Reference methodologies (MR) in healthcare: which ones to choose and how to use them?

Healthcare Reference Methodologies (MR): Master CNIL rules and secure your processing operations. Learn about the seven MRs and their conditions of use.

By Laurent Chollat-Namy

The health reference methodologies (MR) defined by the CNIL provide a simplified framework for processing personal health data for research purposes.

They allow project leaders to work in a legally secure environment without having to obtain prior authorization every time.

Designed for projects of public interest, MRs cover various situations, such as studies without consent, observational research, database matching, and data reuse.

Nevertheless, it is necessary to identify the appropriate methodology, comply with its conditions, and implement the measures provided by the GDPR.

This guide offers a clear, practical overview of MR001–MR007 and provides advice on integrating them into an effective governance strategy.

Find out how Adequacy can support your efforts.

Key points:

  • Reference methodologies (MR) provide a framework for processing certain types of health data without prior authorization from the CNIL
  • Seven separate MRs cover cases such as research without consent, data integration, reuse, and non-interventional studies
  • A declaration of compliance is mandatory if the project meets all the conditions of an MR
  • The DPO plays a central role in validating, documenting, and monitoring MR processing
  • Integrating MRs into data governance streamlines projects and strengthens GDPR compliance

Understanding health Reference Methodologies (MR)

MRs are a legal and operational tool established by the CNIL to regulate the processing of personal data for research purposes in the field of health. They allow data controllers to dispense with individual authorization requests, provided they comply with a strict predefined framework.

MRs are based on Article 66 of the French Data Protection Act, amended in line with the GDPR. They aim to secure projects while facilitating access to data for purposes of public interest.

Objectives and Scope of MRs

MRs serve a dual purpose:

  • To secure the processing of personal health data without explicit consent and ensure compliance with the GDPR
  • To reduce the administrative burden on data controllers by providing a pre-approved framework

MRs are based on a philosophy of trust, transparency, and efficiency for those involved in health research, including hospitals, regional hospital groups, university hospitals, institutes, researchers, and data protection officers (DPOs).

Who are reference methodologies intended for?

They are intended for public or private data controllers who wish to process health data for the following purposes:

  • Conducting non-interventional research
  • Conducting research without systematic consent collection
  • Reusing data from healthcare or other research
  • Conducting feasibility studies or preliminary analyses
  • Producing public health indicators

These organizations must carry out tasks in the public interest (legal basis: Article 6(1)(e) of the GDPR).

MR and GDPR: a close relationship

The GDPR strictly regulates the processing of sensitive health data. Article 9 of the GDPR establishes the principle of prohibiting processing, with certain exceptions, including:

  • Explicit consent (Article 9(2)(a))
  • Public interest in public health (Article 9(2)(i))
  • Scientific research (Article 9(2)(j))

MRs rely particularly on the last two exceptions, which specify the conditions that must be met to ensure the adequate protection of individuals' rights.

Benefits for data controllers

Registering for an MR allows you to:

  • Save time: The declaration replaces the authorization request
  • Operate within a stable, clear framework validated by the CNIL
  • Anticipate GDPR compliance from the project design stage
  • Reassure stakeholders (e.g., patients, users, and guardians)

Please note that an MR only applies if all conditions are met. Otherwise, a specific authorization request is still required.

Did you know?

A reference methodology is not a mere formality. It holds the data controller responsible for demonstrating compliance at all times.

Details of reference methodologies MR001 to MR007

These methodologies, defined by the CNIL, provide a framework for various types of health-related research data processing. Each MR corresponds to a specific type of project. Below is an overview of MRs 1 to 7, including their fields of application, requirements, and specific features.

Columns: MR | Consent required? | Type of data used | Examples / main purpose | Key points / requirements

MR001 – Research without consent in medico-administrative databases
Consent required? No
Type of data: Pseudonymised medico-administrative databases (SNDS, PMSI)
Purpose: Scientific studies that cannot be conducted with consent
Key points: No matching with identifying data, traceability of access

MR002 – Research with database matching
Consent required? No
Type of data: Data from several sources (hospital data + SNDS, etc.)
Purpose: Multi-source research, record matching
Key points: Separation of identifiers and data, integrity checks, DPO involvement

MR003 – Non-interventional research with consent
Consent required? Yes (written or electronic)
Type of data: Data from care or collected specifically for the study
Purpose: Observational studies, follow-up in community medicine
Key points: Clear information, protocol + ethics committee

MR004 – Interventional research without risk or constraint
Consent required? Yes
Type of data: Data collected through light interventions
Purpose: Questionnaire testing, simple physiological measurements
Key points: CPP opinion, justification of the non-constraining nature

MR005 – Feasibility studies / pre-screening
Consent required? No
Type of data: Pseudonymised data (limited access)
Purpose: Assessing feasibility before a research project
Key points: Limited duration, no secondary reuse without a new declaration

MR006 – Reuse of collected data
Consent required? No (if the purpose is compatible)
Type of data: Data already collected for care or research
Purpose: Reuse via data warehouses
Key points: Governance committee, compliance with the compatibility requirement of Article 5(1)(b) GDPR

MR007 – Public health studies on existing databases
Consent required? No (institutional sponsorship)
Type of data: Existing data (SNDS, registries, etc.)
Purpose: Epidemiology, monitoring of territorial indicators
Key points: Public sponsorship mandatory, public-interest purpose

How to comply with Reference Methodologies (MR)?

Compliance with a reference methodology is not based solely on a simple declaration to the CNIL. Rather, it requires implementing a set of legal, organizational, and technical measures aimed at ensuring a high level of compliance with the GDPR and the French Data Protection Act.

Below are the key steps and tools for achieving compliance in the context of an MR project.

Step 1: Determine the project's eligibility for MR

First, determine if the project falls within the scope of a reference methodology. This involves:

  • Knowing the types of MR available (see the previous section)
  • Analyzing the purpose of the processing and the data used
  • Identifying the legal bases used (public interest mission, consent, etc.)
  • Ensuring that all MR conditions are strictly complied with

Please note that if even one condition is not met (e.g., unplanned matching or retaining identifying data without justification), the project must be subject to a specific authorization request to the CNIL.

Step 2: Submit a declaration of compliance

Once eligibility has been confirmed, the data controller can submit a declaration of compliance online via the CNIL's teleservice. Useful link: Declare a File — CNIL

Information to be provided:

  • Identity of the data controller
  • Reference of the methodology concerned (e.g., MR004)
  • Summary description of the processing
  • Compliance commitment

This declaration is mandatory: processing can only benefit from an MR if it has been previously declared.

Step 3: Document in the processing register

In accordance with Article 30 of the GDPR, the processing must be documented in the organization's GDPR register.

This register must contain the following:

  • The legal basis used (Article 6 and, where applicable, Article 9 of the GDPR)
  • The categories of data and data subjects
  • Retention periods
  • The security measures
  • Whether or not an MR is used

The DPO must be able to produce this register at any time in the event of an inspection by the CNIL.

Step 4: Conduct a Data Protection Impact Assessment (DPIA)

Depending on the level of risk involved in the processing, a DPIA (Data Protection Impact Assessment) may be required.

A DPIA is mandatory if:

  • The data is sensitive (e.g., genetic or biometric)
  • The volume or scope of the processing is significant
  • The processing involves automated decision-making or behavioral monitoring

Expected content:

  • Description of the processing
  • Assessment of necessity and proportionality
  • Analysis of risks to rights and freedoms
  • Measures planned to reduce the identified risks

A reference methodology never exempts a Data Protection Impact Assessment (DPIA) if the project requires one.

Step 5: Involve the DPO and implement internal procedures

The DPO (Data Protection Officer) plays an advisory and supervisory role in MR-based projects. Their tasks include:

  • Analyzing the project before declaration
  • Checking documentation
  • Assisting with drafting the DPIA
  • Monitoring compliance commitments over time

It is advisable to formalize a standard internal procedure for MR projects with a checklist and validation process.

Box – Declaration or authorization?

Project situation | Procedure to follow
Project 100% compliant with an MR | Declaration of compliance
Project partially compliant (one criterion missing) | CNIL authorization request
Project outside the scope of MRs (RIPH clinical research) | Specific regulatory procedure
Project based solely on explicit consent | No MR; GDPR compliance still required

Ethical issues, transparency, and communication with individuals

Implementing a reference methodology in healthcare requires sustained attention to the rights of those affected. The GDPR imposes strict requirements regarding information, processing fairness, and ethical safeguards. These requirements are not merely formal; they determine the social legitimacy of research and public trust.

Informing the individuals concerned is an essential obligation

Even when consent is not required, the obligation to inform individuals remains a cornerstone of the GDPR. In particular, Articles 13 and 14 require that individuals be informed of:

  • The existence of data processing
  • The purposes pursued
  • The legal bases used
  • Their rights (access, objection, rectification, etc.)
  • Retention period
  • DPO contact details

The information must be:

  • Clear, understandable, and accessible
  • Proportionate to the collection context (consultation, hospitalization, etc.)
  • Suitable for the target audience (e.g., users, patients, and vulnerable persons)

In practice, this information may be disseminated via display, hand-delivered notice, dedicated webpage, or communication through patient portals.

In the case of data from previous care

When the data comes from previous processing (e.g., data warehouses or medical records) and individuals are not contacted directly, Article 14 of the GDPR applies. It provides exceptions to individual notification, particularly when:

  • It is impossible, or it would require a disproportionate amount of effort
  • It would seriously compromise the objectives of the processing
  • The individuals already have the information

In these cases, the information must be made public by appropriate means, such as posters in establishments, websites, or institutional communications.

Regulating Secondary Reuse

The reference methodologies provide specific safeguards for the reuse of data within a secondary project or by a third party. Thus:

  • Projects must be validated by a scientific or ethics committee
  • Data may only be used for the initially intended purpose, unless a new declaration or authorization is provided
  • Data recipients must be identified, authorized, and limited to what is strictly necessary

Using the data for commercial, promotional, or insurance pricing purposes is prohibited.

The role of scientific and ethics committees

Any processing carried out within the framework of an MR, particularly that involving sensitive data or reuse, must be reviewed by an ethics committee. This committee:

  • Analyzes the ethical risks of the project
  • Verifies compliance with the intended purposes
  • Approves or rejects requests for access to data

Recommended composition:

  • Physicians and researchers
  • Medical and social professionals
  • Independent individuals
  • User representatives

This body acts as a safeguard against abuses and promotes transparency with patients and civil society.

Best practices for enhanced transparency

  • Provide a standardized information notice
  • Create a dedicated page on the website
  • Include a user representative on committees
  • Regularly publish approved projects

Integrate reference methodologies (MR) into health data governance

Beyond formal compliance with regulatory requirements, healthcare institutions and project leaders have every reason to integrate MRs into an overall data governance strategy. This integration secures processing, streamlines internal processes, and strengthens the consistency of compliance procedures.

MRs should be at the heart of internal processing policies

MRs should be viewed as organizational tools, not additional constraints. They provide a ready-to-use operational framework that can be integrated into:

  • Research project launch procedures
  • Internal data protection charters or policies
  • Governance documents (master plans, internal HIS regulations, etc.)
  • Quality control mechanisms (certifications and accreditations)

For example, an institution may require verification of a project's eligibility for an MR in an internal validation process as a condition for project approval.

Harmonization with Hospital Information Systems (HIS)

Integrating MRs into an HIS involves several concrete actions:

  • Integration of project sheet templates or compliance forms directly into the electronic health record (EHR) or research management software
  • Implementing traceability logs for accessing data warehouses
  • Strict separation of environments containing identifying and pseudonymized data
  • Automation of purging, anonymization, or archiving processes according to the timeframes defined in the MRs

These actions strengthen control over processing and facilitate audits.
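Three of the actions listed above (separating identifying data from the pseudonymised research environment, keeping an access trail for the research store, and purging on a defined retention period) can be sketched in a few dozen lines. The example below is added here for illustration and is not code from the original article or from any CNIL or HIS tooling; the store layout, the field names, the keyed-hash pseudonymisation, the sample patient record and the 365-day retention period are all assumptions made for this demonstration and are not taken from any MR.

```python
"""Added example (not from the original article): a minimal model of three HIS
controls: (1) identifiers kept in a vault separate from the pseudonymised
research data, (2) an access trail for every read of the research store,
(3) purging driven by a retention period. Layout, field names, sample data and
the 365-day retention are assumptions made for this illustration."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class AccessEvent:
    """One line of the access trail: who read which pseudonym, for which project."""
    when: date
    who: str
    project: str
    pseudonym: str


class IdentityVault:
    """Holds the only copy of identifying data and the pseudonymisation key.
    Nothing stored here is exposed to the research environment."""

    def __init__(self, key: bytes):
        self._key = key
        self._identities: dict[str, dict] = {}

    def pseudonymise(self, subject_id: str) -> str:
        # Keyed hash (HMAC-SHA256): without the vault key a pseudonym can be
        # neither reversed nor recomputed from the original identifier.
        return hmac.new(self._key, subject_id.encode(), hashlib.sha256).hexdigest()

    def register(self, identity: dict) -> str:
        pseudonym = self.pseudonymise(identity["subject_id"])
        self._identities[pseudonym] = identity
        return pseudonym


class ResearchStore:
    """Pseudonymised environment: no identifying fields accepted, every read logged."""

    FORBIDDEN_FIELDS = {"name", "subject_id", "address", "date_of_birth"}

    def __init__(self, retention: timedelta):
        self.retention = retention
        self._records: dict[str, dict] = {}
        self.access_trail: list[AccessEvent] = []

    def ingest(self, pseudonym: str, clinical: dict, collected: date) -> None:
        # Refuse any attempt to bring identifying fields across the boundary.
        leaked = self.FORBIDDEN_FIELDS.intersection(clinical)
        if leaked:
            raise ValueError(f"identifying fields refused: {sorted(leaked)}")
        self._records[pseudonym] = {"collected": collected, **clinical}

    def read(self, pseudonym: str, who: str, project: str, today: date) -> dict:
        # The trail entry is written before the data is handed out.
        self.access_trail.append(AccessEvent(today, who, project, pseudonym))
        return self._records[pseudonym]

    def purge_expired(self, today: date) -> list[str]:
        """Delete records older than the retention period; return what was purged."""
        expired = [p for p, r in self._records.items()
                   if r["collected"] + self.retention < today]
        for p in expired:
            del self._records[p]
        return expired

    def __contains__(self, pseudonym: str) -> bool:
        return pseudonym in self._records


def run_demo() -> dict:
    """Walk one constructed (fictitious) record through the pipeline and
    return the facts a compliance check would want to verify."""
    vault = IdentityVault(secrets.token_bytes(32))       # key never leaves the vault
    store = ResearchStore(retention=timedelta(days=365))  # assumed retention period
    pseudo = vault.register({"subject_id": "PATIENT-0001", "name": "A. Example"})
    store.ingest(pseudo, {"diagnosis": "I10", "age_band": "40-49"}, date(2024, 1, 15))
    try:  # a record carrying a name must be refused at the boundary
        store.ingest("other", {"name": "leak", "diagnosis": "E11"}, date(2024, 2, 1))
        refused = False
    except ValueError:
        refused = True
    record = store.read(pseudo, who="analyst01", project="demo-project", today=date(2024, 6, 1))
    purged_early = store.purge_expired(date(2024, 6, 1))   # inside retention: nothing
    purged_late = store.purge_expired(date(2025, 6, 1))    # past retention: purged
    return {
        "pseudonym_is_not_id": pseudo != "PATIENT-0001",
        "identifier_refused": refused,
        "record_has_no_name": "name" not in record,
        "trail_entries": len(store.access_trail),
        "purged_early": purged_early,
        "purged_late": purged_late,
        "still_present": pseudo in store,
    }


if __name__ == "__main__":
    print(run_demo())
```

The point of the split is that re-identification needs both the vault's key and the vault's identity table, neither of which the research environment can read; the access trail gives the DPO the traceability an audit asks for, and the purge routine makes the retention period something the system enforces rather than something a project leader has to remember.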

Structure project governance around MRs

Effective governance relies on cross-functional stakeholder involvement. Internal governance committees can play a pivotal role in MR compliance.

  • A steering committee can establish compliance guidelines
  • An ethics and scientific committee can evaluate the eligibility of projects based on the intended MR
  • The DPO should participate in validation and monitoring

Tip: Involving a representative from the legal or medical affairs department in this process can streamline risk management.

Automate and equip compliance

Some organizations have implemented digital tools dedicated to automating the MR processing lifecycle.

  • Pre-filled processing log generators
  • MR project tracking dashboards (status, deadlines, managers, etc.)
  • Automatic reminders for data review or purging
  • Pseudonymized data export modules based on validated models

These features improve traceability and limit human error.

Conduct ongoing audits and monitor compliance

Good governance also requires a periodic evaluation system. This may include:

  • Internal audits focused on MR processing
  • Verification of procedures for informing data subjects
  • Evaluation of the relevance of data stored in warehouses
  • Annual reports shared with the DPO and management

These audits must be based on compliance indicators, such as:

  • Ratio of declared vs. undeclared MR projects
  • Average time for ethical validation
  • Percentage of projects with an associated DPIA
  • Compliance with retention periods

Best practices to remember

  • Centralize MR management within a dedicated unit
  • Train project leaders in MR principles
  • Deploy practical guides or quick reference sheets
  • Integrate MR into GDPR training modules

FAQ: Reference Methodologies and CNIL obligations

  • Are patients always required to be informed in the context of MR?

Yes. Even without consent, individuals must be informed of the processing in accordance with the GDPR (Articles 13 and 14).

  • Can MR be used for a clinical research project?

No, because research involving human subjects (RIPH) is governed by a different regulatory regime and requires specific authorization.

  • How do you know if a project is eligible for MR?

Check if the project corresponds to the purposes, legal bases, and conditions specified in one of the reference methodologies published by the CNIL.

  • Can a private organization submit an MR project?

Yes, as long as the organization performs a public interest mission and complies with all the conditions set out in the applicable methodology.

  • Does an MR replace a DPIA?

No. If the processing presents a high risk, an impact assessment is still required, even if the project is within the scope of a reference methodology.
