
Deliberation No. 2015-175 of June 11, 2015, on the single authorisation of processing of personal data for the purpose of the organised screening of breast cancer and colorectal cancer implemented by the structures of gest...

Original Language Title: Délibération n° 2015-175 du 11 juin 2015 portant autorisation unique de traitements de données à caractère personnel ayant pour finalité le dépistage organisé du cancer du sein et du cancer colorectal mis en œuvre par les structures de gest...





JORF No. 0149 of June 30, 2015
Text No. 100



Deliberation No. 2015-175 of 11 June 2015 on the single authorisation of processing of personal data for the purpose of the organised screening of breast and colorectal cancer implemented by the contracted management structures (AU-043)

NOR: CNIL1515253X ELI: Not available


The National Commission for Information Technology and Freedoms (CNIL),
Having regard to Council of Europe Convention No. 108 for the protection of persons with regard to the automatic processing of personal data;
Having regard to Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and the free movement of such data;
Having regard to the Public Health Code, in particular Articles L. 1411-6, L. 1411-7 and L. 6211-1;
Having regard to the Social Security Code, in particular Articles L. 321-1 (6°), L. 322-3 (16°), R. 115-1 and R. 115-2;
Having regard to Law No. 78-17 of January 6, 1978, as amended, relating to computers, files and freedoms, in particular Articles 8-IV, 25-I (1°) and 25-II;
Having regard to Order No. 2005-1309 of October 20, 2005, as amended, implementing Act No. 78-17 of January 6, 1978 relating to computers, files and freedoms;
Having regard to Decree No. 2015-390 of 3 April 2015 authorising the processing of personal data by the bodies managing the compulsory basic health insurance schemes for the performance of their tasks of affiliation, registration, examination of entitlement to benefits and coverage of care, products and services;
Having regard to the decree of 29 September 2006 on cancer screening programmes;
Having regard to the decree of 23 September 2014 introducing the immunological test in the colorectal cancer screening programme;
After hearing Mr Alexandre LINDEN, Commissioner, in his report and Mr Jean-Alexandre SILVY, Government Commissioner, in his observations,
Makes the following observations:
The national programmes for organised screening of breast cancer and colorectal cancer are part of the Government's Cancer Plan to reduce mortality and the burden of late treatment. In accordance with the amended Decree of 29 September 2006 on cancer screening programmes, organised screening programmes for breast cancer and colorectal cancer are implemented by departmental or inter-departmental management structures that have signed an agreement with the State representatives and the health insurance in their region.
With regard to the organised screening of colorectal cancer, the medical laboratory reading centres defined by the aforementioned order implement an electronic platform dedicated to sharing results between the various actors involved in screening, which involves personal data relating to the health of persons.
Such processing, carried out for a public health purpose, falls under Article 25-I (1°) of the Act of 6 January 1978, as amended, and, as such, must be authorised by the CNIL.
Pursuant to Article 25-II of the Act of 6 January 1978, as amended, the Commission may authorise by a single decision a category of processing operations that serve the same purposes, relate to identical categories of data and have the same recipients or categories of recipients.
The processing of personal data, automated or otherwise, implemented by the management structures under contract for the purpose of carrying out their tasks within the framework of the organised screening for colorectal cancer and breast cancer can, under certain conditions, fall under this definition.
Contracted management structures that submit to the Commission a declaration including a commitment of compliance, for processing of personal data that meets the conditions laid down in this single decision, are authorised to implement it.
Any processing of personal data that exceeds this framework or fails to comply with the requirements laid down in this single authorisation must, on the other hand, be the subject of a specific authorisation request.

Article 1

Scope.
Only processing operations, automated or non-automated, implemented by the management structures contractually appointed by the State representatives in their region may be the subject of a commitment of compliance with reference to this decision.
In accordance with the amended Order of 29 September 2006, the management structures, placed under the medical responsibility of a doctor coordinating the programme, ensure the local organisation of organised screening of breast and colorectal cancer at the level of one or more departments.

Article 2

Purposes of processing.
Automated or non-automated processing of personal data whose purpose is to implement the organised screening programmes for breast cancer and colorectal cancer may be the subject of a commitment of compliance with this single authorisation.
This processing includes:

- the creation and management, by the management structures, of the files of the data subjects, from the data transmitted by the participating health insurance funds, for the purpose of inviting them to the screening operations according to the eligibility criteria of persons;
- the monitoring of these persons in the context of organised screening programmes, including the transmission of the results of the screening tests;
- the management of contacts with attending physicians, specialists and reading laboratories.

Article 3

Nature of the data processed.
The Commission recalls that, in accordance with Article 6 (3°) of the Computers and Freedoms Act, the data must be relevant, adequate and not excessive in relation to the purposes of the processing.
For the purposes described in Article 2, the following categories of personal data may be processed:

- data relating to the identification of data subjects as transmitted by participating health insurance funds, namely: name at birth and name in use, if applicable, given name(s), gender, date of birth, address, telephone contact information;
- data relating to the identification of health professionals involved in the programme, namely: name, first name(s), RPPS number and mailing address;
- data relating to the health of the data subjects, namely, exhaustively:
  - the identifier or invitation number of the person, generated by the management structure from the files transmitted by the health insurance funds;
  - the previous examinations and medical history strictly necessary to determine the level of risk and to define the eligibility of persons with regard to cancer screening programmes;
  - where applicable, if the persons concerned accept it, their reason(s) for refusing to participate in the screening operations;
  - test results and reports, and imaging images;
  - the dates on which the results are sent to the doctor and the data subject;
  - information on the actual medical care provided, to verify entry into a health care pathway where the test was positive.

