Individual Professional
MY STEPS
THEMES
TECHNOLOGIES
OFFICIAL TEXTS
THE CNIL
MY COMPLIANCE WITH THE GDPR
THEMES
TECHNOLOGIES
OFFICIAL TEXTS
THE CNIL
NEED HELP ?
FR | EN
> Research in the health sector: the CNIL adopts new simplification measures
Health research: the CNIL adopts
new simplification measures
July 16, 2018
To ease the formalities related to data processing carried out in research
in the health sector, the CNIL has adopted five new benchmark methodologies
adapted to the legal framework for health data.
The CNIL has adopted five new reference methodologies (MR-001, MR-003, MR-004, MR-005 and MR-006) which
offer a secure framework for the implementation of research treatments in the health field. She comes
also to approve a simplification procedure to access the "EGB" (Generalist Sample of
Beneficiaries) from the medico-administrative base of SNIIRAM). These new frameworks reflect the will of the
Commission to continue its process of simplifying formalities in the field of health research.
An update required
The creation and updating of reference methodologies were made necessary by the evolution of the texts
national laws, by the entry into force of the General Data Protection Regulation (GDPR) as well as by
feedback from the field actors on existing frameworks (see below for the main
news).
As required by law, prior consultation with representative public and private bodies took place in
2018.
Advantages of reference methodologies
The adoption by the CNIL of these methodologies aims to create a favorable protective framework for the persons concerned
research, innovation and competitiveness.
When the data controller performs research in accordance with a reference methodology, the
authorization request to the CNIL is not necessary. So :
. In the context of research involving the human person, only the opinion of a personal protection committee, provided for by the
public health code, must be obtained;
. In the context of research that does not involve the human person, the opinion of CEREES is not necessary. However, the
data controller must register his treatment in the public directory maintained by the INDS.
Who is concerned ?
Research promoters who process data as part of research, study or evaluation in the
field of health.
The scope of the reference methodologies is clarified:
. From now on, MR-001 & MR-003 concern research involving the human person, as defined by the code of
public health ;
. The new MR-004, relates to research not involving the human person, studies or evaluations in the field of
health;
. Finally, the MR-005 & MR-006 are the first reference methodologies for one of the components of the SNDS: the
PMSI (Information Systems Medicalization Program). They allow access to PMSI data by
health establishments, federations and manufacturers in the health sector for the purpose of carrying out studies under conditions
strict confidentiality and security.
New reference methodologies may be adopted, depending on the needs identified.
What are the formalities to be carried out?
The data controller who wishes to implement one or more treatments in accordance with one of
these reference methodologies send the CNIL a declaration attesting to this compliance for each
reference methodology applicable to its projects.
This declaration applies to all the processing operations implemented, which must be documented in the
within the register of processing activities provided for by the GDPR.
It is not necessary for data controllers who have already made a commitment to comply with
old versions of a reference methodology send a new declaration of conformity to this text. The
processing operations must, however, comply with the new text.
> Make a declaration attesting to compliance with a reference methodology
If the treatment does not comply with one of the RMs:
. For research involving the human person, a CNIL authorization request must be made online:
. For research not involving the human person, a file must be submitted to the INDS.
Main new features of the reference methodologies (MR-001.003, MR-
004)
The main new products from RM:
. the obligation for the controller to designate a data protection officer (DPO);
. informing people whose content must now comply with the provisions of article 13 or 14 of the GDPR;
. the possibility of processing directly identifying data by subcontractors of the data controller under
certain conditions and for specific missions (reimbursement of costs, allowances, follow-up of people (sending a message
text, link to an online questionnaire etc.), product delivery); attention, data processing directly
identifiers and health data by the same subcontractor remains excluded from the reference methodology. The treatment of
name of the body responsible for treatment, even if it can reveal an area of ​​health (cancer, AIDS etc.) is admitted
MR;
. the possibility of processing the department of residence (the commune of residence being excluded as well as the data of
geocoding);
. the possibility of communicating data to independent experts or researchers responsible for re-analyzing the data,
especially at the request of publishers of scientific journals.
In this specific case, the data controllers must use a technical solution allowing only the consultation
data, without the possibility of extracting personal data.
. An arrangement of the individual information of people in the event of data reuse (MR-004): or
the information delivered during the collection of data and / or biological samples refers to a specific information device,
to which the persons concerned may refer before the implementation of each future treatment (for example: a site
Internet).
The new features of the reference methodologies are detailed in the articles below:
> Research in the health field: what changes with the new reference methodologies
> Access to the Information Systems Medicalization Program (PMSI) for research purposes
Generalist Sample of Beneficiaries
Finally, in April 2018, the CNIL approved conditions for the provision of the Generalist Sample of
Beneficiaries (EGB) from the National Inter-Regime Health Insurance Information System (SNIIRAM),
allowing, for certain treatments and subject to specific conditions, a single examination by the INDS (therefore without
CEREES opinion and without authorization from the CNIL).
See Deliberation n ° 2018-134 of April 12, 2018 approving the conditions of provision of the sample
generalist of beneficiaries (EGB) and thematic databases called "datamarts" of the National System
Information System for Health Insurance (SNIIRAM)
Learn more about benchmark methodologies
> MR-005 Studies requiring access to PMSI and / or SPS data by health establishments and federations
hospitable
> MR-006 Studies requiring access to PMSI data by healthcare industry
> MR-004 Research not involving the human person, studies and evaluations in the health field
> MR-003 Research in the health field without obtaining consent
> MR-001 Research in the health field with consent
Keywords associated with this article
#Medical research
This may also interest you ...
HEALTH RESEARCH: WHAT CHANGES WITH NEW REFERENCE METHODOLOGIES
Since 2006, the CNIL has undertaken a simplification of the procedures for the processing of personal data implemented
works within the framework of research in the field ...
July 16, 2018
ACCESS TO THE INFORMATION SYSTEMS MEDICALIZATION (PMSI) PROGRAM FOR RESEARCH PURPOSES
The MR-005 & MR-006 reference methodologies simplify access to hospital data (PMSI - Program de
medicalization of information systems), in ...
July 16, 2018
Subscribe to the newsletter
nom@example.fr SUBSCRIBE TO THE NEWSLETTER
Your email address is only used to send you CNIL newsletters. You can use the link at any time
unsubscribe integrated into the newsletter. Learn more about managing your data and your rights
Follow us
MEDIA
GLOSSARY
FR-EN LEXICON
NEED HELP
HURRY
FR | EN
COOKIES MANAGEMENT
LEGAL NOTICE | PERSONAL DATA | PUBLIC INFORMATION | RECRUITMENT | RSS FEED | CONTACT