How to frame the reuse of health data: a look back at our webinar

Discover the questions asked during our webinar "How to frame the reuse of health data?". Led by Calixte Descamps (Adequacy) and Valentine Chauveau (Aumans Avocats), it gives concrete answers on lawfulness, health data warehouses (EDS) and the AI Act to secure your GDPR compliance. The replay and the slide deck are available to explore these issues further.


This event was co-hosted by Calixte Descamps, Privacy Officer, AFNOR-certified DPO (Adequacy) and Valentine Chauveau, Lawyer at the Paris Bar (Aumans Avocats), who bring multidisciplinary expertise, in particular in compliance for the health sector. You can now watch the replay of the event and download the presentation material.

The reuse of health data for research or artificial intelligence requires strict compliance with the GDPR, with the CNIL's reference methodologies (MR) and, in the future, with the EHDS. Between checking the lawfulness of the initial collection, informing patients and applying the AI Act, data controllers must balance legal certainty and innovation. This guide details the essential requirements for health data warehouses (EDS), medical chatbots and scientific publications.

Is the information notice sufficient to verify the lawfulness of the initial collection?

Checking the information notice alone is not sufficient to establish the lawfulness of the initial collection of health data. Even if the notice meets the requirements of the GDPR and of the CNIL's reference methodologies (MR), it does not by itself guarantee the overall compliance of the processing. It is also necessary to establish:

  • a valid legal basis (Article 6 GDPR)
  • an applicable exception for health data (Article 9 GDPR)
  • a compliance undertaking to an MR, or a CNIL authorisation where one is required
  • compliance with the fundamental principles of the GDPR (purpose limitation, minimisation, security, data subject rights)

When health data is reused, a complete review of the protocol, the consents and the opinions/authorisations obtained is also essential.

Next webinar - How to ensure the compliance of your AI projects in health?
16 April 2026 | 11:00 - 12:00

Register for the 16 April webinar to define a framework applicable to your AI projects in health and discover our recommendations via the Adequacy solution.

An event co-hosted by Calixte Descamps, Privacy Officer, AFNOR-certified DPO (Adequacy) and Valentine Chauveau, Lawyer at the Paris Bar (Aumans Avocats)

What should we mention in health research results publications?

As a matter of principle, the publication of health research results must not contain data that directly or indirectly identifies patients, unless their explicit consent has been obtained for this purpose. In practice, this means that only results based on anonymised data can be published.

Research managers must therefore verify that the published data meets the conditions applicable to anonymisation (currently set out in the opinion of the Article 29 Working Party, now the EDPB, on anonymisation techniques, Opinion 05/2014).

What steps should the developer of an AI chatbot for medical students take?

In practice, the developer of such a chatbot must in particular ensure compliance with the following obligations:

  • Check whether health data is involved: if the chatbot uses real medical cases, ensure that this data is anonymised (no identifying information). Otherwise, one of the exceptions of Article 9 GDPR must be relied on and a DPIA (data protection impact assessment) must be carried out
  • Ensure respect for privacy by design: build data protection into the technical architecture, for example by training the chatbot on fictitious data sets, or by adapting the user journey so that the information about the processing carried out via the chatbot is visible and clear
  • Verify the legal basis and the complete information of the data subjects: define an adequate legal basis for the processing and clearly inform students before use (identity of the controller, purposes, categories of data collected, retention period, rights, etc.)

If the chatbot integrates an AI system (AIS) within the meaning of the AI Act, the developer must determine its role (e.g. provider, deployer, distributor) and the risk level of the AIS. Depending on these two elements, more or less stringent obligations under the AI Act must also be met and built in from the chatbot's design phase.

To find out more about the obligations applicable to health projects involving the use of AI, Aumans Avocats and Adequacy are organising a dedicated webinar on 16 April, which you can attend by registering.

What steps are required for further processing by the same controller?

When data is reused by the same controller, the controller must ensure, in accordance with Article 6(4) GDPR, that the new purpose is compatible with the original purpose. To do so, it must carry out a compatibility test based on five criteria (the link between the purposes, the context of the collection, the nature of the data, the possible consequences for data subjects, and the existence of appropriate safeguards such as encryption or pseudonymisation). Two scenarios then arise:

  • If the test is positive (compatible): the processing can continue without a new legal basis. The controller simply has to update its record of processing activities and inform data subjects of the new purpose (Art. 13(3))
  • If the test is negative (incompatible): the controller must either obtain new consent or rely on a specific legal basis. It must then create a new entry in its record of processing activities

Finally, an impact assessment (DPIA) should be considered if the new processing is likely to result in a high risk, in particular where the nature of the processing changes significantly or innovative technologies are used.

Can the establishment of an EDS have a commercial purpose?

The creation of an EDS may include the optimisation of health products by private actors among its purposes, since this falls within scientific research and innovation. However, the legal framework (the CNIL's EDS reference framework) requires that the processing pursue a public interest. Purely commercial purposes such as marketing, advertising or the adjustment of insurance premiums are therefore strictly excluded.

Detailed analysis: a private actor (health product manufacturer) may access an EDS or set one up, provided that the purpose is research, study or evaluation in the field of health (REDS). The optimisation of a health product (medicine, medical device) by analysing patient behaviour is regarded as a scientific research purpose. Even if this research ultimately serves the economic interests of a company, it is recognised as having an indirect public interest (improvement of care, therapeutic innovation).

It is forbidden to use the data of an EDS (Article L. 1461-1 of the Public Health Code) for:

  • product promotion (direct marketing to patients or doctors)
  • the exclusion of guarantees from insurance contracts or the modification of premiums
  • advertising targeting

For an EDS (or access to an EDS) to be authorised, the data controller must demonstrate that the project is in the public interest:

  • if the analysis only aims to "sell more": it is prohibited
  • if the analysis aims to "better understand side effects in order to improve the safety of the product": it is allowed, even if it also benefits the company commercially

Can a private company reuse health data for anonymous profiling?

The key point here lies in the anonymisation process. While anonymisation takes the resulting data outside the scope of data protection law, this step itself calls for some vigilance: anonymisation is in itself a processing of personal data, which means the GDPR applies to it.

It is therefore necessary to have an adequate legal basis and to inform the data subjects (patients) about the processing of their personal data for anonymisation purposes. The anonymisation process must also comply with the conditions applicable in this field (currently set out in the opinion of the Article 29 Working Party, now the EDPB, on anonymisation techniques).

However, profiling appears to be at odds with the notion of anonymisation, which implies that the data subjects can no longer be re-identified or singled out. The profiling in question must therefore not make it possible to isolate a patient, and must only produce groups of patients large enough to rule out any singling out.
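As an added illustration that is not part of the webinar material or the authors' own content, the following Python snippet shows one way to operationalise the "sufficiently large groups" requirement that runs through both the anonymisation answer above (publication of results) and this profiling answer: a k-anonymity-style check that only publishes aggregate groups of at least k patients, generalises the quasi-identifiers when a group is too small, and suppresses whatever still cannot be merged. The records, the quasi-identifier columns and the threshold K = 5 are constructed assumptions for the example; the appropriate threshold and the list of quasi-identifiers must come from the project's own anonymisation analysis, not from this code.

```python
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample of pseudonymised patient records (not real data):
# (age_band, department, diagnosis_code). The first two columns are the
# quasi-identifiers an attacker could combine with outside knowledge.
RECORDS: List[Tuple[str, str, str]] = (
    [("40-49", "75", "E11")] * 5
    + [("50-59", "69", "I10")] * 6
    + [("30-39", "13", "C50")] * 2   # too small on its own
    + [("30-39", "31", "C50")] * 3   # too small on its own
    + [("80-89", "2A", "G30")]       # a single patient: must never be published
)

# Assumed minimum group size for this example; the page fixes no number.
K = 5

Group = Tuple[str, ...]


def aggregate(records: List[Tuple[str, str, str]], columns: Tuple[int, ...],
              k: int = K) -> Tuple[Dict[Group, int], Dict[Group, int]]:
    """Count patients per combination of the selected columns and split the
    groups into publishable (size >= k) and suppressed (size < k)."""
    counts = Counter(tuple(r[i] for i in columns) for r in records)
    published = {g: n for g, n in counts.items() if n >= k}
    suppressed = {g: n for g, n in counts.items() if n < k}
    return published, suppressed


def profile_report(records: List[Tuple[str, str, str]], k: int = K) -> Dict[str, Dict[Group, int]]:
    """Publish what is safe at full granularity, then retry the records of the
    too-small groups with the department removed (generalisation) so that some
    of them merge into a publishable group. Whatever is still below k is
    suppressed rather than released."""
    fine, small = aggregate(records, (0, 1, 2), k)
    leftover = [r for r in records if r in small]
    coarse, still_small = aggregate(leftover, (0, 2), k)
    return {"fine": fine, "coarse": coarse, "suppressed": still_small}


def can_single_out(groups: Dict[Group, int], k: int = K) -> bool:
    """True if any group in the proposed output would let someone isolate a
    patient, i.e. the output is not safe to release as 'anonymous' profiling."""
    return any(n < k for n in groups.values())


if __name__ == "__main__":
    report = profile_report(RECORDS)
    for level in ("fine", "coarse"):
        for group, n in report[level].items():
            print(f"publish {level:6s} {group} -> {n} patients")
    for group, n in report["suppressed"].items():
        print(f"SUPPRESS {group} -> {n} patient(s), would allow singling out")
```

Note that the check only addresses singling out; the EDPB criteria also cover linkability and inference, so a passing result here is a necessary condition, not proof of anonymisation.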

Is specific consent necessary and sufficient for this processing?

Obtaining explicit and specific consent would ensure that patients have been informed that their health data is going to be used outside the original purpose for which it was collected.

However, consent is not a "blank cheque" that allows health data to be reused by itself. The conditions mentioned above remain applicable. In addition, consent must be freely given, specific, informed and explicit (Article 9(2)(a) GDPR).

What is the difference between health research and scientific research for the GDPR?

The difference between health research and scientific research lies not only in the object of the study but in the applicable regulatory framework. Scientific research is a broad concept under the GDPR (Art. 89) that allows flexibility in the retention period and in the reuse of data, whereas health research is a special regime. It imposes stronger security and ethical constraints (Art. 9 GDPR) because it handles sensitive data.

In France, health research is strictly regulated by the Public Health Code and often requires compliance with the CNIL's reference methodologies and the involvement of a research ethics committee (CPP), which is not the case for ordinary scientific research that does not involve health data.

Detailed analysis: under the GDPR, scientific research is not just a "subject", it is a status. If a processing operation qualifies as "scientific research", it benefits from derogations:

  • Presumption of compatibility: data collected for another purpose may be reused for scientific research (presumption of compatibility)
  • Longer storage: the data may be kept longer than originally planned
  • Rights of individuals: some rights (access, rectification, objection) may be limited where they would make it impossible to carry out the research

Health research is a form of scientific research, but by definition it handles sensitive data (health data). As such:

  • Prohibition in principle: the processing of health data is prohibited, subject to exceptions (Art. 9(2)(j) GDPR for research)
  • The French framework (CNIL): in France, unlike ordinary scientific research, health research must generally comply with the CNIL's reference methodologies (MR-001, MR-003, MR-004, etc.)
  • Jardé law (RIPH): if the research involves the human person (clinical trials, for example), it must obtain the opinion of a CPP, which is not required for scientific research in mathematics or physics

What are the impacts of the future EHDS regulation on health research?

Regulation (EU) 2025/327, known as the EHDS, aims in particular to facilitate access to large volumes of data within the European Union through health data access bodies, which are responsible for evaluating requests for data reuse. The EHDS regulation thus distinguishes between primary and secondary use:

  • Primary use covers all processing directly linked to the care pathway, such as prevention, diagnosis, patient care or the operation of the patient record.
  • Secondary use pursues subsequent and distinct purposes, such as scientific research, statistical analysis, health technology assessment, etc.

In particular, this regulation will provide a unified framework for conducting research and operating health data warehouses at European level. However, it should be noted that the provisions on the secondary use of data will not apply until March 2029.


FAQ - framing the reuse of health data

Can health data be reused without new consent?

Yes, if the compatibility test under Article 6(4) GDPR is positive, or if the processing falls within scientific research with appropriate safeguards.

What are the penalties for the prohibited commercial use of an EDS?

The use of EDS data for marketing or advertising targeting is strictly prohibited by the Public Health Code and the GDPR.

Does the EHDS regulation replace the GDPR?

No, the EHDS complements the GDPR by creating a specific framework for the sharing and reuse of health data within the European Union.