French Data Protection Authority - New Guidelines on health and medico-social data
The French Data Protection Authority, the CNIL, has published a reference framework relating to the processing of personal data implemented in the context of the reception, accommodation and social and medico-social support of the elderly, people with disabilities and those with special needs.
The CNIL has recently published its Reference Guide to facilitate the processing of personal data for health establishments. These Guidelines are not binding but help to ensure compliance with GDPR-rules for actors in the sector. As we have several clients operating in this field, in France and abroad, this subject is important to us. We therefore thought it might be useful to create a short summary of the key points of the CNIL's latest guidance in this area which we share with you in this article!
Clear and justified purpose
Firstly, the processing of personal data must always serve a specific purpose and be justified.
In this case, the obligations of health professionals, organisations or health services are no different from those of any other data controller under the GDPR.
For processing operations relating to care, accommodation and social and medico-social support, various processing operations may be implemented. According to Article 6 of the GDPR, a controller must invoke a legal basis to justify the processing of personal data. This is nothing new and is a basic obligation for all players in the GDPR arena, especially in this sensitive sector.
Here, we summarise the various processing operations and the legal basis(s) recommended by the CNIL for the processing of personal data in the context of these actions by private organisations in the health, care, elder-accommodation and social and medico-social support sectors.
Valid purpose and applicable legal basis
In particular, various personal data processing operations may take place in this sector. We therefore set out the CNIL’s latest guidance in respect of these activities, as well as the basis which can be relied upon. Therefore, processing of personal data may take place:
to provide the services defined in the framework of a contract concluded between the organisation and the person concerned or his/her legal representative and, where applicable, to ensure the management of the administrative file of the person concerned -> Legal basis: performance of the contract or legitimate interests where the processing carried out exceeds what is necessary for the contract
to investigate, manage and, where appropriate, open entitlements and/or pay legal and optional social benefits -> Legal basis: for optional benefits: legitimate interests
to offer social and medico-social support adapted to the difficulties encountered, with the particular aim of drawing up a personalised support project with regard to the person's lifestyle, particular requests, particular needs, physical and psychological autonomy and to ensure any monitoring or follow-ups, and to provide the person with the necessary support and to ensure that he/she receives it, including to ensure the monitoring and after-care of individuals in accessing and exercising their rights, in particular in respect of any assistance regarding the steps to be taken and, if necessary, to direct such individuals towards the competent structures likely to take care of them -> Legal basis: legitimate interests
to exchange and share information that is strictly necessary in order to guarantee the coordination and continuity of support and monitoring of individuals between social, medical and paramedical workers -> Legal basis: legitimate interests
to ensure the administrative (number of places available, capacity of the establishment, etc.), financial and accounting management of the establishment, service or organisation -> Legal basis: legal obligation
to ensure the forwarding of previously anonymised information to the competent authorities concerning serious malfunctions or events that threaten or compromise the health, safety or well-being of the persons in care, to draw up statistics, internal studies and satisfaction surveys for the purpose of evaluating the quality of activities and services and the needs to be covered -> Legal basis: legal obligation or legitimate interests.
When selecting a legal basis for processing personal data, it is important to consider the nature of the personal data to be processed (is it ordinary data, or data deemed 'sensitive' under Article 9 of the GDPR), and also what the processing is - how is it carried out, what is the purpose, and are innovative tools used or are you using third parties? This will help you to better understand the risks and therefore select the appropriate basis.
While the CNIL list above is useful, it does not exempt data controllers from carrying out their own analysis of the legal basis to be applied to processing.
Principle of data minimisation
In addition, the CNIL guidance reminds us that the data controller should only collect the personal data that it really needs, and only from the moment that this need becomes a reality. This is indeed the case for any data controller - indeed, data protection legislation tells us that we should only collect what is strictly necessary for our processing purposes - regardless of the sector in which we operate. Given that in the social/social-medical sector, the data subjects are often very vulnerable and the data and information can be invasive, this requirement is even more important.
The CNIL considers that relevant data in this instance would include information related to:
the identification of beneficiaries of social and medico-social support and, where applicable, their legal representatives
personal life; and
the professional and training pathway in the context of helping people to find work;
material living conditions
social security coverage;
bank details, insofar as this information is necessary for the payment of a benefit;
the social and medico-social assessment of the person concerned
the type of support and actions implemented;
the identification of the persons involved in the social and medico-social care and the family and friends who may be contacted; and
the identification of individuals in the context of digital support.
Caution: sensitive data
However, certain categories of data are subject to specific protection because of their extremely sensitive nature. This is the case for :
national insurance numbers which should only be exchanged with health professionals or social security organisations
data relating to offences, criminal convictions and related security measures, which may only be processed in certain cases in compliance with any additional or national legal provisions relating to criminal offence data
so-called "sensitive data", i.e. data revealing a person's ethnic or allegedly racial origin, political opinions, religious or philosophical beliefs or trade union membership, genetic data, biometric data, data concerning health or data concerning a person's sex life or sexual orientation. This data may not be collected, unless the law provides for exceptions to do so.
There are two options for collecting so-called "sensitive" data:
Either you are operating on the basis of a specific exception provided for by the GDPR and other applicable law, where sensitive data is: (A) collected for the purposes of administering care, treatment, medical diagnosis, preventive medicine or the management of health services (processed by a health professional); or; (B) collected to deliver a social benefit intended for persons in a situation of loss of autonomy or disability provided for by a legislative or regulatory provision; or
Free, specific and informed consent has been obtained from the data subject.
Furthermore, personal data may only be made accessible to persons authorised to have access to such data in the light of their responsibilities. The CNIL identifies several possibilities:
Individuals accessing the data on behalf of the data controller: this will only be individuals or entities who are authorised to do so by virtue of their duties or functions and within the limits of these duties/functions
The recipients of the data (i.e. the organisations receiving the data)
Subcontractors (processors): care must be taken to ensure that only organisations with sufficient guarantees are used
Other specifically authorised third parties.
Data retention
In principle, it is recommended that the data collected and processed for the purposes of care, accommodation and social and medico-social support of individuals should not be kept in the establishment’s active database for more than two years from the last contact made by the person who was the subject of this support.
The CNIL provides a table (p.17 and 18 of the Reference Manual) which makes it possible to determine the duration of data retention according to the processing activity.
Security and confidentiality
Because of the risk presented by the processing in this sector, the organisation collecting the data must take all necessary measures to preserve the security of personal data.
Conclusion
Of course, the field of social and medico-social care for the elderly, people with disabilities and those in difficulty can be difficult for many reasons - budget, time constraints, various regulatory obligations in addition to those imposed by data protection laws. In this sector, trust is essential, so it is important that all personal data (whether administrative or even sensitive) is handled fairly, transparently and securely. Many players in this sector are pleased with the latest CNIL publication on this subject. As a note - it is worth stating that this CNIL guidance is of course applicable to France - but may be useful to any organisation processing personal data in this field. It is of course important to seek any localized legal advice depending on the jurisdiction in which you operate.
Finally, if you have any questions about the collection or processing of personal data, please do not hesitate to contact us by clicking here!
Article by Inès Papaix @ Gerrish Legal, June 2021 (translated from the original French version)