The CNIL's control policies in 2020: keep an eye on health data security
In a statement published on 12 March 2020, the CNIL announced its annual control strategy. In addition to its usual activity, the CNIL will concentrate its controls on the security measures implemented to protect personal health data. This new focus will concern medical device manufacturers as well as service providers who participate in health data processing activities.
Remember that health data enjoy special protection because the GDPR classes them as “sensitive data”. Under Article 4(15) of the GDPR, health data means “personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status”.
Securing your health data: available tools
Health data hosting providers
The first step, and in some cases a legal obligation, towards securing your health data is to entrust its storage to a specialised health data hosting provider, making sure you know the situations in which the law requires this (Article L 1111-8 of the French Public Health Code). For example, a health establishment that hosts its own health data is not required to hire a specialised hosting service provider.
Using a specialised health data hosting provider nevertheless ensures that the highest level of security is maintained when the data are processed.
References and other health data security guidelines
Beyond hosting, a number of bodies publish security references and guidelines that you can rely on.
The French Digital Health Agency (ANS, formerly ASIP Santé) in particular was created with the statutory mission of establishing interoperability and health data security references (Article L 1110-4-1 of the French Public Health Code). Its goal is to guarantee the exchange, sharing and confidentiality of health data. The ANS fulfilled this mission by drawing up and publishing the “General Policy for the Security of Health Data Systems” (PGSSI-S) on its website.
Even though these references are primarily aimed at public players in the health, medical-social and social sectors, and not specifically at private sector companies, the latter would be well advised to comply with them, since they are the ones supplying products and services to the public sector.
The PGSSI-S contains a series of different references focused on specific topics. These include, for example, references on connected devices, Wi-Fi access, the destruction of health data and rules for safeguarding them.
For applications and connected devices that collect health data which will not be used for medical purposes, a useful reference is the HAS guide on good practices for health applications and connected devices (mobile health, or mHealth). This document also covers security: in particular, it lists the criteria to consider in order to guarantee the security and reliability of connected devices and, as a result, of the data they collect.
More “universal” tools
More generally, health data security also relies on tools for assessing the risks that a processing operation poses to personal data. A data protection impact assessment identifies and evaluates the sources of risk to the rights and freedoms of data subjects (illegitimate access to data, unwanted modification of data, loss of data, etc.) and proposes measures to address them. Such an assessment is mandatory whenever the processing is “likely to result in a high risk to the rights and freedoms of the natural person”, as set out in Article 35 of the GDPR.
To help data controllers decide whether an impact assessment is necessary, the CNIL has published lists of the types of processing that require one and those that do not. Further information is available in the WP29 guidelines on data protection impact assessments (pages 10 to 13); although this document predates the GDPR, it remains valuable.
Controls performed by the CNIL
The controls carried out each year by the CNIL under its annual policy may be performed on site or online, on the basis of documents, or following a summons.
The CNIL also publishes the list of its annual controls, together with the related instructions, as open data on the French government's platform for publishing public data.
In the event of a breach, and depending on its seriousness, the CNIL may issue a formal notice ordering the organisation to comply with the applicable texts within 6 to 12 months, impose a financial penalty (up to 4% of the company’s turnover or 20 million euros) or a non-financial sanction (final warning, a legally binding order, etc.). The CNIL may choose to make its decisions public by publishing them on the website legifrance.fr.
With the entry into force of the GDPR, data controllers are expected to show greater maturity when processing personal data. In this respect, the security of health data must never be neglected, particularly since the level of security the authorities require will only increase over time.