CNIL (France) - SAN-2023-082

From GDPRhub
Latest revision as of 17:06, 6 December 2023

CNIL - CNIL2326885X
Authority: CNIL (France)
Jurisdiction: France
Relevant Law: Article 5(2) GDPR
Article 9(4) GDPR
Article 14 GDPR
code de la santé publique article L. 1461-3
loi n° 78-17 du 6 janvier 1978 modifiée (loi "informatique et libertés")
Type: Advisory Opinion
Outcome: n/a
Started:
Decided: 20.07.2023
Published: 14.10.2023
Fine: n/a
Parties: n/a
National Case Number/Name: CNIL2326885X
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): French
Original Source: legifrance.gouv.fr (in FR)
Initial Contributor: nikolaos.konstantis

The CNIL has adopted two new reference methodologies, among them MR-007, which enables public bodies to process data from the main database of the National Health Data System (SNDS) beyond the Medicalization of Information Systems Program (PMSI). The MR-007 reference methodology governs access by organizations acting within the framework of their public interest mission to data from the main database of the National Health Data System.

English Summary

Facts

The scope of the National Health Data System has been expanded, both by the Law on the organization and transformation of the health system and by modifying its Implementing Decree. These developments, coupled with a growing interest in this information among stakeholders, have led the CNIL to adopt new reference frameworks allowing access to all the data in the main database of the National Health Data System.

Holding

The data controller undertakes to only process data that is relevant, adequate and limited to what is necessary for the purposes pursued. The duration of access to or retention of data in the controlled environment must be limited to the duration necessary for the implementation of the processing. In any case, this duration cannot exceed five years from the last effective provision of the data. Under certain conditions, this duration may exceptionally be extended. Only people authorized by the data controller or, where applicable, by the person responsible for implementing the processing, can access the data. The implementation of data processing takes place under the responsibility of the data controller, including when it is carried out by third parties acting on its behalf, in compliance with the general data protection regulations. The legal basis of MR-007 concerns organizations for which the implementation of research, study or evaluation in the field of health is necessary for the performance of a mission in the public interest or falls within the exercise of official authority vested in them.

MR-007 sets out the purposes of the processing and adds the targeting of centres and/or the carrying out of feasibility studies for the performance of research involving or not involving the human person. The purposes listed, presumed to be in the public interest, are identical to those mentioned in the reference framework for the provision of the National Health Data System.

Due to the large volume of data available and the complexity of the available databases, MR-007 requires that the project has been the subject of an expressly favourable opinion from the Ethical and Scientific Committee for Research, Studies and Evaluations in the Field of Health (CESREES).

In addition, in the event of a favourable opinion with recommendations, the data controller must undertake to take them into account and to modify its file accordingly, prior to the implementation of the processing.

In order to facilitate the work of making data available, MR-007 provides that the data controller must attach to its protocol an expression of needs, i.e. a document indicating:

· the components of the main database of the SNDS concerned by the access request;
· the target population;
· the targeting period;
· the data or categories of data required;
· the historical depth of the data, up to a maximum of nine years in addition to the current year;
· the requested access period, which may not exceed five years from the last effective provision of the data.

In the context of MR-007 the data processed must come exclusively and directly from the National Health Insurance Fund (CNAM).

Every three years, organizations implementing processing operations on the basis of MR-007 will have to send the CNIL a report on their practices and use of the MR concerning all their processing. The CNIL will thus benefit from feedback from stakeholders, which will be useful for updating its reference frameworks.

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

Deliberation No. 2023-082 of July 20, 2023 approving a reference methodology relating to the processing of data from the main database of the National Health Data System implemented for research, study or evaluation purposes in the field of health by organizations acting within the framework of their public interest mission (MR-007)

The National Commission for Information Technology and Liberties,

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC;

Having regard to law n° 78-17 of January 6, 1978 as amended relating to data processing, files and freedoms, in particular its articles 66, 72 et seq.;

Considering the public health code, in particular its article L. 1461-3;

After hearing the report from Ms. Valérie PEUGEOT, commissioner, and the observations of Mr. Damien MILIC, Government commissioner;

Adopts a reference methodology relating to the processing of data from the main database of the National Health Data System implemented for the purposes of research, study or evaluation in the field of health by organizations acting within the framework of their public interest mission (MR-007).

The president

Marie-Laure DENIS

Reference methodology relating to the processing of data from the main database of the National Health Data System implemented for the purposes of research, study or evaluation in the field of health by organizations acting within the framework of their public interest mission (MR-007)

Regulation (EU) No. 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (the GDPR) provides, in particular in Article 5, point 2, that the data controller must be able to demonstrate that the principles of the regulation are respected.

Article 9(4) of the GDPR specifies that Member States may maintain or introduce additional conditions, including limitations, with regard to the processing of genetic data or data concerning health.

Thus, in application of Law No. 78-17 of January 6, 1978 as amended (“Informatics and Freedoms” Law), the processing of personal data for the purposes of research, study or evaluation in the field of health may be implemented provided that the data controller has made a declaration of conformity with a reference methodology. In the absence of compliance with a reference methodology, the processing must be the subject of an authorization request from the National Commission for Information Technology and Liberties (the CNIL).

The CNIL may approve and publish reference methodologies, under the standards mentioned in II of Article 66 of the “Informatique et Libertés” law, established in consultation with the Health Data Platform (PDS), as well as with public and private organizations representing the stakeholders concerned.

Given their public interest missions, a large number of organizations carry out research, studies and evaluations in the field of health, which are part of a set of specific purposes corresponding to their missions (for example: evaluation of health pathway or quality of care, medico-economic assessments, responses to requests from public authorities, actions aimed at the general public, advice to members, etc.).

In addition to the reference methodology relating to data processing requiring access by health establishments and federations to data from the Medicalization of Information Systems Program (PMSI), made available on the secure platform of the Technical Agency for Hospitalization Information (ATIH), the Commission adopts a reference methodology relating to certain processing of National Health Data System (SNDS) data implemented by data controllers acting within the framework of their public interest mission.

Data controllers who send a declaration of conformity to this reference methodology are authorized to implement their processing operations, as long as they meet the conditions provided for by the methodology and have obtained a favorable opinion from the Ethical and Scientific Committee for Research, Studies and Evaluations in the Field of Health (CESREES).

Title I: DEFINITIONS, CONTROLLERS CONCERNED, SCOPE OF APPLICATION AND PUBLIC INTEREST

1.1. Definitions

For the purposes of this methodology, the following terms are defined as follows:

Assessment: summary, transmitted to the CNIL every three years by the data controller, reporting the use of the reference methodology observed during this period.

Ethical and scientific committee for research, studies and evaluations in the field of health (CESREES): committee which issues a reasoned opinion on the research methodology, the necessity of using personal health data, the relevance of these data in relation to the purpose of the processing and, if applicable, the scientific and ethical relevance of the project as well as the public interest nature of the research, study or evaluation;

Personal data: any information relating to an identified or identifiable natural person (“data subject”); an “identifiable natural person” is a natural person who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier, or to one or more factors specific to their physical, physiological, genetic, psychological, economic, cultural or social identity (see art. 4 of the GDPR). As such, SNDS data, although pseudonymized, constitute personal data;

Controlled environment: set of resources (hardware, software, personnel, data) on which the manager of a system of the National Health Data System (SNDS) applies the requirements of the SNDS security framework;

Project space: work space dedicated to a study, secure and controlled by the system manager making SNDS data available;

Study: research or study in the field of health not meeting the definition of research involving humans as defined in Article L. 1121-1 of the Public Health Code (CSP). It may also be an evaluation or analysis of care or prevention practices or activities, within the meaning of article 72 of the “information technology and freedoms” law. This processing must be of public interest within the meaning of Article 66 of this same law. A study may require carrying out several queries using SNDS data;

Expression of needs: document indicating the components of the main database of the SNDS concerned by the access request, the targeted population, the targeting period, the data or categories of data necessary, the historical depth of the data and the duration of access requested, of which a model developed in collaboration with the PDS and the National Health Insurance Fund (CNAM) is made available;

Research laboratory / design office: organization responsible, where applicable, for the implementation of data processing and for its analysis, having made a compliance commitment to the CNIL under the decree of July 17, 2017 relating to the framework determining the criteria of confidentiality, expertise and independence for research laboratories and design offices. This is a processor within the meaning of the GDPR which, within the framework of this reference methodology, accesses SNDS data on behalf of the data controller;

Health data platform (PDS): public interest group formed between the State, organizations ensuring representation of patients and users of the health system, producers of health data and public and private users of health data, including health research organizations, responsible for implementing the major strategic orientations relating to the SNDS and thus facilitating the sharing of health data from various sources in order to promote research;

Historical depth of data: years of production of data necessary to carry out the study;

Protocol: document drawn up by the data controller or under his responsibility, indicating in particular:

· the methodology of the study;
· the objective of the processing of personal data;
· the categories of persons concerned by the processing;
· the origin, nature and list of the personal data used and the list of justifications for recourse to these;
· the duration and organizational methods of the study;
· the method of data analysis;
· the justification of the number of people and the observation method used;

Responsible for implementing the processing: organization, having access to the data by agreement, responsible for carrying out the analyses on behalf of the data controller. This may be a research laboratory or a design office;

Data controller: natural or legal person who, alone or jointly with others, is responsible for research, study or evaluation not involving humans, ensures its management, verifies that its financing is planned and determines the purposes and means of the processing necessary for this;

Processor: natural or legal person, public authority, service or other body which processes personal data on behalf of the controller;

National health data system: health database comprising a main database, covering the entire population, as well as other databases integrated into a “catalogue”;

Processing: any operation or set of operations, whether or not carried out using automated processes and applied to personal data or sets of data, such as collection, recording, organization, structuring, conservation, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of making available, reconciliation or interconnection, limitation, erasure or destruction;

User: natural person who accesses individual SNDS data made available in a project space.

1.2. Data controllers concerned

1.2.1. Only the data controller(s) for whom the implementation of research, study or evaluation in the field of health is necessary for the execution of a mission of public interest, or falls within the exercise of the public authority with which they are vested within the meaning of article 6.1.e of the GDPR, and who pursue the purposes mentioned below, may make a declaration attesting to compliance with this reference methodology. As such, these will most often be public bodies.

1.2.2. In the case of joint processing responsibility, controllers must transparently define their respective obligations in accordance with Article 26 of the GDPR.

1.3. Processing of personal data included in the scope of this methodology

1.3.1. Only processing of personal data intended to carry out research, studies or evaluations in the field of health which is of public interest within the meaning of article 66 of the “information technology and freedoms” law, and which respects the following conditions of security, organization and transparency, may be subject to a declaration of conformity with this reference methodology:

· a protocol, as well as an expression of needs, must be developed by the data controller before the start of the implementation of data processing. These documents must be submitted to CESREES;
· the processing covered by this reference methodology must obtain an expressly favorable opinion from CESREES prior to its implementation. When this opinion is accompanied by recommendations, the data controller undertakes to take them into account and to modify its file accordingly, prior to the implementation of the processing;
· the data processed must come exclusively from the CNAM, the only agency competent, within the framework of this methodology, to extract and transmit data from the SNDS, in strict compliance with the expression of needs;
· the processed data must also come directly from the CNAM. No reuse of data is permitted within the framework of this reference methodology;
· the data is made available to the data controller or to the person responsible for implementing the processing in a controlled environment, as defined in point 1.1 (Definitions) and meeting the following cumulative conditions:
    · it has been approved in accordance with the security standards applicable to the SNDS. This approval, which must not have expired, must be subject to regular monitoring and is regularly renewed within the deadlines provided for in the approval decision;
    · it has been assessed by the CNIL as part of data processing that was the subject of express authorization by the CNIL. This authorization must be less than three years old;
    · it complies with Title V of this deliberation concerning the terms of data hosting and the absence of transfers outside the European Union;
· the data controller undertakes not to pursue any of the prohibited purposes described in Article L. 1461-1 V of the Public Health Code;
· the data controller and, where applicable, the person responsible for implementing the processing, must first sign a data access agreement with the manager of the controlled environment making the SNDS data available. They must also have each authorized user sign an individual commitment to respect the conditions of use defined by the controlled environment. The data controller must finally transmit to the manager of the controlled environment the list, which can be updated, of the research laboratories or design offices it uses;
· the data controller undertakes to transmit every three years to the CNIL, as well as to CESREES, a report summarizing the uses of the reference methodology observed during this period. If they deem it relevant, the CNIL or CESREES may share this report with the CNAM and/or the PDS;
· the data controller must register each study carried out within the framework of the reference methodology in the public directory maintained by the PDS. The method and the results obtained will be published by the PDS at the end of the processing, according to the terms provided for in paragraph 6.3 “Principle of transparency”.

1.3.2. This reference methodology is therefore not applicable to processing operations:

· hosted outside a controlled environment meeting the cumulative conditions mentioned above;
· requiring matching of SNDS data with personal data from other sources (for example: medical records);
· requiring reuse of updated data available as part of a previous study or from a health data warehouse containing SNDS data.

1.3.3. The processing operations mentioned in paragraph 1.3.2 can only be implemented after authorization from the CNIL.

1.4. Public interest and prohibited purposes

1.4.1. Processing carried out within the framework of this reference methodology must:

· present a character of public interest, justified by the data controller in the protocol, which will be transmitted to the PDS upon registration in the public directory;
· comply with all legislative and regulatory provisions relating to the SNDS (articles L. 1461-1 to L. 1461-7 of the Public Health Code), in particular the prohibition on using this data to pursue the purposes described in Article L. 1461-1 V of the Public Health Code:
    · the promotion of products mentioned in II of article L. 5311-1 aimed at health professionals or health establishments;
    · the exclusion of guarantees from insurance contracts and the modification of contributions or insurance premiums of an individual or a group of individuals presenting the same risk.

Title II: PROCESSING RELATING TO THE DATA OF PERSONS CONCERNED BY STUDIES

2.1. Purpose of processing

2.1.1. Only data processing relating to the purposes of research, studies or evaluations in the field of health, as well as the planning and valorization of the care offer detailed below, can be carried out within the framework of the reference methodology:

· comparative evaluation of care provision: spatial analyses, strategic analyses;
· evolution of care practices, incidence of certain factors in hospitalizations, temporal analyses;
· comparative analyses of care activities, patient trajectory studies, recruitment pool, patient outcomes;
· description and analysis of pathologies and patient care pathways in health establishments;
· analysis of the health territory, territorial hospital groups (GHT), collaborative studies between establishments within a defined scope;
· continuous analyses, comparative evaluations, better adaptation of the care offer, optimization, valorization of stays, creation of management indicators, strategy;
· modeling work, simulation, planning, hospital logistics, operational research (data analysis with the aim of optimizing organizations or producing decision support elements for new organizations);
· targeting centers and/or carrying out feasibility studies for carrying out research involving or not involving humans;
· epidemiological studies;
· medico-economic studies.

2.2. Origin and nature of the data

2.2.1. Origin of personal data

2.2.1.1. The data must come exclusively and directly from the databases made available by the CNAM.

2.2.2. Nature of personal data

2.2.2.1. Pursuant to Article 5(1)(c) of the GDPR, the data processed must be relevant, adequate and limited to what is necessary for the purposes for which they are processed (principle of data minimization). In this regard, the data controller undertakes to only process data that is strictly necessary and relevant to the objectives of the study. Therefore, each of the categories of data can only be processed if their processing is justified in the protocol.

2.2.2.2. The following categories of personal data may be processed under this methodology:

For the data subjects:

2.2.2.3. Only data from the main SNDS database, as defined in article R. 1461-2 of the public health code, can be processed. The latter currently includes:

· data from the information systems mentioned in Article L. 6113-7 of the Public Health Code (PMSI database);
· data from the national inter-scheme health insurance information system mentioned in Article L. 161-28-1 of the social security code (SNIIRAM database);
· data on the causes of death mentioned in article L. 2223-42 of the general code of local authorities (CépiDC database of INSERM);
· medico-social data from the information system mentioned in Article L. 247-2 of the Social Action and Families Code (data relating to disability);
· data from the “Vaccin-Covid” and “SI-DEP” (screening information system) databases.

2.2.2.4. The processing operations included in this reference methodology relate to data whose maximum historical depth is nine years in addition to the current year, provided that they can be disseminated by the CNAM.

2.2.2.5. The following must in particular be justified in the protocol with regard to the purpose of the processing: the categories of data processed, the targeting period of the persons concerned, the components of the SNDS consulted and the historical depth of the requested data, the duration of access, the geographical area and the number of people concerned.

For users:

2.2.2.6. The categories of personal data relating to users that may be subject to processing are as follows:

· surname, first names, position, access profiles;
· if relevant: professional telephone, postal and/or electronic contact details, employing organization;
· training, diplomas;
· elements necessary for the assessment of knowledge in order to carry out the study.

2.2.2.7. The sole purpose of processing user data must be the implementation of the study and compliance with the legal obligations of the data controller.

2.2.2.8. In particular, the purpose of the processed data is the management of declarations of interest, their transmission to the PDS, where applicable, and the management of internal authorization procedures.

2.3. Accessors and recipients of processed data (users)

2.3.1. The data controller or, where applicable, the person responsible for implementing the processing, maintains documents indicating the competent person(s) within it to issue authorization to access the data, the list of persons authorized to access this data, their respective access profiles and the terms of allocation, management and control of authorizations.

2.3.2. Only persons authorized by the data controller or, where applicable, by the person responsible for implementing the processing, may have access to the data processed in relation to their functions and under conditions in compliance with the regulations.

2.3.3. These categories of people are subject to professional secrecy under the conditions defined by articles 226-13 and 226-14 of the penal code.

2.3.4. The qualification of authorized persons and their access rights must be regularly reassessed, in accordance with the terms described in the authorization procedure established by the data controller or by the person responsible for implementing the processing.

2.4. Information and rights of people concerned by the study

2.4.1. Information of people

2.4.1.1. Concerning data coming exclusively from the SNDS, the persons concerned are informed of the possible reuse of their personal health data according to the terms defined by article R. 1461-9 of the public health code.

2.4.1.2. The provisions of Article 69 of the “Informatics and Liberties” law, which establishes the principle of individual information for people whose data is processed, are applicable to all processing carried out using SNDS data.

2.4.1.3. However, in application of the provisions of article 14.5.b of the GDPR, the data controller may assert an exception to the obligation of individual information for the implementation of processing comprising exclusively data from the main database of the SNDS.

2.4.1.4. In this case, it must take appropriate measures to protect the rights and freedoms as well as the legitimate interests of the persons concerned, including by making the information publicly available.

2.4.1.5. In this regard, informing the people concerned cannot be limited to the registration of the study in the public PDS directory.

2.4.1.6. As part of this reference methodology, the completion of each research, study or evaluation in the field of health must be made known to the public.

2.4.1.7. At a minimum, the following measures must be implemented to guarantee publicly available information:

* the distribution of the information note on the website of the data controller as well as, where applicable, of the research laboratory or design office;
* the establishment of a transparency portal when the data controller carries out several studies based on SNDS data. This transparency portal includes general information on the SNDS and an information note specific to each study implemented.

2.4.1.8. Other collective information methods may also be planned, depending on the characteristics of the studies carried out (social networks, patient associations, press releases, etc.).

2.4.1.9. These documents must include all of the information provided for in Article 14 of the GDPR.

2.4.2. Exercise of people’s rights

2.4.2.1. The data subject exercises their rights of access, rectification, erasure, limitation of processing and opposition concerning the processing implemented within the framework of this methodology, directly with the data protection officer of the organization responsible for processing.

2.4.2.2. User information, as well as the methods for exercising their rights, must comply with the principle of transparency provided for in Chapter III of the GDPR.

2.5. Duration of access or retention of data

2.5.1. This duration must be strictly necessary for the implementation of the processing and must not exceed the duration of the study. In any case, the duration of access or retention cannot exceed five years from the last effective provision of the data. This duration may exceptionally be extended for a maximum period of two years, upon reasoned request from the data controller, addressed to CESREES, which then issues a new opinion. No archiving of data can be carried out.

2.5.2. Personal data processed within the framework of this methodology cannot be stored outside the controlled environment used by the data controller or its subcontractor.

2.5.3. Only anonymous results, within the meaning of Article 29 Working Party (G29) Opinion No. 05/2014 or any subsequent EDPS Opinion relating to anonymization, may be exported.

2.5.4. The personal data of users responsible for carrying out the study cannot be kept beyond a period of five years after the end of the study.

2.6. Publication of results

2.6.1. In accordance with the provisions of the “Informatique et Libertés” law, the presentation of the results of data processing cannot under any circumstances allow the direct or indirect identification of the persons concerned.

Title III: SECURITY

3.1. The processing of data from the National Health Data System and its components must be carried out in accordance with the provisions of Articles L. 1461-1 to L. 1461-7 of the Public Health Code.

3.2. The security measures must comply with the security standards applicable to the National Health Data System, provided for by the decree of March 22, 2017 and its subsequent updates.

3.3. In accordance with the aforementioned framework, when the data controller uses a research laboratory or a design office, the data controller must ensure that the contract concluded with the research laboratory or design office specifies the measures and the safety conditions relating to compliance with the aforementioned standards. In particular, the controlled environment must have been the subject of approval prior to the implementation of the data processing necessary for the study.

3.4. The data controller or, where applicable, the person responsible for implementing the processing, must adopt the following technical and organizational measures:

Distribution of roles and responsibilities

SEC-REP-1

The distribution of roles and responsibilities between the data controller(s), the person responsible for implementing the processing and the manager of the controlled environment must be formalized by an agreement. This agreement must in particular cover raising awareness among users of the study, monitoring traces, managing alerts and incidents, and managing exports of anonymous data. It must comply with Article 28 of the GDPR.

Management of authorizations and logical access to data

SEC-HAB-1

Different authorization profiles must be planned in order to manage access to data as necessary and exclusively.

SEC-HAB-2

Persons authorized to access personal data must be individually authorized according to a procedure involving validation by their line manager.

SEC-HAB-3

A review of authorizations must be carried out regularly and at least annually, as well as at the end of each study.

SEC-HAB-4

Access permissions must be withdrawn as soon as authorizations are withdrawn, for example after the departure of an authorized user or a modification of their missions.

User identification and authentication

SEC-IDE-1

Access to personal data must be subject to local or national identification for any natural or legal person, in accordance with the requirements of level 2 of the PGSSI-S Identification Framework.

SEC-IDE-2

Access to personal data must be subject to strong authentication involving at least two distinct authentication factors, in accordance with the requirements of level 2 of the PGSSI-S Authentication Standard. If one of these factors is a password, it must comply with the CNIL recommendations on passwords in force on the date of writing of this reference methodology (deliberation no. 2022-100 of July 21, 2022).

Project space

SEC-ESP-1

The data from a study must be handled by authorized users only in a project space specific to this study, sealed with the data from the central SNDS as well as with the project spaces of other studies carried out in the same controlled environment.

SEC-ESP-2

Data sets imported into a project space specific to a study must be minimized and limited to only the data necessary for the study. A unique pseudonymous number specific to each project space must be generated under the same pseudonymization conditions as those defined by the security framework applicable to the aforementioned SNDS. For example, this unique pseudonymous number could be generated by a cryptographic hash function resistant to brute force attacks or by a cryptographically secure pseudo-random number generator.
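The following is an added illustration of the per-project-space pseudonymization that SEC-ESP-2 describes; it is example code written for this page, not code from the CNIL or from any SNDS operator. It uses a keyed hash (HMAC-SHA256 under a secret generated per project space) as one way to obtain a hash "resistant to brute force attacks": the same SNDS identifier yields a stable pseudonym inside one space, a different pseudonym in every other space, and without the space key the pseudonym cannot be recovered by enumerating identifiers. The identifiers, the `snds_id` field name and the one-key-per-space rule are assumptions made for the example; the last function only shows why an unkeyed hash of a small identifier space does not meet the requirement.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, List, Optional

# Constructed sample identifiers, as they might be imported from the central SNDS
# into two different project spaces. The values are made up for this example.
SNDS_IDS = ["snds-000123", "snds-000124", "snds-000125"]


def new_project_space_key() -> bytes:
    """Generate a fresh 256-bit secret for one project space.

    Assumption: one secret per project space, kept inside the controlled environment
    and never exported with the data."""
    return secrets.token_bytes(32)


def pseudonymize(space_key: bytes, identifier: str) -> str:
    """Keyed pseudonymization: HMAC-SHA256 of the identifier under the space key.

    Deterministic within a space (records of the same person can still be joined),
    but unlinkable across spaces and not reversible without the key."""
    return hmac.new(space_key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymize_rows(space_key: bytes, rows: Iterable[Dict]) -> List[Dict]:
    """Replace the 'snds_id' field of each row with the project-space pseudonym."""
    out = []
    for row in rows:
        new_row = dict(row)
        new_row["pseudo_id"] = pseudonymize(space_key, new_row.pop("snds_id"))
        out.append(new_row)
    return out


def linkable_across_spaces(key_a: bytes, key_b: bytes, identifiers: Iterable[str]) -> bool:
    """True if any identifier receives the same pseudonym in both spaces (must be False)."""
    ids = list(identifiers)
    pa = {pseudonymize(key_a, i) for i in ids}
    pb = {pseudonymize(key_b, i) for i in ids}
    return bool(pa & pb)


def unkeyed_sha256(identifier: str) -> str:
    """An unkeyed hash, shown only to contrast with the keyed version above."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def unkeyed_hash_reversible(digest: str, id_space: Iterable[str]) -> Optional[str]:
    """Why a plain hash of a low-entropy identifier is not 'resistant to brute force':
    anyone who can enumerate the identifier space recomputes the digests and finds
    the original. Returns the recovered identifier, or None."""
    for candidate in id_space:
        if unkeyed_sha256(candidate) == digest:
            return candidate
    return None


if __name__ == "__main__":
    key_a, key_b = new_project_space_key(), new_project_space_key()
    print(pseudonymize_rows(key_a, [{"snds_id": "snds-000123", "year": 2021}]))
    print("linkable across spaces:", linkable_across_spaces(key_a, key_b, SNDS_IDS))
    print("unkeyed hash reversed:", unkeyed_hash_reversible(unkeyed_sha256("snds-000124"), SNDS_IDS))
```

The design point is that resistance to brute force comes from the secret key, not from the hash function alone: SHA-256 over a 13-digit or similar identifier space is cheap to enumerate, while HMAC under a 256-bit key is not. A CSPRNG-generated random pseudonym with a lookup table kept inside the controlled environment is the other option the text allows and gives the same cross-space unlinkability.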

Data transmission

SEC-TRA-1

All data transmissions from or to the controlled environment or project spaces must be subject to encryption measures in accordance with appendix B1 of the general security framework (RGS) in order to guarantee confidentiality.

These encryption measures apply to data in transit and to its storage after receipt in the controlled environment or project spaces.

Exporting anonymous data outside of workspaces

SEC-EXP-1

Only anonymous datasets can be exported outside the controlled environment or a project space. The anonymization process must produce a dataset that complies with the three criteria defined by G29 Opinion No. 05/2014 or any subsequent EDPS opinion relating to anonymization. This compliance must be documented. Otherwise, if these three criteria cannot be met, a study of the risks of re-identification must be carried out and documented, prior to each export.

SEC-EXP-2

Data exports must be subject to prior validation by a manager in order to endorse the principle, particularly with regard to the SEC-EXP-1 requirement.

SEC-EXP-3

Exports must be subject to automatic or manual monitoring by a specialized operator in order to verify their anonymous nature. Where this monitoring is automatic, any export identified as non-compliant must trigger an alert and be quarantined in a partitioned, dedicated space, then verified manually by a specific, trained and authorized manager.
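As an added example of the automatic export monitoring described in SEC-EXP-1 to SEC-EXP-3 (example code for this page, not code from the CNIL or from any controlled-environment operator), the gate below inspects a proposed export, raises alerts and places non-compliant exports in a quarantine list for manual review instead of releasing them. The two checks are assumptions chosen for illustration: the export must be an aggregate table (no row-level identifier columns) and no aggregate cell may count fewer than `K_MIN` individuals, which addresses the "singling out" criterion of the G29 opinion. The threshold value, the column names and the sample tables are all constructed for the example and are not taken from the methodology.

```python
import re
from typing import Dict, List, Tuple

# Assumption (not from the methodology): an aggregate cell counting fewer than K_MIN
# individuals is treated as a singling-out risk and blocks the export.
K_MIN = 5

# Column names that indicate row-level, person-related content. Constructed list.
FORBIDDEN_COLUMNS = {"pseudo_id", "snds_id", "nir", "date_of_birth", "postal_code"}
# Columns considered to be aggregate counts: n, n_patients, count, nb_sejours, ...
COUNT_PATTERN = re.compile(r"^(n|count|nb)(_|$)")

# Constructed sample exports.
OK_TABLE = [
    {"region": "11", "age_band": "40-49", "n_patients": 132},
    {"region": "11", "age_band": "50-59", "n_patients": 87},
]
SMALL_CELL_TABLE = [
    {"region": "94", "age_band": "40-49", "n_patients": 26},
    {"region": "94", "age_band": "90+", "n_patients": 2},   # identifies a tiny group
]
ROW_LEVEL_TABLE = [
    {"pseudo_id": "4f1c...", "region": "11", "n_sejours": 3},  # one row per person
]


def check_export(rows: List[Dict[str, object]]) -> Tuple[str, List[str]]:
    """Return ('release', []) or ('quarantine', [alert, ...]) for a proposed export."""
    alerts: List[str] = []
    if not rows:
        return "release", alerts
    columns = set(rows[0].keys())

    # Check 1: no row-level identifier column may leave the project space.
    bad = sorted(columns & FORBIDDEN_COLUMNS)
    if bad:
        alerts.append(f"row-level identifier columns present: {bad}")

    # Check 2: the table must carry counts, and every non-zero count must reach K_MIN.
    count_cols = sorted(c for c in columns if COUNT_PATTERN.match(c))
    if not count_cols:
        alerts.append("no aggregate count column found: cannot confirm the table is aggregated")
    for idx, row in enumerate(rows):
        for col in count_cols:
            value = row.get(col)
            if isinstance(value, int) and 0 < value < K_MIN:
                alerts.append(f"row {idx}: cell {col}={value} is below the minimum cell size {K_MIN}")

    return ("quarantine" if alerts else "release"), alerts


def process_export(rows: List[Dict[str, object]], quarantine: List[Dict]) -> str:
    """Apply the gate: release compliant exports, otherwise alert and quarantine them."""
    decision, alerts = check_export(rows)
    if decision == "quarantine":
        # The export is held in a dedicated store for manual verification (SEC-EXP-3).
        quarantine.append({"rows": rows, "alerts": alerts})
    return decision


if __name__ == "__main__":
    held: List[Dict] = []
    for table in (OK_TABLE, SMALL_CELL_TABLE, ROW_LEVEL_TABLE):
        print(process_export(table, held))
    for item in held:
        print(item["alerts"])
```

A minimum cell size only covers part of the G29 test (singling out); linkability and inference across several released tables still need the documented risk study that SEC-EXP-1 requires, so an automatic gate of this kind complements the manager's prior validation in SEC-EXP-2 rather than replacing it.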

User awareness and workstation security

SEC-SEN-1

Each person authorized to access the controlled environment must be trained in respecting professional secrecy and regularly made aware of the risks and obligations inherent in the processing of health data.

SEC-SEN-2

Each person authorized to access the controlled environment must sign a confidentiality charter. This must specify in particular the obligations with regard to both the protection of personal health data and the security measures put in place in the controlled environment, as well as the sanctions relating to non-compliance with these obligations.

SEC-SEN-3

The workstations of people authorized to access the controlled environment, including external users accessing only project spaces, must be subject to specific security measures, for example by setting up nominative accounts, adequate authentication, automatic session locking, hard drive encryption and filtering measures. Where the workstations are not under the control of the data controller, the security measures to be put in place on them must be regulated by means of an agreement between the parties concerned.

Logging

SEC-JOU-1

The actions of project space users and those of users of the controlled environment must be subject to logging measures, in accordance with the requirements of level 3 of the PGSSI-S Accountability Framework. In particular, connections (identifiers, date and time), requests and operations carried out must be traced.

SEC-JOU-2

A trace control must be carried out regularly and at least monthly, as well as at the end of each authorization period linked to a study. This control must be carried out by:

* a solution carrying out automatic monitoring, with the reporting of alerts processed manually by an authorized operator; or
* semi-automatic control via execution of programs allowing the selection of abnormal traces, followed by manual rereading by an authorized operator.

SEC-JOU-3

The logging traces defined in the SEC-JOU-1 requirement must be kept for a period of six months to one year from their collection, unless a longer period is justified by the importance of the risk for individuals in the event of diversion of the processing from its purposes and by the frequency of occurrence of such practices. In the latter case, the maximum retention period for logging traces can be extended to three years.
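The following added example puts SEC-JOU-1 to SEC-JOU-3 together in code; it is written for this page and is not code from the CNIL or from any controlled-environment operator. It parses traces of the kind SEC-JOU-1 asks for (identifier, date and time, operation), runs the "semi-automatic" control of SEC-JOU-2 by selecting abnormal traces for manual rereading, and applies the SEC-JOU-3 retention window. The trace format, the list of authorized tables, the working-hours window, the failed-login threshold and the sample traces are all constructed assumptions; the rules are examples of what an operator might select, not a list prescribed by the methodology.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample traces. Assumed format: ISO time | user | action | outcome | key=value;...
SAMPLE_TRACES = """\
2024-03-04T09:12:31|u.martin|LOGIN|ok|space=prj-017
2024-03-04T09:13:02|u.martin|QUERY|ok|table=prj017_sejours
2024-03-04T02:41:10|u.durand|LOGIN|ok|space=prj-017
2024-03-04T02:42:55|u.durand|QUERY|ok|table=snds_central_beneficiaires
2024-03-04T10:05:00|u.petit|LOGIN|fail|space=prj-017
2024-03-04T10:05:20|u.petit|LOGIN|fail|space=prj-017
2024-03-04T10:05:41|u.petit|LOGIN|fail|space=prj-017
2024-03-04T11:30:00|u.martin|EXPORT|ok|file=results_agg.csv
2023-01-15T08:00:00|u.old|LOGIN|ok|space=prj-003
"""

# Assumptions for the control rules (not from the methodology).
AUTHORIZED_TABLES: Dict[str, set] = {"prj-017": {"prj017_sejours", "prj017_actes"}}
WORK_HOURS = (7, 20)        # logins outside 07:00-20:00 are selected for rereading
FAIL_THRESHOLD = 3          # this many failed logins by one user is selected
RETENTION_DAYS = 365        # one year, the upper end of the SEC-JOU-3 default range


@dataclass
class Trace:
    ts: datetime
    user: str
    action: str
    outcome: str
    detail: Dict[str, str]


def parse_traces(text: str) -> List[Trace]:
    """Parse the constructed pipe-delimited trace format into Trace records."""
    traces = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, outcome, detail = line.split("|", 4)
        kv = dict(item.split("=", 1) for item in detail.split(";") if item)
        traces.append(Trace(datetime.fromisoformat(ts), user, action, outcome, kv))
    return traces


def select_abnormal(traces: List[Trace], space: str = "prj-017") -> List[Tuple[Trace, str]]:
    """Semi-automatic control (SEC-JOU-2): return (trace, reason) pairs for manual rereading."""
    findings: List[Tuple[Trace, str]] = []
    allowed = AUTHORIZED_TABLES.get(space, set())
    for t in traces:
        if t.action == "LOGIN" and not (WORK_HOURS[0] <= t.ts.hour < WORK_HOURS[1]):
            findings.append((t, "login outside working hours"))
        if t.action == "QUERY" and t.detail.get("table") not in allowed:
            findings.append((t, "query on a table outside the project space"))
        if t.action == "EXPORT":
            findings.append((t, "export event: confirm the anonymity check was performed"))
    # Repeated authentication failures: one finding per user, attached to the last failure.
    failures = [t for t in traces if t.action == "LOGIN" and t.outcome == "fail"]
    counts = Counter(t.user for t in failures)
    for user, n in counts.items():
        if n >= FAIL_THRESHOLD:
            last = [t for t in failures if t.user == user][-1]
            findings.append((last, f"{n} failed logins for {user}"))
    return findings


def retain_within_window(traces: List[Trace], now: datetime, days: int = RETENTION_DAYS) -> List[Trace]:
    """Apply the SEC-JOU-3 retention window: keep only traces collected within `days` of now."""
    cutoff = now - timedelta(days=days)
    return [t for t in traces if t.ts >= cutoff]


if __name__ == "__main__":
    traces = parse_traces(SAMPLE_TRACES)
    for trace, reason in select_abnormal(traces):
        print(f"{trace.ts.isoformat()} {trace.user:<10} {trace.action:<6} -> {reason}")
    kept = retain_within_window(traces, datetime(2024, 3, 5))
    print(f"{len(traces) - len(kept)} trace(s) past retention, {len(kept)} kept")
```

The selection rules are deliberately simple and deterministic so that an authorized operator can see why each trace was selected; the value of the control lies in the monthly rereading, not in the rules themselves.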

Managing security incidents and personal data breaches

SEC-INC-1

The parties to the agreement must provide a procedure for managing and handling security incidents and personal data breaches, specifying the roles and responsibilities and the actions to be taken in the event of such incidents occurring.

SEC-INC-2

Any security incident, whether of malicious origin or not and occurring intentionally or unintentionally, having the consequence, even temporary, of compromising the integrity, confidentiality or availability of personal data, must be documented internally in a register of breaches.

SEC-INC-3

Any data breach must be notified to the CNIL under the conditions provided for in Article 33 of the GDPR.

SEC-INC-4

Where the breach is likely to result in a high risk for the rights and freedoms of a natural person, the data controller is required to communicate the data breach to the data subjects as soon as possible, in accordance with Article 34 of the GDPR.

3.5. These measures are not exhaustive and must be supplemented with regard to the risks weighing on the processing implemented.

3.6. In addition, Articles 5.1.f and 32 of the GDPR require security measures to be updated with regard to regular reassessment of risks and that the measures comply with the state of the art.

Title IV: SUBCONTRACTORS

4.1. When the data controller uses one or more subcontractors, it ensures that they provide sufficient guarantees regarding the implementation of appropriate technical and organizational measures, so that the processing meets the requirements of the GDPR and the “Informatique et Libertés” law and guarantees the protection of the rights of the data subject.

4.2. A data controller may in particular choose as a subcontractor a health establishment, a hospital federation or a research laboratory or design office.

4.3. The data controller establishes a contract or other legal document with the subcontractor specifying the obligations of each party and setting out the requirements of Article 28 of the GDPR.

4.4. Furthermore, subcontractors:

* must appoint, where applicable, a data protection officer in accordance with Article 37 of the GDPR;
* must keep a register of the categories of processing carried out on behalf of the data controller, in accordance with Article 30 of the GDPR.

TITLE V: HOSTING OF SNDS DATA AND ABSENCE OF DATA TRANSFER OUTSIDE THE EUROPEAN UNION

5.1. As part of this reference methodology, the study data controller(s) ensures:

* that the data from the main database of the SNDS hosted in the controlled environment are located exclusively within the member countries of the European Economic Area and cannot be transferred outside the European Union;
* the absence of remote access to the data from outside the territory of the European Union.

5.2. Furthermore, organizations and, where applicable, their subcontractors, accessing SNDS data as part of carrying out operations for hosting the technical infrastructure of the controlled environment, as well as the administration and exploitation associated with this storage, must be exclusively subject to the laws of the European Union.

Title VI: IMPLEMENTATION OF THE PRINCIPLE OF RESPONSIBILITY

6.1. Data protection impact analysis

6.1.1. The data controller carries out a data protection impact analysis carried out in accordance with the provisions of Article 35 of the GDPR, which must cover in particular the risks to the rights and freedoms of the data subjects.

6.1.2. This impact analysis must be re-examined and updated regularly, in particular if significant changes are planned in the processing implemented within the framework of this methodology or if the risks for the persons concerned have evolved.

6.1.3. A single analysis can cover a set of similar processing operations that present similar risks.

6.2. Formalities

6.2.1. Each data controller appoints a data protection officer, in accordance with Article 37 of the GDPR. This data protection officer will in particular be tasked with verifying that the processing implemented under this methodology complies with it.

6.2.2. The data controller sends the CNIL a single declaration of conformity to this methodology for all the processing operations it implements as long as they are and will be carried out in compliance with all the provisions of the methodology.

6.2.3. As part of joint responsibility, each data controller makes a declaration of conformity to the reference methodology on its own behalf.

6.2.4. The processing operations covered by this reference methodology must obtain an expressly favorable opinion from CESREES prior to their implementation. To obtain this opinion, a file must be submitted to the single secretariat of the PDS and must include the elements listed in this methodology.

6.2.5. In accordance with Article 30 of the GDPR, the data controller maintains, within the register of processing activities, the list of processing operations implemented within the framework of this methodology. It regularly checks the compliance of ongoing processing with the requirements of the reference methodology and documents this analysis.

6.3. Principle of transparency

6.3.1. The legal framework governing the provision of SNDS data is designed to make their use known to the public. To this end, Article L. 1461-3 II of the CSP makes access to SNDS data and its components subject to the communication of several elements by the data controller to the PDS, before and after carrying out the studies.

6.3.2. Thus, the data controller undertakes to record in the public directory maintained by the PDS each study carried out within the framework of this methodology.

6.3.3. This recording must be made, before the start of each study, by the data controller or the person acting on his or her behalf. It is accompanied by the transmission to the PDS of a file including:

* the protocol, including the justification of the public interest, as well as a summary, according to the model made available by the PDS. In the event of a favorable opinion with recommendations from CESREES, the protocol and the summary, clearly taking the recommendations into account, must be registered;
* the declaration of interests, in relation to the object of the study, of the data controller and, where applicable, of the subcontractor.

6.3.4. At the end of the study, the method and the results obtained must be communicated to the PDS for publication.

6.3.5. The recording of the processing and the transmission of the results are carried out in accordance with the procedures defined by the PDS.

6.4. Balance sheet

6.4.1. The data controller, where applicable after consulting the subcontractor(s), transmits to the CNIL every three years a report summarizing the observed uses of this reference methodology, indicating in particular:

* the number of studies implemented over the period analyzed;
* the types of purposes pursued;
* the financing arrangements for projects and partners (in particular public funding, etc.);
* concerning the data processed: the components of the SNDS mainly requested; the overall adequacy of the expression of needs to the objectives of the study; the average historical depth requested and whether or not it was sufficient; the average number of people concerned by the studies; the average duration of access or retention of data requested and whether or not it was sufficient; the collective information supports implemented; the capacity in which the persons authorized to access SNDS data act;
* concerning data security: security incidents likely to impact the rights of individuals, whether revealed or avoided; any substantial modification to the architecture of the controlled environment;
* the number of scientific publications resulting from research, studies and evaluations carried out within the framework of the methodology;
* the benefits and scientific contributions observed and/or measured.

Title VII: ENTRY INTO FORCE

7.1. This reference methodology comes into force from its publication in the Official Journal.

7.2. When research, study or evaluation in the field of health, previously authorized by the CNIL, is subject to a substantial modification and complies with this methodology, it is not necessary to obtain a new authorization of the CNIL.

7.3. This deliberation will be published in the Official Journal of the French Republic.