Reminder from the CNIL on the legal obligations regarding data protection for an organization conducting medical research

April 2, 2023

In March 2023, following the discovery of breaches of legal obligations relating to the protection of personal data during two audits of organizations carrying out medical research, the CNIL reminded the public of the following legal obligations:

OBLIGATION TO CONDUCT A DATA PROTECTION IMPACT ASSESSMENT FOR MEDICAL RESEARCH

Before beginning health research - other than internal research (i.e., using data collected during care by health professionals caring for patients and for their exclusive use) - the organization must either obtain authorization from the CNIL to proceed with such research or comply with a reference methodology involving the completion of a data protection impact assessment.

The impact assessment must therefore be carried out before the research starts. It must anticipate the risks to the rights and freedoms of the data subjects, bearing in mind that a single assessment may cover a set of processing operations that present similar risks.

THE NEED TO PROVIDE FULL INFORMATION TO PARTICIPANTS IN MEDICAL RESEARCH

In addition, the organization has an obligation to provide complete information to the persons participating in the research. This information must at least cover the identity and contact details of the organization, the compulsory or optional nature of the data collection, the nature of the information collected, the purposes of the data processing, the legal basis for the processing, the duration of the data storage, the recipients or categories of recipients of the data, the rights of the persons concerned, the contact details of the data protection officer and the procedures for lodging an appeal with the CNIL.

This is an opportunity for the CNIL to recall the difference between "anonymization" and "pseudonymization" of data.

Simply replacing the identity of patients with a "patient number" and a "patient code" made up of two letters (the initial of the surname and the initial of the first name of the person concerned) does not amount to anonymization but to pseudonymization of the data. Indeed, this procedure still makes it possible to isolate an individual in the data set and to re-identify him or her.

In this case, since the two organizations had ceased the data processing for which the breaches had been noted, the President of the CNIL sent them a reminder of their legal obligations, in accordance with the Data Protection Act.
