Diagnostics: Data and Processing

Note: the suggested results correspond to the answers you checked. They provide an initial insight, but they are no substitute for the personalised, in-depth analysis that a legal or regulatory expert can provide.

Do you process these data?

What is considered to be data processing?

The processing of personal health data is carefully regulated in order to secure access to these data and to guarantee their confidentiality and the rights of patients.
Your obligations concern in particular:

  • the hosting of the data
  • the information and the consent of the patient

As a reminder:

Data processing is: "any operation or set of operations which may or may not be performed using automated processes and which are applied to personal data or sets of personal data, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction." (source: GDPR)

Personal data processing is not necessarily computerised: paper files are also concerned and must be protected under the same conditions.

As soon as your company collects, stores, files or analyses personal data, it is "processing" these data within the meaning of the GDPR.


Regulations:

Articles 4 and 9 of the GDPR (Regulation No. 2016/679, known as the General Data Protection Regulation).
Article 4 of the Law No. 78-17 of 6 January 1978, known as the French Data Protection Act.

Practical guide

If you don't know how to answer: the keys for choosing

Example:

Service / product involving processing: you design a pedometer activity tracker measuring the frequency and speed of the user's walking, where the user has input his/her name, weight, age, tobacco consumption, and the presence of asthma and allergies so that the service/product can establish recommendations on sports activities for the user.

Service / product not involving processing: you design an informative tool on a theme (sports activity) without the possibility for the user to input information (no account is opened, no data is input).

Note on storage and hosting

Your service / product records data that it stores on a server: this is data processing because the simple collection and storage of data constitutes processing.

As a reminder, the hosting of health data is regulated:

  • All persons who host personal health data collected for the purposes of prevention, diagnosis, healthcare or social care and medical-social care, on behalf of the natural or legal persons who produced or gathered those data, or on behalf of the patients themselves, must perform this hosting under strict conditions.
  • The hosting, regardless of the medium, whether on paper or in digital form, is performed only after the person under care has been duly informed and unless there is a legitimate objection.


Regulations:

Items 45 et seq. and Article 9 of the GDPR (Regulation No. 2016/679, known as the General Data Protection Regulation).
Articles 64 et seq. of the Law No. 78-17 of 6 January 1978, known as the French Data Protection Act, as amended, in particular, by Decree No. 2019-536 of 29 May 2019.
Article L. 1111-8 of the French Public Health Code.

Useful links:

ANS:
https://esante.gouv.fr/labels-certifications/hds/liste-des-herbergeurs-agrees
https://esante.gouv.fr/securite/messageries-de-sante-mssante

CNIL:
https://www.cnil.fr/fr/la-plateforme-des-donnees-de-sante-health-data-hub
https://www.cnil.fr/fr/telemedecine-comment-proteger-les-donnees-des-patients
https://www.cnil.fr/fr/definition/traitement-de-donnees-personnelles
https://www.cnil.fr/fr/quelles-formalites-pour-les-traitements-de-donnees-de-sante-caractere-personnel