The one who wants to re-use data and inform their patients

As holders of sensitive data on their patients, healthcare professionals must manage it with great caution. However, they must not fall into the opposite trap of locking up the data. A question then arises: how can data be used for medical research while being sure to respect privacy and GDPR?

The health data used in research are usually obtained from the records of patients managed in a hospital. More rarely, they are obtained through clinical trials in which individuals are invited to participate. In both cases, the data can potentially be re-used for other medical research.

Before using data extracted from patient records, it is important to ensure that the regulatory framework in force is respected. To do so, it is recommended to rely on MR-004, a French reference methodology created by the CNIL (the French data protection authority). This methodology provides a framework for the processing of personal data for the purposes of studies, evaluations or research not involving human subjects. Like the other reference methodologies (MR), it sets out a list of conditions that must be respected, in particular concerning responsibility for the processing, the purposes of the processing, the personal data concerned, the length of time the data is kept, the recipients of the data, the information given to patients, etc.

Why is it essential to take these precautions? Simply because any research using health data must be carried out in compliance with GDPR and local laws. The data may be pseudonymized, but it can still be linked back to individuals and is therefore still considered personal data (for more information on pseudonymization, you can read the article The one who wanted to escape the GDPR thanks to anonymization).

Complying with MR-004 requires a joint effort by the project manager, the DPO and possibly the hospital's IT department. Indeed, it is sometimes difficult to identify the contractual framework of the study, especially when a health data host is used (which then acts as a subcontractor, i.e. a data processor) or when the research is launched in partnership with a start-up (which is then, in most cases, a joint controller of the processing).

If the project meets all the conditions set out in MR-004, the project manager need only send the CNIL, once and on behalf of the hospital, a simple commitment to comply with the methodology; that single commitment then covers all projects that meet the MR. This is a considerable reduction in formalities.
Using the information items defined in MR-004, an information document specific to the research project concerned can be drawn up. It summarizes the data used and their retention period, the purpose of the study, its data controllers, etc.

From the moment the information has been sent to the patients concerned, it is necessary to wait 3 weeks. If after this period the patient has not opted out of the processing of his or her data, the research can begin. The patient remains in control of his or her data and can still choose to opt out at any time.

Do we need to ask for the patients' consent before starting the research? No, this is not necessary as long as the study is in the public interest and therefore fulfils a public interest mission.

The information leaflet must be readable, understandable, and accessible! In concrete terms, there are 4 ways to inform patients.

First, the hospital can simply publish it on its website. Few patients think to regularly consult the websites of their health care centers! The individuals whose data is processed may then discover the information document after the processing has taken place, or never learn about the study at all. The risk of loss of trust and of non-compliance is high.

Second, the information document can be sent by post (paper mail). This is costly, time-consuming and offers poor traceability. Moreover, patients who wish to object to the processing of their data have no choice but to respond by post (which requires effort) or by e-mail (which is not secure).

Third, the information document can be sent by e-mail. This method has several problems: it is not secure and does not allow good traceability, the opening rates are generally poor, and each response must be processed manually.

Are you beginning to wonder if the perfect solution exists? Don't despair! With Isalid, informing your patients in full compliance with GDPR becomes child's play (we are the only ones to really do it...). Your patients are invited to connect to our secure platform, on which they find the information notice and can opt out of the processing of their data in one click. Excellent traceability is ensured: on the one hand, you can know whether the contacted patients have opened their e-mail or SMS invitation to connect, and on the other hand, the patients' answers are secured and tamper-proof. Thanks to Isalid, you create a real environment of trust with your patients!

With Isalid, you have found the perfect ally to inform your patients safely and effectively!

Published on:
31 May 2022