FAQ: the "health vigilance systems" Standard

This standard is intended for manufacturers, companies, and organisations responsible for marketing a medicine, device or product that process personal health data for the purpose of managing health vigilance systems.

What are the steps to take with the CNIL?

• The processing meets all the requirements set by the standard: in this case, the manufacturer, the company, the organisation responsible for placing the medicine, the device or the product on the market, sends a declaration of compliance to the CNIL; on this basis, it is authorised to implement the processing;
• The processing does not meet the requirements set by the standard: in this case, the controller must apply for an authorisation.

No, the processing operations implemented by these professionals and institutions constitute "processing operations necessary for the purposes of preventive medicine, medical diagnoses, the administration of care or the management of health services" (article 65 1° of the French Data Protection Act), for which no prior formality is required since the application of the GDPR. However, these processing operations must still comply with the principles set out in the GDPR.

This standard covers the vigilance systems mentioned by the ministerial Order of 27 February 2017 establishing the list of categories of adverse sanitary events for which reporting or notification can be made through the adverse sanitary event reporting portal:

• Psychoactive substance’s vigilance;
• biovigilance;
• cosmetic product’s vigilance;
• haemovigilance;
• medical device’s vigilance;
• pharmacovigilance;
• veterinary pharmacovigilance ;
• in vitro diagnostic medical device’s vigilance;
• vigilance of chemical substances and biocidal products;
• food vigilance;
• vigilance exercised over software and devices for non-medical purposes used in medical biology laboratories for medical biology examinations;
• vigilance of tattoo products;
• vigilance in relation to medically assisted reproduction and phytopharmacovigilance.

The former notification of compliance with AU-013 remains valid as long as the processing is not modified.

In the event of a substantial change in the processing operation (e.g. as regards the data processed, the storage period), the controller must make a new notification of compliance with the "health vigilance systems" standard, provided that the processing operation meets its requirements.

Please note that the scope covered by the new "health vigilance systems" standard is not identical to that of the former single authorisation AU-013.

The standard refers to compliance with a legal obligation. Indeed, various legal obligations enshrined in the French Public Health Code require the management of adverse sanitary events and involve the processing of personal data.

In view of the sensitivity of such data, manufacturers, companies, organisations responsible for placing a medicine, device or product on the market may collect it as controllers only if they comply with the following cumulative conditions:

• a document presenting the characteristics of the medicine, device or product validated by the competent authority (e.g. summary of product characteristics for medicines, summary of medical device characteristics, etc.) shall state the reason why the ethnic origin of persons may have an impact on its efficiency or safety ;
• this document is based on scientific work.

If these conditions are not met, the CNIL will assess if it is appropriate to collect such data when considering an application for authorisation. The file must then include any information that might justify the collection of such data.

The controller may keep the data only for as long as is necessary for the purposes for which they are collected (Article 5(1)(e) of the GDPR).

In the absence of a legal or regulatory duration, the maximum retention period authorised by the CNIL in the standard is seventy years from the date of withdrawal of the medicine, product or device from the market. At the end of this period, the data must be deleted or archived in an anonymized form. For more information on anonymization techniques, you can consult the WP29 opinion.

If the data controller wishes to keep the data beyond this retention period, he will have to make a specific request for authorisation and provide an adequate justification for it.

The information of the data subject shall be provided by the person who notified the adverse sanitary event (e.g. the healthcare professional). It should consist in the written information supplied to him by the  controller when he notified.

The controller should be able to prove at all times that the information to the data subjects has been provided, and it is up to the controller to obtain proof of this from the notifying party.

The use of an approved or certified health data hosting service is imposed by the standard when the data are stored and processed by an external service provider.

By way of exception, if the controller is not established in France, it must demonstrate that the service provider has equivalent security guarantees.

Due to its nature, scope and the large-scale processing of health data, the processing of sanitary alerts is subject to the obligation to carry out an impact assessment prior to the implementation of the processing operation.

The NIR cannot be used to identify persons exposed to an adverse sanitary event.

Identifying information (age, date or year of birth, gender, weight, height) or an identification number (alphanumeric code, alphabetical identification code as provided for in the existing forms) may however be used.

The standard does not authorise the collection of genetic data.

If the data controller wishes to collect this type of data as part of its health vigilance processing, it must apply for a specific authorisation to the CNIL and provide a justification for it.

Indirectly identifying data of persons exposed to or notifying an adverse sanitary event may be transferred outside the European Union provided that the recipients of the data are those referred to in the standard and that the transfer is strictly necessary for the implementation of the vigilance system.

In addition, one of the following conditions must be met:

• the transfer is conducted to a country or an international organisation recognised by the European Commission as providing an adequate level of protection in accordance with Article 45 of the GDPR (adequacy decision);
• the transfer is subject to appropriate safeguards, listed in Article 46(2) of the GDPR (in particular: standard contractual clauses approved by the European Commission, binding corporate rules, code of conduct, certification mechanism);
• in the absence of an adequacy decision or appropriate safeguards, the transfer may be based on one of the exceptions provided for in Article 49 of the GDPR where such a transfer is not repetitive, massive or structured.

Finally, the controller must have previously informed the data subjects of the transfer of their personal data to third countries, of the existence or absence of an adequacy or guarantee decision and of the means to obtain a copy of it in accordance with Article 13(1)(f) of the GDPR.