As regards the registration number in the national directory of identification of natural persons (NIR), this authorisation covers its use only in the context of the reimbursement made by the compulsory health insurance to health professionals pursuant to Articles R. 115-1 and R. 115-2 of the Social Security Code.

Article 4

Data retention period.
Data on the care of the persons concerned are kept by the management structures until the end of the follow-up, as decided by the person or by his or her doctor. These retention periods must comply with the applicable laws and regulations.
At the end of this period, the data are deleted or archived in an anonymous form.
Data retention and archiving must be carried out in accordance with the provisions of Article 34 of the Law of 6 January 1978, as amended.

Article 5

Data recipients.
Within the limits of their respective powers and for the purposes set out above, only the following persons may be entitled to access the data:
For data relating only to the persons in their care:

- the health care professionals who have prescribed or performed the screening act;
- the physician coordinating the management structure;
- the attending physician or the physician designated by the person as the recipient of the results of the screening test.

In addition, the data relating to such persons may be sent to the authorised personnel of:

- the medical biology laboratory reading centre;
- health insurance organizations, for only the data necessary for the reimbursement of care, under conditions that comply with Article 3 of Decree No. 2015-390 of 3 April 2015;
- medical specialists who have carried out additional tests following a positive test.

Article 6


Information and right of access of data subjects.
The controller shall inform the persons concerned of the implementation of a processing of personal data for the purpose of conducting organised screening for breast cancer or colorectal cancer.
This information is provided as follows:

- the management structure invites, by mail, the person eligible for the screening programme to consult their attending physician or an authorised health care professional. The reply letter attached to this letter contains an information note drawn up in accordance with Article 32-I of the Law of 6 January 1978, as amended, which recalls in particular the rights of access, rectification and opposition recognised by Articles 38 to 40 of the Act. This note specifies the department with which these rights may be exercised;
- the attending physician or health professional who conducts the screening examination orally informs the persons concerned in accordance with Article 32-I of the Law of 6 January 1978, as amended, and specifies the procedures for exercising the aforementioned rights of access, rectification and opposition;
- this information is also posted on the premises of the participating health care professionals.

Health professionals in the screening programme:

- the management structures inform them of the processing of their personal data in accordance with Article 32-I of the Computers and Freedoms Act;
- if an electronic platform is used for communication, health professionals are informed when they connect to this platform, in accordance with the terms and conditions laid down in Article 32-I of the Computers and Freedoms Act.

Article 7

Data security and action traceability.
In accordance with Article 34 of the Computers and Freedoms Act of 1978, as amended, the controller takes all necessary precautions to preserve the security and confidentiality of the data processed, in particular to prevent them from being distorted, damaged or accessed by unauthorised third parties.
The controller defines a security policy tailored to the risks posed by the processing operations and to the size of the body concerned. This policy should describe:

- the security objectives and the physical, logical and organisational security measures to achieve them;
- data access authorisations, based on the needs of the users of the information system, in particular measures to restrict access to the identity of health professionals involved in the programme, the methods of access to the processing, including identification and authentication measures; the mechanisms for controlling identifications and authorisations and the procedures for tracing access to medical information, as well as connection history;
- security measures to be implemented for data transmission.

If the electronic format is used, through an electronic platform for the collection, exchange and availability of results:

- people need to create a personal account to view the results. Their email address can be collected in order to send an email containing a link to activate the account and to verify that the email address entered is valid;
- access control to the professionals' accounts must be operated in accordance with the provisions of Article L. 1110-4 of the Public Health Code, which imposes strong authentication of these professionals through use of a health professional card (CPS) or an equivalent device approved by the body responsible for issuing the CPS, for any transmission of or access to health data;
- the transmission of health information must take place under conditions consistent with Deliberation No. 2014-239 of 12 June 2014 on the single authorisation for the implementation, by health professionals and institutions and by professionals in the medico-social sector authorised by law, of processing of personal data for the purpose of the electronic exchange of health data through a secure messaging system.

In the case of transmission by fax, the following security measures must be in place:

- the fax must be located in a physically controlled space that is accessible only to authorised staff;
- the printing of messages must be subject to the entry of a personal access code;
- when sending messages, the fax must display the identity of the receiving fax in order to be sure of the identity of the recipient;
- the fax address book must pre-record, to the extent possible, the potential recipients.

In case of the use of an external service provider for the implementation of the processing, the contract should include:

- a limitation of the use of data to the purpose provided for in this authorisation;
- a confidentiality clause;
- a framework for the destruction or return of all manual or computerised personal data media at the end of the service;
- that the hosting of the data, the methods of access to them and their methods of transmission comply with Article L. 1111-8 of the Public Health Code.


This deliberation will be published in the Official Journal of the French Republic.


The President,

I. Falque-Pierrotin

