- Change Management,
- Data Strategy,
– 12 Sep, 2018
New Rules for Clinical Trials in France
A look at the new rules applicable for clinical trials in France
Opinion Piece by Paul Gillingwater, MBA, CISM, CISSP
In July 2018, the CNIL (the French data protection authority) adopted new simplified rules that relate to the processing of personal data in health research, and in particular with clinical trials.
There are five new reference methodologies which are intended to simplify the legal framework for the processing of health data (they are numbered MR-001 through MR-006, excluding MR-002).
MR-001 “Health Research with Consent Collection”
For clinical trials specifically, MR-001 “Health Research with Consent Collection” would usually be applicable.
Any trial that doesn’t conform to one of the five reference methodologies must apply for authorization of its research directly with the CNIL.
Under the new regime, if you are assessed under the new simplified approach, you are obliged to appoint a DPO for each clinical trial.
Previously, the appointment of a DPO had to meet the standard “core activities consist of large-scale processing of special categories of data.”
The key difference here is that clinical trials (which obviously deal with the processing of special categories of data) do not have to be “large scale processing” in order to trigger the appointment of a DPO.
The distinction is made due to the frequent examination of genetical factors in such trials. It also applies to so-called “intervention” trials, and the use of drugs and other medications.
Updates to MR-002
MR-002 may follow suit soon.
The CNIL indicated that it intends to update MR-002 regarding non-interventional studies on in vitro diagnostic medical devices by the end of 2018 to oblige the data controller to appoint a Data Protection Officer (DPO) and inform the data subject when collecting personal data in order to comply with the GDPR.
As far as we are aware, France is the first of the E.U. nations which has made a DPO necessary under these situations.
However it seems likely that other states may follow their example, meaning it would be prudent for all sponsors of clinical trials to consider the appointment of a DPO, regardless of the number of participants.
Please click here for the full CNIL article.
Chaucer offers advisory services on GDPR, as well as DPO and GDPR Representative services. Please contact us on DataPrivacy@Chaucer.com or 0203 934 1099.
Paul Gillingwater MBA, CISSP, CISM, RHCE
Paul Gillingwater GDPR, ISO27001, PCI/DSS, GRC, DPA18
Paul is a Managing Principal Consultant and registered DPO at Chaucer who has worked for more than 30 years as a cyber security and risk specialist and advisor to businesses, government and non-profits with their governance, regulatory and compliance requirements. Over the past five years he has focused on UK & EU data protection and is a passionate advocate of online privacy rights education.