The French data protection authority (CNIL) published three sets of guidelines on the processing of health data and on retention periods in the health sector in July 2020.
The first reference framework deals with the management of the main processing activities in medical and paramedical practices.
The other two reference frameworks provide guidelines on retention periods. The first one relates to data processed in the field of health — excluding research (e.g., patient record keeping, medical vigilance, etc.). The second one is specific to data processing implemented for the purposes of research, study and evaluation in the health field (e.g., intervention research, research on data already collected, etc.).
These reference frameworks, although not mandatory, serve as guidance and are often regarded as the applicable data protection standard to comply with. However, data controllers may depart from them, subject to adequate justification and compliance with the rules of the General Data Protection Regulation (GDPR).
1) Reference framework for management of processing activities in medical and paramedical practices
This reference framework is intended to help independent healthcare professionals ensure the compliance of the personal data processing commonly conducted in their practices. However, it is not intended to apply to processing activities conducted by healthcare services (such as health establishments, health centres, etc.), nor to those conducted by the medical services of public or private entities (occupational medicine, school medicine, etc.), by pharmacists, by medical biology analysis laboratories or by opticians.
This new set of guidelines is intended to replace the CNIL's simplified norm No. 50 which, despite no longer being in force since the GDPR became applicable, still served as guidance for the management of medical offices. Certain rules have been specified, in particular in relation to the relevant legal bases for these processing operations, as well as regarding data security.
It is available here in French.
2) Reference framework on retention periods in the field of health
Clinical research is explicitly excluded from the scope of this reference framework. It provides for various retention periods that stem either from applicable regulation (in which case they are mandatory) or from other guidelines issued by the CNIL. The retention periods provided mainly relate to personal data processed in the context of patient care, patient records, prescriptions, medical practice management, the activities of medical biology analysis laboratories, pharmaceutical files and medical vigilance. For instance, a biology analysis laboratory may retain patient records in an active database for five years from the date of the last intervention, whereas a period of three years is recommended for a pharmacy.
The framework is available here in French.
3) Reference framework on retention periods in the field of clinical research
Most retention periods described in this reference framework are those set out in the various methodologies of reference (MRs) published by the CNIL, which apply to the conduct of clinical trials and research (for instance MR-001, which notably applies to interventional research). This reference framework is therefore a useful compliance tool for data controllers, in particular clinical research sponsors, wishing to have a summary of the applicable retention periods. For instance, in the context of a clinical trial conducted in compliance with MR-001, patient data may be retained in an active database in the IT systems of the data controller, of the investigator site or of the professional involved in the research until the product studied is placed on the market or for up to two years from the last publication of the results of the study.
The framework also envisages the case where the study at stake does not comply with the relevant methodology of reference. In such a case, the data controller is generally responsible for determining the appropriate retention period in light of the processing purposes, bearing in mind the importance of the accountability principle under the GDPR.
The framework is available here in French.
Although not exhaustive, these last two data retention reference frameworks are a good basis for data controllers to manage and implement both the retention periods that are mandatory under applicable regulation (in particular the Public Health Code) and those recommended by the CNIL.
They were published shortly after a more general guide on the rules applicable to data retention, available here in French.