Processing health data is the new challenge arising from the GDPR
In the healthcare sector, and for medical devices in particular, processing health data is inextricably linked to placing health products on the market.
Do you keep asking yourself how to manage the health data in your possession? It is true that the legislation is constantly changing. We have recently witnessed:
The arrival of the General Data Protection Regulation, also known as the GDPR (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data),
The amendment to the French Data Protection Act (Act no. 78-17 of 6 January 1978 on Information Technology, Data Files and Civil Liberties) by Order no. 2018-1125 of 12 December 2018, updating the French Data Protection Act to comply with the GDPR,
And the reform of France's health data hosting regulations (from approved HSPs to certified HSPs, amending articles L.1111-8 et seq of the French Public Health Code, as modified by Act no. 2016-41 of 26 January 2016).
The challenge of qualifying health data
While the goal of the GDPR was to limit the reporting requirements for processing personal data, the EU Member States have been able to use the margin for manoeuvre it allows to maintain their previous reporting requirements for certain processing operations.
Such is the case in the health sector.
As such, it is essential to know whether the data processed are health data in order to determine the legal regime that applies.
The GDPR, an asset for data controllers in the health sector
The General Data Protection Regulation (GDPR) gives companies in the health sector a unique opportunity to get the waiting time before starting their processing operations under control. The cases in which prior authorisation must be requested from the CNIL (the French data protection authority) have been reduced in order to speed up the often lengthy authorisation process. To this end, various frames of reference and reference methodologies have been adopted in France to define the applicable management rules and avoid the need for systematic authorisation requests.
Frame of reference
The CNIL has already adopted a “key” frame of reference, Decision no. 2019-057 of 9 May 2019 (only in French) on the processing of personal data for health monitoring purposes. The goal is to reduce the reporting obligations of health companies that are subject to monitoring obligations.
Reference methodology
Six reference methodologies have currently been adopted:
MR-001: health research with consent collection (decision no. 2018-153 of 3 May 2018 - only in French)
MR-002: non-interventional studies on in vitro diagnostic medical devices (decision no. 2015-256 of 16 July 2015 - only in French) relating to the approval of a reference methodology for processing personal data as part of a non-interventional study on the performance of in vitro diagnostic medical devices
MR-003: health research without consent collection (decision no. 2018-154 of 3 May 2018 - only in French)
MR-004: research not involving human participants, health studies and evaluations (decision no. 2018-155 of 3 May 2018 - only in French)
MR-005: studies requiring access to PMSI and/or RPU data by healthcare facilities and hospital associations (decision no. 2018-256 of 7 June 2018 - only in French)
MR-006: studies requiring access to PMSI data by healthcare companies (decision no. 2018-257 of 7 June 2018 - only in French) relating to the approval of a reference methodology for data processing that requires access for persons manufacturing or selling the products mentioned in paragraph II of article L.5311-1 of the French Public Health Code to centralised PMSI data that is made available by the ATIH database through a secured solution
Key notions of personal data law
Data concerning health
Although "data concerning health" had not previously been defined by legislation, the GDPR takes the plunge and defines them as "personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status."
Further still, the recitals of the Regulation give a broader picture of this definition, specifying that health data include "information about the natural person collected in the course of the registration for, or the provision of, health care services", a "number, symbol or particular assigned to a natural person to uniquely identify the natural person for health purposes", "information derived from the testing or examination of a body part or bodily substance, including from genetic data and biological samples," and "any information on, for example, a disease, disability, disease risk, medical history, clinical treatment or the physiological or biomedical state of the data subject independent of its source, for example from a physician or other health professional, a hospital, a medical device or an in vitro diagnostic test."
Because health data fall within the special categories of data, their processing is in principle prohibited. In Article 9, however, the GDPR sets out exceptions that could already be found in the French Data Protection Act of 6 January 1978, such as where the data subject has given explicit consent, where processing is necessary to protect the vital interests of the data subject, or where processing is necessary for reasons of substantial public interest.
Genetic data
The GDPR defines genetic data as "personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question". Notably, they may derive from the analysis of a biological sample of the individual's chromosomes, DNA or RNA, and they are now considered sensitive data for the very first time. The collection, processing and storage of these data are in principle prohibited, except in the cases set out in Article 9 of the GDPR.
The use of these data, initially limited to the medical field and legal identification, is expanding into an ever-growing range of areas, from insurance and marketing to genealogy. The prohibition in principle that the GDPR places on the processing of these data is therefore a way of combating the risks of discrimination and of commercialisation of such data.
Biometric data
Biometric data are “personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data”.
Since biometric data have recently been added to the special categories of data, European regulation bans their processing for the purpose of uniquely identifying a natural person, except in specific circumstances.
Processing records
Since 25 May 2018, the GDPR has required enterprises and organisations to maintain a record of their personal data processing activities. Those employing fewer than 250 persons are exempt, unless the processing is likely to result in a risk to the rights and freedoms of data subjects, is not occasional, or includes special categories of data such as health data. This record is used to demonstrate the enterprise or organisation's compliance with the regulations.
