var _paq = window._paq = window._paq || []; /* tracker methods like "setCustomDimension" should be called before "trackPageView" */ _paq.push(['trackPageView']); _paq.push(['enableLinkTracking']); (function() { var u="https://rwrregs.matomo.cloud/"; _paq.push(['setTrackerUrl', u+'matomo.php']); _paq.push(['setSiteId', '1']); var d=document, g=d.createElement('script'), s=d.getElementsByTagName('script')[0]; g.async=true; g.data-privacy-src='//cdn.matomo.cloud/rwrregs.matomo.cloud/matomo.js'; s.parentNode.insertBefore(g,s); })();

Real World Evidence (RWE) 201 – France – CNIL Regulatory Sandbox: Digital Health

RWE 201 – France – CNIL Regulatory Sandbox: Digital Health

The French Data Protection Agency (CNIL) has been actively supporting digital health technology innovators through its regulatory “sandbox.” These projects range from federated learning across health data warehouses to building diagnostic tools in oncology, statistical indicators for medical research, and a therapeutic game for minors with eating disorders. The CNIL provides crucial guidance on overcoming regulatory challenges, including the nature of data, legal frameworks, and data security measures.

Benefits for RWD, RWE, and Digital Health Innovators:

  1. Navigating Regulatory Challenges: The CNIL’s sandbox provides a safe environment to test solutions and understand regulations. For RWD and RWE developers, this means an easier path to compliance with GDPR and other privacy laws.
  2. Interconnected Data Sources: For projects like Resilience in oncology, CNIL’s guidance enabled the interconnection of various data sources. This has implications for RWD, as it becomes easier to integrate data from disparate sources for more comprehensive Real-World Evidence.
  3. Data Security: With its focus on secure data processing, the sandbox offers a blueprint for ensuring the safety of health data, which is invaluable for digital health innovators dealing with sensitive patient information.
  4. AI and Machine Learning: Projects like the one carried out at Lille University Hospital utilized federated learning protocols, offering a roadmap for implementing machine learning algorithms in healthcare. This aids RWD and RWE applications where machine learning could provide new insights.
  5. Specialized Use-Cases: The Vertexica project focusing on minors with eating disorders shows how data protection can be maintained even in specialized healthcare solutions, thereby ensuring the ethical use of Real-World Data.
  6. Knowledge Sharing: The joint work and multiple exchanges with CNIL have generated lessons that could be useful for the broader health sector, facilitating faster and more secure innovation.
  7. ‘Privacy by Design’: The emphasis on integrating GDPR compliance from the design phase benefits all stakeholders by baking in data protection from the outset, which is a fundamental need in RWD and RWE applications.
  8. Stakeholder Collaboration: The sandbox projects involve multi-disciplinary teams, demonstrating a collaborative approach that could benefit digital health innovators, RWD and RWE developers in addressing complex regulatory and ethical issues.

In essence, the CNIL’s regulatory sandbox serves as an invaluable resource, not just as a testing ground but as a knowledge base for RWD, RWE, and digital health innovators. It provides practical insights into overcoming regulatory challenges and implementing secure, effective healthcare solutions.

Share this story...

Real World Evidence (RWE) 201 – France – CNIL Regulatory Sandbox: Digital Health2023-09-03T18:17:48+00:00

Real World Evidence (RWE) 201 – France – CNIL Reference Methodologies: Facilitating Access to Real World Data

RWE 201 – France – CNIL Reference Methodologies: Facilitating Access to Real World Data

 

The CNIL (Commission Nationale de l’Informatique et des Libertés) is the French data protection authority. CNIL has issued various “Reference Methodologies” (Méthodologies de Référence or MRs) which are guidelines/frameworks for compliance with data protection regulations in specific areas e.g., MR-001 (interventional research) and MR-003 (non-interventional research) which cover research involving direct interactions with people (RIPH), or MR-004 for research involving secondary use of existing personal healthcare data i.e., research not involving direct interaction with people (RNIPH).

By declaring conformity to the applicable reference methodology to the CNIL, research sponsors do not need to seek individual authorisation for each research project that involves non-anonymous data, making this an efficient and effective form of self-regulation.

Key features of MR-004 conformity include:

  1. Data Minimisation: Only collect the data that is strictly necessary for the research or healthcare activity.
  2. Purpose Limitation: Use the data only for the specified, explicit, and legitimate purposes for which it was collected.
  3. Consent: Access to and use (re-use) of existing patient health data is subject to informing the affected patients (patient information).
  4. Security: Guidelines for data storage, encryption, and access control, in line with GDPR requirements.
  5. Data Subject Rights: Details about how to facilitate data subjects’ rights like access, rectification, deletion, and data portability.
  6. Data Retention: Sets time limits on how long the data can be stored and provides guidance on secure deletion practices.
  7. Accountability and Governance: Stresses the importance of record-keeping, conducting impact assessments, and potentially appointing a Data Protection Officer (DPO).
  8. Data Sharing: Provides guidelines for sharing data with third parties, including cross-border data transfers.
  9. Legal Compliance: Ensures that the data processing activities are compliant with other relevant laws and ethical considerations.

By adhering to MR-004 or similar CNIL Reference Methodologies (as applicable), healthcare organizations and researchers can use real-world data while fulfilling their legal obligations and ethical responsibilities for data protection (GDPR). Note that these guidelines are subject to change, so it’s crucial to consult the most current version and seek legal advice for complex scenarios.

Share this story...

