Can a patient request the deletion of data from his/her medical record?

Hello everyone, this is Manon DURAND, health lawyer at Pharmaspecific. We’re meeting again to talk about the General Data Protection Regulation (the GDPR), which is the reference text in terms of personal data protection, and which came into force in the European Union on May 25, 2018.

The question of the day is whether a patient can request that data contained in their medical record be deleted. The medical record is a set of documents that will trace the life of the patient concerning his health. So there can be histories of operations, treatments taken, medical visits… Except that the importance of this medical record is such that if a doctor consults a patient’s medical record and some information are missing, his decision making can be erroneous because he will not have all the information at his disposal.

This problem must be weighed against the principles of personal data protection, which require that a data subject, in this case the patient, may still have certain powers over his personal data. Indeed, the patient can ask for the deletion or rectification of personal data contained in his medical file; he can make this request to the hospital, but it is not without conditions.

Firstly, he can only do so if the data are inaccurate, ambiguous, outdated or incomplete. Secondly, he must be able to justify a legitimate reason for the deletion or rectification of his data. For example, a patient was able to obtain the deletion of his data on the grounds that a member of his family worked in the same hospital and that he did not want the member of his family to have access to his health information, in particular a pathology of which he was a victim.

So, if all these conditions are met, the patient will be able to ask for a modification or a deletion of his data, but in practice the reason must really be justified.

That’s all for today, I hope you enjoyed this video. If you do, don’t hesitate to subscribe to our channel, to like this video and you will find in the information bar the information on our services and in particular the monthly legal watch and the legal advice in clinical research. As for me, I’ll see you soon for a new video.

Should clinical study technicians take the steps related to the GDRP ? Who should carry out these procedures?

Hello everyone, this is Manon DURAND, health lawyer at Pharmaspecific. We are meeting today once again to talk about the GDPR, the General Data Protection Regulation which is, I remind you, the reference text in terms of personal data protection within the EU. It came into force on May 25, 2018 in the EU member states.

The question of the day is whether clinical study technicians (CSTs) are responsible, at their level, for implementing the obligations related to the GDPR or whether it happens at another level. As a reminder, the clinical study technicians are the personnel who will be in charge of entering the study data that are collected from the patients in order to set up the proper conduct of the study. They are confronted with personal data on a daily basis. However, it is not up to them to implement the obligations related to the GDPR since this happens at the level of the data controller.

I remind you that the controller is the person who determines the purposes and means of the processing. In practice, in clinical research, it is the sponsor. Within the sponsor’s organization, there are different levels that can deal with GDPR compliance.

First of all, if a Data Protection Officer has been appointed – which is not always an obligation – if a Data Protection Officer has been appointed, he or she will be responsible for ensuring compliance with the DPMR, i.e., putting in place all the required tools, processing registers, impact assessment where appropriate, supervision of transfers outside the EU, etc.

If there is no DPO in the sponsor’s organization, it will happen either at the level of the legal department if there is one and if not directly at the management level. It is therefore not up to the clinical study technicians to implement GDPR compliance. On the other hand, they must, like all the personnel involved in the study, be trained in the rules of the GDPR, in its spirit and in the way in which the data must be processed, since they are confronted with this data on a daily basis, they must be able to know what they can or cannot do with the data.

I hope you enjoyed this video, if so, you can subscribe to our channel and like this video and you will find in the information bar all the information about our services such as the monthly legal watch or the legal advice in clinical research. As for us, we will soon meet again for a new video!

GDRP : Can an impact assessment be made after once the processing has begun?

Hello everyone, this is Manon DURAND, health lawyer at Pharmaspecific. We are meeting today to talk about the General Data Protection Regulation (the GDPR) which is, I remind you, the reference text in terms of personal data protection and which came into force in the European Union on May 25, 2018.

The question of the day is whether it is possible to implement a data protection impact assessment a posteriori, i.e. once the processing has already begun. The impact assessment is a tool to ensure compliance with the GDPR and is intended for processing operations that could generate high risks for the rights and freedoms of the data subjects, i.e., it balances the security measures implemented by the data controller with the rights and freedoms of the data subjects.

So, in practice, the impact assessment can be done as you wish, but the CNIL provides a software called PIA that allows you to perform your impact assessment in a very clear and simple way. So, you can use this software and it is better for all these reasons to set up the impact assessment before your processing because it will allow you, if you find that some security measures are insufficient or are badly used, to adopt corrections before your processing.

However, the GDPR is not always straightforward so you may have forgotten to implement your impact assessment. If this is the case, there is nothing to stop you from doing it anyway during your processing. This will allow you, if you have corrections to make on certain security measures, to identify and implement them and, otherwise, if you identify a data breach, you can still notify the CNIL to be truly in compliance with the GDPR.

In conclusion, the impact assessment is preferably set up before the processing, but nothing prevents you from setting it up during your processing if you have not been able to do it before. Please refer to the CNIL website to know in which case you have to set up an impact assessment. And I remind you that this is the responsibility of the data controller with the help of his processor, if necessary.

That’s it for this video, I hope you liked it. If you did, don’t hesitate to subscribe to our channel and to like this video and you will find in the information bar information on our services and in particular the monthly legal watch and the legal advice in clinical research. As for me, I’ll see you soon for a new video.

Is there an GDRP certification? How can I prove that my company is GDRP compliant?

Hello everyone, this is Manon DURAND, health lawyer at Pharmaspecific. We’re meeting again to talk about the General Data Protection Regulation (the GDPR), which is the reference text in terms of personal data protection, and which came into force in the European Union on May 25, 2018.

Today we’re interested in certification. We want to know if there is a certification in terms of GDPR. First of all, certification is provided for by the GDPR in its articles 42 and 43. It will allow a data controller to request that a third-party certification body attests the conformity of its processes, products, services or skills to the characteristics that will be defined in a given reference system. The certifying body must be independent and impartial, and for this, there are two ways: either the body has been approved by the CNIL, or it has been accredited by the French Accreditation Committee (COFRAC).

The certification will allow an organization to prove its compliance with the GDPR and thus, to be a guarantee of confidence for its customers. The most well-known certification in terms of personal data protection is the certification of the competences of the DPO, i.e. the data protection officer, and the fact of passing this certification will allow the company to prove that its DPO, the person who deals with all aspects related to the GDPR, carries out his missions in accordance with the reference frameworks provided by the CNIL. So, once again, it will be a guarantee of confidence for your customers.

In conclusion, it is possible to obtain a GDPR certification. There are different ones on different subjects but the main one is the one of the DPO’s skills. If you wish to have recourse to a certification, you can go to the COFRAC website (French Committee for Accreditation) since it lists all the certifying bodies.

That’s it for this video, I hope you enjoyed it. If you do, don’t hesitate to subscribe to our channel, to like this video and you will find in the information bar the information concerning our monthly legal watch and the legal advice in clinical research. As for me, I’ll see you soon for a new video.