CNIL guidance biomedical research

22 March 2006

Hélène Lebon

In February 2006, the French Data Protection Authority (CNIL) adopted guidance concerning biomedical research.

According to articles 53 to 61 of the French Data Protection Act each application for the processing of personal data for medical research involves two stages. Firstly a “Comité consultatif sur le traitement de l’information en matière de recherche dans le domaine de la santé” (an advisory committee on the processing of information for medical research) expresses its opinion on the methodology of the research with respect to the provisions of the French Data Protection Act, the necessity of recourse to personal data and their relevance to the purpose of the research. Following this, authorisation is required from the CNIL.

Several years ago, the CNIL issued a simplified approval procedure. According to this procedure, data controllers should submit a simplified prior authorisation request and review it every year.

The new guidance states rigorous conditions which must be complied with by sponsors who want to notify their commitments to comply with guidance issued by the CNIL; only one notification is necessary for all the research carried out by the data controllers.

The guidance applies only to biomedical research carried out according to article L.1121-1 of the French Public Health Code, consequently, it does not cover phamarcovigilance processing, furthermore, the document excludes some kinds of research, such as epidemiological researches, and research on behaviour of individuals.

In order to comply with the rules stated by the CNIL:

  • processing must only contain indirect personal data relating to patients, who can only be identified by their initials or a specific number;
  • personal data must be collected direct from patients or by investigators;
  • only limited categories of personal data can be collected;
  • the CNIL must be informed of the purpose(s) of the processing as well as the function of the processing.

The categories of persons who can process or access the data are strictly limited by the document issued by the CNIL.

Furthermore, data controllers must provide information and ask for patients’ consent in the form of the notices adopted by the CNIL and included in the guidance.

The guidance also imposes compulsory retention periods and security measures and, according to this document, data controllers must implement a security and confidentiality policy, and organise training sessions for employees who can access the data processed.

Moreover, only coded or anonymous data relating to patients can be transferred outside the European Union.

It should be noted that data controllers will have to check carefully whether they comply with the guidance since data controllers who fail to submit a notification or to comply with this guidance could have criminal liability.