Processing of health data: first implementing decree on French Personal Data Protection Act

Decree 2018-687 implementing Act 2018-493 of 20 June 2018 on the Protection of Personal Data was recently published in the French Official Journal. The decree amends Decree 2005-1309, which implemented the 1978 French Data Protection Act. In particular, it amends the provisions concerning the processing of personal health data by including operating provisions on the processing of such data, as well as on the functioning of the audit committee of the national health data system (SNDS).

The new decree states that the processing of personal health data by the bodies entrusted with the public mission of managing a health emergency can use an individual's social security number provided that it is the only way to collect the personal health data necessary to face the emergency situation. The social security number can be collected either directly or indirectly (through the person’s relatives or legal persons entitled to handle this number within the framework of their activities) and must be used solely for the duration necessary to match the data.

The decree also clarifies that the dossiers requesting authorisation to process data for research, studies and evaluations within the field of health must be signed by the person acting on behalf of the data controller. They must be submitted either to the CNIL, provided the opinion of the relevant ethics committee has been granted beforehand, or to the National Health Data Institute (INDS), in which case they must be transferred within seven days to the expert committee for research, studies and evaluations within the field of health for an opinion.

Finally, the decree sets out the rules for the composition, functioning and terms of operation of the audit committee operating on the SNDS. The committee carries out audits (on those health data management systems selected by the chairman of the committee) through independent contractors. Both the committee and the contractors must pursue their actions according to an audit charter that will be defined in a future ministerial order. The audited entities have the right to oppose the audits and reply to the audit report (including an action plan in the event that shortcomings have been identified in the audit). The final audit report will be sent to the CNIL.

A prior version of this post was originally published by the same authors in Practical Law – Life Sciences, August 2018 Issue (Thomson Reuters).

This post was originally co-authored by Patricia Carmona Botana.