Personal data rules are at the heart of healthcare players' concerns.
GDPR and medical research: 2 key actions
In the context of medical research involving human subjects, a great deal of personal data, particularly sensitive health data, has to be handled.
This type of research almost systematically involves a range of players working together to bring the research to fruition.
Each of the players will play a role in the research, and particularly in the data processed.
For example, a hospital will be able to consolidate and anonymize patient data, while a start-up will process this data for analysis.
Each player will therefore manipulate data and transfer or store it at different times.
One of the pillars of the GDPR is to define and document "responsibilities" around personal data.
In the case of medical research, it is therefore necessary to draw up an Accountability contract describing all personal data processing carried out by each entity, and defining the responsibilities of each.
This frames the research and enables each entity to put in place everything necessary to respect the commitments made in this contract, in particular those concerning the GDPR.
This will involve security measures for the tools used to process and store data, as well as patient information and consent management.
CASE STUDY
MAGIA Diagnostics is an innovative diagnostic technology that offers a new approach against infectious diseases. Through its service, Magia processes personal health data, something that requires GDPR compliance. As a result, Dipeeo is their referent to the CNIL (National Commission for Information Technology and Civil Liberties) and manages all their GDPR matters.
In addition, Magia Diagnostics was able to launch a patient study with the virology laboratory at Henri Mondor Hospital, thanks to a research protocol for which Dipeeo was involved in the Accountability clauses concerning the exchange of personal data.
The CNIL places strict restrictions on the processing of health data for medical research. Indeed, the impact on individual rights and freedoms in the event of abuses would be considerable.
For this reason, all medical research must be authorized by the CNIL.
This involves filing a dossier with the CNIL.
However, there are several simplification measures that have been put in place since July 2018.
The CNIL has published reference methodologies: MR-001, MR-003, MR-004 (and 5 and 6).
These methodologies consist of a set of rules to be followed at all points of the research, notably concerning data retention periods, information to be provided to individuals, data transfers outside the European Union and responsibilities for processed data.
In most cases, a Data Protection Impact Assessment (DPIA, or AIPD in French) must be carried out. This makes it possible to measure the risk to the individuals whose data is being processed against the gain to be made from the research. This may result in a "disproportion" requiring a higher level of protection for individuals.
If medical research follows these methodologies (MR-00...), it is exempt from authorization requirements. For further details, please consult the CNIL article on the subject: "Health research: the CNIL adopts new simplification measures". However, it may still be necessary to file a medical research "declaration" with the CNIL.