00:00:00
Voice-over: "100 days to success". It's the podcast of G_NIUS, the Guichet national de l'innovation et des usages en e-santé around Lionel Reichardt, find the innovators of e-health and the essential experts to help you succeed in your projects.

00:00:20
Lionel Reichardt: Hello everyone! You're listening to "100 days to success", the podcast aimed at innovators and entrepreneurs in digital healthcare, but also at anyone curious about this field. This podcast is produced by G_NIUS, the Guichet national de l'innovation et des usages en e-santé. In this episode, we'll be talking about compliance when dealing with health data. To do so, we welcome Adel Mebarki, co-founder and CEO of Kap Code, an e-health startup and board member of the Health Data Institute. We're also joined by Manon de Fallois, a legal expert in the health department of the CNIL's compliance division: the Commission nationale de l'informatique et des libertés.

00:01:05
Lionel Reichardt: Adel Mebarki Hello and thank you for agreeing to share your experience with us. First of all, could you tell us a little about your training and background?

00:01:13
Adel Mebarki: My background. I'll try to go quickly. I have a double degree from a business school and an engineering school specializing in industrial management. I started my career in telecommunications. I worked in marketing, in telecommunications and a little over eight years ago now, I joined the CRO Kappa Santé, which enabled me to develop a number of subjects around data processing, which we'll talk about in more detail in this podcast, and which enabled us in particular to co-found the startup Kap Code, which specializes in medical analysis of data from social networks.

00:01:50
Lionel Reichardt: What are the ambitions and major missions of your startup Kap Code?

00:01:54
Adel Mebarki: The aim of Kap Code is to summarize and render the patient experience expressed on social networks. The aim, in fact, is to analyze the various messages posted on social networks to give visibility to the reality of patient care. This is what we call real-life data. This real-life data will be used to gain insight into the quality of life, care pathways, unmet medical needs or simply difficulties in accessing care of patients expressed spontaneously on social networks.

00:02:30
Lionel Reichardt: So you specialize in analyzing data from social networks. Is this real-life data health data? And how do you deal with it?

00:02:38
Adel Mebarki: In fact, it might be remotely imagined that a tweet, for example, mentioning a therapeutic area, might only be a tweet that we would potentially consider not to be health data. However, in reality, when we take a closer look at the subjects and the various patient exchanges, we soon realize that we are necessarily dealing with health data, because we can identify the illness from which the patient is suffering, the therapeutic treatment he or she is going to use, and today we consider all the data we are going to analyze to be health data. We assume that, beyond the raw message or the raw data, we will inevitably, as part of our analyses, identify or seek to identify decisive health issues around the patient. And this allows us to qualify this type of data as health data.

00:03:34
Lionel Reichardt: How do you define health data?

00:03:36
Adel Mebarki: I won't take the liberty of giving you the definition according to theoretical definitions, but today at the Kap Code center we consider that everything that is directly appealing from a clinical point of view or from an indirect point of view around data, which we consider to be health data, i.e. data that will provide information on pathology, on physical activity, on the emotional or psychological impact on patients' daily lives, is considered to be health data. We'll consider all this data as referring, in a direct or indirect way, to a health condition that allows us to qualify this data as being health data.

00:04:17
Lionel Reichardt: What type of data do you analyze? How do you process it?

00:04:22
Adel Mebarki: In terms of data access, the typology of data we're going to analyze. We're going to extract all the data, all the messages relating to a pathology of interest, a therapy of interest or whatever. So we're going to recover both the raw message, i.e. the text shared by the user, and the metadata, i.e. everything to do with location, pseudonyms and so on. In fact, according to our definition of health data processing, we'll consider that we'll need approved health hosting, and we'll apply what we call Privacy by Design. Overall, all this data is anonymized before being stored in the detected database. So, typically, this type of challenge, this type of information system structure is due to the fact that we share our information system with the other company in the group from which we originate, called Kappa Santé, which is a CRO, a Contract Research Organisation, a company that conducts observational pharmacoepidemiological studies. And so, we oblige ourselves to have the same level of rigor in terms of IT security that we can have in observational studies.

00:05:39
Lionel Reichardt: Your level of requirement is close to that of clinical research. But how do you ensure that you process this data in compliance with the various regulations in force?

