Reuse of health data: the 8 prerequisites (RGPD, Public Health Code, CNIL doctrine and sectoral requirements)
The reuse of health data is a crucial innovation driver, especially for research, the improvement of care and the development of AI tools. However, this process is strictly regulated by the RGPD, the Public Health Code and the CNIL doctrine. Before any project, it is imperative to validate 8 essential prerequisites that condition the legality and conformity of subsequent processing. From the qualification of use (primary vs secondary) to HDS hosting and the requirements of the AI Act, a methodical and rigorous approach is the only guarantee of innovative, controlled and sustainable use.

The reuse of health data is today a major driver of innovation, whether in research, the improvement of care pathways, statistical analysis or the development of artificial intelligence tools. But it is also governed by a set of strict rules combining the RGPD, the Public Health Code, the CNIL doctrine and sectoral requirements.
Before considering any project, it is essential to identify the prerequisites that condition the legality of initial data processing.
1. Distinguish between uses: primary vs. secondary (GDPR)
The first step is to determine whether the data is being put to a primary use or a secondary use.
- Primary use covers all processing directly linked to the care pathway, such as prevention, diagnosis, patient care or the operation of the patient record.
- Secondary reuse, on the contrary, pursues subsequent and distinct objectives, such as scientific research, statistical analysis, product improvement or the design of an AI model.
This distinction is fundamental because it determines the applicable legal regime, the legal bases that can be used and the obligations applicable to the data controller.
2. Validate the legality of the initial collection
No reuse is possible if the initial collection was not carried out in accordance with the RGPD. Indeed, the unlawfulness of the initial processing de facto vitiates any subsequent processing.
Among the points to check, it is necessary to ensure:
- That an adequate legal basis was relied on for the initial data collection, together with an exception under article 9 of the RGPD authorizing the processing of sensitive data.
- That the information provided to individuals at the time of collection was complete, fair and transparent, in compliance with the mandatory information required under articles 12 and following of the RGPD.
- That the planned retention periods are consistent with the new purpose and, where appropriate, adapted or reassessed.
- That the rights of individuals can be effectively exercised.
- That the initial processing is properly documented in the record of processing activities.
When the reuser is not the primary collector, additional precautions must be taken: explicit authorization from the original data controller, contractualization of the transfer, clarification of roles and strict verification of security and hosting requirements, in particular HDS.
3. Verify the compatibility of the new purpose
Reuse is only legal if the intended purpose is compatible with that of the initial collection. This compatibility must be evaluated using a real test, taking into account:
- The link between the purposes
- The context of collection
- The sensitive nature of data
- The potential impacts for people
- Planned security measures
However, some reuses benefit from a specific regime, in particular those carried out for scientific research or statistical purposes, or those based on prior anonymization of the data.
4. Qualify the project and the legal framework (Loi Jardé, AI Act)
The legal qualification of the project determines the applicable framework. A research project will not be treated in the same way as a project to train an AI model or an internal statistical study.
Reuse may rely on a reference methodology (MR-003 or MR-004), the Jardé Law, a data protection impact assessment (AIPD), or a specific ethical opinion. Projects involving artificial intelligence must also meet the requirements of the AI Act, which reinforces documentation, governance and risk management obligations.
5. Guarantee an appropriate level of security (HDS)
The reuse of health data requires a particularly high level of security.
- Outsourced processing must be hosted by a provider certified as a Health Data Host (HDS).
- Data must be protected by strong encryption, logging, traceability, access control and auditability measures.
- The management of authorizations must meet a strict principle of “need to know”.
Security is an absolute prerequisite and not just an ancillary part of the project.
6. Structure governance and documentation (AIPD)
Beyond legality, a reuse project must be solidly documented.
- The record of processing activities must be updated to include the new processing carried out.
- An AIPD may also be necessary given the sensitivity of the data and the high risk involved.
- The legal basis, compatibility analysis, security measures, and minimization logic must be traced.
Clear governance must be defined: roles of actors, validation processes, internal bodies, documentation and procedures.
7. Supervise external flows and partnerships
The reuse of health data frequently involves several actors. Exchanges must be precisely documented and secured.
- The responsibilities between the data controller, the processor and any joint controller must be defined.
- Transfers outside the EU must be avoided or strictly supervised.
- Contracts should include strong commitments to security, confidentiality, minimization, and traceability.
8. Ensure ethical management of the project
Legal compliance can also include compliance with ethical commitments. As such, reuse projects must also be part of an ethical logic based on transparency, proportionality and collective interest. Patients should be clearly informed of the possible uses of their personal data. Respecting the principle of minimization also ensures that only data that is strictly necessary is reused.
Conclusion
Reusing health data requires a controlled, methodical and rigorous approach. Clarification of the subsequent purpose pursued, legality of the initial collection, compatibility analysis, legal framework, reinforced security, complete documentation and ethical governance are the essential pillars guaranteeing compliant and responsible reuse.
Organizations that, like Adequacy, invest in this structure create the conditions for an innovative, controlled and sustainable use of health data.
FAQ - Reuse of health data: key questions for DPOs and CISOs
Does illegal initial collection make reuse impossible?
No. Reuse is only legal if the initial collection respected the RGPD (legal basis, complete information for individuals, article 9). Irregular collection automatically affects subsequent processing.
How important is the distinction between primary use and secondary reuse?
This distinction is fundamental. Primary use concerns direct care; secondary reuse pursues distinct objectives (research, analysis, AI). It determines the applicable legal regime and the obligations of the data controller.
Is Impact Assessment (AIPD) mandatory for the reuse of health data?
In the majority of cases, yes. As health data are sensitive, their reuse often generates a high risk, which requires a Data Protection Impact Assessment (AIPD) to be carried out. It may be mandatory, especially for AI projects, large-scale studies or innovative processing operations.
Does health data hosting have to be HDS certified?
Yes. If reuse involves hosting or outsourced processing of non-anonymized health data, the provider must be certified as a Health Data Host (HDS), which covers increased security requirements.
What is the impact of the AI Act on the reuse of health data?
Projects involving AI must comply with the AI Act, in particular in terms of risk analysis and management, technical documentation, transparency, governance, data quality and traceability. The convergence of the RGPD and the AI Act will become central for health institutions and manufacturers.