Transparency Portals & healthcare professionals: how to use them?

Transparency portals are increasingly becoming an indispensable benchmark for healthcare professionals, given the proliferation of sensitive data processing. How do these tools ensure compliance with the GDPR, and what concrete benefits do they offer to healthcare providers and patients? An exploration of a strategic framework at the heart of compliance and trust in healthcare.

I. Presentation of the framework

1. The transparency portal and health data warehouses (HDW)

What is a health data warehouse? According to the CNIL, health data warehouses (HDWs) are databases designed to be maintained long-term, primarily so that the data can be reused, mainly for operational management (management, control, administration) as well as for research, study or evaluation projects in the health sector[1].

Their number has continued to grow, as shown by the map published by the CNIL's Digital Innovation Laboratory (LINC) of the health data warehouses (EDS, the French acronym for entrepôts de données de santé) present on French territory[2]. Indeed, since 2017, nearly 100 HDWs have been implemented or are in the process of being established, supported by 88 different actors. Among these, 40 are public sector entities (hospitals, research institutes), 26 are private non-profit sector entities (cancer centers, associations), and 22 are private for-profit sector entities (clinics, companies). Some of these actors manage multiple data centers or group together to administer them collectively.

Given the rise of sensitive data processing, the CNIL has emphasized how important it is for healthcare actors to thoroughly master the legal framework applicable to this health data.

2. What is a health transparency portal?

Due to the growth in the number of HDWs, the implementation of a “transparency portal” is becoming an indispensable component, even if this initiative also addresses other areas. According to the CNIL[3], this is a dedicated space on the website of a data controller and/or its partners, or a dedicated online site, which centralizes and disseminates all information relating to the health data processing activities carried out, as well as future projects to reuse that data. In other words, this tool keeps the individuals concerned continuously informed and guarantees the transparency of the uses made of the data.

Several transparency portals exist. Hospitals such as the Bordeaux University Hospital Center[4] or the Nice University Hospital Center[5] have already adopted this system, thereby giving patients and healthcare professionals access to concise, understandable, and easily accessible information in clear and simple terms.

II. The objective: to ensure compliance with information and transparency obligations.

1. The role of the transparency portal: to ensure compliance with GDPR obligations.

The purpose of the transparency portal is to respond directly to the obligations set out in Articles 12 (transparent information, communication and modalities for the exercise of the rights of the data subject), 13 (information to be provided where personal data are collected from the data subject) and 14 (information to be provided where personal data have not been obtained from the data subject) of the GDPR, particularly when the processing concerns sensitive data such as health data[6].

The CNIL’s reference framework on health data warehouses[7] and the corresponding compliance checklist[8] specify the situations in which such a transparency portal is required.

2. In what situations does the operation of a health data warehouse require the implementation of a transparency portal?

The EDS checklist – in order to comply with the EDS framework – requires the implementation of a transparency portal in the following cases:

  • The implementation of a transparency portal is mandatory when an establishment reuses data from patients admitted prior to the creation of the data warehouse and it is no longer possible to inform them individually – for example, due to the age of the data, its volume, or the physical impossibility of contacting them (EDS Reference pt 8.2.3.4). In this type of case, the data controller may invoke an exception to the obligation of individual information, provided that the information is made publicly available (Art 14(5)(b) GDPR and CNIL Checklist p11, pt 8.2.3.6). The transparency portal then becomes one of the main channels of information: it must be clearly displayed on the establishment’s website, in a dedicated section, accessible from the homepage, and present the processing operations implemented, as well as the data reuse projects (EDS Reference pt 8.2.3.6, CNIL Checklist p11, pt 8.2.3.6). This is an explicit requirement of the EDS Reference, confirmed by the CNIL compliance checklist, which makes it a central element of transparency when individual information is not feasible.
  • When a health data warehouse is established, the individuals concerned must be informed of each reuse of their data for research, study, or evaluation (EDS Annex 8.4). This obligation applies unless such information is materially impossible or would require disproportionate efforts, in accordance with Article 14(5)(b) of the GDPR. To meet this requirement, the compliance checklist provides that the data controller shall establish a transparency portal on its website. It must inform the individuals concerned of research projects reusing their data (CNIL Checklist Annex 8.4). Furthermore, the information notices provided to patients must refer to this same portal. The checklist also specifies that information on each reuse can be provided via this portal (CNIL Checklist Annex 8.4), making it a key tool for ensuring compliance with transparency obligations throughout the lifetime of the warehouse.

3. What information must appear in a transparency portal?

The transparency portal must include at least the following elements:

| Information to provide (GDPR obligations) | Article 13 (Case: direct collection from the person) | Article 14 (Case: indirect collection) | Comments |
|---|---|---|---|
| Identity and contact details of the data controller | | | Common to both articles |
| Contact details of the Data Protection Officer (DPO) | | | If applicable |
| Purposes of the processing and legal basis | | | Mandatory for all processing |
| Legitimate interests pursued (Art. 6(1)(f)) | | | If this legal basis is used |
| Recipients or categories of recipients of the data | | | If existing |
| Transfer to a third country or international organization + safeguards | | | And means of obtaining a copy of the data |
| Retention period or criteria used to determine it | | | Necessary in both cases |
| GDPR rights (access, rectification, erasure, objection, portability…) | | | All rights must be specified |
| Right to withdraw consent (if applicable) | | | If the processing is based on Article 6(1)(a) or 9(2)(a) of the GDPR |
| Right to lodge a complaint with a supervisory authority | | | For example the CNIL |
| Automated decision-making, including profiling (logic, consequences) | | | If existing |
| Whether or not the provision of data is mandatory, and the consequences of a refusal | | | Specific to Article 13 |
| Categories of data concerned | | | Specific to Article 14, but remains possible within the framework of Article 13 |
| Source of the data (and whether it comes from publicly accessible sources) | | | Specific to Article 14 |

