Coincidentally, the relationship between technology and medical institutes has come up several times recently.
Tech used in the health sector
In her Wall Street Journal report, “Why Hospitals Still Make Serious Medical Errors – and How They Are Trying to Reduce Them”, Laura Landro underlined the application of AI algorithms to scrutinise and determine the patterns and system deficiencies that cause recurring mistakes in U.S. hospitals. In France, AI is applied in radiology, but both researchers and hospitals are still too sceptical to put it into operation. However, technological applications in the health sector have raised several privacy issues there, particularly in relation to patients’ personal information.
Current privacy context in France
On 15 March 2023, the French data protection authority (CNIL) announced the priority topics for its controls in 2023, including the management of patient records. Accordingly, the CNIL and the Ministry of Health and Prevention raised their concerns about the various systems used in the health sector, such as the general policy on the security of health information systems (PGSSI-S), the shared medical record (DMP), the health professional card (CPS-eCPS), the “pro Santé connect” service, etc. The CNIL stated that it will continue to audit access to digitalised patient records (DPI), as initiated in 2022. Such audits will also examine all the measures put in place to ensure personal data security.
Legal obligations of medical research organisations
During its controls in 2022, the CNIL found that two medical research organisations had breached their data protection obligations, including the responsibility to conduct an impact assessment and to inform individuals. In principle, such organisations must either obtain the CNIL’s authorisation to conduct medical research or comply with the reference methodologies. There are currently 6 methodologies published by the CNIL. Accordingly, they would have to produce an impact analysis detailing the personal data processing operations and forecasting the related risks. The CNIL also noted that the information given to the participants in their studies was not adequate. They failed to specify the nature of the information collected, the retention duration, the DPO contact or the possibility of filing a complaint with the CNIL. Furthermore, they also wrongly affirmed that the patients’ personal data had been anonymised. It had actually only been pseudonymised.
For more information about tech in the health sector: https://www.astraiagear.com/2023/02/19/human-rights-technologies-in-biomedicine/