French Medical Council and data protection authority (CNIL) publish practical guide on implementation of the GDPR

In June 2018, the French Medical Council (Conseil national de l’ordre des médecins) and the French data protection authority (CNIL) published a practical guide for doctors in the context of the implementation of the general regulation on the protection of personal data (GDPR), which has been applicable since 25 May 2018. Physicians, and health care professionals in general, are directly concerned by the protection of personal data, which is to be combined with professional secrecy.

This guide aims in particular at helping doctors implement the obligations provided for in the new regulation. It proposes a pragmatic approach and thematic fact sheets as set out below:

Sheet 1 What framework applies to patient records?

• What are your obligations? The guide reminds the main obligations applying to patient records (lawful purposes, information of data subjects, data subjects’ rights, prevention of unlawful disclosure, contracts to be entered into with data processors, security measures, etc.) and provides practical recommendations in their respect for doctors.
• Do you have to comply with a particular formality with the CNIL? The guide explains how (i) since 25 May 2018, doctors must no longer provide the CNIL with compliance commitments (engagements de conformité) against the simplified norm 50 (NS-050), as previously required for the management of medical practice and (ii) doctors must keep an accountability record in compliance with the GDPR.
• Do you need to appoint a Data Protection Officer (DPO)? In principle this is not the case for individual doctors but may be relevant in case of large-scale data processing.
• What penalties do health professionals face if they do not comply with this obligation? The guide describes how the CNIL can sanction doctors in case of non-compliance.

 Sheet 2 What framework applies to making an appointment?

• What are your obligations? Doctors’ obligations are basically the same as set out above.
• What are the obligations of the third party provider managing the appointment? The guide reminds that the third party provider, whether it is an online appointment booking platform or a hotline provider, acts on behalf of the doctor; it therefore qualifies as a data processor under the GDPR. The doctor must enter into a data processing agreement with such a provider, which must include a number of specific clauses that are mandatory under the GDPR (e.g. the fact that the processor may only process the data following the doctor’s instructions). In addition, if the provider electronically hosts the information on patients' appointments, including health data, it must use an accredited or certified health data provider in compliance with French law.
• What penalties do health professionals face if they do not comply with this obligation? The guide describes how the CNIL can sanction doctors in case of non-compliance.

 Sheet 3 What framework applies to the use of email?

• What is the secure health messaging system (système de messagerie sécurisée de santé)? The secure health messaging system is a dematerialised platform that allows trustful exchange of health data between health professionals and, more broadly, between professionals in the healthcare and social sectors. It also integrates a common and certified directory listing all the authorised professionals or structures within which they practice.
• Can you use standard email services? The guide explains the security measures that must be implemented in cases where standard email services are used.

Sheet 4 What framework applies to mobile phones and tablets? 

• Can you use your mobile phone or tablet to access your patient records? Tablets or mobile phones may be used in a professional context provided that doctors comply with data security rules that are further described in the guide.
• How can you use your mobile phone or tablet as a means of communication? The guide provides practical examples of situations where such a use is acceptable (e.g. use of a mobile phone as a means of communication with patients, other health professionals or staff – provided that the doctor makes sure, during his/her travels, that his/her conversation of a professional nature is not heard by people nearby) and some other where such a use is not (e.g. oral communications, instant messaging or "chat", via internet-related and unsecured applications).

 Sheet 5 What framework applies to research?

• What are your obligations in the context of internal studies? The guide provides recommendations on the cases where data protection requirements (e.g. carrying out a privacy impact assessment) may apply.
• What are your obligations during medical research in partnership with a third party (so-called multicentric research) or requiring the collection of additional data? The guide describes the specific process that applies before undertaking such research. This process includes in particular providing the CNIL with a compliance commitment (engagement de conformité) against reference methods (méthodologie de référence).

 Sheet 6 What framework applies to telemedicine?

• Does telemedicine involve any change in relation to your obligations? The guide reminds that telemedicine is a form of remote medical practice using information and communication technologies: when a doctor does a consultation using telemedicine technologies, he/she performs a medical act; as a result, all doctors’ usual ethical obligations, and obligations regarding information sharing or disclosure, still apply.
• What are the obligations of telemedicine platforms? The guide reminds that when a doctor decides to use a telemedicine platform, he/she must ensure that the provider, which qualifies as the doctor’s data processor, complies with applicable law (see note on Sheet 2 above)

Annex 1: information notice example for the management of a medical practice

Annex 2: accountability record