CE - N° 428451
CE - 428451 | |
---|---|
Court: | CE (France) |
Jurisdiction: | France |
Relevant Law: | Article 6 GDPR Article 9(3) GDPR Article 25 GDPR Article 28 GDPR Article L. 6113-7 Code de la santé publique Article R. 6113-7 Code de la santé publique Loi informatique et libertés (version au 26/12/2018) Décret n°2018-1254 du 26 décembre 2018 relatif aux départements d'information médicale |
Decided: | 25.11.2020 |
Published: | |
Parties: | Conseil national de l'ordre des médecins |
National Case Number/Name: | 428451 |
European Case Law Identifier: | ECLI:FR:CECHR:2020:428451.20201125 |
Appeal from: | |
Appeal to: | |
Original Language(s): | French |
Original Source: | Légifrance (in French) |
Initial Contributor: | Fra-data67 |
The French Supreme Administrative Court (Conseil d’Etat) annulled the decree of 26/12/2018 as it does not have technical and organisational protection measures to ensure that only the data strictly necessary for the analysis of a health establishment's activities are collected.
English Summary
Facts
Article 9(3) GDPR provides that health data may be processed for the purposes of the provision of health or social care or treatment or the management of health or social care systems and services, when those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies.
Under the terms of Article L. 6113-7 of the French Public Health Code, health establishments, whether public or private, shall analyse their activity. In compliance with medical confidentiality and patients' rights, they implement information systems that take into account pathologies and treatment methods in order to improve knowledge and evaluation of their activity and costs and to promote the optimisation of the range of care offered. Practitioners practising in public and private healthcare institutions transmit the personal medical data required to analyse the activity and bill for it to the doctor responsible for medical information for the institution under conditions determined by regulation after consultation with the National Council of Physicians (Conseil national de l'ordre des Médecins). The practitioner responsible for medical information is a doctor appointed by the director of a public health establishment or the deliberative body of a private health establishment if there is one, following the opinion of the medical commission or medical conference. The conditions of this designation and the methods of organisation of the medical information function, in particular the conditions under which staff placed under the authority of the practitioner in charge or the statutory auditors acting in the context of the legal mission of certification of the accounts mentioned in Article L. 6145-16 may contribute to the processing of data, are set by decree.
The decree of 26 December 2018 clarifies these provisions. It authorises and regulates access to patients' data for the purposes of analysing the activity, its invoicing and the control of this invoicing by the statutory auditors and external service providers.
In this context, the National Council of Physicians (Conseil national de l'ordre des Médecins) is seeking the annulment of this decree by the French Supreme Administrative Court (Conseil d’Etat).
Dispute
In the present case, the dispute concerns the following points:
- Did the publication of this decree require prior consultation of the National Council of Physicians with regard to Articles L. 1112-1 and L. 6113-7 of the French Public Health Code?
- Did the publication of this decree require prior consultation of the data protection authority (Commission nationale de l’informatique et des libertés – CNIL) with regard to Article 11 of the French Data Protection law, as in force at the date of the contested decree?
- Does the processing carried out in accordance with Article L. 6113-7 of the French Public Health Code and the decree of 26 December 2018 comply with Articles 6, 9(3) and 25 GDPR?
Holding
To reach the cancellation of the decree, the Supreme Administrative Court retained the following points.
On prior consultation
Contrary to what has been argued by the National Council of Physicians, the Supreme Administrative Court emphasizes that the provisions of the Public Health Code and the French Data Protection law did not require prior consultation of the National Council of Physicians and the DPA on the contested decree.
On the conditions laid down by the contested decree for the processing of data by auditors
The Public Health Code requires the accounts of public health establishments to be certified by an auditor. Thus, charged with a legal obligation of certification, the law grants statutory auditors a right of access to personal health data collected by the doctor in charge of information for the establishment as part of the analysis of the activity. In this respect, the Supreme Administrative Court emphasises that access to all health data from patients' medical files is necessary for the accomplishment of this mission, for a sample of files enabling the reliability and traceability of the data used to calculate the institution's revenue to be verified on a random basis, from patient admission to invoicing.
