E-Health: new “health data warehouse” guidelines coming soon
The French National Commission for Information Technology and Civil Liberties (CNIL FRANCE) has launched a consultation on a project of reference for the creation of health data warehouses. This consultation is available until April 2, 2021.
In order to assist professionals in their GDPR compliance, the CNIL wishes to gather the opinions of private public actors wishing to create a health data warehouse as part of a public interest mission. This consultation will enable the CNIL to establish a new reference system.
A health data warehouse is a large database intended for the reuse of health data from several sources for several study, research or evaluation projects. These data are stored in a single, massive file that is intended to be kept for a long time.
The creation of such a repository requires the explicit consent of the patients involved in the collection, recording and storage of health data. If the explicit consent of the persons concerned is not obtained, the processing relating to the creation of the warehouse must be the subject of a request for “health” authorization (excluding research) from the CNIL and the purpose pursued must be of a public interest nature.
In all cases, a data protection impact assessment (DPA) must be carried out by the data controller. This analysis must then be sent with the application for authorization to the CNIL.
Once it has been compiled, the re-use of this data in the context of a research project must be carried out in accordance with the provisions relating to research and be the subject of a commitment to comply with a reference methodology (simplified procedure) or, in the absence of compliance with one of these guidelines, an application for research authorization.
With this new reference[1] system, the processing operations that comply with it (adopted after the consultation) will be able to declare their compliance to the CNIL and will no longer be subject to the authorization procedure.
The processing operations that do not comply with it will have to justify their deviation from the standard in order to obtain an authorization.
Our UGGC law firm and its team of lawyers specialized in digital and health law are at your disposal to assist you in protecting your legal and economic interests.
By the IP/IT team of UGGC Law Firm
Source : CNIL
[1] As a “flexible” regulatory instrument, a reference framework is intended to give organizations greater legal certainty. It is drawn up in consultation with the stakeholders concerned and can update the old reference frameworks adopted before the RGPD came into force, such as the single authorizations (UA) and the single regulatory acts (RU).