CNIL (France) - SAN-2023-0076

From GDPRhub
CNIL - Délibération 2023-0076
LogoFR.png
Authority: CNIL (France)
Jurisdiction: France
Relevant Law: Article 5(1)(b) GDPR
Article 6(1)(e) GDPR
Article 9(2)(j) GDPR
Article 35 GDPR
Type: Advisory Opinion
Outcome: n/a
Started:
Decided: 20.07.23
Published: 04.09.23
Fine: n/a
Parties: n/a
National Case Number/Name: Délibération 2023-0076
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): French
Original Source: CNIL (in FR)
Initial Contributor: n/a

The French DPA (CNIL) authorised a request made by l’Institut du cerveau et de la moelle épinière (The Brain and Spinal Cord Institute) to undertake automated processing of personal data from national health databases for the purpose of conducting a national study on epilepsy.

English Summary[edit | edit source]

Facts[edit | edit source]

The controller, l’Institut du cerveau et de la moelle épinière (The Brain and Spinal Cord Institute), requested that the CNIL authorise their plans to undertake automated processing of personal data from national health databases to conduct a study on epilepsy. In pursuit of this they conducted a data protection impact assessment (DPIA) under Article 35 GDPR and consequently sought to consult with the CNIL, as necessitated by Article 36 GDPR.

The elements of the DPIA under scrutiny were the sources of the data used and the purpose of processing.

In relation to the sources of data used, in its DPIA, the controller outlined that it sought to use data from the National Health Database of patients who had been prescribed anti-epileptic drugs, patients who had been hospitalised or were receiving on-going care for epilepsy, and patients who had a long-term condition relating to epilepsy. In total, this consisted of the personal data of 1.5 million data subjects. The controller also sought to use data from the combined patient database from Paris hospitals, relating to patients who had received anti-epileptic treatment. In total, this consisted of the data of approximately 340,000 people.

In relation to the purpose of processing, the controller sought to rely on Article 5(1)(b) GDPR to justify further processing of the national health data. This provision establishes that further processing for purposes in the public interest or for scientific, historical, or statistical research is compatible with the principle of purpose limitation. The controller noted that their processing was for the purposes of quantifying the national demand and supply of care for patients with epilepsy, to identify and improve the pathways of case for people with epilepsy, and to quantify the cost of the disease for the national health service. The controller argued that these purposes were compatible with the principle of purpose limitation as the processing aimed to conduct scientific and statistical research for the public interest.

Holding[edit | edit source]

The CNIL issued a favourable opinion on the DPIA and approved the processing.

Firstly, the CNIL noted that the basis for processing were legal and fell within the provisions that the controller was seeking to rely upon. In this instance, the controller sought to rely upon Article 6(1)(e) GDPR and Article 9(2)(j) GDPR. Article 6(1)(e) GDPR establishes a lawful basis for the processing of data related to the performance of tasks carried out in the public interest. While, Article 9(2)(j) GDPR establishes a lawful basis for the processing of sensitive data (in this case health data) for purposes in the public interest. The CNIL decided that as the research concerned a national study on epilepsy for the purpose of improving the national health care system, the controller’s reliance on the above grounds was lawful, as it was fell within the definition of “public interest.”

Secondly, in its DPIA, the controller argued that to fulfil its disclosure obligations under Article 14 GDPR to the data subjects involved would involve a disproportionate effort given the number of data subjects concerned in the study. In total, this amounted to approximately 1.84 million people. The controller proposed instead of communicating the information required by Article 14 GDPR to each individual data subject, to publish the relevant information on its website, as well as the website of the Paris hospitals, and on the website of the French Association of Epilepsy. The CNIL approved of this and allowed for the controller to rely on the Article 14(5)(b) GDPR exception.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the French original. Please refer to the French original for more details.

Deliberation No. 2023-076 of July 20, 2023 authorizing the Brain and Spinal Cord Institute to implement automated processing of personal data for the purpose of a study on the epidemiology of epilepsy in France, entitled “Epi²” (Authorization request no. 923151)

The National Commission for Information Technology and Liberties,

Submission on June 13, 2023 by the Brain and Spinal Cord Institute of a request for authorization concerning automated processing of personal data for the purpose of a study on the epidemiology of epilepsy in France, entitled “Epi²” ;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing the Directive 95/46/EC (general data protection regulation);

Having regard to law no. 78-17 of January 6, 1978 as amended relating to data processing, files and freedoms, in particular its articles 66, 72 et seq.;

Having regard to the favorable opinion with recommendations of the Ethical and Scientific Committee for research, studies and evaluations in the field of health of April 13, 2023;

Considering the file and its supplements;

On the proposal of Ms. Valérie PEUGEOT, commissioner, and after hearing the observations of Mr. Damien MILIC, Government commissioner,

Makes the following observations:

On the data controller

The data controller for this study is the Brain and Spinal Cord Institute (ICM).

