MR-008: The French guideline for access to the national health database by a pharmaceutical company

Privacy Laws

1 - What is MR-008?

MR-008 is a rule adopted by the French data protection authority ("CNIL") for the processing of personal data within the context of an observational study requiring access to the national health public database, specifically referred to as SNDS (Système National des Données de Santé). It specifies how the GDPR applies to such activities conducted in France. MR-008 primarily concerns the preparation of documents for discussions with relevant authorities and committees, predominantly in the fields of pharmaceuticals and medical devices. This includes matters related to market authorization, pricing negotiations, CE marking, and conducting studies under real-world usage conditions.

The SNDS, which consolidates and makes available databases that previously existed independently, encompasses:

  • SNIIRAM Database: Contains health insurance data.
  • PMSI Database: Contains data derived from the activity of health establishments.
  • CepiDC Database: Managed by INSERM, contains data on causes of death.
  • Data related to disability: From departmental houses for disabled persons.
  • Data from Vaccin-covid and SI-DEP databases.

The following studies are excluded from MR-008:

  • Studies requiring SNDS data to be matched with other data sources. This restriction is in place to prevent the privacy risks that could arise from combining datasets from various origins without stringent controls and oversight.
  • Studies requiring the reuse of data made available in the context of a previous study, or of data from a health data warehouse that includes SNDS data. This provision ensures that data are not repurposed without a fresh review and approval process that considers the specifics and context of the new usage, in line with data protection standards and regulations.

For those studies, CNIL's authorization is required.

2 - Procedure

The French Data Protection Law proposes a binary system:

  • Either the organization is 100% compliant with MR-008's requirements, in which case it declares compliance to the CNIL.
  • Or the organization is not 100% compliant with MR-008's requirements, in which case it must obtain PRIOR authorization to conduct the research.

To benefit from MR-008, Sponsors must first obtain a favorable opinion from the French national ethics committee, referred to as Comité éthique et scientifique pour les recherches, les études et les évaluations dans le domaine de la santé (CESREES). The submission process is done via the Health Data Hub.

Here are the conditions to submit to the Health Data Hub:

  • A protocol must be submitted to the CESREES.
  • Approval from CESREES. The study must receive an expressly favorable opinion from CESREES prior to its implementation. If this opinion includes recommendations, the Sponsor commits to taking them into account.
  • Data must exclusively come from the CNAM (National Health Insurance Fund), which is the only authority competent to extract and transmit data from the SNDS (National Health Data System). The data must also come directly from CNAM. No reuse of data is permitted.
  • The study can only be performed by a research laboratory or a study office, public or private, that has made a commitment to compliance with the CNIL.
  • Data is made available to the research laboratory or study office in a project space of a controlled environment.
  • Data is hosted by a certified data host (HDS certification).
  • No data transfers outside of the European Union are allowed.

The CNIL has a two-month period to respond from the date of the authorization request. In the absence of a response after this period, the authorization is considered tacit.

3 - Requirements related to data subjects

MR-008 distinguishes two categories of data subjects, each with its own requirements:

  • The patients/participants included in the study.
  • The healthcare professionals involved in the study.

3.1 - Requirements related to patients

Regarding the processing of patients' data, MR-008 specifies that:

1. Purposes

Personal data can only be processed for the purposes of the study (endpoint and objectives of the protocol). MR-008 lists the following purposes as legitimate for access to SNDS data:

  • Carrying out epidemiological and/or medico-economic studies, including studies to prepare dossiers for discussions and meetings with the relevant authorities and committees, or studies for surveillance purposes;
  • Carrying out feasibility studies or targeting centres for research involving or not involving human subjects;
  • Comparative evaluation of care provision;
  • Changes in care practices;
  • Comparative analysis of care activities;
  • Description and analysis of pathologies and patient care pathways.

2. Categories of data

The data must come exclusively and directly from the SNDS databases. Only pseudonymized data is processed. MR-008 concerns data with a maximum historical depth of ten years, including the current year.

3. Recipients of data

Only the research laboratory or study office in charge of conducting the study can access the data.