00:05:47
Adel Mebarki: An important point is that we're going to be in a slightly different overlap of regulations. We're going to have both the Health Data Protection Regulation and the General Personal Data Protection Regulation. All in all, with each study, each project, each extraction, we're bound to have to call into question the traceability of processing, its purpose and regulatory compliance. Overall, this is a process that we consider to be iterative, and with each new use case, with each extraction, we're bound to ask ourselves the question: can we or can't we? And if we can, what regulatory framework do we fall into? Typically, to give you a concrete example, we're going to have subjects where we're going to analyze a moment in time, a subject on social networks. Take, for example, the mental health of students, but we can also have projects where we're going to follow these same students over time, in order to have a prospective or retrospective assessment of their mental health, and so, in each use case, in one case, we'll have a typology of data. In the second, we'll be collecting more data to be able to monitor patients over time. And so, we're always going to have to ask ourselves: what regulations are we complying with? And if we're not, what areas of improvement can we bring to our project?

00:07:12
Lionel Reichardt: You mentioned the notion of Privacy By Design. How does this translate for a startup that deals with healthcare data?

00:07:20
Adel Mebarki: We see Privacy by design as a method of structuring data extraction and processing with the aim of protecting personal data as much as possible. If I take the example of our social network analyses, by definition we're going to retrieve personal data. What we're going to do is to anonymize as much information as possible that isn't important for data processing, such as name, age and gender. However, we are interested, for example, in the notion of location. This is personal data in itself, but we're not going to apply Privacy by Design. If we take a concrete example of what we do today at the Kap Code center, it's that right from the extraction stage, if the purpose requires this personal data, we'll select the types of data we're going to anonymize before storing them in the database. If we take the example of a pseudonym or a name, we will never have the individual identity of the person. By definition, we're going to transform it into what we call an ID, a patient ID, which will enable us to have an identifier that allows us to trace the message back to the user without having any personal data about the user.

00:08:35
Lionel Reichardt: You regularly have to work with CNIL regulations and guidelines. How can a project manager keep up to date with the latest regulations?

00:08:45
Adel Mebarki: I'd say it's a mix of the two, meaning that we'll be keeping a constant watch on the regulatory framework. We're dealing with subjects where the processing of health data is becoming increasingly wide-ranging, and incorporating more and more new types of data, which means that regulators, and I'm thinking of the CNIL in particular, are going to have strategic reflections and recommendations that will evolve over time, with regard to practices and the integration of new data. We'll inevitably be keeping a close watch, both on the CNIL website, in the various white papers and other documents produced by CNIL teams, and in the Webinars in which the CNIL participates to give its regulatory vision, initially. On certain subjects, we will also have specific support from the CNIL. If I may give a concrete example, we had a research project aimed at predicting the onset of major depressive events via social network analysis. We had to use a tool developed by the CNIL, which enables us to carry out privacy impact assessments. We received additional support from CNIL teams to test this tool, and provide feedback as a user to try and take into account the regulations with the tools developed by CNIL itself to help the various players comply. So, overall, I'd say that today, any entrepreneur can keep a watchful eye and rely on the constantly evolving reference frameworks made available by the CNIL, but also on extremely specific subjects where you don't necessarily have the answers to all my questions, don't hesitate to turn to the CNIL teams, who are today very much in demand for support and answers to very specific questions from project developers.

00:10:36
Lionel Reichardt: To conclude, what advice would you give to a digital health innovator looking to process healthcare data?

00:10:42
Adel Mebarki: I'd say I have two big pieces of advice I could give. First, don't see the regulator as a coercive authority. In other words, today, it's mainly the CNIL's extensive work and the support it offers. Today, the CNIL has no direct vocation to be in a position of coercion. Its aim is to bring as many project developers into compliance as possible, so don't hesitate to approach the authorities and regulators to gain expert knowledge of the field and see how regulations will apply to our subject. And the second element that seems very important to me is to be able to talk to all the stakeholders in your project. There's an issue that's becoming increasingly important for entrepreneurs in France, and that's the fact that we tend to want to hold on to our ideas for fear of being copied. However, we realize that the more we talk to different players in data processing, legal players and technical players, the more we'll be able to understand the technical feasibility and regulatory feasibility, but also the need we're addressing with the innovation we're trying to develop. So, on the whole, working with the regulator and, above all, trying to exchange as much as possible around data typologies: What is the access to data? Can we do it? Is it feasible? What needs are being met? All these discussions will only help to mature the quality of the project and thus optimize the ability to put ideas and different entrepreneurs into operation.

00:12:20
Lionel Reichardt: Adel Mebarki Thank you for your testimonial.

