French data protection authority (CNIL) publishes reference methods for health data processing

On 16 July 2018, the French Data Protection Authority (CNIL) published revised and new reference methods (MRs) regarding data processing in health research to adapt the existing framework to the EU General Data Protection Regulation (GDPR) and the national health data system (SNDS).

Specifically, the CNIL updated:

  • MR-001 on interventional research.
  • MR-003 on non-interventional research.

It also issued the following new MRs:

  • MR-004 concerning non-human research, health studies or evaluations and research that reuses data that has already been collected.
  • MR-005 regarding access to the programme for the medicalisation of information systems (PMSI), an SNDS component which simplifies access to hospital data, by healthcare facilities and hospital associations.
  • MR-006 regarding access to PMSI data by research laboratories or consulting firms on behalf of the industry.

The CNIL also indicated that it intends to update MR-002 regarding non-interventional studies on in vitro diagnostic medical devices by the end of 2018.

The recently published MRs, in particular:

  • Oblige the data controller to appoint a Data Protection Officer (DPO) and inform the data subject when collecting personal data in order to comply with the GDPR.
  • Cover non-interventional research with minimal risks, for which information may be provided collectively, subject to a favourable opinion of the ethics committee (MR-003).
  • No longer require written consent for the examination of genetic characteristics, under certain conditions (prior information, opposition right) (MR-003, MR-004).
  • Do not apply to processing requiring access to national health-administrative databases (for example, SNDS and SNIIRAM), with a few exceptions.
  • Clarify that subcontractors may use directly identifying data under certain conditions. However, the processing of directly identifying data and health data by the same subcontractor remains excluded from the MRs.

Data controllers conducting research pursuant to the MRs do not require CNIL's prior authorisation provided they have lodged a compliance undertaking (engagement de conformité) with CNIL. The processing of data that does not comply with the MRs requires: (i) CNIL's prior authorisation for interventional human research; or (ii) the submission of a dossier to the national health data institute (INDS) (for non-interventional human research).

A prior version of this post was originally published by the same authors in Practical Law – Life Sciences, July 2018 Issue (Thomson Reuters).