Processing of personal data in the context of HPV vaccination in college

Processing of data from parental authorization for vaccination forms for the purposes of implementing vaccination in schools

The parental authorization form for vaccination, which appears in the annex to interministerial instruction no. DGS/SP1/DGESCO/2023/99 of June 19, 2023 relating to the organization of a national vaccination campaign once morest infections human papillomavirus (HPV) in middle school from the start of the 2023-2024 school year, includes the following data:

• The child’s identity data (first and last name, date of birth and sex);
• The identity and contact data of the parents or legal guardians (first and last name, social security number to which the child is attached, postal code of residence, mobile telephone number), as well as data relating to their administrative situation ( social security scheme and whether or not you benefit from complementary health insurance);
• Authorization for HPV vaccination and other (compulsory) vaccinations as well as, in case of signature by a single legal person responsible for these authorizations, a declaration as to sole legal responsibility or authorization given by the second legal guardian of the child;
• Data relating to the desired vaccination once morest HPV or other pathologies mentioned in the additional authorization form.

This data is necessary for the purposes of identifying students to be vaccinated in schools, ensuring compliance with the conditions of this vaccination and organizing and piloting this campaign at the regional level. In accordance with the legal missions of the Regional Health Agencies (ARS), in charge of prevention and promotion of health in their territory (articles L. 1431-1 et seq. of the public health code), and vaccination centers and structures authorized by the ARS for vaccination (articles L. 3111-11 and D. 3111-22 of the same code), the processing of this data is implemented, on the basis of e) of 1 of article 6 of the GDPR (public interest mission), under the joint responsibility of each ARS and each structure authorized for vaccination concerned.

In accordance with article 26 of the GDPR, a joint responsibility agreement signed between each ARS and each structure authorized for vaccination defines their respective obligations with regard to the processing of this data. This agreement provides in particular that: the completed forms are only accessible to competent staff of structures authorized to vaccinate, responsible for the secure storage of this data; people are informed by means of mentions in the data collection form, supplemented by mentions appearing on the websites of the ARS and the ministry responsible for health; the structures authorized to vaccinate are responsible for responding to requests to exercise the rights of the people concerned; These structures are authorized to contract alone, on behalf of the two data controllers, with the educational establishments which are their subcontractors, responsible for collecting completed forms.

The data is in fact collected through educational establishments: blank parental authorization forms are distributed by these establishments to the students concerned then, following being completed by the parents or legal guardians, are given in a sealed envelope to the head of school. the establishment, responsible for transmitting them to the structures authorized to vaccinate designated by the ARS. Only authorized agents of these structures can read the data from the forms.

These forms will be kept by the structures authorized to vaccinate for a period of eighteen (18) years from the act of vaccination, for the purposes of managing disputes that may arise.

The persons concerned by these processing operations or, where applicable, their legal representatives have the rights of access, rectification, erasure, limitation and opposition, provided for respectively by Articles 15, 16, 17, 18 and 21. of the GDPR. These rights can be exercised through the head of the establishment who collects the data, responsible for transmitting the requests to the structure authorized to vaccinate in question.

These people also have the right to submit a complaint to the CNIL with regard to the processing of data to which they are subject.

Health insurance coverage data and statistical monitoring

In addition to the specific data processing mentioned above, the national HPV vaccination campaign gives rise to data processing usually implemented, under common law conditions, in matters of childhood vaccination.

Thus, each vaccination carried out in the school establishment is entered in the student’s health record (or vaccination record) as well as, where applicable, in My health space.

After the act of vaccination, the vaccination centers and structures transmit to the health insurance organizations the identity data of the students, including the social security number to which they are attached, for the purposes of financial coverage of the vaccines administered.

Finally, individual and non-nominative data of vaccinated students will be transmitted by the National Health Insurance Fund to the National Public Health Agency (Santé publique France), in accordance with its health monitoring and epidemiological surveillance missions. These data will be processed for the purposes of developing statistics relating to the estimation of the number of students vaccinated according to the territories (departmental, regional and national level) and the impact of the vaccination campaign; These aggregated statistics, devoid of any personal data, will be made available to the ARS and the Ministry of Health.