MR-003: The French guideline to conduct a non-interventional study in France

1 - What is MR-003?

MR-003 is a rule adopted by the French data protection authority ("CNIL") for the processing of personal data within the context of non-interventional studies. A non-interventional study within the French law is a study where patient consent is not required. This encompasses:

  • Study that do not involve any risk or constraint and where all acts are performed and products used in a habitual manner (Studies as defined by Article L.1121-1 2° and 3° of the Public Health Code.
  • Study aimed at evaluating routine care subject.
  • Clinical trials for which the person does not object to his or her participation (Article 30 of Clinical Trial Regulation), also known as cluster clinical trials.

MR-003 specifies how the GDPR applies to such studies conducted in France.

Generally, this MR-003 is applicable to studies which are not considered as a clinical trial under the MR-001.

2 - Procedure

The French Data Protection Law proposes a binary system:

Either the Sponsor is 100% compliant with the MR-003's requirements. It declares compliance to the CNIL, and the study can be initiated without further formalities.
Or the Sponsor is not 100% compliant with the MR-003's requirements. The Sponsor must then obtain PRIOR authorization to conduct the study.

The CNIL has a two-month period to respond from the date of the authorization request. In the absence of a response after this period, the authorization is considered tacit.

Therefore, compliance with MR-003 is a crucial step in the regulatory journey of a non-interventional study in France. A sponsor must, therefore, evaluate the compliance of its study with MR-003 in advance.

3 - Requirements related to data subjects

MR-003 distinguishes two categories of data subjects with their own requirements:
The patients/participants included in the study. This includes healthy volunteers.
The healthcare professionals involved in the study (PI, nurses, etc.).

3.1 - Requirements related to patients

Regarding the processing of patients' data, MR-003 specifies that:

1. Purposes

Personal data can only be processed for the purposes of the study (endpoint and objectives of the protocol). Thus, any data processing outside the scope of the protocol (meta-analyses, data reuse, ancillary studies not provided for in the protocol) is a separate data processing subject to another regulatory framework.

2. Categories of data

Only pseudonymized data may be integrated into the study databases. The patient's identity must be kept in a separate database under the control of the investigator site with restricted access (as provided by good clinical practices). MR-003 provides a broad list of data that can be collected. Except for the social security number, any health data can be collected if necessary for the achievement of the study's objectives.
Note: a specific de-identification process must be planned for photos, videos, and sound recordings.

3. Recipients of data

Patient's identity is accessible only by the healthcare professionals following the patient, the Clinical Research Associates ("CRAs"), the Data Protection Officer ("DPO") for data subjects' rights of the Sponsor, the authorities, and the Sponsor's civil liability insurance body.
Notably, MR-003 specifies the conditions of access to directly identifying data by the Sponsor's vendors (not investigational site). Such access is limited to specific cases (reimbursement, connection to an e-PRO/e-COA portal, IMP delivery to patient's home). This access is not possible if the service provider simultaneously has access to the patient's health data, or if the data available reveal a pathology or health status.

Pseudonymized data of the patient are accessible by the Sponsor, its service providers, the professionals involved in the research, the CRAs, the authorities, and independent experts of a scientific review committee in case of publication of results.
Especially for this last category, access must be limited to the sole purpose of re-analysis of the results and must be done through an interface provided by the Sponsor.

4. Information and rights of patients

Patients must be informed of the processing of their personal data according to the mandatory information provided by Article 13 of the GDPR.
Note: The CNIL refers to the Sponsor's legitimate interest as the recommended legal basis for data processing. However, the consent as a legal basis remains accepted.

Patients may exercise their GDPR rights at any time with the Sponsor's DPO, who is required to respond within a month from the request. An additional month's extension is possible.
Note: Patients may also exercise their right of access at any time with the principal investigator.

5. Data retention period

Data can be kept in the IT systems of the Sponsor, its service providers, and the investigator site until up to 2 years after the last publication or, in the absence of publication, the signing of the final report. After this period, the data is archived (restricted access) for the legal duration. For example, the CTR provides for an archiving duration of 25 years for data appearing in the TMF.

3.2 - Requirements related to Professionals involved in the research

1. Purposes

Personal data can only be processed to ensure the legal obligations of the Sponsor.

2. Categories of data

Any professional personal data (name, first name, professional address, diploma, etc.) can be collected.

3. Recipients of the data

The Sponsor, its service providers, the professionals involved in the research, the authorities can access professionals' data.

4. Information and rights of professionals involved in research

Professionals must be informed of the processing of their data by the Sponsor in accordance with article 13 of the GDPR.
Note: This is a common oversight in the MR-003. This information can be delivered via the CRO, by email, and/or through the study documentation like the ISF. Also, this information can be attached to the agreement between the investigator site and the Sponsor.

Professionals can exercise their rights at any time with the Sponsor's DPO.

5. Data retention period

Data of professionals cannot be kept beyond 15 years from the last research in which the professional participated on behalf of the Sponsor.

4 - Other Requirements

A Data Privacy Impact Assessment ("DPIA") is required. This analysis must include a presentation of the data flow, the identification of security measures, and the analysis of potential risks to the rights and freedoms of the data subjects.

Only pseudonymized patient data may be transferred outside the European Economic Area ("EEA"). These data, as well as those of the professionals, must then comply with the measures of Chapter V of the GDPR (adequacy decision, Standard Contractual Clauses, consent, ...).
Note: Data subjects must be informed of third countries data transfer, through the ICF (Patients) or the information notice (Professionals).

The agreements between the Sponsor (data controller) and its service providers and the investigator sites (data processors) must respect the mandatory mentions of the article 28 of the GDPR. These mentions are complementary with specific provisions related to data transfer to third countries.

The Sponsor must appoint a DPO, internal or external, and keep a register of processing activities.

Pierre Malvoisin

COO

No items found.