This internal document holds the organisation carrying out the processing accountable, as it is the organisation that determines the means and purposes of the processing. In keeping this record, the data controller must specifically indicate the different personal data processing activities it undertakes, the categories of personal data and of data subjects concerned, the purposes of these processing activities, the actors involved in the processing, and the origin and destination of the data flows, so as to identify possible transfers of personal data to countries outside the European Union, which the GDPR subjects to specific conditions. Still with a view to holding data controllers accountable, the record must also include the envisaged time limits for erasure of the different categories of data, as well as a general description of the technical and organisational security measures implemented.
On its website, the CNIL offers a simplified template of a processing record.
Impact assessment
Data protection impact assessments (DPIA) are necessary when carrying out personal data processing that is likely to result in a high risk to the rights and freedoms of natural persons, particularly when processing on a large scale. This is another tool used to ensure that data controllers are held accountable for their actions, verifying their compliance with the GDPR through a study of the necessity and proportionality of the processing in relation to the purposes, while also considering the risks to the rights and freedoms of data subjects.
The assessment is carried out by the data controller, who must seek the advice of the data protection officer. It must contain a systematic description of the envisaged health data processing operations and indicate the measures the data controller intends to take to mitigate the risks.
Tools are available to help data controllers determine whether a DPIA is necessary.
At the European level, the Article 29 Data Protection Working Party (WP29), the predecessor of the European Data Protection Board (EDPB), published guidelines in 2017 (reference WP 248) on data protection impact assessments (DPIA) and on determining whether processing is "likely to result in a high risk". Even though this document was written before the GDPR became applicable, it remains current and has been endorsed by the EDPB.
On a French scale, the CNIL has established several tools:
A list of processing operations that require an impact assessment: decision no. 2018-327 of 11 October 2018.
The list contains numerous situations involving health data that require an impact assessment:
Processing carried out by healthcare or medical-social establishments to provide treatment to individuals.
Health data processing operations that are necessary to create a data warehouse or a record.
Biometric data processing for the purpose of recognising individuals where those individuals include "vulnerable" people, such as patients.
A list of processing operations that do not require an impact assessment: decision no. 2019-118 of 12 September 2019.
This list stipulates that healthcare professionals practising individually within a medical practice, pharmacy or medical laboratory do not have to perform an impact assessment for processing operations that are necessary to treat a patient. This confirms the position already taken in the WP29 guidelines mentioned above.
A decision tree. The CNIL sets out the criteria used to gauge the "severity" of a processing operation, stating that the presence of two of these criteria (or one, if the processing presents a "high" risk) triggers the need for an impact assessment.
Among these criteria are the processing of health data and the processing of data relating to vulnerable persons, such as patients. In other words, operators in the health sector will quickly find themselves obliged to carry out an impact assessment.
Data protection officers
The GDPR requires certain companies to designate a data protection officer (DPO), particularly when the core activities of the company consist of the large-scale processing of sensitive categories of data, which include health data.
Both the notion of "core activities" and that of "large-scale processing" remain open to interpretation following the entry into force of the GDPR.
The data protection officer must be “involved, properly and in a timely manner, in all issues which relate to the protection of personal data”, with their role being “to inform and advise the controller or the processor and the employees who carry out processing of their obligations” and to “monitor compliance” with the GDPR and with all other legal texts on data protection.
Cabinet Barbey, advising its clients on the world of health data
Here are just a few of the questions that our clients frequently ask us regarding health data:
Are the data I process classed as health data?
Do I need to keep a processing record?
Do I have to designate a data protection officer?
Do I need to carry out a data protection impact assessment (DPIA)?
Do I have to apply the provisions on health data hosting (art. L.1111-8 and R.1111-8-8 et seq of the French Public Health Code)?
By answering these questions, you'll ensure that your company complies with all applicable health data laws.
Once these preliminary issues have been resolved, and depending on the case in question, Cabinet Barbey provides further assistance to its clients:
Helping healthcare companies fulfil their obligations to submit reports to the CNIL.
Setting up processing records.
Drafting impact assessments.
Acting as an external data protection officer.
Reviewing agreements with health data hosting service providers.
Drafting and concluding contracts with personal data processors.
Astrid Barbey, member of the Paris bar association
Astrid Barbey
Founder of the firm
Thanks to years spent practicing in both England and France in renowned law firms such as FTPA and Baker McKenzie, in addition to her work as an in-house lawyer for the pharmaceutical company AstraZeneca, Astrid Barbey has gained invaluable knowledge as both a lawyer and decision-maker, which she now draws on to help her own firm’s clients.
Astrid Barbey boasts extensive experience working with clients in the healthcare and life sciences sectors (health products, pharmaceutical industry, medical devices, biotechnology), in particular on an international level.
Astrid Barbey holds professional diplomas in European business law from the University of Nancy (France) and Lancaster University Law School (United Kingdom).