The CNIL (Commission Nationale de l’Informatique et des Libertés) is the French data protection authority. CNIL has issued various “Reference Methodologies” (Méthodologies de Référence or MRs) which are guidelines/frameworks for compliance with data protection regulations in specific areas e.g., MR-001 (interventional research) and MR-003 (non-interventional research) which cover research involving direct interactions with people (RIPH), or MR-004 for research involving secondary use of existing personal healthcare data i.e., research not involving direct interaction with people (RNIPH).

By declaring conformity to the applicable reference methodology to the CNIL, research sponsors do not need to seek individual authorisation for each research project that involves non-anonymous data, making this an efficient and effective form of self-regulation.

Key features of MR-004 conformity include:

1. Data Minimisation: Only collect the data that is strictly necessary for the research or healthcare activity.
2. Purpose Limitation: Use the data only for the specified, explicit, and legitimate purposes for which it was collected.
3. Consent: Access to and use (re-use) of existing patient health data is subject to informing the affected patients (patient information).
4. Security: Guidelines for data storage, encryption, and access control, in line with GDPR requirements.
5. Data Subject Rights: Details about how to facilitate data subjects’ rights like access, rectification, deletion, and data portability.
6. Data Retention: Sets time limits on how long the data can be stored and provides guidance on secure deletion practices.
7. Accountability and Governance: Stresses the importance of record-keeping, conducting impact assessments, and potentially appointing a Data Protection Officer (DPO).
8. Data Sharing: Provides guidelines for sharing data with third parties, including cross-border data transfers.
9. Legal Compliance: Ensures that the data processing activities are compliant with other relevant laws and ethical considerations.

By adhering to MR-004 or similar CNIL Reference Methodologies (as applicable), healthcare organizations and researchers can use real-world data while fulfilling their legal obligations and ethical responsibilities for data protection (GDPR). Note that these guidelines are subject to change, so it’s crucial to consult the most current version and seek legal advice for complex scenarios.