III. The use of transparency portals: an essential tool in the healthcare sector.

1. How to strengthen compliance with the implementation of a transparency portal?

The implementation of a transparency portal, initially highlighted in the context of HDWs, is today recommended by the CNIL in much broader contexts. In its practical guide to authorization requests in the healthcare sector, including non-research contexts[9], the CNIL emphasizes that certain processing operations on sensitive data – particularly when they concern a large number of people or are of long duration – must be the subject of appropriate information.

To this end, the CNIL explicitly recommends the implementation of a transparency portal, enabling the centralization of information relating to processing activities and future reuse of data. It specifies that this portal can complement, or substitute for, individual information when the latter is difficult to provide, notably in the cases provided for in Article 14(5)(b) of the GDPR.

Thus, the use of a transparency portal is not limited to HDWs, but corresponds to a broader use in the healthcare sector, wherever data can be reused, processing extends over several years, or it applies to a population that is large or difficult to identify individually. The transparency portal is gradually becoming a cross-functional compliance tool, adapted to the specificities of the healthcare sector, which is also found in the framework relating to early access and the framework relating to compassionate access to medicines, both published by the CNIL in 2022.

2. Transparency Portal: a cross-sectoral tool in the field of health

In the reference framework on early access[10], the CNIL expressly provides that when a reuse of personal data is contemplated for research or study purposes, patients must be informed via an information notice provided at the time of data collection, provided that it refers to a transparency portal. This mechanism is presented as a complementary transparency measure that can avoid the need to routinely provide individual information with each new data processing operation.

The same logic is found in the reference framework on compassionate access[11], in which the CNIL has reaffirmed that patients can be informed of subsequent processing either individually or through a transparency portal mentioned in the initial information notice.


Aumans Avocats: specialists in IT/Data, data protection and DPO outsourcing

As a law firm specializing in IT/Data and data protection, we are at your disposal to assist you with all your projects. Whether you are a startup, an SME or a corporate group, our expertise will allow you to navigate smoothly within the complex landscape of health data regulation and compliance. Do not hesitate to contact us to benefit from personalized advice and secure your digital future.


Sources:

  1. https://www.cnil.fr/fr/la-cnil-adopte-un-referentiel-sur-les-entrepots-de-donnees-de-sante – The CNIL adopts a framework on health data warehouses
  2. https://www.cnil.fr/fr/explorez-la-cartographie-des-entrepots-de-donnees-de-sante-en-france#:~:text=Qu’est%2Dce%20qu’,le%20domaine%20de%20la%20sant%C3%A9 – LINC CNIL – Explore the map of health data warehouses in France
  3. https://www.cnil.fr/fr/demande-dautorisation-dans-le-domaine-de-la-sante-hors-recherche-les-informations-fournir-et-les – Request for authorization in the health sector (excluding research): information to provide and criteria for granting
  4. https://www.chu-bordeaux.fr/Professionnels-recherche/Recherche-clinique-et-Innovation/Participer-%C3%A0-une-recherche-clinique/Portail-de-transparence/ – CHU de Bordeaux, transparency portal
  5. https://www.chu-nice.fr/recherche/patients/portail-de-transparence – CHU de Nice, transparency portal: protection and processing of your personal data in the context of our research projects
  6. https://eur-lex.europa.eu/eli/reg/2016/679/oj?locale=fr – General Data Protection Regulation, Articles 9, 12, 13 and 14
  7. https://www.cnil.fr/fr/la-cnil-adopte-un-referentiel-sur-les-entrepots-de-donnees-de-sante – The CNIL adopts a framework on health data warehouses
  8. https://www.cnil.fr/sites/cnil/files/atoms/files/check-list_de_conformite_referentiel-donnes-sante.pdf – Conformity checklist to the EDS reference framework
  9. https://www.cnil.fr/fr/demande-dautorisation-dans-le-domaine-de-la-sante-hors-recherche-les-informations-fournir-et-les – Request for authorization in the health domain (excluding research): information to provide and criteria for granting
  10. https://www.legifrance.gouv.fr/jorf/id/JORFTEXT000046542586 – Resolution No. 2022-107 of September 22, 2022 adopting a framework relating to personal data processing carried out by the holder of the rights of exploitation of a medicine benefiting from early access authorization
  11. https://www.legifrance.gouv.fr/jorf/id/JORFTEXT000046542576 – Resolution No. 2022-106 of September 22, 2022 adopting a framework relating to personal data processing carried out by the holder of the rights of exploitation of a medicine benefiting from a compassionate access authorization

AUMANS AVOCATS (formerly FOUSSAT AVOCATS & DEROULEZ AVOCATS)
AARPI
Paris +33 (0)1 85 08 54 76 / Lyon +33 (0)4 28 29 14 92 / Marseille +33 (0)4 84 25 67 89 / Bruxelles +32 (0)2 318 18 36
