CE - N° 428451

From GDPRhub
Revision as of 07:42, 7 December 2020 by Mh
Court: CE (France)
Jurisdiction: France
Relevant Law:
  • Article 6 GDPR
  • Article 9(3) GDPR
  • Article 25 GDPR
  • Article 28 GDPR
  • Article L. 6113-7 Code de la santé publique
  • Article R. 6113-7 Code de la santé publique
  • Loi informatique et libertés (version au 26/12/2018)
  • Décret n°2018-1254 du 26 décembre 2018 relatif aux départements d'information médicale
Decided: 25.11.2020
Parties: Conseil national de l'ordre des médecins
National Case Number/Name: 428451
European Case Law Identifier: ECLI:FR:CECHR:2020:428451.20201125
Original Language(s): French
Original Source: Légifrance (in French)
Initial Contributor: Fra-data67

The French Supreme Administrative Court (Conseil d'Etat) annulled the decree of 26/12/2018 because it does not provide for technical and organisational protection measures (such as pseudonymisation) ensuring that only the data strictly necessary for the analysis of a health establishment's activities are collected and processed by statutory auditors and external service providers.

English Summary

Facts

Article 9(3) GDPR provides that health data may be processed for the purposes of the provision of health or social care or treatment or the management of health or social care systems and services, when those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies.

Under the terms of Article L. 6113-7 of the French Public Health Code, health establishments, whether public or private, shall analyse their activity. In compliance with medical confidentiality and patients' rights, they implement information systems that take into account pathologies and treatment methods in order to improve knowledge and evaluation of their activity and costs and to promote the optimisation of the range of care offered. Practitioners practising in public and private healthcare institutions transmit the personal medical data required to analyse the activity and bill for it to the doctor responsible for medical information for the institution under conditions determined by regulation after consultation with the National Council of Physicians (Conseil national de l'ordre des Médecins). The practitioner responsible for medical information is a doctor appointed by the director of a public health establishment or the deliberative body of a private health establishment if there is one, following the opinion of the medical commission or medical conference. The conditions of this designation and the methods of organisation of the medical information function, in particular the conditions under which staff placed under the authority of the practitioner in charge or the statutory auditors acting in the context of the legal mission of certification of the accounts mentioned in Article L. 6145-16 may contribute to the processing of data, are set by decree.

The decree of 26 December 2018 clarifies these provisions. It authorises and regulates access to patients' data for the purposes of analysing the activity, its invoicing and the control of this invoicing by the statutory auditors and external service providers.

In this context, the National Council of Physicians (Conseil national de l'ordre des Médecins) sought the annulment of this decree before the French Supreme Administrative Court (Conseil d'Etat).

Dispute

In the present case, the debate concerns the following points:

  • Did the publication of this decree require prior consultation of the National Council of Physicians with regard to Articles L. 1112-1 and L. 6113-7 of the Public Health Code?
  • Did the publication of this decree require prior consultation of the data protection authority (Commission nationale de l’informatique et des libertés – CNIL) with regard to Article 11 of the French Data Protection law, as in force at the date of the contested decree?
  • Does the processing carried out in accordance with Article L. 6113-7 of the Public Health Code and the decree of 26 December 2018 comply with Articles 6, 9(3) and 25 GDPR?

Holding

In annulling the decree, the Supreme Administrative Court reasoned as follows.

On prior consultation

Contrary to what the National Council of Physicians argued, the Supreme Administrative Court holds that neither the Public Health Code nor the French Data Protection law required prior consultation of the National Council of Physicians or of the DPA (CNIL) on the contested decree.

On the conditions laid down by the contested decree for the processing of data by auditors

The Public Health Code requires the accounts of public health establishments to be certified by an auditor. Because statutory auditors are charged with this legal certification obligation, the law grants them a right of access to the personal health data collected by the doctor in charge of medical information for the establishment as part of the analysis of its activity. In this respect, the Supreme Administrative Court accepts that access to all health data in patients' medical files is necessary for this mission, since it is carried out on a random sample of files in order to verify the reliability and traceability of the data used to calculate the institution's revenue, from patient admission through to invoicing.

In the present case, the Court notes that the decree provides a number of guarantees to ensure that access to this data does not exceed what is strictly necessary for the performance of the statutory auditors' mission: consultation without modification of the data, appropriate information for patients, retention limited to the duration strictly necessary for the mission, access limited to the data necessary for the mission, and a reminder of the obligation of medical secrecy.

However, recalling the provisions of Articles 6 and 25 GDPR, the French Supreme Administrative Court stresses that the mission of the statutory auditors could have been carried out on the basis of data subject to appropriate technical and organisational protection measures (such as pseudonymisation) to protect the data subjects' right to medical confidentiality. The Court therefore concludes that the contested decree is unlawful on this point.

On the conditions laid down by the contested decree for the processing of data by external service providers

Recalling the rule laid down in Article 28 GDPR, the Court stresses that the external service providers cited by the decree must be considered as processors within the meaning of the Regulation.

The French Supreme Administrative Court acknowledges that the decree provides certain guarantees governing the mission of external service providers: they are placed under the responsibility of the doctor responsible for medical information, are subject to the obligation of medical confidentiality, may only access the data necessary for their mission, and may not keep the data made available by the establishment beyond the duration strictly necessary for the activities entrusted to them by contract. Nevertheless, the decree does not provide for technical and organisational measures ensuring, with sufficient guarantees, that only the identifying data necessary for the purposes of the processing are processed, nor for provisions ensuring that the providers actually carry out these activities under the authority of the practitioner responsible for medical information. The Court therefore concludes that the decree is unlawful on this point as well, because it lacks sufficient guarantees that access to the data does not exceed what is strictly necessary for the exercise of the mission recognised by law.

Comment

This decision concerns the derogation from the prohibition on processing special categories of personal data, including health data. More specifically, it addresses the tension between the protection of so-called sensitive data (health data) and the administrative requirements of properly managing healthcare systems, and confirms that a legal basis for access alone is not enough: the legislator must also build in technical and organisational measures (Article 25 GDPR) that limit the data actually exposed to what the mission requires.


English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.