French CNIL is setting the tone for 2023: patients data and medical research on its radar - Hogan Lovells Engage
French CNIL is setting the tone for 2023: patients data and medical research on its radar
27 March 2023
While the French Data Protection Authority (the "CNIL") has consistently emphasized the importance of protecting health data, there will be even more focus for 2023 with more investigations and sanctions in this sector. The CNIL declared patient data as one of its four priority topics for investigations in 2023, and initiated its program with two official warnings issued to organizations conducting medical research (Sponsors) about their GDPR breaches. The CNIL is now more than ever underscoring the significance of compliance with data protection regulations within the realm of medical studies.
Context
CNIL has always been very attentive to the processing of health data and to their security and confidentiality. It regularly publishes content on its website (practical information sheets, guidelines and binding recommendations), and has also made health data security one of its priority topics for its investigations back in 2020 and 2021. It also regularly supports needs of health data localization within the European Union, for example in guidelines regarding early-access programs and health data warehouses. The CNIL also issues and regularly updates its standards for clinical studies, known as Méthodologies de reference (MR) like MR-001 or MR-003 for research involving human beings or MR-004 for research not involving human beings (e.g., for reuse of health data). The CNIL is now taking its efforts even further, kicking off 2023 with an intensified focus on medical research and patient data protection.
CNIL warns two medical research organizations
CNIL made public in early March 2023 that it performed investigations during the first half of 2022 relating to processing of patients personal data by two organizations conducting medical research (which are understood as being Sponsors of past clinical trials).
The CNIL identified two major breaches for these organizations:
Insufficient information of patients: the organizations did not provide sufficient information to the patients in the Informed Consent Form (ICF). ICFs were notably missing the categories of personal data collected and their retention periods, the DPO contact details and the right to lodge a complaint to the CNIL and how to lodge this complaint, whereas GDPR lists such information to be mandatorily provided; and
Lack of DPIA: the organizations did not conduct any data protection impact assessment (DPIA), whereas this should be performed before starting the processing of patients data. The CNIL reminds that, in any case, any compliance commitment made to one of its MR always requires to perform a prior DPIA.
The CNIL also indicated that one of organizations provided incorrect information in the ICF when mentioning that patients data was anonymized, whereas it was only pseudonymized, as patients data is only key-coded and patients can always be re-identified.
The CNIL issued warnings and specified that the reason why it did not issue any sanctions (e.g. fines) is because the data processing operations concerned ceased. These two organizations were fortunate to be the first two targeted, and that the problematic trials were relatively old. However, this serves as a strong message to other sponsors and stakeholders in medical studies. The CNIL has initiated with warnings but will assume that the actors of the sector are now aware and understand that they could face heavy sanctions in the future.
CNIL's investigations program for 2023 focusing on patients data
The CNIL also revealed in March 2023 its top priorities for investigations for the upcoming year.
One of these priorities is patients data, including the access to the patients' electronic medical records (EMR) within health institutions (known in French as “Dossier patient informatisé” or “DPI").
This choice is motivated by the multiple complaints the CNIL received about unauthorized third-party access to the patients data and the EMR.
CNIL also indicated that investigations carried out will focus on technical and organisational measures implemented to ensure security of such data. After years of being the only authority in Europe to provide the higher number of guidelines and frameworks for health data subjects, the CNIL is now turning more to enforcement.
Next steps
Health care stakeholders must be prepared for the CNIL investigations in 2023, whether they are off-site or on-site and whether they are acting as controller or processor.
This means in particular paying attention to:
Security measures effectively implemented in practice to protect patients data;
Contractual provisions negotiated between stakeholders (e.g. liability provisions and warranties in the agreements);
Adequate transparency and information notices;
Proper conduct of trials and studies in compliance with the MRs or under a prior authorization;
If the processing of patients data imply data transfers, safeguards to protect the patients data when transferred outside the EU.
27 March 2023
While the French Data Protection Authority (the "CNIL") has consistently emphasized the importance of protecting health data, there will be even more focus for 2023 with more investigations and sanctions in this sector. The CNIL declared patient data as one of its four priority topics for investigations in 2023, and initiated its program with two official warnings issued to organizations conducting medical research (Sponsors) about their GDPR breaches. The CNIL is now more than ever underscoring the significance of compliance with data protection regulations within the realm of medical studies.
Context
CNIL has always been very attentive to the processing of health data and to their security and confidentiality. It regularly publishes content on its website (practical information sheets, guidelines and binding recommendations), and has also made health data security one of its priority topics for its investigations back in 2020 and 2021. It also regularly supports needs of health data localization within the European Union, for example in guidelines regarding early-access programs and health data warehouses. The CNIL also issues and regularly updates its standards for clinical studies, known as Méthodologies de reference (MR) like MR-001 or MR-003 for research involving human beings or MR-004 for research not involving human beings (e.g., for reuse of health data). The CNIL is now taking its efforts even further, kicking off 2023 with an intensified focus on medical research and patient data protection.
CNIL warns two medical research organizations
CNIL made public in early March 2023 that it performed investigations during the first half of 2022 relating to processing of patients personal data by two organizations conducting medical research (which are understood as being Sponsors of past clinical trials).
The CNIL identified two major breaches for these organizations:
Insufficient information of patients: the organizations did not provide sufficient information to the patients in the Informed Consent Form (ICF). ICFs were notably missing the categories of personal data collected and their retention periods, the DPO contact details and the right to lodge a complaint to the CNIL and how to lodge this complaint, whereas GDPR lists such information to be mandatorily provided; and
Lack of DPIA: the organizations did not conduct any data protection impact assessment (DPIA), whereas this should be performed before starting the processing of patients data. The CNIL reminds that, in any case, any compliance commitment made to one of its MR always requires to perform a prior DPIA.
The CNIL also indicated that one of organizations provided incorrect information in the ICF when mentioning that patients data was anonymized, whereas it was only pseudonymized, as patients data is only key-coded and patients can always be re-identified.
The CNIL issued warnings and specified that the reason why it did not issue any sanctions (e.g. fines) is because the data processing operations concerned ceased. These two organizations were fortunate to be the first two targeted, and that the problematic trials were relatively old. However, this serves as a strong message to other sponsors and stakeholders in medical studies. The CNIL has initiated with warnings but will assume that the actors of the sector are now aware and understand that they could face heavy sanctions in the future.
CNIL's investigations program for 2023 focusing on patients data
The CNIL also revealed in March 2023 its top priorities for investigations for the upcoming year.
One of these priorities is patients data, including the access to the patients' electronic medical records (EMR) within health institutions (known in French as “Dossier patient informatisé” or “DPI").
This choice is motivated by the multiple complaints the CNIL received about unauthorized third-party access to the patients data and the EMR.
CNIL also indicated that investigations carried out will focus on technical and organisational measures implemented to ensure security of such data. After years of being the only authority in Europe to provide the higher number of guidelines and frameworks for health data subjects, the CNIL is now turning more to enforcement.
Next steps
Health care stakeholders must be prepared for the CNIL investigations in 2023, whether they are off-site or on-site and whether they are acting as controller or processor.
This means in particular paying attention to:
Security measures effectively implemented in practice to protect patients data;
Contractual provisions negotiated between stakeholders (e.g. liability provisions and warranties in the agreements);
Adequate transparency and information notices;
Proper conduct of trials and studies in compliance with the MRs or under a prior authorization;
If the processing of patients data imply data transfers, safeguards to protect the patients data when transferred outside the EU.