In the present case, the Court notes that the decree provides a number of guarantees to ensure that access to this data does not exceed that which is strictly necessary for the performance of the statutory auditors' mission (consultation without modification of the data, appropriate information for patients, conservation limited to the duration strictly necessary for this mission, limited access to data only necessary for the mission, reminder of the obligation of medical secrecy).
However, recalling the provisions of Articles 6 and 25 GDPR, the French Supreme Administrative Court stresses that the mission of the statutory auditors could have been carried out on the basis of data subject to appropriate technical and organisational protection measures (such as pseudonymisation of data) to ensure the protection of the data subject's right to medical confidentiality. Accordingly, the Court therefore concludes that the contested decree is unlawful.
On the conditions laid down by the contested decree for the processing of data by external service providers
Recalling the rule laid down in Article 28 GDPR, the Court stresses that the external service providers cited by the decree must be considered as processors within the meaning of the Regulation.
The French Supreme Administrative Court outlines that the decree provides certain guarantees governing the mission of external service providers (they are placed under the responsibility of the doctor responsible for medical information, are subject to the obligation of medical confidentiality, may only access the data necessary for their mission, and may not keep the data made available by the establishment beyond the duration strictly necessary for the activities entrusted to them by contract). However, the Court emphasises that the decree has not provided for technical and organisational measures to ensure that the only data processed, with sufficient guarantees, are those necessary for the purposes of the processing. Additionally, the Court stresses that the decree has not provided for provisions to ensure that they actually carry out these activities under the authority of the practitioner responsible for the medical information. The Court therefore concludes that the decree is unlawful, due to the absence of sufficient guarantees to ensure that access to the data does not exceed that which is strictly necessary for the exercise of the mission recognised by law.
Comment
This decision concerns the derogation from the prohibition on processing special categories of personal data, including health data. More specifically, this decision addresses a specific issue relating to the link between the protection of so-called sensitive data (health data) and the administrative requirements for the proper administration of healthcare systems.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
FRENCH REPUBLIC IN NAME OF THE FRENCH PEOPLE Considering the following procedure: By a summary request, an additional brief, a reply and a new brief, registered on February 27 and April 24, 2019 and on January 28 and September 9, 2020 at the litigation secretariat of the Council of State, the National Council of order of doctors asks the Council of State: 1 °) to cancel for excess of power the decree n ° 2018-1254 of December 26, 2018 relating to the medical information departments; 2 °) to charge the State the sum of 3,000 euros under article L. 761-1 of the code of administrative justice. Having regard to the other documents in the file; Seen: - Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016; - the commercial code; - the Penal Code ; - the public health code; - Law n ° 78-17 of January 6, 1978; - the code of administrative justice; After hearing in public session: - the report by Mr Damien Pons, master of requests for extraordinary service, - the conclusions of Mrs. Marie Sirinelli, public rapporteur; The floor having been given, before and after the conclusions, to SCP Matuchansky, Poupot, Valdelièvre, lawyer of the National Council of the Order of Physicians; Considering the following: 1. Under the terms of Article L. 6113-7 of the Public Health Code: "Health establishments, public or private, analyze their activity. / In compliance with medical confidentiality and the rights of patients, they implement information systems that take account in particular of pathologies and treatment methods in order to improve knowledge and assessment of activity and costs and to promote optimization of the care. / Practitioners working in public and private health establishments transmit the nominative medical data necessary for the analysis of the activity and the invoicing of this one to the doctor responsible for the medical information for the establishment under conditions determined by regulation after consultation with the National Council of the Order of Physicians. / (...) The practitioner responsible for medical information is a doctor appointed by the director of a public health establishment or ' deliberative body of a private health establishment if it exists, after consulting the medical commission or the medical conference. The conditions for this designation and the organizational methods of the medical information function, in particular the conditions under which staff placed under the authority of the responsible practitioner or of the auditors acting under the legal mission of certifying accounts mentioned in article L. 6145-16 can contribute to the processing of data, are fixed by decree (...) ". 