Personal health data: clarifications from the Council of Europe and the EDPS.
Health data is diverse and poses significant challenges, and it is becoming increasingly important. On the one hand, this is due to the development of technologies that allow far more extensive processing; on the other hand, it is due to the privacy issues that arise from processing this data (such as who the recipients are, purpose limitation, consent management, etc.). Furthermore, health data processing has gained further relevance with the government’s development of new tools to combat the spread of Covid-19.
The purpose here is to provide an overview of the legislation surrounding health data, particularly by examining the Council of Europe’s guidelines issued on 27 March 2019, which govern health data processing. These guidelines build upon the principles outlined in the opinion issued by the EDPS (European Data Protection Committee) on 23 January 2019 regarding the interaction between the CTR and the GDPR.
What is health data?
The GDPR provides a broad definition of health data, referring to data relating to a natural person’s physical or mental health (past, present, or future), which discloses information about the person’s health status.
The following types of data are considered personal data relating to health:
- Health data by nature, including medical history, possible illnesses, provision of care, etc.
- Data that become health data through cross-referencing with other data: for example, combining weight measurements with other data such as the number of steps or calorie intake measurements
- Data that become health data due to their intended medical use
Health data protection
The principle of prohibition of processing…
In France, health data is protected by the French Data Protection Act, the GDPR, and the Public Health Code.
The Data Protection Act treats health data as a special category of data, the processing of which is prohibited unless a specific exception authorizes it. Similarly, Article 9 of the GDPR follows the same structure: a general prohibition on processing, supplemented by exceptions.
With regards to exceptions:
Article 9(2) of the GDPR provides a list of exceptions that allow the processing of sensitive data, including health data.
Likewise, Article 9(3) of the Regulation states that “personal data referred to in paragraph 1 may be processed for the purposes set out in paragraph 2(h) if those data are processed by a health professional subject to an obligation of professional secrecy.”
In this regard, Article L. 1110-4 of the Public Health Code specifies which categories of professionals may have a role in data processing. Therefore, it is essential to interpret the GDPR in conjunction with the articles of the Public Health Code.
Since the health sector is particularly affected by the GDPR, health data processing has been further clarified by the Council of Europe and the EDPS (European Data Protection Supervisor).
Interactions between GDPR and Clinical Trials Regulation (CTR)
The ethical and regulatory framework for European clinical trials is based on Directive 2001/20/EC of 4 April 2001. However, the Clinical Trials Regulation (536/2014) was introduced to simplify and harmonize the regulations on clinical trials.
Subsequently, the EDPS (European Data Protection Supervisor) issued an explanatory opinion to clarify the respective scopes and interactions between the GDPR (General Data Protection Regulation) and the CTR. The nature of data processing related to clinical trials is thus specified, and the use of health data is explained.
These two texts are not intended to be in opposition but should be read in parallel. The EDPS differentiates between:
- The primary use of data and their secondary use
- Among the primary uses, research activities and processing operations related to the protection of health (e.g., ensuring compliance with health standards)
Reference methodologies in the field of research
Two formal procedures apply before the CNIL (National Commission for Informatics and Liberties) when processing health data. One of them is the authorization procedure for automated processing carried out for research or studies in the health field.
However, the CNIL is in the process of developing guidelines and reference methodologies for data controllers. If a processing operation fully adheres to a reference methodology (RM) established by the CNIL, it can be implemented without requiring authorization from the CNIL. Nonetheless, the data controller must first submit a declaration confirming that the processing complies with the RM.
Currently, five reference methodologies in the field of research must be followed by research sponsors when processing data in the context of health research.
State of play of RMs
- RM-001 and RM-003 pertain to research involving human subjects
- RM-002 concerns non-interventional studies of the performance of in vitro diagnostic medical devices
- RM-004 applies to research that does not involve human subjects
- RM-005 and RM-006 enable health establishments and industrial federations in the healthcare sector to access PMSI (Programme de médicalisation des systèmes d’information) data for conducting studies under strict security and privacy protocols
What are the main new features of the RMs?
- The requirement for the controller to designate a Data Protection Officer (DPO).
- Compliance with the information provision requirements outlined in Articles 13 and 14 of the GDPR.
- The possibility of processors working for the controller to process identifying data under specific conditions and for specific purposes.
Non-binding benchmarks
In July 2020, the CNIL (French Data Protection Authority) adopted three new guidelines to assist data controllers in managing health data, specifically in medical and paramedical practices.
The first guideline provides a reference framework for managing the usual data processing operations in medical and paramedical practices. Its purpose is to support liberal (self-employed) health professionals in their compliance process. This reference framework applies to individual and group practices as well as to health centers.
It is important to note that these guidelines are not legally binding. Data controllers can deviate from them if they can justify their choice.
Additionally, the CNIL has developed two other guidelines to assist data controllers in determining the appropriate data retention period:
- A reference framework for data processing in the health field, excluding research
- A reference framework for data processing carried out for research, study, and evaluation purposes in the health field
These last two guidelines, published by the CNIL, provide guidance and aid in decision-making for data controllers when establishing the data retention period.
COVID-19: Health Data Processing in the Fight Against the Epidemic
During the ongoing battle against the COVID-19 epidemic, the issue of health data processing has become more relevant than ever. On the one hand, previously uncommon practices such as teleconsultations increased sharply during lockdown periods and have become quite common. On the other hand, to curb the epidemic, the Government has implemented numerous tools and databases to manage the health data of the French population, namely:
- The SI-DEP database centralises the results of tests conducted in private and public laboratories
- The “Contact Covid” database maintained by the CNAM
- The TousAntiCovid application
To ensure compliance with European regulations, the executive branch has chosen to submit a detailed report on the use of these measures to Parliament every quarter.
An initial opinion from the CNIL was issued on September 14, 2020, noting irregularities in the data processing of the StopCovid application (the former application deployed by the Government).
More recently, the CNIL issued a new opinion in which it noted that, concerning the “Contact Covid” database, certain Regional Health Agencies (ARS) continued to follow deficient data processing practices, and it highlighted a lack of consistency in data processing among the ARS.
Specifically, one ARS was formally instructed to comply within one month, particularly regarding the retention period of data and its security.
Regarding the TousAntiCovid application, the CNIL determined that there are no irregularities and that the data processing carried out through the application complies with regulations. It was emphasized that no data processed in the TousAntiCovid application is stored on a central server, aligning with data minimisation principles and data protection by design and default.
However, as this application is scheduled for updates, other opinions will be published, and the CNIL will continue to closely monitor the progress of this project and the conditions for its effective implementation.