00:12:27
Lionel Reichardt: Are you wondering how to comply with our health treatment? Elements of an answer with Manon de Fallois, legal expert in the health department of the Compliance Department of the CNIL, the French Data Protection Authority.

00:12:40
Lionel Reichardt: Manon de Fallois , hello and thank you for accepting our invitation. First of all, could you tell us about your training and career path?

00:12:48
Manon de Fallois: Thank you. I took a general degree in private law, then specialized in health law and personal data law. Three years ago, I joined the Health Department of the CNIL, the French Data Protection Authority. This department is made up of seven legal experts, a legal assistant and a department manager. It is responsible for assisting players in the health sector, whether public or private organizations, healthcare establishments or health professionals. It is organized into two divisions: Medical Research and Non-Research. And so, I'm attached to this first pole.

00:13:24
Lionel Reichardt: Can you remind us what the CNIL's main missions are?

00:13:27
Manon de Fallois: The CNIL was created by the French Data Protection Act of January 6, 1978. It is the French regulator of personal data. It has four main missions. Its first mission is to inform and protect rights. In this context, it fulfills an information role. For example, it responds to requests from individuals and professionals, and carries out communication campaigns. It also receives and handles complaints from individuals, particularly when they encounter difficulties in exercising their rights. CNIL's second mission is to support compliance and advise organizations. To this end, it will support public and private organizations in implementing their personal data protection compliance, in accordance with the support charter it published last February. This support is multi-faceted. In particular, it involves the publication of thematic Fact sheets on our website. I'm thinking in particular of the practical RGPD awareness guides for SMEs, the Guide to personal data security. It also publishes templates, such as a model information note or a model register of processing activities. Last but not least, it puts pedagogical tools on line, such as Outil PIA, an open-source software tool for carrying out data protection impact assessments. It also responds to requests for advice. And to make the link between two of the CNIL's missions. I wanted to bring you up to date on a little news. Last February, the CNIL published a call for projects on its website to enable innovative projects in the field of digital health to benefit from enhanced support as part of its personal data sandbox, and the list of winners of this call for projects has just been published on the commission's website. The CNIL's third mission is to anticipate and innovate. To this end, it sets up a watch to detect and analyze technologies or new uses that could have a major impact on privacy. In this context, it advises organizations in a logic of Privacy by design and finally, the CNIL can carry out controls or require an organization to regularize its processing or pronounce sanctions against it if it finds breaches during controls.

00:15:42
Lionel Reichardt: How do you interact with the CNIL health department when you're a digital project developer?

00:15:48
Manon de Fallois: let's face it, regulations in the healthcare sector aren't necessarily easy. And so, to make these regulations a little more accessible, we have published thematic Fact sheets on our website to help professionals comply and determine, where applicable, whether they need to complete a formality when implementing health data processing. This is the first point. We have published thematic Fact sheets on our website. And once you've defined your project, if you have more specific questions, you can contact us at the Health Department's twice-weekly legal hotline. You can also send us a written request for advice or meet us when, of course, the health crisis has ended during external interventions, notably at conferences or during RGPD awareness-raising actions.

00:16:38
Lionel Reichardt: What questions should a digital project owner dealing with data ask? What steps must be taken to comply with regulations?

