CNIL (France) - 2023-097

From GDPRhub
CNIL - 2023-097
LogoFR.png
Authority: CNIL (France)
Jurisdiction: France
Relevant Law: Article 5(1)(c) GDPR
Article 5(1)(e) GDPR
Article 5(1)(b) GDPR
Article 6(1)(e) GDPR
Article 9(2)(j) GDPR
Article 14(5)(b) GDPR
Article 28 GDPR
Article 36 GDPR
Type: Other
Outcome: n/a
Started: 31.07.2023
Decided: 07.09.2023
Published: 20.10.2023
Fine: n/a
Parties: University of Bordeaux
National Case Number/Name: 2023-097
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): French
Original Source: Légifrance - le service public de la diffusion du droit (in FR)
Initial Contributor: R_e_

Following a request for prior consultation under Article 36 GDPR, the French DPA authorised the University of Bordeaux to implement automated processing of personal data for a study comparing health trajectories leading to cardio-metabolic diseases, to evaluate the interoperability of European health data.

English Summary

Facts

The University of Bordeaux, the data controller, applied for authorisation to undertake automated processing of personal data from the French DPA under Article 36 GDPR. The controller aimed to carry out the processing for a study comparing health trajectories leading to cardio-metabolic diseases on a national scale in order to evaluate the interoperability of European health data.

The project was selected by the European Commission as part of a 'European Health Data Area' pilot. Hence, the DPAs from Denmark, Finland, Norway and Hungary will also need to authorise similar studies to compare the aggregated results.

Holding

The French DPA authorised the project by the data controller on the basis that it met a number of obligations imposed by the GDPR.

Firstly, that the purpose of processing was determined, explicit and legitimate in accordance with Article 5(1)(b) GDPR when considering the project's objectives.

Secondly, the processing of health data was lawful as it was necessary for the execution of a task carried out in the public interest, per Article 6(1)(e) GDPR, and was also necessary for scientific research purposes under Article 9(2)(j) GDPR.

Thirdly, that the data was adequate, relevant and limited to what was necessary for the purposes of processing under Article 5(1)(c) GDPR, as the data was scientifically justified in the data controller's application and further filtering would be carried out before being transmitted to the hosting Health Data Platform; a French public structure whose objective is to enable project coordinators to access non-nominative data hosted on a secure platform.

Fourthly, since the data would only be accessible for a period of 5 years (after which it would be deleted or anonymised), the data controller would not be exceeding the period necessary for the collection and processing purposes of the data pursuant to Article 5(1)(e) GDPR.

The data controller was also not required to individually provide data subjects with the information listed under Article 14 GDPR, relying on the exception under Article 14(5)(b) GDPR since a disproportionate effort would be required. Instead, all of the information specified under Article 14 GDPR could be provided via a collective notice on the data controller website.

The DPA also noted that the data controller would need to have a formalised agreement in place with the Health Data Platform to distribute the various roles and responsibilities, including alert and incident management, and management of anonymous data exports, to comply with Article 28 GDPR. The data controller would also be expected to regularly re-assess who could access the data.

The DPA further noted that the security measures implemented by the data controller appear proportionate to the risks presented by the processing, when considering the comprehensive risk and privacy impact analysis, together with the impact assessments submitted by the controller on the technical solutions of the study.

Finally, the DPA noted that in compliance with Article R. 1461-1 of the Public Health Code, which does not allow the transfer of personal data outside the European Union, except in some circumstances, no transfer outside the European Union of individual personal data is planned, as no member of the research team is located outside the European Union.

Comment

Share your comments here! the CNIL gives its approval to many medical research studies like this every week; they not always publish them. the reason the CNIL has to give so many approvals is because they created the rule that obliges organisations to ask the CNIL: if you don't comply with their methodologies of reference, you cannot start the medical research/registry/cohort etc before you got approval from the CNIL and this can take several months. To my knowledge, they are the only DPA in Europe to have this approach (except Ireland, but for a very specific situation) atb, Bertrand

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

Deliberation n°2023-097 of September 7, 2023 authorizing the University of Bordeaux to implement automated processing of personal data for the purpose of a study relating to the comparison of health trajectories leading to cardiometabolic diseases on a national scale to assess the interoperability of European health data, entitled "EHDS FR-FIN". (Authorization request no. 923197)
The National Commission for Information Technology and Liberties,

