How to frame the processing of health data for research: a compliance guide
The use of health data for research purposes rests on a complex regulatory framework spanning the RGPD (GDPR), the French Data Protection Act (LIL) and the recommendations of the CNIL and the ANS. To secure your projects, it is imperative to correctly qualify the actors (data controller or processor) and to choose the appropriate legal regime: internal study, research subject to a reference methodology (MR) or constitution of a health data warehouse (EDS). This guide summarizes the compliance obligations needed to navigate with confidence in an ecosystem that is changing with the arrival of the EHDS.

In the health sector, research projects generally involve the processing of a large amount of personal data relating to patients and health professionals. This use of health data is governed in France by several texts: the RGPD, the so-called Data Protection Act (LIL) and the provisions of the Public Health Code. These texts are supplemented by recommendations from the competent authorities, such as the CNIL (Commission Nationale de l'Informatique et des Libertés) and the ANS (Agence du Numérique en Santé).
The use of personal health data for research purposes is therefore subject to compliance with a fragmented regulatory and legislative framework. It can be complex for actors to navigate and understand their obligations. The purpose of this article is to present the main scenarios and the associated compliance rules.
A webinar dedicated to the reuse of health data, which we organize with our partner Aumans Avocats, complements the principles set out here.
Qualify the research project and the actors
Depending on the characteristics of the health research project under consideration, several distinct regimes may apply. It is therefore essential to define the contours of the research project as precisely as possible in advance and in particular:
- Project stakeholders
- Sources of health data
- The categories of data processed
- The scope of medical research
- Where the data is stored
The roles of each of the project participants must also be precisely defined. Depending on their degree of involvement in the research, they will be qualified either as data controller (independent or joint) or as processor (initial or sub-processor). The criteria to be taken into account are defined by the EDPB (European Data Protection Board) in its guidelines no. 07/2020.
For example, in a clinical trial-type research project, the sponsor (promoteur) of the research will generally be considered the data controller for the patient data, while the CRO (Clinical Research Organization) will most often be qualified as a processor because it acts on the instructions of the trial sponsor.
However, the applicable qualifications must be analysed on a case-by-case basis, according to the characteristics and role of each stakeholder in the processing of personal health data carried out as part of the research.
Furthermore, a processor may wish to reuse the health data that it collects and processes on behalf of a data controller (for example, as a publisher of e-health software) in order to carry out further research. In that case, it becomes the data controller of the reused data, which implies in particular the explicit and prior agreement of the original data controller.
While these considerations make it possible to define the distribution of data protection obligations applicable to all actors involved in research, the legal framework applicable in itself must also be established.
The case for specific research: internal studies and health research
When the research project focuses on a specific purpose and responds to a specific health problem, it may have two alternative qualifications: it will be either an internal study, which does not require the completion of prior formalities with the CNIL because it is among the exceptions listed in article 65 of the Data Protection Act No. 78-17 (hereinafter the LIL); or a health research project.
To be qualified as an internal study, the research project must meet three cumulative conditions:
- This is a study carried out using data collected as part of the individual care of the patients concerned.
- This is a study carried out by the health personnel providing this follow-up.
- It is a study carried out for their exclusive use.
If the study does not meet these criteria, it will not benefit from the exemption from prior formalities provided for in article 65 of the LIL. In practice, this will be the case for the majority of research projects, which most often involve laboratories or CROs.
In this case, the research project must then:
- Comply in all respects with one of the CNIL's standards, MR-001 to MR-008 (reference methodologies), and be the subject of a declaration of compliance sent to the CNIL.
- In the absence of compliance with one of the MRs, the data controller must file an application with the CNIL for authorization of the research.
In any event, it will generally be necessary to carry out a data protection impact assessment (hereinafter a DPIA) in order to comply with one of the CNIL's MRs or to compile your authorization request file.
In addition, it should be emphasized that the compliance formalities carried out for a specific research project cannot be extended to a later research project. The latter will have to be the subject of its own compliance file.
The case of the health data warehouse (EDS)
Health research actors are regularly confronted with the following problem: is my research project a health data warehouse or is it health research?
In order to determine whether the project corresponds more to the constitution of a warehouse than to the carrying out of a specific research project, it is necessary to check whether:
- The research project has no limited and defined duration, or the databases are created for a long period of time (for example 10 years).
- The databases have no specific research objective but are likely to be reused for several different research projects.
- Databases are fed from multiple sources and continuously over time.
When the project meets the qualification of a health data warehouse, it can be implemented subject to complying with one of the following frameworks:
- Either the warehouse is implemented as part of the pursuit of a public-interest mission by the data controller and meets in all respects the criteria defined by the dedicated framework established by the CNIL;
- Or the warehouse does not meet these conditions and must be the subject of an authorization request to the CNIL.
In the first case, only a declaration of compliance with the CNIL standard must be sent to the CNIL.
Finally, there is another alternative for actors in the health sector: the collection of the explicit consent of the persons concerned by the processing of their personal data. This possibility is provided for by article 65 of the LIL and allows actors, subject to compliance with all the classical conditions of the RGPD, to avoid the prior formality regime with the CNIL.
In all cases, it will be necessary to ensure that the persons concerned are fully informed, in accordance with articles 12 to 14 of the GDPR, of the reuse of their data for the constitution of the warehouse and for all subsequent research.
As such, the establishment of a transparency portal, when individual information is impossible, can be a good practice for centralizing information relating to the constitution of the warehouse and the research carried out on it.
Finally, it is worth noting that the CNIL has requalified as a health data warehouse data collections carried out without authorization for research purposes. This was the case when it decided to sanction the company Cegedim Santé in 2024.
The rules in case of anonymization of health data
Research projects can rely on anonymized data in order to benefit from greater flexibility in their implementation. Indeed, as soon as the personal data processed in the context of research is subject to complete anonymization, the rules applicable to data protection no longer apply.
However, actors will have to be particularly vigilant when setting up such an anonymization process, in particular in order to avoid the pitfall of its requalification as a mere pseudonymization process, with the full application of data protection regulations. This was the case, for example, in the above-mentioned 2024 decision against the company Cegedim Santé, which was sanctioned by the CNIL to the tune of 800,000 euros.
At present, the criteria for evaluating an anonymization process are set out in G29 (Article 29 Working Party) opinion no. 05/2014. These criteria must be the subject of a documented analysis by the actors and of prior tests of the anonymization process used.
The rules for creating data warehouses, especially at the European level, and for health research are subject to change. Regulation (EU) 2025/327 on the European Health Data Space (EHDS), whose provisions come into force between 2027 and 2035, will in particular make it possible to set up a single framework for the establishment of European data warehouses.
Finally, the draft European Omnibus regulation, which aims to simplify certain existing regulations including the RGPD, may also change the framework applicable to the processing of health data carried out for research purposes.
These developments should be closely monitored by actors in the health sector as well as by their advisers.