2. For the application of these provisions, the decree of December 26, 2018 relating to medical information departments authorizes and regulates access to patient medical data for the purposes of analyzing the activity, billing and the control of this invoicing, on the one hand, by external service providers and, on the other hand, by auditors. The National Council of the Order of Physicians requests the cancellation for excess of power of this decree. On external legality: 3. Firstly, neither III of Article L. 1112-1 of the Public Health Code, which provides for consultation of the National Council of the Order of Physicians on the regulatory provisions which lay down procedures according to which individuals treated as well as certain doctors have access to the information held by health establishments on the people they receive, nor that of article L. 6113-7 of the same code, cited in point 1, did not require consultation of the Council. national law on the contested decree. The fact that this decree would include modifications made after the Council had delivered its opinion on the project is therefore irrelevant to its legality. The plea alleging that the contested decree does not mention this consultation in its visas is also ineffective. 4. Secondly, if, under the terms of a) of 4 ° of I of article 11 of the law of 6 January 1978 relating to data processing, files and freedoms, in the version applicable on the date of decree attacked, the National Commission for Informatics and Freedoms "is consulted on any bill or decree or any provision of a bill or decree relating to the protection of personal data or the processing of such data" , it is only in the cases provided for in articles 26 and 27 of the law and "when a law provides that a decree or an order is taken after the opinion of the commission" that the same provisions require that this notice be published with the decree or order. In addition, when the publication of the opinion of the National Commission for Informatics and Freedoms must take place at the same time as that of the decree or order, failure to observe this obligation can in any event only have no effect on the legality of the latter. Consequently, the Council of the Order of Physicians cannot usefully maintain that the failure to publish the opinion delivered by the National Commission for Informatics and Freedoms, whose consultation was not necessary in this case by virtue of a legislative provision other than that of article 11 of the law of January 6, 1978 cited above, would vitiate the contested decree with illegality. On internal legality: With regard to the applicable legal framework: 5. It follows from the provisions of Article L. 6113-7 of the Public Health Code cited in point 1 that the implementation, by health establishments, of information systems for the analysis of their activity must be carried out in accordance with medical confidentiality and the rights of patients. By virtue of I of article L. 1110-4 of this code: "Any person taken care of by a health professional, an establishment or service, a professional or an organization contributing to prevention or treatment for which the conditions of exercise or activities are governed by this code (...) has the right to respect for his private life and the secrecy of information concerning him. / Except in cases of exemption expressly provided for by law, this secrecy covers the whole information concerning the person that has come to the attention of the professional, of any member of the staff of these establishments, services or organizations, and of any other person in relation, through his activities, with these establishments or organizations. professionals involved in the health system ". The following provisions of this same article specify the conditions under which the information thus protected can be shared between professionals of the same care team or exchanged between the professionals mentioned in I for the care of the same person. 6. It also results from the provisions of Article L. 6113-7 of the Public Health Code that the practitioner responsible for medical information is the sole recipient of the nominative medical data necessary for the analysis of the activity and the invoicing sent to it for this purpose by the practitioners working in the establishment. These data are listed in Article R. 6113-1 of the Code, which provides that: "For the analysis of their medical activity, health establishments, public and private, proceed, under the conditions set by this section, to the synthesis and computer processing of data appearing in the medical file mentioned in Article L. 1112-1 which is collected, for each patient, by the practitioner responsible for the medical or medico-technical structure or by the practitioner who provided care for the patient and which is sent to the doctor responsible for medical information for the establishment, mentioned in article L. 6113-7. / These data can only concern: / 1 ° The patient's identity and his place of residence; / 2 ° The modalities according to which the care was provided, such as hospitalization with or without accommodation, part-time hospitalization, home hospitalization, outpatient; / 3 ° The patient's family or social environment in so far as it influences the modalities of its processing; / 4 ° The methods and dates of entry and exit; / 5 ° The medical units taking care of the patient; / 6 ° Pathologies and other medical characteristics of the person treated; / 7 ° The diagnostic and care procedures performed for the benefit of the patient during his stay in the establishment. / The data mentioned in 1 ° is not collected when a person can legally be admitted to a health establishment or receive treatment there while remaining anonymous ". 