On subcontractors

The Health Data Platform (PDS) will be involved in the implementation of this study.

The distribution of roles and responsibilities between the data controller and the PDS, particularly concerning the awareness of project users, the monitoring of traces, the management of alerts and incidents as well as the management of exports of anonymous data, must be formalized by an agreement between the two parties in accordance with Article 28 of the General Data Protection Regulation (GDPR).

On the purpose of the processing and its nature of public interest

The intended treatment is intended to be the implementation of a study on the epidemiology of epilepsy in France, entitled "Epi²" intended to:

quantify the demand and supply of care for epileptic patients on a national scale; identify and describe "typical" care pathways for epileptic patients; estimate the cost of the disease by the different amounts reimbursed (hospitalizations, treatments, sick leave) work).

The Commission notes that the ICM had proposed the "Epi²" project as part of the call for expressions of interest launched by the PDS in 2021, relating to the development of targeting algorithms in the SNDS, and that it was accompanied by the latter.

Subject to the exercise of the right of opposition, two cohorts will be formed as part of this study:

a first cohort, formed from data from the National Health Data System (SNDS), comprising patients who had a prescription for at least one antiepileptic medication in community care or who had been hospitalized with a diagnosis linked to epilepsy or having a long-term condition relating to ongoing severe epilepsy, made up of approximately 1.5 million people; a second cohort, comprising patients whose data appears in the Public Assistance health data warehouse – Paris Hospitals (AP-HP), having received antiepileptic treatment or having a significant main or associated diagnosis linked to epilepsy or having a significant main or associated diagnosis code, made up of approximately 340,000 people.

The purpose of the processing is determined, explicit and legitimate, in accordance with article 5.1.b of the GDPR, and this processing has a purpose of public interest, in accordance with article 66.I of law no. 78-17 of January 6, 1978 amended (“information technology and freedoms” law).

On the lawfulness of the processing and the conditions allowing the processing of data concerning health

The processing implemented by the ICM is necessary for the execution of the public interest mission with which it is entrusted.

This processing is, as such, lawful with regard to article 6.1.e of the GDPR. In addition, this processing, necessary for scientific research purposes, also meets the condition provided for in Article 9.2.j of the GDPR allowing the processing of data concerning health.

This research project is subject to the provisions of articles 44.3°, 66.III and 72 et seq. of the “data processing and freedoms” law, which results in the absence of conformity with a reference methodology, processing to purposes of research, study or evaluation in the field of health may only be implemented following authorization from the Commission.

On points of non-compliance with the reference methodology concerned

The application file mentions that the envisaged processing complies with the provisions of reference methodology MR-004, with the exception of the nature of the data processed and the methods of informing the persons concerned.

Apart from these exceptions, this processing must respect the framework provided by the reference methodology MR-004.

On the reuse of existing database data

Certain data from the AP-HP health data warehouse (EDS) authorized by the CNIL (authorization request no. 198012 – deliberation no. 2017-013 of January 19, 2017) will be reused as part of this study and matched probabilistically to data from the National Health Data System (SNDS).

On the special categories of data processed

Regarding the processing of SNDS data:

Provided that they can be disseminated by the National Health Insurance Fund (CNAM), the data controller requests access to the data from the national inter-regime health insurance information system (SNIIRAM), the health insurance program medicalization of information systems (PMSI) and medical causes of death (CépiDc) from 2015 to 2019.

Only data that is strictly necessary and relevant to the purposes of the processing will be transmitted by the CNAM; in this regard, filtering and data matching will be carried out prior to this transmission by the CNAM.

Since the data from SNIIRAM, PMSI and CépiDc come from databases making up the SNDS, all the legislative provisions (articles L. 1461-1 to L. 1461-7 of the public health code – CSP) and regulations relating to SNDS are applicable in this case, in particular:

the prohibition of using this data for the purposes described in article L. 1461-1 V of the public health code; compliance with the security standards applicable to the SNDS provided for by the decree of March 22, 2017.

The Commission considers that the data whose processing is envisaged are adequate, relevant and limited to what is necessary with regard to the purposes of the processing, in accordance with the provisions of article 5.1.c of the GDPR.

