The French National Commission for Information Technology and Civil Liberties (CNIL) has just reminded two medical research organizations of their legal obligations in the context of their processing of health data.
Such processing must either be specifically authorized by the CNIL, after an opinion from the Ethical and Scientific Committee for Research, Studies and Evaluations in the Health Sector (CESREES) or the Committee for the Protection of Individuals (CPP), or be covered by a declaration of compliance with a reference methodology. In both cases, a data protection impact assessment (DPIA) is required: it may be requested during the authorization process, and the reference methodologies state that it is mandatory.
Neither organization had carried out this impact assessment. Furthermore, the information provided to individuals about the processing was incomplete, which constitutes a further breach of the GDPR and the French Data Protection Act.
CASD, which provides a facility for processing health data, assists applicants with the obligations they must fulfil before such processing begins.