The CNIL wishes to “help researchers wishing to work with data from the SNDS to implement a matching circuit in accordance with security requirements” and “to support data controllers”.
This guide “presents the most classic circuits [for circulating the NIR], in accordance with legal obligations and validated” by the commission.
It also contains “the criteria that should lead to resorting to an independent third party in order to partition the matching data [and thus prevent the data controller from holding identifying data], as well as the criteria to ensure the independence of this third party”.
The guide states that this independence must be legal and economic vis-à-vis the controller. The third party must not be “in a situation of conflict of interest vis-à-vis the controller” either.
“The processing operations providing for the use of the NIR as a pivot identifier to carry out deterministic matches of health data with the SNDS require special attention”, explained the CNIL.
It identified “several frequent pitfalls in the processing of authorization requests” addressed to it: “unnecessary circulation of the NIR and/or health data”, “unnecessary recourse to a third party while the NIR is already known to the controller or the investigating center participating in the research project” or “the involvement of an entity that is actually part of the same body as the controller and therefore cannot be considered a ‘third party’”.
CNIL, practical guide on “NIR circuits for health research”