7. Finally, it follows from the provisions of L. 6113-7 of the Public Health Code that personnel placed under the authority of the responsible practitioner as well as auditors acting under the legal mission of certifying the accounts of public establishments can contribute to the processing of nominative medical data, under conditions which it is for the regulatory power to set under the supervision of the judge. In this regard, Article 4 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of this data, or General Data Protection Regulation, defines "processing" as "any operation or set of operations carried out or not using automated processes and applied to data or sets of personal data , such as the collection, recording, organization, structuring, preservation, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of provision, reconciliation or interconnection, limitation, erasure or destruction "and" data concerning health "such as" personal data relating to the physical or mental health of a person physical, including the provision of health care services, which reveal information about that person's state of health. The 3 of article 9 of this regulation authorizes the processing of data relating to health necessary for the management of health care or social protection systems and services only by a health professional subject to an obligation of secrecy. professional or under his responsibility or by another person also subject to an obligation of secrecy, allowing Member States to maintain or introduce additional conditions or limitations. 6 ° of II of article 8 of the law of January 6, 1978, in the wording applicable on the date of the decree, requires that such treatment be implemented by a member of a health profession or by a other person to whom the obligation of professional secrecy provided for by article 226-13 of the penal code is imposed by reason of his or her duties. Article 6 of this law, in the wording then applicable, further provides that: "Processing can only relate to personal data that meet the following conditions: / (...) 3 ° They are adequate, relevant and not excessive with regard to the purposes for which they are collected and their subsequent processing (...) ". With regard to the conditions set by the decree under appeal for the processing of data by auditors or by external service providers: 8. The contested decree inserts in Article R. 6113-5 of the Public Health Code provisions providing that: "Are subject to the obligation of secrecy, the disregard of which is punished in accordance with Articles 226-13 and 226-14 of the penal code: / (...) 3 ° The statutory auditors who have access, for consultation only and without the possibility of creation or modification, to personal data mentioned in article R. 6113-1, in within the framework of their legal mission of certifying the accounts of health establishments mentioned in article L. 6145-16; / 4 ° External service providers who contribute under the responsibility of the doctor responsible for medical information to the processing of personal data personnel mentioned in article R. 6113-1 as part of their subcontracting contract "and that:" The auditors and the external service providers mentioned in the two preceding paragraphs can only access personal data necessary mentioned in article R. 6113-1 within the strict limit of what is necessary for their missions ". He reminds that if the external service provider also provides hosting for health data, it must do so in accordance with the conditions specific to this activity, provided for by article L. 1111-8 of the same code. It also specifies, by inserting an article R. 6113-9-1 in the code, that interested parties cannot keep the data made available by the establishment beyond the period strictly necessary for their mission and , by that of an article R. 6113-9-2, that: "The traces of any access, consultation, creation and modification of data relating to patients are kept for a period of six rolling months by the health establishment" . Finally, it provides, in article R. 6113-7 of the code, that the people treated in the establishment are informed by the reception booklet or another written document that the data concerning them are transmitted to the doctor responsible for the hospital. medical information and to persons intervening under its authority and may, when they give rise to invoicing, "be the subject of a random consultation of traceability by the auditor in his function of certifying the annual accounts of the establishment ". With regard to the statutory auditors: 9. Article L. 6145-16 of the public health code provides that: "The accounts of public health establishments defined by decree are certified. / The certification procedures, by an auditor or by the Court of Auditors , are fixed by regulation ". It follows from what was said in points 5 to 7 that the legislator intended that the auditors may, when they intervene under this legal certification mission, access personal health data collected by the responsible doctor. medical information for the establishment for the analysis of the activity. However, it did not intend to allow restrictions to be made to respect for medical confidentiality, recalled by the provisions cited above in Article L. 1110-4 of the Public Health Code, which would not necessarily be involved by their legal certification mission. It is therefore incumbent on the regulatory power, when it sets the conditions under which the statutory auditors can contribute to the processing of this personal data, to provide the necessary guarantees to ensure that access to this data does not exceed that which is strictly necessary for the performance of this mission. 10. It follows from the provisions of Article L. 823-9 of the Commercial Code that auditors must only, for the performance of their legal mission of certifying the accounts of public health establishments, be able to justify that the annual accounts of these establishments are regular and fair and give a true picture of the results of operations for the past financial year as well as of their financial situation and their assets. It emerges from the documents in the file, in particular the observations of a general nature presented by the High Council of the statutory auditors in application of article R. 625-3 of the code of administrative justice, that access to all the data of health, taken from patients' medical files, mentioned in article R. 6113-1 of the public health code cited in point 6, is necessary for the accomplishment of this mission, for a sample of files allowing verification by sampling the reliability and traceability of the data used to calculate the establishment's revenue, from patient admission to billing. On the other hand, it does not appear that this mission cannot be accomplished on the basis of data subject to adequate technical and organizational protection measures, such as - failing the use, as an expert, of a doctor responsible for medical information in another establishment - the pseudonymization of data, which Article 25 of the General Data Protection Regulation provides for the implementation to protect the rights of the data subject and to ensure, to this end, that the persons whose data are processed cannot be identified. Consequently, if the contested decree was able, without disregarding the scope of Article L. 6113-7 of the Public Health Code, to regulate the conditions under which the auditors have access to these data, limited to, '' on the one hand, to provide that they can only consult them, within the framework of their legal mission, without creating or modifying data, with appropriate information for patients, by limiting their retention to the period strictly necessary for this mission and by recalling the obligation of secrecy to which they are subject and, on the other hand, to limit their access to only data "necessary (...) within the strict limit of what is necessary for their missions", without excluding by in principle their access to any of these data, it is, on the other hand, tainted with illegality in that it does not provide for technical and organizational measures capable of guaranteeing the protection of the right of the person concerned to respect for medical confidentiality recalled by the provisions. cited above in Article L. 1110-4 of the Public Health Code. Regarding external service providers: 11. Pursuant to Article 28 of the General Data Protection Regulation: "1. When processing must be carried out on behalf of a controller, the latter only calls on processors who provide sufficient guarantees as to the implementation of appropriate technical and organizational measures so that the processing meets the requirements of this Regulation and guarantees the protection of the rights of the data subject. / (...) 3. Processing by a processor is governed by a contract or other legal act under Union law or the law of a Member State, which binds the processor with regard to the controller, defines the object and duration of the processing, the nature and purpose of the processing, the type of personal data and the categories of data subjects, and the obligations and rights of the controller. This contract or other legal act provides, in particular t, that the processor: / a) processes personal data only on the documented instruction of the controller (...); / b) ensure that persons authorized to process personal data undertake to respect confidentiality or are subject to an appropriate legal obligation of confidentiality; / (...) h) make available to the controller all the information necessary to demonstrate compliance with the obligations provided for in this article and to allow audits, including inspections, to be carried out by the controller or another auditor appointed by him, and contribute to these audits (...) ". 