Context

CNIL has always been very attentive to the processing of health data and to their security and confidentiality. It regularly publishes content on its website (practical information sheets, guidelines and binding recommendations), and has also made health data security one of its priority topics for its investigations back in 2020 and 2021. It also regularly supports needs of health data localization within the European Union, for example in guidelines regarding early-access programs and health data warehouses. The CNIL also issues and regularly updates its standards for clinical studies, known as Méthodologies de reference (MR) like MR-001 or MR-003 for research involving human beings or MR-004 for research not involving human beings (e.g., for reuse of health data). The CNIL is now taking its efforts even further, kicking off 2023 with an intensified focus on medical research and patient data protection.

CNIL warns two medical research organizations

CNIL made public in early March 2023 that it performed investigations during the first half of 2022 relating to processing of patients personal data by two organizations conducting medical research (which are understood as being Sponsors of past clinical trials).

The CNIL identified two major breaches for these organizations:

• Insufficient information of patients: the organizations did not provide sufficient information to the patients in the Informed Consent Form (ICF). ICFs were notably missing the categories of personal data collected and their retention periods, the DPO contact details and the right to lodge a complaint to the CNIL and how to lodge this complaint, whereas GDPR lists such information to be mandatorily provided; and
• Lack of DPIA: the organizations did not conduct any data protection impact assessment (DPIA), whereas this should be performed before starting the processing of patients data. The CNIL reminds that, in any case, any compliance commitment made to one of its MR always requires to perform a prior DPIA.

The CNIL also indicated that one of organizations provided incorrect information in the ICF when mentioning that patients data was anonymized, whereas it was only pseudonymized, as patients data is only key-coded and patients can always be re-identified.

The CNIL issued warnings and specified that the reason why it did not issue any sanctions (e.g. fines) is because the data processing operations concerned ceased. These two organizations were fortunate to be the first two targeted, and that the problematic trials were relatively old. However, this serves as a strong message to other sponsors and stakeholders in medical studies. The CNIL has initiated with warnings but will assume that the actors of the sector are now aware and understand that they could face heavy sanctions in the future.

CNIL's investigations program for 2023 focusing on patients data

The CNIL also revealed in March 2023 its top priorities for investigations for the upcoming year.

One of these priorities is patients data, including the access to the patients' electronic medical records (EMR) within health institutions (known in French as “Dossier patient informatisé” or “DPI").

This choice is motivated by the multiple complaints the CNIL received about unauthorized third-party access to the patients data and the EMR.

CNIL also indicated that investigations carried out will focus on technical and organisational measures implemented to ensure security of such data. After years of being the only authority in Europe to provide the higher number of guidelines and frameworks for health data subjects, the CNIL is now turning more to enforcement.

Next steps

Health care stakeholders must be prepared for the CNIL investigations in 2023, whether they are off-site or on-site and whether they are acting as controller or processor.

This means in particular paying attention to:

• Security measures effectively implemented in practice to protect patients data;
• Contractual provisions negotiated between stakeholders (e.g. liability provisions and warranties in the agreements);
• Adequate transparency and information notices;
• Proper conduct of trials and studies in compliance with the MRs or under a prior authorization;
• If the processing of patients data imply data transfers, safeguards to protect the patients data when transferred outside the EU.

Authored by Julie Schwartz, Patrice Navarro, and Clément Taieb.