provide you with some information on Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 ("Regulation") on how UPMC Hillman Cancer Center Villa Maria collects and utilizes your information [1].
WHAT IS UPMC HILLMAN CANCER CENTER VILLA MARIA AND WHY WILL MY DATA BE TRANSFERRED ABROAD?
UPMC Italy (hereinafter "UPMC") manages the UPMC Hillman Cancer Center Villa Maria (hereinafter "Center") that offers oncology patients innovative radiotherapy treatments and advanced care protocols, such as image-guided radiation therapy and intensity-modulated radiation therapy (IGRT/IMRT), and stereotactic radiosurgery.
The Center's excellence is guaranteed by a multidisciplinary approach to cancer treatment, by considerable investments in research and innovation but, above all, by the daily interaction with the University of Pittsburgh, UPMC (University of Pittsburgh Medical Center), and UPMC Cancer Centers (over 60 centers in the United States, Ireland, and Italy, collectively referred to as the "UPMC Oncology Network"). In its day-to-day operations, the Center also utilizes data networks and information technology systems shared with the UPMC Group. As a consequence, patients referring to the Center are asked to authorize the transfer of their data, including sensitive data [2], to the UPMC Group in the United States of America. Because legislation in the U.S.A. does not guarantee, according to EU regulations, an adequate level of personal data protection, the UPMC Group, by signing the Standard Contractual Clauses for Data Transfers Between EU and non-EU Countries, commits to enforcing safety measures for patient personal data protection. A copy of these contractual clauses can be obtained by contacting the Data Protection Officer (DPO) at the addresses indicated below.
WHAT DATA WILL BE COLLECTED AND HOW?
The Center will ask you or third parties (e.g., your family doctor) to provide your personal data (name, address, etc.), information on your health status (diseases, pregnancy, any disability, test results, diagnostic tests, ongoing therapies) and, if required, information on your sex life or social and psychological scope. Furthermore, your images may be collected both for safety reasons (for improved patient identification) and to obtain, also by means of telemedicine, consults by external experts and evaluate your state of health during your treatment, if necessary.
WHY ARE MY DATA PROCESSED?
1. In order for me to receive clinical services and for administrative purposes
Your personal data will be collected and processed so that you can receive the necessary care, and also to fulfill the necessary administration and accounting requirements. In addition, if necessary, we will e-mail you information on how to prepare for your tests. The legal basis for data processing is art. 6.1(b) of the Regulation ("processing is necessary for the performance of a contract to which the data subject is party") and, as regards the exemption from the prohibition on the processing of special categories of personal data, of art. 9.2(h) of the Regulation ("processing is necessary for the purposes of medical diagnosis, the provision of health or social care systems and services pursuant to contract with a health professional").
To this extent, your data may be shared with the following:
- family doctors;
- social security and welfare institutions, insurance companies covering third-party civil liability of the Center, and professionals involved in defending the Center and its staff;
- the NHS for reimbursement of medical services, and other medical institutions monitoring and auditing the provision of clinical services;
- institutions and supervisory bodies and agencies to verify the provision of patient care services (e.g. [Italian] Provincial Health Authority, a.k.a. "ASP"); certifying bodies (e.g., JCI) for relevant certifications, and third parties auditing the quality and appropriateness of patient care delivered to promote quality improvement of services and care.
For the communication of data to the local health authority ("ASL"), the legal basis of data processing is art. 6.1(b) of the Regulation ("processing is necessary for the performance of a contract to which the data subject is party") and, as regards the exemption from the prohibition on the processing of special categories of personal data, of art. 9.2(i) of the Regulation ("processing is necessary for reasons of public interest in the area of public health"); for the communication of data to persons authorized by the patient, to physicians treating the patient and to insurance companies, the legal basis is art. 6.1(a) of the Regulation and, as regards the exemption from the prohibition on the processing of special categories of personal data, art. 9.2(a) of the Regulation ("the data subject has given explicit consent to the processing").