Submission on July 31, 2023 by the University of Bordeaux of a request for authorization concerning automated processing of personal data for the purpose of a study relating to the comparison of health trajectories leading to cardiometabolic diseases on a national scale for evaluate the interoperability of European health data entitled “EHDS FR-FIN”;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing the Directive 95/46/EC (GDPR);

Having regard to law no. 78-17 of January 6, 1978, as amended, relating to data processing, files and freedoms (“data processing and freedoms” law), in particular its articles 66, 72 et seq.;

Having regard to the favorable opinion with recommendations of the Ethical and Scientific Committee for research, studies and evaluations in the field of health of July 20, 2023;

Considering the file and its supplements;

After hearing the report from Ms. Valérie PEUGEOT, commissioner, and the observations of Mr. Damien MILIC, Government commissioner;

Makes the following observations:

The CNIL was contacted by the University of Bordeaux for authorization relating to the implementation of a research project relating to health trajectories leading to cardiometabolic diseases based on data from the National Health Data System. health (SNDS).

This project is one of the five use cases selected by the European Commission as part of the creation of the pilot version of the European Health Data Space (HealthData@EU Pilot). Similar studies will be carried out, after authorization from the competent authorities, using Danish, Finnish, Norwegian and Hungarian data, in order to compare the aggregated results.

The Health Data Platform (PDS) will be involved in the implementation of the French study carried out by the University of Bordeaux.

The distribution of roles and responsibilities between the data controller and the PDS, particularly concerning the awareness of project users, the monitoring of traces, the management of alerts and incidents as well as the management of exports of anonymous data, must be formalized by an agreement between the two parties, in accordance with Article 28 of the General Data Protection Regulation (GDPR).

On the purpose of the processing, its lawfulness and the conditions allowing the processing of data concerning health:

The purpose of the envisaged treatment is to implement a study on longitudinal health trajectories, in particular those leading to cardiometabolic diseases, and to compare these trajectories using French, Finnish, Danish, Norwegian and Hungarian data.

This study, entitled “EHDS FR-FIN”, meets three objectives:

establish a dictionary of disease evaluation criteria based on international diagnostic codes;
assess disease distribution and longitudinal association of disease endpoints derived in the NSDS;
build cardiometabolic disease prediction models based on health trajectories using statistical and machine learning approaches.
The purpose of the processing is determined, explicit and legitimate, in accordance with the provisions of article 5.1.b of the GDPR.

The processing implemented by the University of Bordeaux is necessary for the execution of the public interest mission with which it is entrusted.

This processing is, as such, lawful with regard to article 6.1.e of the GDPR. In addition, this processing, necessary for scientific research purposes, also meets the condition provided for in Article 9.2.j of the GDPR allowing the processing of data concerning health.

This research project is subject to the provisions of articles 44.3°, 66.III and 72 et seq. of the “data processing and freedoms” law, which results in the absence of conformity with a reference methodology, processing to purposes of research, study or evaluation in the field of health may only be implemented following authorization from the Commission.

On the nature of the data processed:

Provided that they can be disseminated by the National Health Insurance Fund (CNAM), the data controller requests access to the data from the national health insurance inter-regime information system (SNIIRAM), the health insurance program medicalization of information systems (PMSI) and medical causes of death (CépiDc), concerning the years 2010 to 2025.

A cohort of approximately twelve million people affiliated to the general system and who have not objected to the reuse of their data contained in the SNDS will be randomly constituted for the purposes of this study.

The data processed, the collection of which has been scientifically justified in the application file, will relate in particular to:

sociodemographic characteristics (year of birth, sex, department of residence code and social deprivation index);
causes of death, coded with ICD-10 (international classification of diseases);
surgical and medical procedures (procedure codes and dates from outpatient health expenditures and hospital discharge summaries);
clinical information (diagnosis codes, dates and length of stay from hospital discharge summaries; diagnosis codes and dates of registration for long-term condition; year, month and cause of death);
medicines dispensed (codes and dates of medicines dispensed from healthcare expenditures dispensed on an outpatient basis and hospital discharge summaries).
Only data that is strictly necessary and relevant to the purposes of the processing will be transmitted by the CNAM; in this regard, filtering and data matching will be carried out prior to this transmission by the CNAM.