00:16:46
Manon de Fallois: First of all, we shouldn't take fright and we shouldn't conceive of RGPD compliance as a brake on innovation or as yet another regulatory straitjacket. On the contrary, compliance will represent an indicator of good governance and a competitive advantage for your organization. It will enhance your organization's reputation and help build user confidence. The first point to bear in mind is that privacy protection will have to be integrated into the development of your tool right from the design stage. This is known as the Privacy by Design principle. So, if you want to develop an innovative healthcare solution, you need to ask yourself the right questions at the right time. First question: are you going to process personal data for the purposes of your project? So, of course, to answer this question, you need to have a clear understanding of the main concepts that apply to the protection of personal data. What is processing? A processing operation is any operation or set of operations involving personal data, regardless of the process used: collection, recording, communication, extraction, etc. What is a processing operation? Next, what is personal data? Personal data is information relating to a natural person who can be identified directly or indirectly. For example, first and last names, postal or e-mail addresses. And finally, if your project is in the field of health, it may also be interesting to take an interest in the notion of health data. Health data is defined by the RGPD as personal data that relates to the physical or mental health, past present or future of a natural person that will reveal information about the person's state of health. So, to help you determine whether you are collecting health data, you can refer to a page that is available on our website on the notion of health data. It's important to remember that health data is sensitive data, in the same way as genetic data or data relating to sex life or sexual orientation. As such, they are subject to special regulations. In principle, their processing is prohibited. There are exceptions, however, which allow health data to be processed, such as when explicit consent has been obtained from the individuals concerned. If it turns out that you are indeed processing personal data, don't panic. But you do need to ask yourself the right questions. Firstly, why do you want to carry out this processing? What is the purpose of this processing? Is this purpose precise and legitimate? Do you have the right to process this data? Do you have a legal basis for this processing? Here, you can refer to a Fact sheet available on our website to help you determine the legal basis for your processing. In addition, are the data you plan to process relevant and strictly necessary for the purpose you are pursuing? What is your role? Do you determine the purpose of the processing and the way in which the data is processed? In which case, you are the data controller. Or do you process data on the instructions and on behalf of a controller, in which case you are a processor? You also need to ask yourself how you are going to process the data. Is your processing fair and transparent? Have you properly informed the data subjects? Can they properly exercise their rights? Is the data accurate? And if not, can they be updated? Have you set a retention period that is proportionate to the purpose? And finally, have you taken care to implement technical and organizational measures to preserve the integrity and confidentiality of the data processed? As I said earlier, health data is particularly sensitive, so you need to put in place both IT and physical security measures, adapted to the sensitivity of the data and the risks to the people concerned. You should also consider whether you need to carry out a data protection impact analysis. This is an analysis produced by the data controller for certain processing operations, the aim of which is to assess the risks and take measures in line with these risks, in order to set up processing operations that respect the privacy of data subjects. You should therefore be aware that an impact analysis is mandatory when the processing operation is likely to give rise to high risks. To help you determine whether you need to carry out an impact analysis, you should know that at European level, criteria have been drawn up to help data controllers. For example, if you are processing sensitive data, such as the health data of vulnerable individuals like patients, and you are also using new technologies, it is highly likely that your processing will require an impact analysis. Finally, the last question you need to ask yourself is whether you need to complete a formality with the CNIL. So, you need to know that the RGPD, the General Data Protection Regulation has induced a greater sense of responsibility in organizations and the consequence of this greater sense of responsibility in organizations is the lightening of formalities for virtually all processing given of a personal nature, with the exception of healthcare. And so, to help you determine whether you need to complete a formality with the CNIL. We have published a Fact sheet on this subject on our website. It's important to know that all data processing for purposes of public interest is subject to formalities. So, for example, health data warehouses for which the express consent of individuals is not required, or all processing carried out for health research purposes. So, in short, you need to put measures in place to ensure that your project is compliant, and you need to be able to demonstrate this compliance at any time by tracing all the steps you've taken. This is the principle of accounting. In practice, this dynamic compliance will be based on tools such as the register of processing activities, the impact analysis and, where mandatory, on an actor. Thus, the data protection officer, who is the orchestra conductor for compliance within the organization.

00:23:03
Lionel Reichardt: When data processing involves the human person, are there additional questions to ask, additional rules to follow?

00:23:10
Manon de Fallois: So, effectively, when it comes to research, we're going to distinguish two categories of research, so research involving the human person and research not involving the human person. Thus, research involving the human person is governed by the provisions of the French Public Health Code, which requires that a favorable opinion be obtained from a personal protection committee before any formalities are carried out with the CNIL.

00:23:34
Lionel Reichardt: Here again, practical fact sheets are available on the CNIL website to ensure proper compliance of data processing and indeed also on the G_NIUS website. To conclude, what advice would you give to a project owner who would like to process health data in full compliance?

00:23:49
Manon de Fallois: As I said earlier, you have to ask yourself the right questions at the right time, as far upstream as possible. You need to know how to surround yourself internally. So, if you've appointed a data protection officer, you need to be able to rely on him or her. And you can also count on the CNIL to support you once you've defined your project. You also need to document your compliance as you go along, and complete the CNIL formality if necessary.

00:24:16
Lionel Reichardt: Manon de Fallois Thank you for all this information.

00:24:24
Lionel Reichardt: Our episode is coming to an end. Thank you for listening. We thank our two guests for their availability. Don't hesitate to subscribe to the podcast on your listening platforms. We look forward to seeing you very soon for a new episode of "100 Days To Success".

00:24:42
Voice-over: Those who are making the e-health of today and tomorrow are on the G_NIUS podcast and all the solutions to succeed are on gnius.esante.gouv.fr