2. To conduct scientific studies and research projects (CONSENT #1)
With the purpose of improving its clinical services and to contribute to the development of general medical knowledge, the Center is involved in research projects (both internal and in collaboration with other centers, inside and outside the European Union). In particular, the Center conducts research projects on innovative radiotherapy techniques. Many of these studies can be conducted using information collected during regular patient care or in the scope of clinical studies. Participating in these research projects does not interfere in any way with regular patient care and requires no additional tests or treatments for patients. Furthermore, in order to protect confidentiality, the information and clinical data used in these studies are stripped of the patient's identification data and marked with an alphanumerical code that does not allow the patient's identity to be traced. The list that associates this code with the patient's personal data is in the possession exclusively of the principal investigator and filed as confidential documentation. The list of the ongoing studies at the Center is available at the Center itself. For additional information you may request a meeting with the PI or contact email@example.com.
Encoded data is used during data processing and storage, and when forwarding data to the other subjects involved in the studies (the list of centers involved in the studies is available from the Data processing reference person at the addresses listed below). Access to data directly ascribable to a patient may only take place when extracting data from the original clinical documents or during potential monitoring activity (i.e. checking for correspondence of data used for research with those contained in the outpatient clinic records), or should this be necessary to update the research data. Data is stored for a period of at least seven years after the completion of the research project, or for a longer period in compliance with the applicable laws or agreements between the participating centers. Encryption is used for data storage and transfer, preventing access by unauthorized parties. Research outcomes are disseminated only in aggregated form, i.e. in ways that do not make the data subjects identifiable.
In order to use a patient's health information for research purposes, the patient must give consent, as the legal basis for data processing, art. 6.1(a) of the Regulation, and as regards the exemption from the prohibition on the processing of special categories of personal data, art. 9.2(a) of the Regulation ("the data subject has given explicit consent to the processing"). If you wish to allow the Center (also in collaboration with centers located in non-EU countries in which an adequate level of personal data protection may not be guaranteed under EU regulations) to use your clinical information already collected or that will be collected in the future in the scope of patient care (or during other research projects you were involved in), please express your consent by ticking the appropriate boxes at the end of this document. Please remember that you are free to provide or to deny your consent. Please note you may deny or withdraw your consent to data processing at any time, and that this will not affect your treatment.
The Center intends to participate in research projects regulated by laws, in the areas indicated above. In order to use the clinical data of a patient for purposes of research, the patient must have previously expressed his or her informed consent as legal basis of data processing, art. 6.1(e) of the Regulation ("processing is necessary for the performance of a task carried out in the public interest") and, as regards the exemption from the prohibition on the processing of special categories of personal data, art. 9.2(j) of the Regulation ("scientific research pursuant to the provisions of law").
3. To verify the quality of patient care and treatments and to schedule the plan of care (CONSENT #2)
Should you express your consent, we will use your data to monitor and assess the effectiveness of the patient care delivered, the appropriateness and quality of care, and the risk factors as provided by law (for which no consent is required from the patient), and also in addition to the law. In particular, the goal of the Center is to assess and compare the appropriateness, efficacy, effectiveness, and efficiency of care delivered to different population groups or in different facilities, also with reference to specific diseases or health issues. In order to use patients' personal data for such purposes, the patients must express informed consent as legal basis of data processing, art. 9.2(a) of the Regulation ("the data subject has given explicit consent to the processing"). If you wish to authorize the Center to process your data, also collected in the past, to conduct these important tests that could provide useful information for your treatment, please give your consent by ticking the appropriate box at the bottom of this document. If you do not express your consent we will not be able to use the data for these tests. You will however still be entitled to receive care at the Center. The Center intends to support the monitoring systems and registers provided by law. For the use of data as part of these activities it is not necessary to collect the consent of patients as, in fact, provided for by the law, art. 6.1(c) of the Regulation ("processing is necessary for compliance with a legal obligation") and, for exemption from the prohibition on the processing of special categories of personal data, art. 9.2(i) of the Regulation ("processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices").
4. To request consults by external professionals, also electronically (CONSENT #3)
If you consent, the Center will process your data to request consults with external professionals to assess your state of health during treatment, also electronically with facilities not part of the UPMC Oncology Network. For this purpose, the legal basis of the processing is represented by the consent, art. 6.1(a) of the Regulation, and as regards the exemption from the prohibition of processing special categories of personal data, art. 9.2(a) of the Regulation ("the data subject has given explicit consent to the processing").