On information and people’s rights

Under article 69 of the “data processing and freedoms” law and article 14.5.b of the GDPR, the obligation to provide individual information to the person concerned may be subject to exceptions, in the event that where the provision of such information would prove impossible, would require disproportionate effort or would seriously compromise the achievement of the objectives of the processing. In such cases, the data controller shall take appropriate measures to protect the rights and freedoms and legitimate interests of the data subject, including by making the information publicly available.

In this case, an exception will be made to the principle of individual information of people and appropriate measures will be implemented by the dissemination of collective information on the ICM website, on the transparency portal of the EDS of the AP-HP, as well as on the website of the Association Epilepsie France.

This processing will also be recorded within the PDS transparency portal.

These information methods are satisfactory with regard to the provisions of the GDPR and the “information technology and freedoms” law.

Regarding the terms of exercise of rights:

Data subjects will be able to exercise their rights with the data protection officer of the data controller for the duration of the study.

These methods of exercising rights are satisfactory with regard to the provisions of the GDPR and the “data processing and freedoms” law.

On buyers and recipients

Only the data controller and the people authorized by him have access to the data within the framework of this authorization. The data controller maintains documents indicating the competent person(s) within it to issue authorization to access the data, the list of authorized persons, their respective access profiles and the terms of allocation, management and authorization control.

These categories of people are subject to professional secrecy under the conditions defined by articles 226-13 and 226-14 of the penal code.

The qualification of authorized persons and their access rights must be regularly reassessed, in accordance with the terms described in the authorization procedure established by the data controller.

On data security and their hosting arrangements

As a preliminary point, the Commission notes that the application file justifies the need to use the technical solution of the PDS, taking into account the characteristics as well as the specific methods of implementing this study, in particular the use of a set of software and technical solutions made available by the latter.

Concerning data hosting within the PDS technical solution:

The data security of the project space dedicated to the "Epi²" project essentially depends on the technical solution of the PDS, which has been the subject of a global analysis of risks and impact on privacy, followed by approval according to the SNDS safety standards.

More specifically, an impact analysis relating to data protection was sent to the CNIL concerning the technical solution of the PDS, which corresponds to a secure SNDS bubble and which will host the "Epi²" project.

The data controller has carried out and transmitted in support of the authorization request an impact analysis relating to data protection specific to the "Epi²" project and integrating the elements provided by the PDS for its technical solution.

An approval of the project space was thus carried out by the data controller on June 8, 2023, for a period of three years, subject to the implementation of the action plan that he defined.

This approval decision is only valid until June 8, 2026 and must therefore be renewed before this date if the project is still in progress.

Concerning the extraction of data from the AP-HP warehouse:

The CNIL recommends that the data transmitted to the CNAM for the purpose of carrying out the matching, which include identifying data (date of birth, sex, department of residence), be extracted in a temporary zone distinct from that where will be extracted the health data necessary for the study. Each temporary zone must have a level of security equivalent to that of the EDS. The extractions must also be carried out by two separate warehouse administrators, who will respectively be in charge of transmitting the data to the CNAM and the PDS in accordance with the planned procedures. These extractions must be the subject of a written procedure, activated only at the request of those responsible for the study, providing for adequate security measures and the deletion of the extracted data at the latest after validation that the matching has been carried out correctly. Each destruction must be the subject of a destruction report, communicated to those responsible for the study.

Finally, the password policy, among other things concerning access to ICM workstations, must comply with deliberation no. 2022-100 of July 21, 2022 of the CNIL on the subject.

The security measures implemented by the data controller appear proportionate to the risks presented by the processing.

On data transfers outside the European Union

The provisions of article R. 1461-1 of the CSP provide that no transfer of personal data may be carried out outside the European Union, except in the case of one-off access to data by persons located in outside the European Union, for a purpose falling under 1° of I of Article L. 1461-3 of the CSP.

In this case, the application file mentions that, although the service provider is not exclusively subject to the laws and jurisdictions of the European Union, no transfer outside the European Union of individual data from the SNDS is planned, with no members of the research team located outside the European Union.

On the duration of data retention

The data will be made available for five years.

This data retention period does not exceed the period necessary for the purposes for which they are collected and processed, in accordance with the provisions of article 5.1.e of the GDPR.

Additional comments

The targeting algorithms developed or validated as part of this project may be shared with the scientific community for possible reuse.

In the event that they are published as open source, a risk study must be carried out beforehand in order to verify that it is not possible to extract personal data from them or to infer the presence of a person in the training dataset.

Authorizes, in accordance with this deliberation, THE BRAIN AND SPINAL CORD INSTITUTE to implement the aforementioned treatment.

The president

Marie-Laure DENIS