CNIL (France) - CNIL2326891X

From GDPRhub
Authority: CNIL (France)
Jurisdiction: France
Relevant Law: Article 5(2) GDPR
Article 9(4) GDPR
Article 72, Law No. 78-17 of January 6, 1978 relating to data processing, files and freedoms
Type: Advisory Opinion
Outcome: n/a
Started:
Decided: 20.07.2023
Published: 14.10.2023
Fine: n/a
Parties: n/a
National Case Number/Name: CNIL2326891X
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): French
Original Source: National Commission for Information Technology and Liberties (in FR)
Initial Contributor: violette_maris

The CNIL approved a reference methodology for the processing of health data by organisations acting within the framework of their legitimate interests. The methodology is intended to protect the privacy of the individuals concerned while facilitating researchers' access to the National Health Data System.

English Summary

Facts

The CNIL adopted a reference methodology for processing data from the main base of the National Health Data System (SNDS).

This methodology applies to organisations conducting research, studies or evaluations in the field of health within the framework of their legitimate interests. Data controllers who meet the conditions set out in the methodology and who submit a declaration of compliance with it are authorised to implement their processing operations, provided that they have also obtained a favourable opinion from an independent committee (CESREES), which is responsible for issuing opinions on proposed studies requiring the use of health data, prior to authorisation by the CNIL.

This is intended to protect the privacy of the individuals concerned while facilitating researchers' access to the SNDS.

Holding

To begin with, the CNIL recalled that the data controllers concerned by this methodology are only those for whom the implementation of the research, study or evaluation in the field of health is necessary for the pursuit of a legitimate interest within the meaning of Article 6(1)(f) GDPR.

The CNIL also clarified that the processing of personal data in these circumstances can be implemented once a controller has made a declaration of conformity with the new reference methodology. Where there is no conformity, the processing must be subject to prior authorisation by the CNIL. Additionally, the CNIL provided that every three years the controller must send the CNIL and the CESREES a report summarising the use of the methodology during this period, and that each study must be registered in the public directory of the Health Data Platform (PDS) and be published at the end of the data processing.

Moreover, the CNIL stated that, in accordance with Article 5(1)(c) GDPR, the processing must be compliant with the principle of data minimisation, meaning that the data must be relevant, adequate and limited to what is necessary for the study for which they are processed. The CNIL also noted that the data should be kept up to date and that only authorised persons may access it. It further mandated that all the information on the data processing mentioned in Article 14 GDPR be made available on the website of the controller and, where appropriate, the research laboratory or research office.

Additionally, the CNIL recalled that the exercise of data subjects' rights must be enabled and the principle of transparency respected. In terms of data retention, the CNIL stated that the period must be limited to what is strictly necessary for the duration of the study and may not exceed five years from the last effective provision of the data. This period may exceptionally be extended for a maximum of two years upon reasoned request to the CESREES. The personal data of the users who carried out the study may not be retained for more than five years after the end of the study.

Lastly, the CNIL reiterated that under Article 28 GDPR, commitments should be in place between data controllers and possible processors and that a DPO should be designated pursuant to Article 37 GDPR, who should keep records of the processing activities under Article 30 GDPR. Moreover, the CNIL mandated that the data processed may not be transferred outside the EU, and impact assessments should be carried out in accordance with Article 35 GDPR, reviewed and updated regularly.


English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

Deliberation No. 2023-083 of July 20, 2023 approving a reference methodology relating to the processing of data from the main database of the National Health Data System implemented for research, study or evaluation purposes in the field of health by organizations acting within the framework of their legitimate interests (MR-008)

The National Commission for Information Technology and Liberties,

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC;

Having regard to law n° 78-17 of January 6, 1978 as amended relating to data processing, files and freedoms, in particular its articles 66, 72 et seq.;

Considering the public health code, in particular its article L. 1461-3;

After hearing the report from Ms. Valérie PEUGEOT, commissioner, and the observations of Mr. Damien MILIC, Government commissioner;

Adopts a reference methodology relating to the processing of data from the main database of the National Health Data System implemented for the purposes of research, study or evaluation in the field of health by organizations acting within the framework of their legitimate interests (MR-008).

The president

Marie-Laure DENIS

Reference methodology relating to the processing of data from the main database of the National Health Data System implemented for the purposes of research, study or evaluation in the field of health by organizations acting within the framework of their legitimate interests (MR-008)

Regulation (EU) No. 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (GDPR), and in particular Article 5, point 2, provides that the data controller must be able to demonstrate that the principles of the regulation are respected.

Article 9(4) of the GDPR specifies that Member States may maintain or introduce additional conditions, including limitations, with regard to the processing of genetic data or data concerning health.

Thus, in application of the law of January 6, 1978 as amended (“information technology and freedoms” law), the processing of personal data for the purposes of research, study or evaluation in the field of health can be implemented provided that the data controller has made a declaration of conformity with a reference methodology. In the absence of compliance with a reference methodology, the processing must be the subject of an authorization request from the National Commission for Information Technology and Liberties (the CNIL).

The CNIL may approve and publish reference methodologies, under the standards mentioned in II of Article 66 of the “Informatique et Libertés” law, established in consultation with the Health Data Platform (PDS), as well as with public and private organizations representing the stakeholders concerned.

Among the most common processing operations on data from the National Health Data System (SNDS) are those carried out at the request of private organizations, and more particularly of persons producing or marketing the products mentioned in II of Article L. 5311-1 (health products) of the public health code (CSP).

These processing operations make it possible in particular to prepare discussion files for the competent authorities and committees, mainly in the field of medicines and medical devices (marketing, pricing discussions, CE marking, etc.), and to carry out studies under real-life conditions of use.

In addition to the reference methodology relating to data processing that requires access, on behalf of persons producing or marketing the products mentioned in II of Article L. 5311-1 of the CSP, to data from the medicalization program of information systems (PMSI) made available on the secure platform of the Technical Agency for Information on Hospitalization, the Commission adopts a reference methodology relating to the processing of SNDS data necessary for the purposes of the legitimate interests pursued by the data controller.

Data controllers who send a declaration of conformity with this reference methodology are authorized to implement their processing operations, as long as they meet the conditions provided for by the methodology and in particular have obtained an expressly favorable opinion from the Ethical and Scientific Committee for Research, Studies and Evaluations in the field of Health (CESREES).

Title I: DEFINITIONS, CONTROLLERS CONCERNED, SCOPE OF APPLICATION AND PUBLIC INTEREST

1.1. Definitions

For the purposes of this methodology, the following terms are defined as follows:

Assessment: summary, transmitted to the CNIL every three years by the data controller, reporting on the uses of the reference methodology observed during this period;

Ethical and scientific committee for research, studies and evaluations in the field of health (CESREES): committee which issues a reasoned opinion on the research methodology, the necessity of using personal health data, the relevance of these data in relation to the purpose of the processing and, if applicable, the scientific and ethical relevance of the project as well as the public interest nature of the research, study or evaluation;

Personal data: any information relating to an identified or identifiable natural person ("data subject"); an "identifiable natural person" is a natural person who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier, or to one or more factors specific to their physical, physiological, genetic, psychological, economic, cultural or social identity (see art. 4 of the GDPR). As such, SNDS data, although pseudonymized, constitute personal data;

Controlled environment: set of resources (hardware, software, personnel, data) on which the manager of a system of the National Health Data System (SNDS) applies the requirements of the SNDS security framework;

Project space: work space dedicated to a study, secure and controlled by the system manager making SNDS data available;

Study: research or study in the field of health not meeting the definition of research involving humans as defined in Article L. 1121-1 of the Public Health Code (CSP). It may also be an evaluation or analysis of care or prevention practices or activities, within the meaning of article 72 of the "information technology and freedoms" law. This processing must be of public interest within the meaning of Article 66 of the same law. A study may require carrying out several queries using SNDS data;

Expression of needs: document indicating the components of the main database of the SNDS concerned by the access request, the targeted population, the targeting period, the data or categories of data necessary, the historical depth of the data and the duration of access requested, of which a model developed in collaboration with the PDS and the National Health Insurance Fund (CNAM) is made available;

Research laboratory / design office: organization responsible, where applicable, for the implementation of data processing and for its analysis, having made a compliance commitment to the CNIL with the decree of July 17, 2017 relating to the framework determining the criteria of confidentiality, expertise and independence for research laboratories and design offices. This is a processor within the meaning of the GDPR which, within the framework of this reference methodology, is the only party able to access the SNDS data in place of the data controller(s);

Health data platform (PDS): public interest group formed between the State, organizations representing patients and users of the health system, producers of health data and public and private users of health data, including health research organizations, responsible for implementing the major strategic orientations relating to the SNDS and thus facilitating the sharing of health data from various sources in order to promote research;

Historical depth of data: years of production of data necessary to carry out the study;

Protocol: document drawn up by the data controller or under his responsibility, indicating in particular:

the methodology of the study; the objective of the processing of personal data; the categories of persons concerned by the processing; the origin, nature and list of the personal data used and the list of justifications for recourse to these; the duration and organizational methods of the study; the method of data analysis; the justification of the number of people and the observation method used;

Responsible for implementing the processing: organization, having access to the data by agreement, responsible for carrying out the analyzes on behalf of the processing manager. This may be a research laboratory or a design office;

Data controller: natural or legal person who, alone or jointly with others, is responsible for research, study or evaluation not involving humans, ensures its management, verifies that its financing is planned and determines the purposes and means of the processing necessary for this;

Processor: natural or legal person, public authority, service or other body which processes personal data on behalf of the controller;

National Health Data System (SNDS): health database comprising a main database, covering the entire population, as well as other databases integrated into a “catalogue”;

Processing: any operation or set of operations, whether or not carried out using automated processes and applied to personal data or sets of data, such as collection, recording, organization, structuring, conservation, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of making available, reconciliation or interconnection, limitation, erasure or destruction;

User: natural person who accesses individual SNDS data made available in a project space.

1.2. Data controllers concerned

1.2.1. Only data controllers for whom the implementation of research, study or evaluation in the field of health is necessary for the pursuit of a legitimate interest within the meaning of Article 6(1)(f) of the GDPR may make a declaration attesting to compliance with this reference methodology, with the exception of the organizations mentioned in 1° of A and in 1°, 2°, 3°, 5° and 6° of B of I of Article L. 612-2 of the Monetary and Financial Code and the insurance intermediaries mentioned in Article L. 511-1 of the Insurance Code.

1.2.2. In the case of joint processing responsibility, the controller(s) must transparently define their respective obligations, in accordance with Article 26 of the GDPR.

1.3. Processing of personal data included in the scope of this methodology

1.3.1. Only processing of personal data intended to carry out research, studies or evaluations in the field of health which is of public interest within the meaning of Article 66 of the "information technology and freedoms" law may be subject to a declaration of conformity with this reference methodology, subject to the following conditions of security, organization and transparency:

a protocol, as well as an expression of needs, must be developed by or under the responsibility of the data controller before the start of the implementation of data processing. These documents must be submitted to CESREES;

the treatments covered by this reference methodology must obtain an expressly favorable opinion from CESREES prior to their implementation. When this opinion is accompanied by recommendations, the data controller undertakes to take them into account and to modify his file accordingly, prior to the implementation of the processing;

the processed data must come exclusively from the CNAM, the only body competent, within the framework of this methodology, to extract and transmit data from the SNDS, in strict compliance with the expression of needs; the processed data must also come directly from the CNAM. No reuse of data is permitted within the framework of this reference methodology;

data processing can only be carried out by a research laboratory or a design office, public or private, having made a compliance commitment to the CNIL with the decree of July 17, 2017 relating to the framework determining the criteria of confidentiality, expertise and independence for research laboratories and design offices; the data is made available to the research laboratory or design office in a project space within a controlled environment, as defined in point 1.1 (Definitions), meeting the following cumulative conditions:

it has been approved in accordance with the security standards applicable to the SNDS. This approval must not have expired; it is subject to regular monitoring and is renewed within the deadlines provided for in the approval decision;

it has been assessed by the CNIL as part of a data processing operation expressly authorized by the CNIL. This authorization must be less than three years old;

it complies with Title V of this deliberation concerning the terms of data hosting and the absence of transfers outside the European Union.

the data controller does not access individual data in the SNDS. Therefore, he cannot himself be the manager of the controlled environment used in the context of the studies covered by this reference methodology; the data controller undertakes not to pursue one of the prohibited purposes, described in article L. 1461-1 V of the public health code;

the data controller and, where applicable, the person responsible for implementing the processing, must first sign a data access agreement with the manager of the controlled environment making the SNDS data available. They must also have each authorized user sign an individual commitment to respect the conditions of use defined by the controlled environment. The data controller must finally send to the manager of the controlled environment the list, which can be updated, of the research laboratories or design offices he uses;

the data controller undertakes to transmit every three years to the CNIL, as well as to CESREES, a report summarizing the uses of the reference methodology observed during this period. If they deem it relevant, the CNIL or CESREES may share this report with the CNAM and/or the PDS; the data controller must register each study carried out within the framework of the reference methodology in the public directory maintained by the PDS. The method and the results obtained are published by the PDS at the end of the processing, according to the procedures provided for in paragraph 6.3: "Principle of transparency".

1.3.2. This reference methodology is therefore not applicable to treatments:

hosted outside a controlled environment meeting the cumulative conditions mentioned above;

requiring matching of SNDS data with personal data from other sources (for example: medical records);

requiring reuse of data already available as part of a previous study or from a health data warehouse containing SNDS data.

1.3.3. The processing operations mentioned in paragraph 1.3.2 can only be implemented after authorization from the CNIL.

1.4. Public interest and prohibited purposes

1.4.1. Processing carried out within the framework of this reference methodology must:

present a character of public interest, justified by the data controller in the protocol, which will be transmitted to the PDS upon registration in the public directory;

comply with all legislative and regulatory provisions relating to the SNDS (articles L. 1461-1 to L. 1461-7 of the public health code), in particular the prohibition on using this data to pursue the purposes described in article L. 1461-1 V of the public health code: the promotion of the products mentioned in II of article L. 5311-1 towards health professionals or health establishments; the exclusion of guarantees from health insurance contracts and the modification of insurance contributions or premiums for an individual or a group of individuals presenting the same risk.

Title II: PROCESSING RELATING TO THE DATA OF PERSONS CONCERNED BY STUDIES

2.1. Purpose of processing

2.1.1. Only data processing relating to the purposes of research, studies or evaluations in the field of health, detailed below, can be carried out within the framework of the reference methodology:

comparative evaluation of the provision of care; evolution of care practices; comparative analyzes of care activities; description and analysis of pathologies and patient care pathways; epidemiological and/or medico-economic studies, including studies for the preparation of files for discussions and meetings with the competent authorities and committees, or studies for monitoring purposes; feasibility studies or targeting of centers for carrying out research involving or not involving humans.

2.1.2. The processing of personal data of the persons concerned must not have the main or secondary objective, or the effect of enabling the achievement of one or more prohibited purposes, described in article L. 1461-1 V of the CSP.

2.2. Origin and nature of the data

2.2.1. Origin of personal data

2.2.1.1. The data must come exclusively and directly from the databases made available by the CNAM.

2.2.2. Nature of personal data

2.2.2.1. Pursuant to Article 5(1)(c) of the GDPR, the data processed must be relevant, adequate and limited to what is necessary for the purposes for which they are processed (principle of data minimization). In this regard, the data controller undertakes to only process data that is strictly necessary and relevant to the objectives of the study. Therefore, each of the categories of data can only be processed if their processing is justified in the protocol.

2.2.2.2. The following categories of personal data may be processed under this methodology:

For the persons concerned:

2.2.2.3. Only data from the main database of the SNDS, as defined in article R. 1461-2 of the public health code, can be processed. The latter currently includes:

data from the information systems mentioned in Article L. 6113-7 of the Public Health Code (PMSI database); data from the national inter-scheme health insurance information system mentioned in Article L. 161-28-1 of the social security code (SNIIRAM database); data on the causes of death mentioned in article L. 2223-42 of the general code of local authorities (CépiDC database of INSERM); medico-social data from the information system mentioned in Article L. 247-2 of the Social Action and Families Code (data relating to disability); data from the "Vaccin-Covid" and "SI-DEP" (screening information system) databases.

2.2.2.4. The processing operations included in this reference methodology relate to data whose maximum historical depth is nine years in addition to the current year, provided that they can be disseminated by the CNAM.

2.2.2.5. The following must in particular be justified in the protocol with regard to the purpose of the processing: the categories of data processed, the targeting period of the persons concerned, the components of the SNDS consulted and the historical depth of the requested data, the duration of access, the geographical area and the number of persons concerned.

For users:

2.2.2.6. The categories of personal data relating to users that may be subject to processing are as follows:

surname, first names, position, access profiles; if relevant: professional telephone, postal and/or electronic contact details, employing organization; training, diplomas; elements necessary for the assessment of knowledge in order to carry out the study.

2.2.2.7. The sole purpose of processing user data must be the implementation of the study and compliance with the legal obligations of the data controller.

2.2.2.8. In particular, the purpose of the processed data is the management of declarations of interest, their transmission to the PDS, where applicable, and the management of internal authorization procedures.

2.3. Accessors and recipients of processed data (users)

2.3.1. The data is made available to the research laboratory or design office within a controlled environment. The data controller does not access individual data in the SNDS.

2.3.2. The person responsible for implementing the processing maintains and makes available to the data controller documents indicating the competent person(s) within it to issue authorization to access the data, the list of persons authorized to access these data, their respective access profiles and the terms of allocation, management and control of authorizations.

2.3.3. Only authorized persons from the research laboratory or design office can access the data, in compliance with the provisions set out in Article 3 of the framework determining the criteria of confidentiality, expertise and independence for research laboratories and design offices.

2.3.4. These categories of people are subject to professional secrecy under the conditions defined by articles 226-13 and 226-14 of the penal code.

2.3.5. The qualification of authorized persons and their access rights must be regularly reassessed, by the research laboratory or design office, in accordance with the terms described in the authorization procedure established by the person responsible for implementing the processing, respecting where applicable, the instructions given by the data controller.

2.4. Information and rights of people concerned by the study

2.4.1. Information of people

2.4.1.1. Concerning data coming exclusively from the SNDS, the persons concerned are informed of the possible reuse of their personal health data according to the terms defined by article R. 1461-9 of the public health code.

2.4.1.2. The provisions of Article 69 of the “Informatics and Liberties” law, which establishes the principle of individual information for people whose data is processed, are applicable to all processing carried out using SNDS data.

2.4.1.3. However, in application of the provisions of Article 14(5)(b) of the GDPR, the data controller may assert an exception to the obligation of individual information for the implementation of processing comprising exclusively data from the main database of the SNDS.

2.4.1.4. In this case, it must take appropriate measures to protect the rights and freedoms as well as the legitimate interests of the persons concerned, including by making the information publicly available.

2.4.1.5. In this regard, informing the people concerned cannot be limited to the registration of the study in the public PDS directory.

2.4.1.6. As part of this reference methodology, the completion of each research, study or evaluation in the field of health must be made known to the public.

2.4.1.7. At a minimum, the following measures must be implemented to guarantee publicly available information:

the distribution of the information note on the website of the data controller as well as, where applicable, the research laboratory or design office; the establishment of a transparency portal when the data controller carries out several studies using SNDS data. This transparency portal includes general information on the SNDS and an information note specific to each study implemented.

2.4.1.8. Other collective information methods may also be planned, depending on the characteristics of the studies carried out (social networks, patient associations, press releases, etc.).

2.4.1.9. These documents must include all of the information provided for in Article 14 of the GDPR.

2.4.2. Exercise of people’s rights

2.4.2.1. The data subject exercises their rights of access, rectification, erasure, limitation of processing and opposition concerning the processing implemented within the framework of this methodology, directly with the data protection officer of the organization responsible for processing.

2.4.2.2. User information, as well as the methods for exercising their rights, must comply with the principle of transparency provided for in Chapter III of the GDPR.

2.5. Duration of access or retention of data

2.5.1. This duration must be limited to that strictly necessary for the implementation of the treatment and must not exceed the duration of the study. In any case, the duration of access or retention cannot exceed five years from the last effective provision of the data. This duration may exceptionally be extended for a maximum period of two years, upon reasoned request from the data controller, addressed to CESREES, which then issues a new opinion. No archiving of data can be carried out.

2.5.2. Personal data processed within the framework of this methodology cannot be stored outside the controlled environment used by the research laboratory or design office.

2.5.3. Only anonymous results, within the meaning of Article 29 Working Party (G29) Opinion 05/2014 or any subsequent EDPS opinion relating to anonymization, may be exported.

2.5.4. The personal data of users responsible for carrying out the study cannot be kept beyond a period of five years after the end of the study.

2.6. Publication of results

2.6.1. In accordance with the provisions of the “Informatique et Libertés” law, the presentation of the results of data processing cannot under any circumstances allow the direct or indirect identification of the persons concerned.

Title III: SECURITY

3.1. The processing of data from the National Health Data System and its components must be carried out in accordance with the provisions of Articles L. 1461-1 to L. 1461-7 of the Public Health Code.

3.2. The security measures must comply with the security standards applicable to the national health data system, provided for by the decree of March 22, 2017 and its subsequent updates.

3.3. Research laboratories and design offices must comply with the decree of July 17, 2017 relating to the framework determining the criteria of confidentiality, expertise and independence for research laboratories and design offices.

3.4. The systems providing the data referred to in this methodology must therefore comply with the security standards applicable to the aforementioned SNDS.

3.5. In accordance with the aforementioned standard, the data controller must ensure that the contract concluded with the research laboratory or design office specifies the security measures and conditions relating to compliance with the aforementioned standard. In particular, the controlled environment must have been the subject of approval prior to the implementation of the data processing necessary for the study.

3.6. The data controller or, where applicable, the person responsible for implementing the processing, must adopt the following technical and organizational measures:

Distribution of roles and responsibilities

SEC-REP-1

The distribution of roles and responsibilities between the data controller(s), the person responsible for implementing the processing and the manager of the controlled environment must be formalized by an agreement. The latter must cover in particular raising awareness among the users of the study, monitoring of logs, managing alerts and incidents, and managing exports of anonymous data. This agreement must comply with Article 28 of the GDPR.

Management of authorizations and logical access to data

SEC-HAB-1

Separate authorization profiles must be defined so that access to data is granted only to those who need it and only for the data they need (need-to-know basis).

SEC-HAB-2

Persons authorized to access personal data must be individually authorized according to a procedure involving validation by their line manager.

SEC-HAB-3

A review of authorizations must be carried out regularly and at least annually, as well as at the end of each study.

SEC-HAB-4

Access permissions must be withdrawn as soon as authorizations are withdrawn, for example after the departure of an authorized user or a modification of their missions.

User identification and authentication

SEC-IDE-1

Access to personal data must be subject to local or national identification for any natural or legal person, in accordance with the requirements of level 2 of the PGSSI-S identification framework.

SEC-IDE-2

Access to personal data must be subject to strong authentication involving at least two distinct authentication factors, in accordance with the requirements of level 2 of the PGSSI-S authentication framework. If one of these factors is a password, it must comply with the CNIL recommendations on passwords in force on the date this methodology was written (deliberation no. 2022-100 of July 21, 2022).

Project space

SEC-ESP-1

The data from a study must be handled by authorized users only, within a project space dedicated to that study and sealed off both from the central SNDS data and from the project spaces of other studies conducted in the same controlled environment.

SEC-ESP-2

Data sets imported into the project space of a study must be minimized and limited to the data strictly necessary for the study. A unique pseudonymous identifier, specific to each project space, must be generated under the same pseudonymization conditions as those defined by the security framework applicable to the SNDS. For example, this identifier could be generated by a cryptographic hash function resistant to brute-force attacks or by a cryptographically secure pseudo-random number generator.
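The following is an added illustration of SEC-ESP-2, not part of the CNIL text or of any SNDS tooling. It shows why an unkeyed hash of a low-entropy identifier does not by itself resist brute force (the whole identifier space can simply be enumerated), and the two approaches the requirement names in a form that does: a keyed hash (HMAC-SHA256) under a secret key that exists only for one project space, so the same person receives a different pseudonym in every project space, and a random mapping table drawn from the OS CSPRNG. It also minimizes the imported records to the needed columns. The identifiers, records, column names and key handling are constructed assumptions for the example.

```python
"""Added example: per-project-space pseudonymization and minimization
(SEC-ESP-2). All identifiers and records are constructed, not SNDS data."""
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed source records as they might sit outside the project space.
# The hypothetical study needs only 'age_band' and 'diagnosis'.
SOURCE_RECORDS = [
    {"id": "P-000123", "age_band": "40-49", "diagnosis": "E11", "postcode": "75001"},
    {"id": "P-000124", "age_band": "50-59", "diagnosis": "I10", "postcode": "69003"},
    {"id": "P-000125", "age_band": "40-49", "diagnosis": "E11", "postcode": "13008"},
]
NEEDED_COLUMNS = ("age_band", "diagnosis")


def unkeyed_hash(identifier: str) -> str:
    """Plain SHA-256 of the identifier. Deterministic, but when the
    identifier space is small anyone can enumerate it, so this alone is
    not 'resistant to brute force'."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def enumerate_unkeyed(target: str, candidates) -> Optional[str]:
    """Brute-force reversal of unkeyed_hash over a candidate list."""
    for cand in candidates:
        if unkeyed_hash(cand) == target:
            return cand
    return None


def new_project_key() -> bytes:
    """256-bit key from the OS CSPRNG. Assumption: it is held by the
    controlled-environment operator and never stored in the project space."""
    return secrets.token_bytes(32)


def project_pseudonym(identifier: str, project_key: bytes) -> str:
    """HMAC-SHA256 under the project space's secret key. Same identifier ->
    different pseudonym per project space; enumeration without the key
    yields nothing."""
    return hmac.new(project_key, identifier.encode(), hashlib.sha256).hexdigest()


class RandomPseudonymTable:
    """CSPRNG alternative: the pseudonym carries no information about the
    identifier at all; the mapping table itself is the secret to protect."""

    def __init__(self):
        self._table = {}

    def pseudonym(self, identifier: str) -> str:
        if identifier not in self._table:
            self._table[identifier] = secrets.token_hex(16)
        return self._table[identifier]


def import_into_project_space(records, project_key: bytes, needed=NEEDED_COLUMNS):
    """Minimize (keep only the needed columns) and re-pseudonymize for one
    project space. The source 'id' never enters the project space."""
    imported = []
    for rec in records:
        row = {"pseudo": project_pseudonym(rec["id"], project_key)}
        row.update({col: rec[col] for col in needed})
        imported.append(row)
    return imported
```

Because the pseudonym is keyed per project space, two studies hosted in the same controlled environment cannot join their data on the identifier even if both were to leak, which is what the sealing requirement of SEC-ESP-1 is after.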

Data transmission

SEC-TRA-1

All data transmissions from or to the controlled environment or project spaces must be subject to encryption measures in accordance with appendix B1 of the general security framework (RGS) in order to guarantee confidentiality.

These encryption measures apply to data in transit and to its storage after receipt in the controlled environment or project spaces.

Exporting anonymous data outside of workspaces

SEC-EXP-1

Only anonymous datasets can be exported outside the controlled environment or a project space. The anonymization process must produce a dataset that complies with the three criteria defined by G29 (Article 29 Working Party) Opinion No. 05/2014 or any subsequent EDPB opinion relating to anonymization. This compliance must be documented. If these three criteria cannot be met, a study of the risks of re-identification must be carried out and documented prior to each export.

SEC-EXP-2

Data exports must be subject to prior validation by a manager, who approves the principle of the export with particular regard to the SEC-EXP-1 requirement.

SEC-EXP-3

Exports must be subject to automatic or manual monitoring by a specialized operator in order to verify their anonymous nature. Where this monitoring is automatic, any export identified as non-compliant must trigger an alert and be quarantined in a partitioned, dedicated space, then verified manually by a specifically trained and authorized manager.
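An added example of the automatic export gate that SEC-EXP-1 to SEC-EXP-3 describe, written for this page and not taken from any SNDS platform. It enforces the prior managerial validation of SEC-EXP-2, runs a k-anonymity check over the quasi-identifier columns (a test for the "singling out" criterion of the WP29 opinion; the linkability and inference criteria still need the documented analysis the text requires), rejects columns that carry pseudonyms or free text, and routes non-compliant exports to a quarantine area with an alert, from which only a manual reviewer can release them. The column lists, the k threshold of 10 and the sample export are constructed assumptions.

```python
"""Added example: export gate with k-anonymity check and quarantine
(SEC-EXP-1 to SEC-EXP-3). Policy values and sample rows are constructed."""
from collections import Counter
from dataclasses import dataclass, field

# Constructed policy of a hypothetical controlled environment.
QUASI_IDENTIFIERS = ("age_band", "sex", "department")
FORBIDDEN_COLUMNS = ("pseudo", "nir", "date_of_birth", "free_text")
K_MIN = 10  # smallest quasi-identifier cell allowed in an export


@dataclass
class ExportDecision:
    status: str                        # "released" or "quarantined"
    reasons: list = field(default_factory=list)
    small_cells: dict = field(default_factory=dict)


def check_export(rows, k_min=K_MIN) -> ExportDecision:
    """Automatic check: forbidden columns and quasi-identifier cells < k."""
    reasons = []
    columns = set()
    for r in rows:
        columns.update(r)
    bad = sorted(c for c in columns if c in FORBIDDEN_COLUMNS)
    if bad:
        reasons.append(f"forbidden columns present: {bad}")
    qi = [c for c in QUASI_IDENTIFIERS if c in columns]
    cells = Counter(tuple(r.get(c) for c in qi) for r in rows)
    small = {cell: n for cell, n in cells.items() if n < k_min}
    if small:
        reasons.append(f"{len(small)} quasi-identifier cell(s) below k={k_min}")
    return ExportDecision("quarantined" if reasons else "released", reasons, small)


class ExportGate:
    """Routes each export to the release area or to a dedicated quarantine
    area and records an alert; the quarantine is emptied only through
    manual_release, the trained reviewer's step."""

    def __init__(self):
        self.released, self.quarantine, self.alerts = {}, {}, []

    def submit(self, export_id, rows, approved_by):
        if not approved_by:  # SEC-EXP-2: prior validation by a manager
            raise PermissionError("export requires prior managerial validation")
        decision = check_export(rows)
        if decision.status == "released":
            self.released[export_id] = rows
        else:
            self.quarantine[export_id] = (rows, decision)
            self.alerts.append(f"{export_id}: {'; '.join(decision.reasons)}")
        return decision

    def manual_release(self, export_id, reviewer, justification):
        """Reviewer overrides after documented analysis; the override is traced."""
        rows, decision = self.quarantine.pop(export_id)
        self.released[export_id] = rows
        self.alerts.append(f"{export_id}: released by {reviewer}: {justification}")
        return decision


def constructed_export(small_cell=True):
    """Constructed record-level export: one cell of 12 people and, when
    small_cell is set, one cell of only 2 people (a singling-out risk)."""
    rows = [{"age_band": "40-49", "sex": "F", "department": "75", "cases": 1}
            for _ in range(12)]
    if small_cell:
        rows += [{"age_band": "90+", "sex": "M", "department": "2A", "cases": 1}
                 for _ in range(2)]
    return rows
```

The check is deliberately conservative: it looks only at the columns it has been told are quasi-identifiers, so a column that is forgotten in QUASI_IDENTIFIERS is never examined. The documented re-identification risk study that SEC-EXP-1 requires is where that list gets justified.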

User awareness and workstation security

SEC-SEN-1

Each person authorized to access the controlled environment must be trained in respecting professional secrecy and regularly made aware of the risks and obligations inherent in the processing of health data.

SEC-SEN-2

Each person authorized to access the controlled environment must sign a confidentiality charter. This must specify in particular the obligations with regard to both the protection of personal health data and the security measures put in place in the controlled environment, as well as the sanctions relating to non-compliance with these obligations.

SEC-SEN-3

The workstations of persons authorized to access the controlled environment, including external users accessing only project spaces, must be subject to specific security measures, for example nominative accounts, adequate authentication, automatic session locking, hard drive encryption and filtering measures. Where the workstations are not under the control of the data controller, the security measures to be put in place on them must be governed by an agreement between the parties concerned.

Logging

SEC-JOU-1

The actions of project space users and those of users of the controlled environment must be subject to logging measures, in accordance with the requirements of level 3 of the PGSSI-S accountability framework. In particular, connections (identifiers, date and time), requests and operations carried out must be traced.

SEC-JOU-2

A trace control must be carried out regularly and at least monthly, as well as at the end of each authorization period linked to a study. This control must be carried out by:

- a solution performing automatic monitoring, with reporting of alerts that are processed manually by an authorized operator; or
- semi-automatic control through the execution of programs that select abnormal traces, followed by manual review by an authorized operator.

SEC-JOU-3

The logging traces defined in requirement SEC-JOU-1 must be kept for a period of six months to one year from their collection, unless a longer period is justified by the severity of the risk for individuals in the event of diversion of the processing from its purposes and by the frequency of such practices. In the latter case, the maximum retention period for logging traces may be extended to three years.
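An added example of the semi-automatic trace control of SEC-JOU-2 run over traces of the kind SEC-JOU-1 requires (who, when, what), together with the retention purge of SEC-JOU-3. It is written for this page and is not an SNDS tool. The log lines are constructed JSON records; the selection rules (connections outside working hours, bulk extraction, failed-login bursts, activity after the end of an authorization or by an unknown user) and the one-year retention are assumptions to be set from the study's own risk analysis.

```python
"""Added example: selection of abnormal traces for manual review
(SEC-JOU-1/SEC-JOU-2) and retention purge (SEC-JOU-3). Traces, users and
thresholds are constructed."""
import json
from datetime import datetime, timedelta

# Constructed traces from a hypothetical project space, one JSON record per line.
RAW_TRACES = """
{"ts":"2024-03-04T09:12:00Z","user":"alice","event":"login","ok":true,"src":"10.1.2.3"}
{"ts":"2024-03-04T09:15:10Z","user":"alice","event":"query","rows":1200,"sql":"SELECT age_band, count(*) FROM cohort GROUP BY age_band"}
{"ts":"2024-03-04T23:41:00Z","user":"bob","event":"login","ok":true,"src":"10.1.2.9"}
{"ts":"2024-03-04T23:45:30Z","user":"bob","event":"query","rows":850000,"sql":"SELECT * FROM cohort"}
{"ts":"2024-03-05T08:00:01Z","user":"mallory","event":"login","ok":false,"src":"10.1.2.40"}
{"ts":"2024-03-05T08:00:05Z","user":"mallory","event":"login","ok":false,"src":"10.1.2.40"}
{"ts":"2024-03-05T08:00:09Z","user":"mallory","event":"login","ok":false,"src":"10.1.2.40"}
{"ts":"2024-03-05T08:00:14Z","user":"mallory","event":"login","ok":false,"src":"10.1.2.40"}
{"ts":"2024-03-05T08:00:20Z","user":"mallory","event":"login","ok":false,"src":"10.1.2.40"}
{"ts":"2024-03-06T10:00:00Z","user":"carol","event":"export","rows":40,"target":"exports/summary.csv"}
"""
# Constructed authorization register: user -> end date of authorization.
AUTHORIZATIONS = {"alice": "2024-12-31", "bob": "2024-12-31", "carol": "2024-03-05"}

WORK_HOURS = range(7, 21)          # assumed working hours (UTC)
MAX_ROWS_PER_QUERY = 100_000       # assumed bulk-extraction threshold
FAILED_LOGIN_BURST = 5
BURST_WINDOW = timedelta(minutes=2)
RETENTION = timedelta(days=365)    # within the 6-month to 1-year range of SEC-JOU-3


def _parse_ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_traces(raw: str):
    traces = []
    for line in raw.strip().splitlines():
        t = json.loads(line)
        t["ts"] = _parse_ts(t["ts"])
        traces.append(t)
    return traces


def select_abnormal(traces):
    """Return (trace, reasons) pairs that an authorized operator must reread."""
    flagged, failures = [], {}
    for t in traces:
        reasons = []
        if t["event"] == "login" and t["ts"].hour not in WORK_HOURS:
            reasons.append("connection outside working hours")
        if t.get("rows", 0) > MAX_ROWS_PER_QUERY:
            reasons.append("bulk extraction")
        if t["event"] == "query" and "select *" in t.get("sql", "").lower():
            reasons.append("row-level SELECT *")
        if t["event"] == "login" and not t["ok"]:
            window = [x for x in failures.get(t["user"], []) if t["ts"] - x <= BURST_WINDOW]
            window.append(t["ts"])
            failures[t["user"]] = window
            if len(window) >= FAILED_LOGIN_BURST:
                reasons.append(f"{len(window)} failed logins within {BURST_WINDOW}")
        end = AUTHORIZATIONS.get(t["user"])
        if end is None:
            reasons.append("user has no authorization on record")
        elif t["ts"].date() > datetime.fromisoformat(end).date():
            reasons.append("activity after end of authorization")
        if reasons:
            flagged.append((t, reasons))
    return flagged


def purge_expired(traces, now, retention=RETENTION):
    """Keep only traces younger than the retention period (SEC-JOU-3)."""
    if isinstance(now, str):
        now = _parse_ts(now)
    return [t for t in traces if now - t["ts"] <= retention]
```

The cross-check against the authorization register is what ties SEC-JOU-2 to SEC-HAB-4: a trace left by an account whose authorization has ended is evidence that access withdrawal lagged, which is exactly what the monthly and end-of-study controls are meant to catch.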

Managing security incidents and personal data breaches

SEC-INC-1

The parties to the agreement must provide a procedure for managing and handling security incidents and personal data breaches, specifying the roles and responsibilities and the actions to be taken in the event of such incidents occurring.

SEC-INC-2

Any security incident, whether of malicious origin or not and occurring intentionally or unintentionally, which has the consequence, even temporary, of compromising the integrity, confidentiality or availability of personal data, must be documented internally in a breach register.

SEC-INC-3

Any data breach must be notified to the CNIL under the conditions provided for in Article 33 of the GDPR.

SEC-INC-4

In the event that the violation is likely to result in a high risk for the rights and freedoms of a natural person, the data controller is required to communicate the data violation to the data subjects as soon as possible, in accordance with the article 34 of the GDPR.

3.7. These measures are not exhaustive and must be supplemented with regard to the risks weighing on the processing implemented.

3.8. In addition, Articles 5(1)(f) and 32 of the GDPR require that security measures be updated in the light of a regular reassessment of the risks and that they remain consistent with the state of the art.

Title IV: SUBCONTRACTORS

4.1. The data controller never accesses individual-level data from the SNDS and must use, for all processing, an independent research laboratory or design office, i.e. a subcontractor that has declared itself to the CNIL in compliance with the framework determining the criteria of confidentiality, expertise and independence for research laboratories and design offices, set by the decree of July 17, 2017.

4.2. This obligation to use a research laboratory or design office does not apply to such a laboratory or office when it acts itself as data controller.

4.3. In accordance with this decree and Article 28 of the GDPR, the respective commitments of the data controller and the research laboratory or design office are formalized in a contract whose content is defined by these texts.

4.4. In addition, subcontractors:

- must appoint, where applicable, a data protection officer in accordance with Article 37 of the GDPR;
- must keep a register of the categories of processing carried out on behalf of the data controller, in accordance with Article 30 of the GDPR.

The data controller(s) undertake to:

- have no links of interest with the research laboratory or design office, or with the subject of the processing, likely to constitute a conflict of interest;
- not seek to access the personal data made available to the research laboratory or design office;
- not use the results provided for any of the prohibited purposes.

TITLE V: HOSTING OF SNDS DATA AND ABSENCE OF DATA TRANSFER OUTSIDE THE EUROPEAN UNION

5.1. Within the framework of this reference methodology, the study data controller(s) ensure:

- that the data from the main database of the SNDS hosted in the controlled environment are located exclusively within the member countries of the European Economic Area, without any possible transfer outside the European Union;
- the absence of any remote access to the data from outside the territory of the European Union.

5.2. Furthermore, organizations and, where applicable, their subcontractors, accessing SNDS data as part of carrying out operations for hosting the technical infrastructure of the controlled environment, as well as the administration and exploitation associated with this storage, must be exclusively subject to the laws of the European Union.

Title VI: IMPLEMENTATION OF THE PRINCIPLE OF RESPONSIBILITY

6.1. Data protection impact analysis

6.1.1. The data controller carries out a data protection impact assessment in accordance with the provisions of Article 35 of the GDPR, which must cover in particular the risks to the rights and freedoms of the data subjects.

6.1.2. This impact analysis must be re-examined and updated regularly, in particular if significant changes are planned in the processing implemented within the framework of this methodology, or if the risks for the persons concerned have evolved.

6.1.3. A single analysis can cover a set of similar processing operations that present similar risks.

6.2. Formalities

6.2.1. Each data controller appoints a data protection officer, in accordance with Article 37 of the GDPR. This data protection officer has the particular task of verifying that the processing implemented under this methodology complies with it.

6.2.2. The data controller sends the CNIL a single declaration of conformity to this methodology for all the processing operations it implements as long as they are and will be carried out in compliance with all the provisions of the methodology.

6.2.3. As part of joint responsibility, each data controller makes a declaration of conformity to the reference methodology on its own behalf.

6.2.4. The processing operations covered by this reference methodology must obtain an expressly favorable opinion from CESREES prior to their implementation. To obtain this opinion, a file must be submitted to the single secretariat of the PDS and must include the elements listed in this methodology.

6.2.5. In accordance with Article 30 of the GDPR, the data controller maintains, within the register of processing activities, the list of processing operations implemented within the framework of this methodology. It regularly checks the compliance of ongoing processing with the requirements of the reference methodology and documents this analysis.

6.3. Principle of transparency

6.3.1. The legal framework allowing the provision of SNDS data is designed to inform the public of their use. To this end, Article L. 1461-3 of the Public Health Code (CSP) makes access to the data of the SNDS and its components subject to the communication of several elements to the PDS by the data controller, before and after the study.

6.3.2. Thus, the data controller undertakes to record in the public directory maintained by the PDS each study carried out within the framework of this methodology.

6.3.3. This recording must be made, before the start of each study, by the data controller or the person acting on its behalf. It is accompanied by the transmission to the PDS of a file including:

- the protocol, including the justification of the public interest, as well as a summary, according to the template made available by the PDS. In the event of a favorable opinion with recommendations from CESREES, the protocol and the summary recorded must clearly take those recommendations into account;
- the declaration of interests, in relation to the object of the study, of the data controller as well as that of the research laboratory or design office, as provided for by Article 5 of the aforementioned decree of July 17, 2017.

6.3.4. At the end of the study, the method and the results obtained must be communicated to the PDS for publication in compliance with business secrecy and intellectual property.

6.3.5. The recording of the processing and the transmission of the results are carried out in accordance with the procedures defined by the PDS.

6.4. Review report

6.4.1. The data controller, where applicable after consulting its subcontractor(s), transmits to the CNIL every three years a report summarizing the observed uses of this reference methodology, indicating in particular:

- the number of studies implemented over the period analyzed;
- the types of purposes pursued;
- the financing arrangements for the projects and partners (in particular public funding, etc.);
- on the data processed: the components of the SNDS most requested; whether the overall expression of needs matched the objectives of the study; the historical depth requested on average and whether it was sufficient; the average number of persons concerned by the studies; the average duration of access to or retention of the data requested and whether it was sufficient; the collective information media implemented; the capacity of the persons authorized to access SNDS data;
- on data security: security incidents likely to affect the rights of individuals, whether revealed or averted; any substantial modification to the architecture of the controlled environment;
- the number of scientific publications resulting from research, studies and evaluations carried out within the framework of the methodology;
- the benefits and scientific contributions observed and/or measured.

Title VII: ENTRY INTO FORCE

7.1. This reference methodology comes into force from its publication in the Official Journal.

7.2. When research, study or evaluation in the field of health, previously authorized by the CNIL, is subject to a substantial modification and complies with this methodology, it is not necessary to obtain a new authorization of the CNIL.

7.3. This deliberation will be published in the Official Journal of the French Republic.

The president,
Denis