Skip to content
French data protection authority (CNIL) publishes reference methods for health data processing

French data protection authority (CNIL) publishes reference methods for health data processing

Blog Post
16 August 2018
Author
Image of Laurie-Ann Ancenys
Laurie-Anne Ancenys

Counsel

Paris

Browse this blog post

Related news and insights

Blog Post: 22 February 2024

EDPB adopts opinion on the notion of main establishment during 90th plenary

News: 09 February 2024

Allen & Overy advises Sartorius group on EUR1.4bn equity raising

Blog Post: 14 September 2023

France CNIL calls for comments on its draft recommendation on security of critical data processing operations

Blog Post: 28 November 2022

Webinar - EU developments in pricing and reimbursement

On 16 July 2018, the French Data Protection Authority (CNIL) published revised and new reference methods (MRs) regarding data processing in health research to adapt the existing framework to the EU General Data Protection Regulation (GDPR) and the national health data system (SNDS).

Specifically, the CNIL updated:

  • MR-001 on interventional research.
  • MR-003 on non-interventional research.

It also issued a new:

  • MR-004 concerning non-human research, health studies or evaluations and research that reuses data that has already been collected.
  • MR-005 regarding access to the programme for the medicalisation of information systems (PMSI), an SNDS component which simplifies access to hospital data, by healthcare facilities and hospital associations.
  • MR-006 regarding access to PMSI data by research laboratories or consulting firms on behalf of the industry.

The CNIL also indicated that it intends to update MR-002 regarding non-interventional studies on in vitro diagnostic medical devices by the end of 2018.

The recently published MRs, in particular:

  • Oblige the data controller to appoint a Data Protection Officer (DPO) and inform the data subject when collecting personal data in order to comply with the GDPR.
  • Cover non-interventional research under minimum risks for which information can be collective, subject to a favourable opinion of the ethics committee (MR-003).
  • No longer require written consent for the examination of genetic characteristics, under certain conditions (prior information, opposition right) (MR-003, MR-004).
  • Do not apply to processing requiring access to national health-administrative databases (for example, SNDS and SNIIIRAM), with a few exceptions.
  • Clarify that subcontractors may use directly identifying data under certain conditions. However, the processing of directly identifying data and health data by the same subcontractor remains excluded from the MRs.

Data controllers conducting research pursuant to the MRs do not require CNIL's prior authorisation provided they have lodged a compliance undertaking (engagement de conformité) with CNIL. The processing of data that does not comply with the MRs requires: (i) CNIL's prior authorisation for interventional human research; or (ii) the submission of a dossier to the national health data institute (INDS) (for non-interventional human research).

A prior version of this post was originally published by the same authors in Practical Law – Life Sciences, July 2018 Issue (Thomson Reuters).

Related expertise

Related blog topics