After the MR-001, the MR-002…

In a previous blog post that you can find here, we told you about the RM-001, procedure simplifying the data processing statement during biomedical research at the CNIL-France (National Commission for Data Protection and Liberties). Do you know that this summer, a new methodology of reference, the MR-002, was created? It was published in the Official Journal on August 22nd. In this article we will explain what it is.

1- Which study (ies) are concerned by the MR-002?

Like the MR-001, MR-002 concerns the processing of data of a personal nature. However, it does not apply to Biomedical Research (BMR), but to non-interventional studies of Medical Devices performance in terms of In Vitro Diagnostic (MD-IVD).

2- MD-IVD, what’s that?

Remember, the Medical Devices In Vitro Diagnostic are

« products, reagents, materials, instruments and systems, components and accessories, as well as sample containers, specifically for use in vitro, alone or in combination, in the examination of samples from the human body, for providing information concerning a physiological or pathological condition, actual or potential, or a congenital anomaly, to monitor therapeutic measures, or to determine the safety of a collection of human body elements or its compatibility with potential recipients  » (definition from the Article L5221-1 of the Public Health Code)

We can mention as examples of MD-IVD: self-tests, tumor markers, assay reagent of glycated hemoglobin, assay reagent HDL-cholesterol…

3- The MR-002 principles …

The majority points raised by the MR-002 are similar to those of the MR-001. They include:

• Patient Information on the fate of their data,
• Information of investigators and his research team on the fate of their data
• The collection of patient consent (withdrawal of the study, data access and rectification rights…)
• The data collected,
• The nature and data processing,
• Data analysis (recipients)
• Those having access to these data,
• The data retention period,
• Processing security,
• The transfer of data abroad.

The differences lay in the following:

• Only treatments which goals are the conduct non-interventional studies of performance submitted to the provisions of Articles L.1121-1, L.1211- 2, L.1241-1 of Public Health Code, may be the subject of a compliance commitment by reference to the MR-002, :

« No one can put restrictions that are neither justified by the nature of the task, nor proportionated to the aim pursued; to human rights and individual and collective freedoms  » (L.1121-1)

« The human body organ taking and its products collecting cannot be practiced without the donor prior consent. This consent may be revoked at any time. « (L.1211-2)

• Beware to data transfer abroad!

Indeed it is stated in the Article 7 of the MR-002 that it is quite possible to transfer anonymous or encoded data of participants in this type of study outside the European Union. However, the investigators and their team personal data transfer can be possible outside the European Union, when that transfer is strictly necessary for the implementation of non-interventional study of performances or for the registering of MD-IVD in a country that requires it according to specific conditions (Binding Corporate Rules, or BCR, contractual clauses or Safe Harbor). However, remember that the Safe Harbor was invalidated last month. I invite you to read our previous article on this topic here)

• The concept of risk (Article 8): to be taken into account in the implementation and processing of data security. A policy of security and privacy must be set up by the data controller to preserve the safety of processed data: including the confidentiality, integrity and availability. This policy must be determined according to risk, which will be identified following a study of the risks.

To help you, a grid of risk study is available in Appendix 2. It will allow you not only to identify risks but also to take measures to reduce them to the minimum or even eliminate them.

The different types of risks may relate:

– To data processing: anonymisation of data, security of paper documents…

– on the information system: backup, maintenance, network security, physical access control, user profiles, updates, antivirus, mobile equipment, authentication means…

– and on the organization: security policy, risk and incident management, staff management …), Compliance Undertaking…)

You can find the full MR-002, and its grid of risk study here.

As you can see, the processing of personal data is at the heart of the clinical research news. I hope this article would have helped you to distinguish the MR-001 and MR-002, which in the end are similar in many aspects but are aimed for two very different types of research.

If you liked this article, I invite you to click on « I like » or share with your CRA colleagues and friends and project Manager

Also, visit Pharmaspecific website :  http://www.pharmaspecific.fr and discover our activities.

You can also visit the Facebook page of « blog de la recherche clinique », « Pharmaspecific » and click on « I like » to support us.

See « Pharmaspecific Linkedin » and « Vanessa Montanari Linkedin » for more relevant news on clinical researches.

See us as well on Pharmaspecific Viadeo and Vanessa’s Viadeo

You can also subscribe to the blog’s newsletter and we will keep you posted once a new article is published.