12. It follows from what has been said in points 5 to 7 that the legislator intended that the personnel placed under the authority of the practitioner responsible for medical information for the establishment can contribute to the processing of personal health data collected. by this doctor for the analysis of the activity and invoicing, by derogating from the respect of medical confidentiality recalled by the provisions cited above of Article L. 1110-4 of the Public Health Code in the only to the extent that the exercise of the mission which is recognized to them by article L. 6113-7 of the same code would necessarily imply it. Contrary to what the National Council of the Order of Physicians maintains, it does not follow from these provisions that it would have intended to exclude these personnel from being service providers outside the establishment, having the status of subcontractor where appropriate. within the meaning of the provisions cited in the previous point of the General Data Protection Regulation. However, it is the responsibility of the regulatory power, when it sets the conditions under which these service providers can contribute to the processing of this personal data, to provide the necessary guarantees to ensure that access to this data does not exceed that which is strictly necessary for the exercise of the mission recognized by law. 13. By limiting themselves to providing that the external service providers who contribute to the processing of personal data mentioned in Article R. 6113-1 of the Public Health Code are placed under the responsibility of the doctor responsible for medical information, that they intervene within the framework of their subcontracting contract, that they are subject to the obligation of secrecy, the disregard of which is punished in accordance with articles 226-13 and 226-14 of the penal code, that they can access "only the necessary personal data (...) within the strict limit of what is necessary for their missions" and that they cannot keep the data made available by the establishment beyond the strictly necessary for the activities that have been entrusted to them by contract, without providing for technical and organizational measures to ensure that only the identifying data that are necessary with regard to s purposes of the processing or of provisions intended to guarantee that they effectively carry out these activities under the authority of the practitioner responsible for medical information, regardless of the location, the decree under appeal did not provide sufficient guarantees for ensure that access to the data does not exceed that which is strictly necessary for the exercise of the mission recognized by law. 14. It follows from all of the foregoing that the National Council of the Order of Physicians is only justified in requesting the annulment of the decree which it attacks inasmuch as it does not provide for, when the commissioners have access to accounts with personal health data collected during the analysis of the activity, technical and organizational protection measures to ensure the absence of processing of identifying data and, when accessing this data from external service providers, technical and organizational measures designed to ensure that only the identifying data necessary for the purposes of the processing or provisions intended to guarantee that they effectively carry out their activities under the authority of the practitioner responsible for the processing are processed, with sufficient guarantees. medical information. 15. Pending the enactment of the additional regulations necessarily implied by the execution of the annulment thus pronounced, this necessarily has the effect of avoiding an unjustified infringement of the right to respect for medical confidentiality of persons whose attacked decree organizes the processing of personal data relating to health, on the one hand, that the auditors, if they do not use the service of an expert doctor under the conditions mentioned in point 10, do not receive only pseudonymized data and, on the other hand, that each health establishment ensures that the work entrusted to any external service providers is organized in such a way that the practitioner responsible for medical information in each health establishment is able to organize and control the work of service providers under its responsibility, as required by Article L. 6113-7 of the Public Health Code, which implies that the composition of the teams, the place of exercise of the activity and the details of the services provided, and that it can ensure that they access identifying data within the strict limit of what is necessary for their missions. On the costs of the proceedings: 16. It is appropriate, in the circumstances of the case, to put a sum of 2,000 euros payable by the State under Article L. 761-1 of the Code of Administrative Justice for the costs incurred. by the National Council of the Order of Physicians. DECIDES: -------------- Article 1: Decree n ° 2018-1254 of December 26, 2018 relating to medical information departments is canceled insofar as it does not provide, when the auditors access personal health data collected during the '' analysis of the activity, technical and organizational protection measures suitable for guaranteeing the absence of processing of identifying data and, when external service providers access this data, technical and organizational measures suitable for ensuring that only processed, with sufficient guarantees, the identifying data necessary for the purposes of the processing and provisions intended to ensure that they effectively carry out their activities under the authority of the practitioner responsible for medical information. This cancellation includes the obligations set out in point 15 of this decision. Article 2: The State will pay a sum of 2,000 euros to the National Council of the Order of Physicians under Article L. 761-1 of the Code of Administrative Justice. Article 3: The surplus of the conclusions of the request is rejected. Article 4: This decision will be notified to the National Council of the Order of Physicians and to the Minister of Solidarity and Health. A copy will be sent to the Prime Minister and to the High Council of the Auditors.