Personal health data: clarifications from the Council of Europe and the EDPS.
Health data are diverse and pose major challenges, which are becoming increasingly important. On the one hand, because of the development of technologies that allow for ever greater processing, and because of the privacy issues that the processing of this data raises (for whom it is intended, the existence of a subsequent purpose, the management of the collection of consent, etc.). On the other hand, because their processing is all the more topical given the Government's development of new tools to combat the spread of Covid-19.
The idea is to take stock of the legislation surrounding health data, in particular by looking back at the Council of Europe’s guidelines of 27 March 2019 governing the processing of health data. These guidelines extend the principles set out in the opinion issued on 23 January 2019 by the European Data Protection Committee (EDPS) on the interaction between the CTR and the GDPR.
What is health data?
The GDPR gives a broad definition of health data, which is qualified as data relating to the physical or mental health (past, present or future) of a natural person, revealing information about that person’s state of health.
The following are considered as personal data relating to health:
- Health data by nature: medical history, possible illness, the provision of care, etc.
- Data that become health data as a result of cross-referencing with other data: for example, cross-referencing a weight measurement with other data such as the number of steps or the measurement of caloric intake.
- Data that become health data because of their destination, i.e. their medical use
Health data protection
A principle of prohibition of processing…
In France, health data are protected by the French Data Protection Act, the GDPR and the Public Health Code.
The Data Protection Act states that health data are specific and that their processing is prohibited unless a specific exception authorises it. Following the same structure, Article 9 of the GDPR also imposes a prohibition supplemented by exceptions.
With exceptions:
Article 9(2) of the GDPR sets out a list of exceptions allowing the processing of sensitive data, including health data.
Similarly, Article 9(3) of the Regulation provides that “personal data referred to in paragraph 1 may be processed for the purposes set out in paragraph 2(h) if those data are processed by a health professional subject to an obligation of professional secrecy”.
In this respect, Article L. 1110-4 of the Public Health Code specifies which categories of professionals are likely to have a role to play in data processing. It is therefore essential to read the GDPR in the light of the articles of the Public Health Code.
As the health sector is particularly affected by the GDPR, the processing of health data has been specified by the Council of Europe and the EDPS.
Interactions between the GDPR and the Clinical Trials Regulation (CTR)
The ethical and regulatory framework for clinical trials in Europe is based on Directive 2001/20/EC of 4 April 2001; however, in order to simplify and harmonise the regulations on clinical trials, the Clinical Trials Regulation (536/2014) was introduced.
An explanatory opinion was subsequently issued by the EDPS in order to clarify the respective scopes and the different interactions between the GDPR and the CTR. The nature of data processing in relation to clinical trials is thus specified and the use of health data is explained.
These two texts are not meant to be in opposition, but to be read in parallel.
The EDPS thus differentiates between:
- the primary use of data and their secondary use;
- among the primary uses, between operations related to research and those related to the protection of health (e.g. ensuring compliance with health standards).
Reference methodologies in the field of research
At present, there are two systems of formalities to be carried out with the CNIL for health data. In particular, there is an authorisation system for automated processing, the purpose of which is research or studies in the health field.
However, the CNIL is developing guidelines and reference methodologies to guide data controllers. Where a processing operation complies in all respects with a reference methodology (RM) drawn up by the CNIL, it may be implemented without authorisation from the CNIL, provided that the data controller first submits a declaration attesting to the compliance of the processing.
There are currently 5 reference methodologies in the field of research which must be applied by research sponsors processing data in the context of research in the health field.
State of play of RMs
- RM-001 and RM-003 concerning research involving the human person
- RM-004 concerning research not involving the human person
- RM-005 and RM-006 allowing access to PMSI (Programme de médicalisation des systèmes d’information) data by health establishments and industrial federations in the health sector for the purpose of carrying out studies under strict conditions of security and privacy
What are the main new features of the RMs?
- The obligation for the controller to appoint a DPO
- To provide information in accordance with Articles 13 and 14 of the GDPR
- The possibility for the controller's processors to process identifying data, under certain conditions and for specific purposes
Non-binding benchmarks
In July 2020, the CNIL adopted three new guidelines with the aim of helping the data controllers concerned in the management of health data, more specifically medical and paramedical practices.
The first is a reference framework for the management of current processing in medical and paramedical practices, intended to help liberal health professionals in their compliance process; it concerns liberal health professionals practising in individual or grouped practices, or in health centres.
However, these guidelines are not binding. The data controller may deviate from them, provided that the choice is justified.
In addition, the CNIL has drawn up two other guidelines to guide data controllers in establishing the data retention period.
- A reference framework for data processing in the field of health, excluding research
- A reference framework for the processing of data implemented for research, study and evaluation purposes in the health field
These last two guidelines published by the CNIL are an aid to decision-making and guide the data controller in setting the data retention period.
COVID-19: Health data processing in the fight against the epidemic
At a time when the fight against the Covid-19 epidemic is underway, the issue of health data processing is more topical than ever. On the one hand, because hitherto rare practices, such as teleconsultations, have undoubtedly intensified during lockdown periods and have become quite common. On the other hand, because in order to curb the epidemic, the Government has set up numerous tools and files dealing with the health data of the French, namely:
- The SI-DEP file, which centralises the results of tests carried out in private and public laboratories
- The “Contact Covid” file kept by the CNAM
- The TousAntiCovid application
In order to ensure that data processing complies with European regulations, the executive has chosen to submit a detailed report on the use of these measures to Parliament every quarter.
A first opinion of the CNIL was issued on 14 September 2020, in which irregularities in the processing of data in the StopCovid application (the former application deployed by the government) were noted.
Very recently, the CNIL issued a new opinion in which it noted, with regard to the “Contact Covid” file, that bad practices persisted in certain Regional Health Agencies (ARS), and denounced a lack of consistency between the ARS in the processing of data.
In particular, one ARS was given formal notice to comply within one month, especially regarding the length of time data is kept and its security.
Finally, with regard to the TousAntiCovid application, the CNIL notes that there are no irregularities to date, and that the data processing carried out via the application complies with the regulations. Indeed, it was noted that no data processed in the TousAntiCovid application is processed on a central server, which is in line with the principle of data minimisation and data protection by design and by default.
However, as this application is due to be updated, other opinions are to be published, and the CNIL will continue to pay particular attention to the follow-up to this project and to the conditions of effective implementation of the system.