
In a context where health data is both an essential scientific tool and a fundamental rights protection issue, healthcare establishments, laboratories and researchers regularly wonder about the rules for reusing data without direct contact with patients.

The MR-004 reference methodology, established by the CNIL (National Commission for Information Technology and Civil Liberties), provides a precise framework for this type of processing. It is one of several reference methodologies designed to frame health research, whether the project collects health data itself or reuses health data not collected directly from the individuals concerned, while guaranteeing a high level of protection.

Under certain conditions, this methodology allows research, studies or evaluations to be carried out in the healthcare field without prior authorization, provided that the project:

  • Relies on data already collected (e.g. care records, PMSI, data warehouses);
  • Does not involve any intervention on the human person;
  • Pursues a public-interest purpose;
  • Respects the principle of data minimization.

In short, MR-004 facilitates the implementation of healthcare research while ensuring a high level of protection for personal data.

In this article, we answer our clients' most frequently asked questions on the practical application of this regulatory framework.

Contents:

  • Is my research project covered by MR-004?
  • Is CNIL (National Commission for Information Technology and Civil Liberties) authorization required?
  • What health data is authorized by MR-004?
  • How do you inform the people concerned?
  • What are my obligations as a data controller?
  • Can I transfer data outside the EU?
  • How long can I keep my data?
  • Who can access study data?
  • Do I have to appoint a DPO (Data Protection Officer) for MR-004?
  • How can Dipeeo help me?
Healthcare professionals analyzing pseudonymized data as part of an MR 004-compliant study.

1. Is my research project covered by MR-004?

Yes, if your project:

  • Uses healthcare data already collected (e.g. medical records, PMSI, data warehouses);
  • Requires no intervention on the human person (no tests, interviews or medical procedures);
  • Has as its purpose research, study or evaluation of public interest in the field of health;
  • Does not fall into the legal category of "research involving the human person" (RIPH 1 or 2 under the French Public Health Code).

Here are a few concrete examples: a retrospective study on the effectiveness of a care pathway, a statistical evaluation based on a hospital data warehouse, the use of the PMSI (Programme de Médicalisation des Systèmes d'Information), or an analysis carried out by healthcare manufacturers as part of research aimed at assessing the impact of a management panel on care practices, hospital organization or clinical outcomes. These projects are typical of studies carried out in the healthcare sector without direct data collection from patients.

2. Is CNIL (National Commission for Information Technology and Civil Liberties) authorization required?

No. If your project strictly complies with the MR-004 reference methodology, you don't need to obtain prior authorization from the CNIL (National Commission for Information Technology and Civil Liberties). Instead, you need to make a declaration of conformity via the following portals:

The online declaration constitutes a formal compliance undertaking by the data controller to the CNIL (National Commission for Information Technology and Civil Liberties). It certifies that the project complies with all the requirements of MR-004, in particular in terms of security, data minimization and information for data subjects.

If your project does not meet all the criteria of MR-004 (e.g. prohibited data, impossibility of informing the persons concerned, objectives outside the scope), then you must file a classic authorization request with the CNIL (National Commission for Information Technology and Civil Liberties).

🗃️ In addition, each project declared compliant with MR-004 must be registered in a public directory maintained by the Plateforme des Données de Santé (PDS) / Health Data Hub, accessible here:

🔗 https://www.health-data-hub.fr

3. What health data are authorized by MR-004?

MR-004 authorizes only data that is strictly necessary for the purpose of the research, in compliance with the minimization principle laid down by the GDPR. The data must be pseudonymized, i.e. it must not allow direct identification of the data subjects.

The list of authorized data is limited and precisely defined in the official text of the methodology. It is divided into two main categories: patient data and data on the healthcare professionals involved in the research.

Patient data authorized for research purposes:

1. Indirect identification data: gender, year or month/year of birth, age range, family situation (e.g. number of dependent children).

2. Administrative data: pseudonymous patient code (with secure correspondence table), date of admission to/discharge from care facility, postal code (under certain conditions), type of social security coverage.

3. Health data: pathologies, medical history, diagnoses (e.g. ICD-10 codes), medical procedures (e.g. CCAM codes), medications and treatments, test results (biological, imaging), surgical procedures, medical follow-up or consultation data, treatment data (hospitalization, emergency, etc.).

4. Health-related behavioral and social data: Lifestyle habits (smoking, alcohol, physical activity, etc.), level of education, employment status, social class, etc.

5. Data from healthcare systems: data from PMSI, SNDS, SNIIRAM, hospital warehouses, subject to specific applicable rules.

Data explicitly forbidden (not allowed under MR-004):

  • NIR (social security number)
  • Precise geolocation data
  • Biometric data
  • Uncoded genetic data
  • Religious, political and philosophical views
  • Data relating to criminal offences or convictions

Authorized data on healthcare professionals:

Surname, first name, professional details, RPPS / ADELI number, specialty, role in the study, affiliation center, data required to manage agreements or reimbursements.

The same processor can never process both directly identifying data and health data.

4. How to inform the people concerned?

Informing the people whose data is used (patients)

Informing data subjects is an essential requirement of the MR-004 reference methodology. It guarantees the transparency of processing and enables individuals to exercise their rights, in accordance with Articles 13 and 14 of the GDPR.

This information must be provided before or at the time of processing, and can take two forms, depending on the context in which the data were collected:

Individual information (recommended whenever possible):

  • By post or e-mail,
  • A project sheet given to the patient,
  • Via a dedicated mention on a website.

General information

Particularly applicable when the data was initially collected as part of medical treatment. It can be provided by:

  • Posting on the premises of the healthcare facility,
  • A note in the welcome booklet or medical file,
  • An institutional document on research carried out by the company.

The information provided must contain the following elements: the purpose of the data processing (e.g. retrospective study, medical evaluation), the identity of the data controller and the contact details of the DPO, the legal basis of the processing (public interest), the categories of data processed and the data recipients, the data retention periods, the rights of individuals (access, rectification, opposition, limitation, etc.) and, where applicable, data transfers outside the EU.

Good to know: the impossibility of informing excludes MR-004. If you can't inform the people concerned, even in general terms, you can't use the MR-004 methodology.

Informing the healthcare professionals involved

Healthcare professionals taking part in the research must also be informed about the processing of their data (name, role, study center, etc.). This information is generally included:

  • In participation agreements,
  • Or in the contractual documents provided by the sponsor or research center.

5. What are my obligations as a data controller?

The data controller, whether a healthcare institution, research organization or sponsor, must implement a set of concrete actions to ensure that the project complies with MR-004 and the GDPR. These obligations aim to ensure the traceability, security and transparency of personal data processing.

As a data controller, you must:

  • Keep an up-to-date register of processing activities, including research carried out under MR-004;
  • Carry out a data protection impact assessment (DPIA) if the processing operation presents a high risk to the rights and freedoms of data subjects;
  • Implement technical and organizational security measures, based in particular on the ANSSI (Agence nationale de la sécurité des systèmes d'information) recommendations;
  • Document the data pseudonymization and ensure that correspondence (mapping) tables are stored securely and separately from the research data;
  • Register the project in the Health Data Hub's public directory, accessible at https://www.health-data-hub.fr, in accordance with the registration procedure for research on health data not collected directly.
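The pseudonymization requirements of sections 3 and 5 (a random pseudonymous patient code, a correspondence table kept separately, an allow-list that keeps only the strictly necessary fields) and the rule that one processor may never hold both directly identifying data and health data are easy to get wrong in practice. The following Python snippet is an added illustration, not code from Dipeeo or the CNIL: the field names, the allow-list and the sample record are constructed for this example, and the authoritative list of permitted data remains the CNIL's MR-004 text.

```python
# Added illustration (not Dipeeo's or the CNIL's code): pseudonymize a
# constructed care record for an MR-004-style retrospective study, keeping the
# correspondence table separate from the research dataset, applying a field
# allow-list for minimization, and checking the separation-of-processors rule.
import secrets
from datetime import date

# Fields the research dataset may contain (constructed allow-list reflecting the
# categories the article lists: indirect identification, administrative,
# health and behavioural data). Real projects derive this from the CNIL text.
ALLOWED = {"gender", "birth_year", "admission_date", "icd10_codes", "smoker"}
# Directly identifying or explicitly forbidden data (NIR, precise geolocation,
# names, full date of birth) that must never reach the research dataset.
IDENTIFYING = {"patient_id", "last_name", "first_name", "birth_date", "nir", "gps"}
# Health data proper, used for the separation-of-processors check.
HEALTH = {"icd10_codes", "smoker"}


class CorrespondenceTable:
    """Identity -> pseudonymous code. In a real project this lives in a
    separate, access-controlled store handled by someone who never sees the
    health data (the article's "secure correspondence table")."""

    def __init__(self):
        self._codes = {}

    def code_for(self, patient_id):
        code = self._codes.get(patient_id)
        if code is None:
            # Random token: the code cannot be derived from the identity, so
            # re-identification is only possible through this table.
            code = "P-" + secrets.token_hex(8)
            self._codes[patient_id] = code
        return code

    def __len__(self):
        return len(self._codes)


def pseudonymise(record, table):
    """Return the record restricted to allowed fields, keyed by a pseudonymous code."""
    out = {"patient_code": table.code_for(record["patient_id"])}
    # Keep the year of birth only: MR-004 allows year or month/year, not the full date.
    if "birth_date" in record:
        out["birth_year"] = record["birth_date"].year
    for field, value in record.items():
        if field in ALLOWED:
            out[field] = value
        # Every other field (identifying, forbidden or simply unnecessary) is dropped.
    return out


def check_separation(fields_given_to_processor):
    """Raise if a single processor would receive both identifying and health data."""
    fields = set(fields_given_to_processor)
    if fields & IDENTIFYING and fields & HEALTH:
        raise ValueError("a single processor may not hold identifying and health data")
    return True


# Constructed sample record with fictitious values (hypothetical hospital export).
SAMPLE = {
    "patient_id": "HOSP-000123",
    "last_name": "Doe",
    "first_name": "Jane",
    "nir": "2 85 01 75 123 456 78",
    "birth_date": date(1985, 1, 17),
    "gender": "F",
    "admission_date": "2023-03-02",
    "icd10_codes": ["I10", "E11"],
    "smoker": False,
    "gps": (48.85, 2.35),
}

if __name__ == "__main__":
    table = CorrespondenceTable()
    print(pseudonymise(SAMPLE, table))
    # A logistics processor mailing information letters may hold names only:
    print(check_separation(["last_name", "first_name", "postal_address"]))
```

The research dataset that leaves `pseudonymise` contains no name, NIR, full birth date or geolocation, and the only way back to the patient is the `CorrespondenceTable`, which is exactly the object the data controller must document and store separately. `check_separation` encodes the rule from the article: a processor that handles identifying data (for example to send out questionnaires) must not also receive health data.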

6. Can I transfer data outside the EU?

The transfer of personal data to a country outside the European Union is possible, but only:

  • If the transfer is strictly necessary for carrying out or exploiting the research;
  • If you implement the GDPR's legal safeguards (e.g. standard contractual clauses, binding corporate rules (BCR), adequacy decisions);
  • And if this transfer is clearly mentioned in the information note given to data subjects, as well as in the declaration of compliance to the CNIL (National Commission for Information Technology and Civil Liberties).

7. How long can I keep my data?

The MR-004 methodology sets precise data retention periods for data processed as part of a research project, to ensure a balance between scientific needs and the protection of data subjects. These periods must be strictly respected and justified in the project documentation.

  • Patient data: up to 2 years after publication of results, or, in the absence of publication, until signature of the final research report.
  • Healthcare professionals' data: up to 15 years after the end of their participation in the last research project to which they contributed.

Once these deadlines have been reached, data can be archived securely, on paper or electronically, in compliance with the applicable legal rules (e.g. Public Health Code, GDPR).

8. Who can access study data?

Screenshot of a healthcare research dashboard showing a secure, anonymized data warehouse.

Access to data processed as part of an MR-004 project is strictly controlled. Only duly authorized persons with a defined role in the research may consult these data, in compliance with the confidentiality and security rules laid down in the methodology.

The data can only be consulted by:

  • Healthcare professionals involved in the research (e.g. investigating physicians, coordinators);
  • Designated collaborators of the data controller (e.g. authorized personnel of the sponsor or healthcare establishment);
  • Certain processors, for specific, clearly defined tasks (e.g. sending out questionnaires, logistics management, expense reimbursement).

Important: the same processor may never process both directly identifying data and health data. This combination is expressly forbidden by MR-004 and exposes the project to the risk of falling outside its regulatory scope, notably with regard to Title VII of the French Public Health Code concerning the processing of personal data for research purposes.

9. Do I have to appoint a DPO (Data Protection Officer) for MR-004?

Yes, in the vast majority of cases, the appointment of a DPO is compulsory.

According to Article 37 of the GDPR, the appointment of a data protection officer (DPO) is mandatory for any public or private body that:

  • Performs large-scale data processing of sensitive data (such as health data),
  • Or whose main activity is to regularly and systematically track people on a large scale.

In the context of MR-004, processing operations relate exclusively to health data, and often involve a large volume of pseudonymized data, sometimes taken from data warehouses, hospital databases or the SNDS. This fully meets the criteria for the mandatory appointment of a DPO.

10. How can Dipeeo help me?

At Dipeeo, we support establishments and project leaders throughout the entire process:

  • Assessment of eligibility for MR-004;
  • Drafting of information documents (for patients and professionals);
  • Completion or verification of the DPIA (AIPD);
  • Declaration to the CNIL (National Commission for Information Technology and Civil Liberties), as your outsourced DPO;
  • Legal structuring and security of data processing;
  • GDPR compliance training for your teams.

To take things a step further, we've produced a Health Guide specifically for healthcare professionals.

Anaïs Guilloton

Marketing Manager - GDPR Expert