4. Information and rights of patients

Patients must be informed of the processing of their personal data according to GDPR Article 14. Patients are informed of the possible re-use of their personal health data by the CNAM.
In addition, the public must be informed of any research, study or evaluation carried out in the health field. As a minimum, the following measures must be implemented to ensure that information is publicly available:

  • An information notice on the website of the controller and, where applicable, of the research laboratory or study office;
  • Setting up a transparency portal when the data controller carries out several studies using SNDS data;
  • Other forms of collective information may also be provided, depending on the characteristics of the studies carried out (social networks, patient associations, press releases, etc.).

5. Data retention period

Data can be kept for up to five years from the date on which the data was last made available. Personal data cannot be stored outside the controlled environment used by the research laboratory or study office.

3.2 - Requirements related to professionals involved in the research

1. Purposes

Personal data can only be processed to ensure the legal obligations of the data controller.

2. Categories of data

Only the following data is processed:

  • Name, first names, title
  • Professional contact details
  • All data needed to perform the study

3. Recipients of the data

The Sponsor, its service providers, and authorities can access professionals' data.

4. Information and rights of professionals

Professionals must be informed of the processing of their data by the organization.

5. Data retention period

Data of professionals cannot be kept beyond 15 years from the last research in which the professional participated.

4 - Data security

The security measures must comply with the security framework applicable to the SNDS.
Research laboratories and study offices must comply with the framework applicable to research laboratories and study offices.
The Sponsor must adopt the following technical and organisational measures:

  • Roles & Responsibilities (SEC-REP-1: Roles and responsibilities must be formalised in an agreement. This agreement must comply with Article 28 of the GDPR).
  • Authorisation management and logical access to data (SEC-HAB-1: Different profiles must be provided in order to manage access to data on an as-needed and exclusive basis / SEC-HAB-2: Persons accessing data must be individually authorised / SEC-HAB-3: Authorisations must be reviewed on a regular basis, at least annually / SEC-HAB-4: Access permissions must be withdrawn as soon as authorisations are withdrawn).
  • User identification and authentication (SEC-IDE-1: Access to personal data must be subject to local or national identification / SEC-IDE-2: Access to personal data must be subject to strong authentication involving at least two distinct authentication factors. If one of these factors is a password, it must comply with the CNIL's recommendations on passwords).
  • Project space (SEC-ESP-1: Data must only be processed by authorised users in a project space specific to this study, which is separated from the SNDS and from other studies' spaces / SEC-ESP-2: Datasets imported into a project space specific to a study must be kept to a minimum and limited to the data required for the study. A unique pseudonym number specific to each project space must be generated).
  • Data transmission (SEC-TRA-1: Data must be encrypted. These encryption measures apply to data in transit and to its storage after receipt in the project spaces).
  • Exporting anonymous data from workspace (SEC-EXP-1: Only anonymised datasets may be exported outside the project spaces / SEC-EXP-2: Data exports must be subject to prior validation / SEC-EXP-3: Exports must be monitored).
  • User awareness and workstation security (SEC-SEN-1: All persons authorised to access data must be trained / SEC-SEN-2: Each person authorised to access the controlled environment must sign a confidentiality charter / SEC-SEN-3: The workstations must be subject to specific security measures).
  • Logging (SEC-JOU-1: The actions of users must be subject to logging measures / Traces must be checked regularly, at least once a month, and at the end of each period of authorisation linked to a study / SEC-JOU-3: The logging traces defined in requirement SEC-JOU-1 must be kept for a period of six months to one year from the date of collection).
  • Management of security incidents and personal data breaches (SEC-INC-1: The parties to the agreement must establish a procedure for managing and handling security incidents and personal data breaches / SEC-INC-2: Any security incident must be documented internally in a breach register / SEC-INC-3: Any data breach must be notified to the CNIL / SEC-INC-4: The data controller is required to communicate the data breach to the data subjects).

5 - Other Requirements

A Data Privacy Impact Assessment ("DPIA") is required.

The Sponsor must appoint a DPO and keep a register of processing activities.

Study results must be published in the public registry managed by the Health Data Hub.

The data host must be certified Hébergements de données de santé (HDS).

Every three years, the Sponsor shall send the CNIL a report summarising the studies conducted under MR-008.

Pierre Malvoisin

COO
