This text aims to describe the procedure for using personal medical data by SAS RAIDIUM, data controller, within the framework of the MR004 methodology.
The data controller determines the purposes and means of the processing, in accordance with article 24 of the GDPR (General Data Protection Regulation). This text aims to demonstrate compliance with the principles of the GDPR applicable to the RAIDIUM company's research project, in accordance with Article 5(2) of the GDPR.
As part of its research project, RAIDIUM is working on the development of an Artificial Intelligence solution to aid diagnosis in radiology. The desired aim is to improve the characterization of imaging biomarkers on a foundation model dedicated to radiology. As radiologists are today overwhelmed by the quantity of images to analyze and the monitoring of a disease is essential to administer the appropriate treatment, this represents a clear public interest (article 5(1)(a) of the GDPR).
Purpose of data collection
The goal mentioned above requires a versatile technology (capable of working with all types of anatomical elements, and all types of medical images), a general model and not specialized for a single task. Such a model must be trained on a very large number of multimodal medical images and associated radiological reports (article 5(1)(b) of the GDPR).
The data used come from a cohort of patients followed at the Cardiological Center of the North (responsible for the database) between 07/10/2019 and 07/11/2022. This represents 419,134 examinations (images and radiological reports) including x-rays, CT scans and MRIs. The data are exclusively retrospective and do not contain any characteristics relating to the patients or pathologies other than those of the radiological reports. In accordance with Article 5(1)(c) of the GDPR, this data corresponds to the minimum necessary for the pursued purpose (adequate development of the model). In accordance with Article 5(1)(e) of the GDPR, measures guaranteeing the rights and freedoms of data subjects will be put in place, and the data will be deleted no later than two years after the last publication arising from of the research project.
Security and Privacy
Personal data is pseudonymised before its use by RAIDIUM to guarantee non-access to the personal information of the persons concerned (article 32(1)(a) of the GDPR). They are stored securely on an HDS server (article 32 of the GDPR).
Rights of data subjects
The data is collected using the “opt-out” approach: the persons concerned are individually notified of the use of their data, and can exercise their right of access (article 15 of the GDPR), rectification (article 16), erasure (article 17) or opposition (article 21) via a secure form. The data is used by RAIDIUM three months after the individual information. Individuals are also informed via this text, in accordance with Article 13 of the GDPR. It is still possible to assert your rights even after the start of the use of the data. In the event of a request, the database is modified without affecting the confidentiality of the persons concerned and the person is informed thereof, in accordance with paragraphs 2 and 3 of Article 12 of the GDPR.
In case of request, it is possible to contact the DPO of the base manager (Centre Cardiologique du Nord): dpo@ccnradio.fr It is also possible to contact the RAIDIUM DPO (dpo@raidium.fr)