Back to CNIL Day on “Health Data Protection: From Care to Research”

On June 23rd the French Data Protection Authority, the National Commission for Data Protection and Liberties (herein after “CNIL”) organized a one-day conference in partnership with Bordeaux University. This event was an opportunity for attendees to receive a technical and operational point of view on the implementation of GDPR in the health care environment.

In accordance with Article 4 of GDPR, personal data relating to health are considered as information “related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status”. By referring to this definition and the prohibition of processing them due to their sensitive nature mentioned as article 9, CNIL’s jurists have strengthened the full enforcement of GDPR on this type of data. The CNIL recommended identifying the data through a case-by-case analysis regarding to the context of their collection. This qualification work can reveal three types of health personal data: health data per nature, health data leading to health status per correlation with other information, and health data used for a specific medical purpose. In addition to GDPR, protection of health personal data shall also include other specific regulations applicable to health care environment such as:

• the prohibition of collection health personal data (article 8 and chapter 9 from French Computer and Freedom Law);
• medical confidentiality and respect for privacy (article L. 1110-4 from French Public Health Code);
• health personal data hosting (articles L. 1111-8, R. 1111-8-8)
• no commercial use of on health personal data (articles L. 1111-8, L. 4113-7 from French Public Health Code).

Jurists from CNIL and Bordeaux University introduced the French legal framework for data protection in medical research context. This system is built on the distinction of 2 types of research projects: projects involving the human subjects (RIPH) or projects not involving the human subjects (RNIPH).
There are 3 categories of RIPH:

• those entailing a procedure that is not justified by his or her usual care and is not without risks for the person (RIPH1), –
• those entailing entails a procedure with minimal risks and constraints for the person (RIPH2),
• those not entailing a procedure and not bringing any risks (RIPH3).
  For all of them (RIPH or RNIPH), the data protection is implemented through the following steps:
• characterizing the research project
• determining the procedure applicable to the research project
• carrying out a data protection impact assessment if necessary
• checking and documenting the research project’s conformity with a CNIL’s reference methods
• submitting the research project to French Competent Authorities and/or Ethic Committees to get their opinion or authorization before the start of the project if necessary;
• in case of non-conformity with a reference method, asking CNIL for a specific authorization for the research.

The DPO and the IT Director from Bordeaux Hospital provided an operational point of view on the enforcement of GPDR inside the structure. Together, they underlined the difficulty of implementating the GDPR enforcement due to the large number of processing activities involving large flows of personal data. These processing activities do not only cover healthcare within the hospital, but they also cover HR, financial affairs, and large-scale suppliers’ management. As in other structures, the DPO of Bordeaux Hospital emphasized the challenge to get people to consider GDPR implementation as a priority which implies their involvement. At the national level, CNIL reported that 30,000 DPO have been appointed for 80,000 organisations. This number has increased over the past years but still falls well short of what is required as many organisations are still working without a DPO even though it is mandatory.