Real World Evidence (RWE) 201 – France – CNIL Reference Methodologies: Facilitating Access to Real World Data2023-09-03T18:11:56+00:00

Real World Evidence (RWE) 101 – Consent to Participate in Research vs Consent to Access and Process Sensitive Healthcare Data (GDPR)

RWE 101 – Consent to Participate in Research vs Consent to Access and Process Sensitive Healthcare Data (GDPR)

Consent to participate in research and consent to access and process sensitive healthcare data are two different but overlapping types of consent, each governed by distinct legal and ethical principles. In the context of Real-World Evidence (RWE) studies:

[1] Consent to Participate in Research: This is the informed consent given by individuals to participate in a research study. Informed consent is a process by which researchers provide potential and enrolled participants with information about the study (purpose, procedures, risks, benefits, alternatives), and the participants voluntarily agree to participate. This consent can be withdrawn at any time, at which point the individual’s participation in the study would end.

[2] Consent to Access and Process Sensitive Healthcare Data: This relates to the consent given by individuals to have their personal and sensitive health data accessed and used for specific purposes, such as research. This type of consent is governed in Europe by the General Data Protection Regulation (GDPR). Under the GDPR, the use of health data is considered a processing of special category data and requires explicit consent, which must be freely given, specific, informed, and unambiguous.

In a RWE study, both types of consent may be (are) needed. The first ensures that participants agree to be part of the study and understand what will happen during the study. The second ensures that participants agree to their data being used in the manner specified, and it provides protections around how their data can be stored, transferred, and otherwise processed.

One key difference between these two types of consent is that withdrawal of consent to participate in the research study generally means the individual will not be part of the study going forward, but it does not necessarily mean that the data collected up to that point cannot be used. In contrast, under the GDPR, if an individual withdraws their consent to data processing, not only does the data processing have to stop, but in many cases, the data collected up to that point cannot be used further and may need to be deleted.

Another difference is that, while there are legal and ethical requirements to obtain informed consent for research participation in most cases, there are certain circumstances under which health data can be processed for research purposes under the GDPR without obtaining explicit consent, such as if the processing is necessary for reasons of public interest in the area of public health, or if the data has been anonymized.

In both cases, the principles of transparency, respect for persons, and their autonomy are paramount. Proper management of both types of consent is crucial for ethical research and for maintaining trust with study participants.

Share this story...

Real World Evidence (RWE) 101 – Consent to Participate in Research vs Consent to Access and Process Sensitive Healthcare Data (GDPR)2023-08-07T17:41:42+00:00

Real World Evidence (RWE) 101 – EHDS and GDPR – How does GDPR support the secondary use of existing health data for the purposes of scientific research?

RWE 101 – EHDS and GDPR – How does GDPR support the secondary use of existing health data for the purposes of scientific research?

The GDPR (General Data Protection Regulation) includes provisions that support the secondary use of existing health data for scientific research purposes, while also protecting the privacy and data protection rights of individuals.

One of the key ways that the GDPR supports the secondary use of health data for research is through the concept of “legitimate interests”. Article 6(1)(f) of the GDPR allows for the processing of personal data if it is necessary for the legitimate interests of the data controller or a third party, provided that those interests do not override the fundamental rights and freedoms of the data subject. Scientific research can be considered a legitimate interest, provided that appropriate safeguards are in place to protect individuals’ rights and freedoms.

In addition, the GDPR includes provisions that specifically address the use of health data for scientific research. For example, Article 9(2)(j) allows for the processing of special categories of personal data, such as health data, for scientific research purposes, provided that appropriate safeguards are in place.

The GDPR also requires that data controllers implement appropriate technical and organizational measures to ensure the security and confidentiality of personal data, including health data. This includes requirements for data pseudonymization and encryption, as well as procedures for data breach notification.

Overall, the GDPR strikes a balance between protecting individuals’ privacy and data protection rights, and supporting the important public interest in scientific research. By providing a framework for the responsible and transparent use of health data for research purposes, the GDPR can help to facilitate the development of new treatments and interventions that can improve public health outcomes.

Share this story...

Real World Evidence (RWE) 101 – EHDS and GDPR – How does GDPR support the secondary use of existing health data for the purposes of scientific research?2023-08-07T23:09:58+00:00

Real World Evidence (RWE) 101 – The Impact of GDPR on RWE Research

RWE 101 – Real World Evidence (RWE) 101 – The Impact of GDPR on RWE Research

The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). Its implementation in May 2018 has had a significant impact on research, particularly in the context of real-world evidence (RWE).

RWE refers to data collected outside of the traditional clinical trial setting, such as electronic health records (EHRs), claims data, and patient-generated data. RWE is increasingly being used to support regulatory decisions and to inform clinical practice. However, the use of RWE must comply with GDPR, which has implications for the collection, processing, and use of personal data in research.

Under GDPR, personal data must be collected and processed lawfully, fairly, and transparently, and individuals have the right to be informed about how their data is being used. This means that researchers must obtain explicit and informed consent from individuals to use their personal data for research purposes. In addition, the data must be pseudonymized or anonymized to protect individuals’ privacy.

GDPR has also increased the administrative burden for researchers, who must ensure that their data management practices are compliant with GDPR. This includes developing and implementing policies and procedures for data protection, privacy, and security, as well as appointing a Data Protection Officer to oversee data management activities.

Overall, GDPR has had a positive impact on research by increasing transparency and protecting the privacy of individuals whose data is used in research. However, compliance with GDPR can be challenging, particularly in the context of RWE, where large volumes of data are collected from multiple sources. It is essential for researchers to work closely with data protection and privacy experts to ensure that their research practices are compliant with GDPR.

Share this story...

Real World Evidence (RWE) 101 – The Impact of GDPR on RWE Research2023-08-07T22:51:18+00:00
Go to Top