5. To receive information materials (CONSENT #4)
If you provide consent we will send you (by email, mail or SMS) information on the Center's projects and services, information campaigns, donations, and fundraising initiatives (e.g., 5x1000 tax share). For this purpose, the legal basis of the processing is represented by the consent, art. 6.1(a) of the Regulation, and as regards the exemption from the prohibition of processing special categories of personal data, art. 9.2(a) of the Regulation ("the data subject has given explicit consent to the processing"). The data will be stored for 24 months. If you do not express your informed consent we will not be able to send you these materials.
HOW WILL MY DATA BE PROCESSED?
Data processing is performed using both paper and electronic tools, adopting appropriate safety measures to guarantee data confidentiality and security.
WHO WILL ACCESS MY PERSONAL DATA?
Your personal data will be processed by the clinical and administrative staff of the Center, who have received specific instructions on the purposes and methods of data processing and are obliged to comply with professional secrecy and privacy. For training purposes, clinical treatments may be performed in the presence of observers. In this event, all necessary precautions shall be taken to limit any potential inconvenience, and your wish not to abide by this procedure will be respected.
Your data may also be communicated, in addition to the parties listed under item 1, to third parties appointed as data processors or persons authorized to process data who provide ancillary services to the Center, such as:
- external consultants,
- volunteer patient care associations,
- other subjects providing services instrumental to the Center's operations.
Your data may also be communicated to independent data Controllers in fulfillment of governing law or for the protection of their rights in judgment (e.g., national health service, institutions, municipalities, registers of sick leave, insurance companies).
The updated list of hospitals of the UPMC Group, to which data may be transferred, data processors, and other third parties to whom your data may be communicated is available from the Data processing reference person - Office of the Director of Health Care Activities or the DPO at the addresses indicated below.
WHO WILL BE INFORMED OF MY HEALTH STATUS?
Information regarding your health status will only be provided to your relatives and friends, without prejudice to the provisions of law.
HOW LONG WILL MY DATA BE STORED?
In addition to the above, we inform you that your personal data will be stored for a period of 10 years as required by law (art. 4 of Ministerial Decree of 14 February 1997). More information may be obtained by contacting the DPO at the addresses listed below.
WHAT ARE MY RIGHTS ACCORDING TO LAW?
Articles 15 and following of the Regulation establish your right to obtain:
- confirmation that the paper and electronic archives of the Center do not contain personal data that concern you, to obtain a copy on paper or electronic media, and obtain information on data processing (purposes, categories of data, recipients, period of storage etc.);
- update, correction, or integration of data;
- deletion of data in the event of consent withdrawal if the absence of legal basis for data processing;
- should this satisfy the assumptions, a copy of your personal data in a structured format.
Please note you may withdraw your consents at any time.
Should this satisfy the assumptions, you have the right to file a complaint to the Italian Data Protection Authority ("Garante") at the link https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/4535524 for personal data protection, in its capacity of supervisory authority, in accordance with the provided procedures. A form to exercise the rights is available on the Italian Data Protection Authority ("Garante") website at this link https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/1089924.
If you have provided consent to using your data for research purposes, to verify the quality and appropriateness of patient care and treatments, and to schedule clinical activity, you will be able to:
- withdraw your consent to your data and sample processing at any time, and this will not affect your treatment;
- ask to modify and integrate data: in this case the requests for modifications will be noted without modifying the data, when these operations fail to produce significant effects on the research outcome;
- request that your data used for research purposes be transformed into anonymous form;
- obtain information on the projects in which your data have been used, and the list of the centers involved in these projects.
HOW CAN I EXERCISE MY RIGHTS?
The rights may be exercised by contacting the Center's DPO at: UPMC Hillman Cancer Center Villa Maria - Località Pozzillo, 83036 Mirabella Eclano (AV), e-mail DPO@upmcvillamaria.it.
The Controller is UPMC Italy, headquartered in Discesa dei Giudici 4, Palermo.
Last update: August 2022
[1] Specific information notes are provided to patients in case of particular processing of their data (e.g., in case of genetic data collection or enrollment in clinical trials).
[2] The Regulation defines "sensitive data" as information able to disclose a person's racial or ethnic origins, political opinions, religious or philosophical beliefs, memberships in trade unions, as well as genetic and biometric data aimed at identifying an individual, and data concerning that person's health, sexual life or sexual orientation.