COVID-19: ANSM guidance on Data Protection requirements for on-going trials

Regulatory 4 min
April 20, 2020

ANSM guidance underlines that adjustments to on-going clinical trials in the context of Covid-19 must comply with French Data Protection law requirements

French data protection law on health research applies to all sponsors, whatever their country of establishment, when they perform clinical trials in France.

In the context of Covid-19, the ANSM – the French Medicines Agency – now allows for adjustments to clinical trials, and has published guidance explaining which adjustments are possible and under which conditions.

However, the ANSM made very clear that any adjustment must remain in line with the rules governing data protection.

Home delivery of medicines and health products

With respect to home delivery of medicines and health products, which is made in order to avoid unnecessary visits of patients to the site, the ANSM underlines that the requirements of the “reference methodology” MR-001[1] from the CNIL must be complied with and explains which information notice requirements must be followed in this specific case.


  • the subcontractor of the sponsor in charge of the delivery (a processor in the meaning of the GDPR) who gets access to the identification data of the study subject necessary for the purpose of the delivery (such as name, address, phone number…) should not get access to any health data of the patient,
  •  in particular, the reference code of the trial transmitted to the subcontractor in charge of the delivery must not allow to reveal a pathology or any health information about the study subject – this means that the trial reference code provided to the subcontractor cannot be the one associated to the trial in public communications or public databases; otherwise, information about the fact that the trial concerns – for example – cancer, would amount to provide the subcontractor with health data,
  • the patient must be informed about the identity of the subcontractor, the categories of her/his personal data that will be disclosed to or be accessible by the subcontractor, and about the mission the subcontractor is entrusted with by the sponsor.

Concerning the new information which must be given to the patient about the processing of his personal data by the subcontractor for purposes of delivery, the ANSM considers that such information should be provided in two-steps, as follows:

  • Firstly, the site must reach out to the patient before the delivery of the products to inform him about the necessity to communicate his identity and address to the subcontractor for such delivery, and must keep record that the patient does not object,
  • Secondly the patient must then be informed with a written and detailed notice  (which can be sent to him by mail, or can be provided together with the packaging of the product, or else by any other means used to communicate with the patient).

In practice, this means that a two-layered approach must be followed: first a short information prior to the delivery which can be for instance by phone, and then a complete written information notice, fully compliant with the GDPR and MR-001, to be provided at the latest at the time of delivery.

Data quality monitoring

The ANSM recalls that in case the lock down prevents the performance of monitoring on site, no transmission of copies of medical records or remote access to electronic medical records should be authorized, even if the data is pseudonymised.

This is in line with the principle of medical secrecy and the confidentiality of personal data, and the MR-001 from the CNIL.

[1] The “reference methodology” MR-001 is a standard established by the CNIL (the French Data Protection Authority) specifying all the data protection conditions governing the clinical trial. Compliance with this reference methodology enables to avoid requesting a specific authorization from the CNIL to perform the trial. If compliance to MR-001 is not possible, an authorization must be obtained from the CNIL.

Written by
Ariane Mole
Ariane Mole
I am a partner and co-head of Bird & Bird's International Data Protection Group. Thanks to many years of experience dedicated to data protection, I can provide innovative and practical solutions to clients around the world. In my role as co-head of our International Data Protection Group, I have extensive GDPR expertise and I assist clients through the twists and turns of local law divergences, so that they can reach global compliance and find practical solutions.
Dora Talvard
Dora Talvard
My work is focused on the life sciences and healthcare sectors. I advise clients on a broad range of regulatory aspects. I work hand in hand with the intellectual property, data protection, commercial and corporate lawyers of the firm to provide clients with tailor made advice and solutions.

Related articles

Impact of Brexit on Artificial Intelligence in Healthcare
AI developments in the UK The UK is starting to uncover significant opportunities...
TGA Proposes New Course of Treatment for Software as a Medical Device
In December 2019 the Therapeutic Goods Legislation Amendment (2019 Measures No. 1) Regulations 2019...