The National Commission of Computer Science and Freedoms' guide on data matching with the SNDS using the NIR

The independent administrative authority responsible for ensuring the protection of the personal data of the French recently published a guide on the matching of personal data with a national health data system.

A system that uses in particular the registration number in the directory still call the social security number. The guide has been published since January 8.

The administrative authority's objective is "to help researchers wishing to work with NSD data to implement a matching circuit in accordance with safety requirements" and to "assist those responsible for processing". The National Commission for Information Technology and Freedoms describes the guide as a document that "presents the most tr[de circulation du NIR]aditional circuits, in accordance with legal obligations and validated" by the commission. As a result, it must contain "the criteria to lead to the use of an independent third party in order to compartmentalinate the matching da[et ainsi d’éviter que le responsable de traitement ne dispose de données identifiants]ta, as well as the criteria for ensuring the independence of that third party" as explained by the administrative authority.

The independence highlighted here concerning piece demand and economic dependence, but also legal independence. Moreover, the third party concerned should not be in a situation in which he would be in a certain conflict, of interest, because that is what it is about, with those responsible for the treatment.

"Treatments involving the use of NIR as a pivotal identifier to make deterministic matching of health data with the SNDS require special attention," explained the National Commission for Information Technology and Freedoms. As a result, the administrative authority "identified several common pitfalls in the processing of authorization applications" that sent it "unnecessary circulation of niR and/or health data." In addition, "the unnecessary use of a third party when the NIR is already known to the treatment manager or the investigating centre involved in the research project" or "the involvement of an entity that is actually part of the same organization as the treatment manager and therefore cannot be considered a 'third party'. ».

Ultimately, the guide provided by the agency is to ensure that the collection of data and its processing in a large package are fully in compliance with the rules produced in the general regulation of personal data. The new guide is much more to the attention of health organizations as well as any organization with any interest or not this type of data collection. As far as sanctions are concerned, nothing has been provided in the guide provided by the National Freedom Commission. It is indeed legitimate in the sense that it is a guide. But for this set is organized and of course framed by rules that are present in the RGPD.

Now access an unlimited number of passwords: