Regulations and Guidelines

1 - What is MR-004?

MR-004 is a rule adopted by the French data protection authority ("CNIL") for the processing of personal data within the context of an observational study. The term "observational study" includes all studies reusing health data already collected in the context of care or research. This concerns studies such as meta-analyses, epidemiological studies, medico-administrative studies.

The observational study must be based on a scientific protocol validated by the data controller conducting the study ("Sponsor").

MR-004 specifies how the GDPR applies to observational studies in France.

2 - Procedure

The French Data Protection Law proposes a binary system:
‍
Either the Sponsor is 100% compliant with the MR-004's requirements. It declares compliance to the CNIL, and the clinical trial can be initiated without further formalities.
Or the Sponsor is not 100% compliant with the MR-004's requirements. The Sponsor must then obtain PRIOR authorization to conduct the study.

The CNIL has a two-month period to respond from the date of the authorization request. In the absence of a response after this period, the authorization is considered tacit.

Therefore, compliance with MR-004 is an essential step in the regulatory journey of an observational study in France. A sponsor must, therefore, evaluate compliance with MR-004 in advance.

3 - Requirements related to data subjects

MR-004 distinguishes two categories of data subjects with their own requirements:

• The patients/participants whose data are processed by the study
• The professionals involved in conducting the study (PI, research team, etc.).

3.1 - Requirements related to patients

Regarding the processing of patients data, MR-004 specifies that:

1. Purposes

Personal data may only be processed for the purposes of the study (endpoint protocol, objectives of the protocol). Thus, any data processing outside the scope of the protocol (other studies not provided for in the protocol) is a separate data processing.

‍2. Categories of data

Only pseudonymized data may be reused in an observational study. A new pseudonym specific to the study must be assigned. The correspondence with the initial database must be kept under the control of the holder of the initial database with restricted access.

In the case of initial collection for an observational study, the patient's identity must be kept in a separate database under the control of the investigator site with restricted access (as provided by good clinical practices).

MR-004 provides a broad list of data that can be collected. Except for the social security number, any health data can be collected if necessary for the achievement of the study's objectives. Note: a specific de-identification process must be planned for photos, videos, and sound recordings.

‍3. Recipients of data
‍
Pseudonymized data of the patient are accessible by the Sponsor, its service providers, the professionals involved in the research, the CRAs, the authorities, and independent experts of a scientific review committee in case of publication of results. Especially for this last category, access must be limited to the sole purpose of re-analysis of the results and must be done through an interface provided by the Sponsor.

Identifying data of the patient is accessible only by the professionals involved in the research, the persons in charge of the Sponsor's quality assurance, and its DPO for the exercise of patients' rights, the authorities, and the Sponsor's insurer for the clinical trial.Notably, MR-004 specifies the conditions of access to directly identifying data by the Sponsor's service providers. Such access is limited to specific cases (reimbursement, connection to a portal for a questionnaire, delivery of medication to the home). This access is not possible if the service provider simultaneously has access to the patient's health data, or if the data available reveal a pathology or health status.

4. Information and rights of patients

Patients whose data are reused must be informed of the processing of their personal data according to the mandatory information provided by Article 14 of the GDPR. This information can be provided via an information website.
Note: This is the main point of non-compliance with MR-004. Indeed, an entity reusing data, even pseudonymized, is required to re-inform patients of the reuse of their data.

Patients may exercise their GDPR rights at any time with the Sponsor's DPO, who is required to respond within a month from the request. An additional month's extension is possible.
‍
5. Data retention period

Data can be kept in the information systems of the Sponsor, its service providers, and the investigator center until 2 years after the last publication or, in the absence of publication, the signing of the final report. After this period, the data is archived (more restricted access) for the legal duration. Depending on the nature of the observational study, this duration may vary.

3.2 - Requirements related to Professionals involved in the research

1. Purposes

Personal data can only be processed to ensure the legal obligations of the Sponsor

2. Categories of data

Any professional personal data (name, first name, professional address, diploma, etc.) can be collected.

3. Recipients of the data

The Sponsor, its service providers, the professionals involved in the research, the authorities can access professionals' data.
‍
4. Information and rights of professionals involved in research

Professionals must be informed of the processing of their data by the Sponsor in accordance with article 13 of the GDPR.
Note: This is a common oversight in the MR-004. This information can be delivered via email. Also, this information can be attached to the  agreement between the Sponsor and the research team.

Professionals can exercise their rights at any time with the Sponsor's DPO.

5. Data retention period

Data of professionals cannot be kept beyond 15 years from the last research in which the professional participated on behalf of the Sponsor.

4 - Other Requirements

A Data Privacy Impact Assessment ("DPIA") is required. This analysis must include a presentation of the data flow, the identification of security measures, and the analysis of potential risks to the rights and freedoms of the data subjects.
‍
Only pseudonymized patient data may be transferred outside the European Economic Area ("EEA"). These data, as well as those of the professionals, must then comply with the measures of Chapter V of the GDPR (adequacy decision, Standard Contractual Clauses, consent, ...).
Note: Data subjects must be informed of third countries data transfer, through the ICF (Patients) or the information notice (Professionals).

The agreements between the Sponsor (data controller) and its service providers and the investigator sites (data processors) must respect the mandatory mentions of the article 28 of the GDPR. These mentions are complementary with specific provisions related to data transfer to third countries.
‍
The Sponsor must appoint a DPO, internal or external, and keep a register of processing activities.