Processing of personal health data

Identify the formalities required for the processing of personal health data.

To get off to a good start

Reference should be made to the General Data Protection Regulation (GDPR), which defines personal health data as all data relating to a person's health that reveals information about their past, present, or future physical or mental health.

When processing (collecting, storing, etc.) such data, regardless of the method used, it is essential to comply with the applicable regulations.

For certain types of health data processing, the law provides for a system of formalities that must be completed prior to processing.

In practice

Consult the CNIL's fact sheet on the formalities for processing personal health data.

When?

From the design of your digital service

Our experts on the subject

  • Hélène GUIMIOT – Head of Health Services
  • If you have any questions, you can contact the CNIL Health Department hotline on Monday mornings from 9:30 a.m. to 12 p.m. or submit a written request for advice on the CNIL website.

G_NIUS saves you time

Tools to help you with your project.

Navigating technical doctrine

The technical doctrine outlines the actions of the ministerial roadmap for digital transformation.

Access the compass of doctrine

Processing of personal health data

Health data is personal data that is considered valuable and sensitive. It is subject to regulations that must be taken into account when designing your digital service or in the context of your research work if you collect, store, or otherwise process this data.

In terms of legislation, you can refer in particular to: the General Data Protection Regulation (GDPR) at European level, and the Data Protection Act, the Public Health Code, and the Social Security Code at French level. 

The GDPR, which came into force in May 2018, is a European regulation that aims to strengthen and harmonize the protection of individuals' personal data within the European Union. It applies to all organizations processing personal data that are located within the EU, and to organizations outside the EU that target individuals present within the EU.
To protect users' rights and the confidentiality of the patient-caregiver relationship, the regulatory framework for digital health is specific: the GDPR's rules for sensitive data apply, meaning the General Data Protection Regulation as applied to the health sector.

Health data is data relating to a person's state of health, which is why its processing is strictly regulated.
The concept of health data comprises three categories of data:
- data that is health data by nature, i.e., past facts concerning the health of the patient or a member of their family, such as illnesses or treatments undertaken, etc.;
- data which, when cross-referenced with other data, becomes health data because it leads to a plausible conclusion about a person's state of health or health risk: cross-referencing weight measurements with other data (number of steps, calorie intake, etc.), cross-referencing blood pressure with exercise measurements, etc.;
- data that becomes health data due to its intended use, i.e., its use for medical purposes.

The GDPR aims to strengthen individuals' rights and make stakeholders more accountable. When processing data, data controllers must therefore be able to demonstrate compliance with the requirements of the GDPR at all times by justifying all steps taken or in progress. 

The protection of health data is based on a principle of prohibition of processing, accompanied by exceptions. Article 9 of the GDPR states that the processing of health data is prohibited unless specifically authorized. The list of exceptions allowing the processing of sensitive data is set out in Article 9(2) of the GDPR.

The European Data Protection Board (EDPB) aims to ensure the consistent application of the GDPR across the organizations of European Union member countries. It publishes opinions and guidelines that continue the work of developing a common doctrine among data protection authorities. Organizations must be able to demonstrate their compliance with the requirements of the GDPR at all times to ensure the protection of individuals' rights. The French Data Protection Act implements the GDPR into French law, applying the margin of discretion left to member states.

The Public Health Code and the Social Security Code deal with issues specific to these sectors. Article L. 1110-4 of the Public Health Code specifies the categories of professionals who may be involved in the processing of personal health data. 

How can G_NIUS help me understand the regulatory requirements related to the processing of health data? 

G_NIUS saves you time by directing you to the relevant stakeholders and applicable laws and regulations, and by providing you with tools to help you identify the formalities required for the processing of health data or the secondary use of health data.

The CNIL (Commission Nationale de l'Informatique et des Libertés) is a key player in this area, given its mission to protect personal data and support innovation. The CNIL plays a crucial role in preserving individual freedom.
G_NIUS invites you to consult the CNIL fact sheet to understand what formalities apply if you process personal health data. 
The section on the CNIL provides information on the need to set up a processing register, conduct impact assessments, ensure that patients and users are properly informed, formalize the roles and responsibilities of the data controller, provide information on the measures taken to guarantee data security, etc. 

G_NIUS also invites you to consult the texts that apply to ensure compliance when processing data: the GDPR, the French Data Protection Act, the French Data Protection Decree, and various sector-specific regulations. 
Finally, G_NIUS provides you with three tools to save you time: the regulatory diagnosis to identify the regulations to which your solution is subject, the GDPR Sensitive Data fact sheet to decipher the regulations specific to this data, and episodes of its podcast 100 Days to Success related to health data processing and CNIL compliance issues.
The regulatory diagnosis tool offered by G_NIUS provides two types of diagnosis: a "purpose of my service" assessment, which identifies whether your service is subject to medical device (MD) regulations, and a "data and processing" assessment, which identifies whether your service is subject to regulatory issues related to health data processing.
To supplement these diagnostics, it is important to consult the specific regulations relating to your project, such as the Code of Ethics of the French National Medical Council (CNOM) and the Public Health Code (CSP). 

In addition, G_NIUS provides you with documentation related to your personal health data processing issues, such as the CNIL's MOOC on the General Data Protection Regulation. 
Beyond the aspects of health data processing, G_NIUS also provides a policy compass that outlines the actions of the ministerial roadmap for digital transformation, "Putting digital technology at the service of health," for the period 2023-2027. 

G_NIUS supports digital health project leaders in understanding the regulatory framework, identifying funding, and connecting with the ecosystem to accelerate innovation in France.
