Reference Methodologies
Created by the French Data Protection Act of January 6, 1978, the Commission Nationale de l'Informatique et des Libertés (CNIL) is an independent administrative authority (IAA), i.e. a public body that acts on behalf of the State, without being placed under the authority of the government or a minister.
​
It is responsible for ensuring the protection of personal data contained in computer or paper files and processing, both public and private.
​
Thus, in practice in clinical research, any new study requires a request for authorization from the CNIL since it involves the processing of personal data for the purpose of research in the field of health.
illustration — Michel Spingler/AP/SIPA
In order to facilitate administrative procedures for data processors, the CNIL has published 5 reference methodologies (RM) according to the type of study conducted.
Thus, for a given project, as soon as the data controller undertakes to comply in all points with the RM applicable to his project, the authorization request from the CNIL is no longer necessary. A simple declaration of conformity is sufficient. This considerably simplifies the number of regulatory submissions.
TrialPEX and the RM
Contrary to previous versions which did not mention it, the new RM-001 , RM-003 and RM-004 of May 3, 2018 now define the type of data to which a subcontractor like TrialPEX can have access. It is indeed specified that:
" subcontractors, acting on behalf of the data controller, may be recipients of administrative data identifying persons lending themselves to research (last name, first name, postal, electronic and telephone contact details, bank details) under certain conditions and for specific missions (reimbursement of expenses, compensation, [...]). "
On the other hand, it is now impossible for TrialPEX to process directly identifying or health-related data (with the exception of the organization responsible for processing, even if it may reveal a health field).