Since the data from SNIIRAM, PMSI and CépiDc come from databases making up the SNDS, all the legislative provisions (articles L. 1461-1 to L. 1461-7 of the public health code – CSP) and regulations relating to SNDS are applicable in this case, in particular:

the ban on using this data for the purposes described in article L. 1461-1 V of the public health code;
compliance with the safety standards applicable to the SNDS provided for by the decree of March 22, 2017.
The data whose processing is envisaged are adequate, relevant and limited to what is necessary with regard to the purposes of the processing, in accordance with the provisions of article 5.1.c of the GDPR.

On information and people’s rights:

Under Article 69 of the “Informatique et Libertés” law and Article 14.5.b of the GDPR, the obligation to provide individual information to the person concerned may be subject to exceptions, in the event that where the provision of such information would prove impossible, would require disproportionate effort or would seriously compromise the achievement of the objectives of the processing. In such cases, the data controller shall take appropriate measures to protect the rights and freedoms and legitimate interests of the data subject, including by making the information publicly available.

In this case, an exception will be made to the principle of individual information of people and appropriate measures will be implemented by the dissemination of collective information on the website of the data controller. This information note must include all the information provided for in Article 14 of the GDPR.

This processing will also be recorded within the PDS transparency portal.

These information methods are satisfactory with regard to the provisions of the GDPR and the “information technology and freedoms” law.

Data subjects will be able to exercise their rights with the data protection officer of the data controller for the duration of the study.

These methods of exercising rights are satisfactory with regard to the provisions of the GDPR and the “data processing and freedoms” law.

On the duration of data retention:

The data will be accessible for five years. Beyond that, the data will be anonymized or deleted.

These data retention periods do not exceed the periods necessary for the purposes for which they are collected and processed, in accordance with the provisions of article 5.1.e of the GDPR.

On accessors and recipients:

Only the data controller and the persons authorized by him have access to the data within the framework of this single decision. The data controller maintains documents indicating the competent person(s) within it to issue authorization to access the data, the list of authorized persons, their respective access profiles and the terms of allocation, management and authorization control.

These categories of people are subject to professional secrecy under the conditions defined by articles 226-13 and 226-14 of the penal code.

The qualification of authorized persons and their access rights must be regularly reassessed, in accordance with the terms described in the authorization procedure established by the data controller.

On data security and their hosting arrangements:

The CNIL notes that the application file justifies the need to use the technical solution of the PDS, taking into account the characteristics as well as the specific modalities of implementation of this study.

The security of the data of the project space dedicated to the "EHDS FR-FIN" project essentially depends on the technical solution of the PDS, which has been the subject of a global analysis of the risks and impact on privacy, followed by approval according to the SNDS safety standards.

More specifically, an impact analysis relating to data protection was sent to the CNIL concerning the technical solution of the PDS, which corresponds to a secure SNDS bubble and which will host the "EHDS FR-FIN" project.

The data controller has carried out and transmitted in support of the authorization request an impact analysis relating to data protection specific to the "EHDS FR-FIN" project and integrating the elements provided by the PDS for its technical solution .

An approval of the project space was thus carried out by the data controller on April 4, 2023, for a period of three years, subject to the implementation of the action plan that he defined.

This approval decision is only valid until April 3, 2026 and must therefore be renewed before this date if the project is still in progress.

The security measures implemented by the data controller appear proportionate to the risks presented by the processing.

On data transfers outside the European Union:

The provisions of article R. 1461-1 of the CSP provide that no transfer of personal data may be carried out outside the European Union, except in the case of one-off access to data by persons located in outside the European Union, for a purpose falling under 1° of I of Article L. 1461-3 of the CSP. In this case, the application file mentions that, although the service provider is not exclusively subject to the laws and jurisdictions of the European Union, no transfer outside the European Union of individual data from the SNDS is planned, with no members of the research team located outside the European Union.

Authorizes, in accordance with this deliberation, the University of Bordeaux to implement the processing mentioned above.

The president

Marie-Laure DENIS