Health data law

Frame of reference

The CNIL has already adopted a “key” frame of reference, Decision no. 2019-057 of 9 May 2019 (only in French) on the processing of personal data for health monitoring purposes. The goal is to reduce the reporting obligations of health companies that are subject to monitoring obligations.

Reference methodology

Six reference methodologies have currently been adopted:

• MR-001: health research with consent collection (decision no. 2018-153 of 3 May 2018 - only in French)

• MR-002: non-interventional studies on in vitro medical devices (decision no. 2015-256 of 16 July 2015 - only in French) relating to the approval of a reference methodology for processing personal data as part of a non-interventional study on the performance of in-vitro diagnosis medical devices

• MR-003: health research without consent collection (decision no. 2018-154 of 3 May 2018 - only in French)

• MR-004: non-human research, health studies and evaluations (decision no. 2018-155 of 3 May 2018 - only in French)

• MR-005: studies requiring access to PMSI and/or RPU data by healthcare facilities and hospital associations (decision no. 2018-256 of 7 June 2018 - only in French)

• MR-006: studies requiring access to PMSI data by healthcare companies (decision no. 2018-257 of 7 June 2018 - only in French) relating to the approval of a reference methodology for data processing that requires access for persons manufacturing or selling the products mentioned in paragraph II of article L.5311-1 of the French Public Health Code to centralised PMSI data that is made available by the ATIH database through a secured solution

Data concerning health

Although “data concerning health” hadn’t been defined by legislation up until this point, the GDPR takes the plunge and defines them as “personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.”

Further still, the introduction to the Regulation gives us a general overview of this definition, specifying that health data more specifically includes “information about the natural person collected in the course of the registration for, or the provision of, health care services”, a “number, symbol or particular assigned to a natural person to uniquely identify the natural person for health purposes”, “information derived from the testing or examination of a body part or bodily substance, including from genetic data and biological samples,” and even “any information on, for example, a disease, disability, disease risk, medical history, clinical treatment or the physiological or biomedical state of the data subject independent of its source, for example from a physician or other health professional, a hospital, a medical device or an in vitro diagnostic test.”.

Given their definition as a sensitive category of data, in principle, the processing of health data would therefore be prohibited. In Article 9, however, the GDPR presents exceptions that can already be found in the French Data Protection Act of 6 January 1978, such as when the data subject provides explicit consent, when protecting the vital interests of the data subject, and even when the processing is necessary for reasons of substantial public interest.

Genetic data

The GDPR considers genetic data to mean “personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question”. Notably, they may derive from the analysis of a biological sample of the individual’s chromosomes, DNA or RNA, which are now be considered as sensitive data for the very first time. The collection, processing and storage of these data will in principle be prohibited, except in the cases outlined in Article 9 of the GDPR.

The use of these data, which were initially limited to the medical field and legal identification, tend to be used in a seemingly constantly growing range of ways, from insurance and marketing to genealogy. The initial prohibition placed on the processing of these data by the GDPR is therefore a way of combatting the risks of discrimination or commercialisation of such data.

Biometric data

Biometric data are “personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data”.

Recently added to the list of sensitive data categories, European regulations therefore ban their processing, except in specific circumstances.

Processing records

On 25 May 2018, the GDPR imposed on enterprises or organisations employing more than 250 persons, those carrying out processing that is likely to result in a risk to the rights and freedoms of data subjects, those whose processing is not occasional, or those whose processing includes special categories of data, such as health data, the requirement to maintain a record of their personal data processing activities. This record will be used to ensure the enterprise or organisation’s conformity with the regulations.

This internal document holds the organisation carrying out the processing accountable, determining the means and purpose of the processing. As part of the process of keeping this record, the data controller must specifically indicate the different personal data processing activities it undertakes, the categories of personal data and data subjects processed, the purposes of these processing activities, the actors involved in the processing, and the origin and destination of the data stream in order to identify possible transfers of personal data to countries outside the European Union where the GDPR also applies. Continuing with the topic of holding data controllers responsible, this record must also include the envisaged time limits for erasure of the different categories of data, as well as a general description of the technical and organisational security measures implemented.

On its website, the CNIL offers a simplified template of a processing record.

Impact assessment

Data protection impact assessments (DPIA) are necessary when carrying out personal data processing that is likely to result in a high risk to the rights and freedoms of natural persons, particularly when processing on a large scale. This is another tool used to ensure that data controllers are held accountable for their actions, verifying their compliance with the GDPR through a study of the necessity and proportionality of the processing in relation to the purposes, while also considering the risks to the rights and freedoms of data subjects.

The analysis is performed by the data controller under the supervision of the data protection officer who, after systematically presenting the health data processing operations envisaged, must indicate the measures envisaged by the data controller to mitigate the risks.

There are tools available to data controllers to determine whether it is necessary to perform a DPIA, however.

On a European level, the Article 29 Data Protection Working Party (WP29), the predecessor to the European Data Protection Board (EDPB), in 2017 established a series of guidelines (reference WP 248) on data protection impact assessments (DPIA) and determining whether processing is “likely to result in a hight risk”. Even though this document was written prior to the entry into force of the GDPR, it is still current and has even been adopted by the EDPB.

On a French scale, the CNIL has established several tools:

• A list of processing operations that require an impact assessment: decision no. 2018-327 of 11 October 2018.

The list contains numerous situations regarding health data that result in an impact assessment:

• Processing carried out by healthcare or medical-social establishments to provide treatment to individuals.

• Health data processing operations that are necessary to create a data warehouse or a record.

• Biometric data processing for the purpose of identifying “vulnerable” people from among their patients.

• A list of processing operations that do not require an impact assessment: decision no. 2019-118 of 12 September 2019.

This list stipulates that healthcare professionals practising individually within a medical practice, pharmacy or medical laboratory doesn't have to perform an impact assessment for processing operations that are necessary to treat a patient. This information serves as further confirmation of WP29’s continued presence in the aforementioned guidelines.

• A decision tree. The CNIL outlines the “severity” criteria for processing, stating that the presence of two of these criteria (or one if the processing presents a “high” risk) leads to the need for an impact study.

Among these criteria are the processing of health data and the processing of patient data. In other words, in the health sector, operators will be quickly faced with the obligation to carry out an impact assessment.

Data protection officers.

The GDPR requires certain companies to designate a data protection officer (DPO), particularly when the core activities of the company consist of the large-scale processing of sensitive categories of data, which include health data.

Both the notion of “core activity” and “large-scale processing” are once again open to interpretation upon the entry into force of the GDPR.

The data protection officer must be “involved, properly and in a timely manner, in all issues which relate to the protection of personal data”, with their role being “to inform and advise the controller or the processor and the employees who carry out processing of their obligations” and to “monitor compliance” with the GDPR and with all other legal texts on data protection.

1.

Health, Pharma & Biotechnologies
Regulatory law

2.

Health, Pharma & Biotechnologies
Digital health

3.

Competition & Distribution
Health and pharma industry