Health sector: master the RGPD in your EDS
Setting up a health data warehouse requires strict compliance with the RGPD and the CNIL standard, based on clear governance, comprehensive documentation and high security measures. The DPO is the guarantor, ensuring transparency and compliance at each stage of the project.
GDPR and Data Warehouse
Health data warehouses have become strategic devices for healthcare institutions, but their implementation requires strict compliance with the GDPR.
Between legal basis, governance, security and reuse, this type of treatment raises complex technical and legal questions.
In this article, we explore the requirements for creating a compliant data warehouse, the mistakes to avoid, and the levers to activate to ensure security and transparency.
An operational guide for DPOs, CISOs, lawyers and data controllers.
DPO notice
The health data warehouse should be perceived as a massive storage of pseudonymized data whose reuse must then be justified by research, study and management projects that often themselves rely on foundations of public interest.
In the context of the public interest, the EDS must respond to the CNIL standard on EDS.
- A health data warehouse is a structured process subject to the requirements of the GDPR.
- The CNIL standard allows a declaration of conformity for projects of public interest
- AIPD, ethical governance and documentation are indispensable
- Pseudonymization is not enough to rule out the GDPR: the data remains identifiable
- The DPO must be integrated from the design stage to secure the entire project
Adequacy has a Health module, where the CNIL Health Data Warehouse repository is registered and usable.
Understanding health data warehouses in light of the GDPR
Health data warehouses (EDS) have become strategic tools for health institutions wishing to value their data for the purposes of management, research or optimization of care. However, their implementation requires a rigorous legal framework, in particular with regard to the General Data Protection Regulation (GDPR).
Definition of a health data warehouse
A health data warehouse is a structured processing of personal data, implemented by a health institution or a hospital group, in order to allow the reuse of data collected during care¹. This data may relate to:
- Strategic management
- Improving the quality of care
- Medical decision support
- Feasibility studies
- Research, under conditions
This treatment is distinguished from a traditional database by its reuse objective, its volume, its structuring for analytical purposes and its strengthened governance framework.
Health data: a category of “sensitive” data
The GDPR (article 9) considers health data to be sensitive data, subject to a prohibition of processing in principle, except for clearly defined exceptions². Because of the sensitivity of the information they aggregate (pathologies, treatments, hospital stays, medical procedures, etc.), data warehouses are therefore subject to a high level of vigilance.
Specific GDPR requirements include:
- A solid legal basis
- Appropriate technical and organizational security measures
- A strict limitation of purposes
- Transparent governance
Legal basis: the three applicable regimes
Data processing under an EDS may be based on several legal bases:
Important note: The most frequently used basis in EDS is the public interest mission, which allows data to be processed without individual consent, as long as the processing is supervised by a legal or regulatory system (CNIL reference system, authorization).
Purpose and transparency: elements to be documented
Each purpose of an EDS must be:
- Legitimate
- Determined
- Explicit
- Compatible with the public interest
It is imperative to clearly inform the persons concerned about this via an accessible and understandable privacy policy.
Formal prohibitions: Treatment may under no circumstances be used for commercial purposes, for the promotion of drugs or for the adjustment of insurance guarantees (in accordance with article L.5311-1 of the CSP and the restrictions of the CNIL standard).
To remember
The RGPD requires a detailed reading of the treatments implemented via an EDS. The choice of the legal basis, the definition of the purpose, the nature of the data, and governance are all determining factors in ensuring compliance.
Implement a GDPR-compliant data warehouse
The creation and operation of a health data warehouse (EDS) require a structured approach, in accordance with the requirements of the RGPD and the recommendations of the CNIL³. From governance to documentation, each step must ensure the legality, security and traceability of the treatments implemented.
Legal framework: compliance or authorization?
The CNIL proposes a specific framework to frame the creation of an EDS as part of a mission in the public interest4. If the project is in strict compliance with this standard, a declaration of conformity is sufficient. Otherwise, a request for authorization must be sent to the CNIL (article 66 III of the “Informatique et Libertés” law).
Summary table of procedures
Mandatory documentation
Regardless of the regime, GDPR documentation is a central pillar of compliance. The data controller must keep up to date:
- A register of processing activities (article 30 GDPR)
- A privacy impact assessment (AIPD) (article 35 GDPR)
- A governance file specifying the bodies in charge of steering and validation
- Security and authorization protocols
Important: These documents must be available at all times in the event of an inspection, and updated in the event of changes in the perimeter of the warehouse.
Recommended governance
Strong governance is essential. The CNIL standard requires the implementation of:
Mandatory governance structure
| Instance | Rôle | Responsabilités |
|---|---|---|
| Comité de pilotage | Orientations stratégiques | Définit les orientations stratégiques et tient un inventaire exhaustif des données |
| Comité scientifique et éthique | Évaluation des demandes | Évalue chaque demande de réutilisation des données et valide les projets de recherche |
| DPO | Conformité RGPD | Garant de la conformité et conseil méthodologique |
| DIM | Information médicale | Expertise technique et validation des aspects médicaux |
| Instance | Rôle | Responsabilités |
|---|---|---|
| Comité de pilotage | Orientations stratégiques | Définit les orientations stratégiques et tient un inventaire exhaustif des données |
| Instance | Rôle | Responsabilités |
|---|---|---|
| Comité scientifique et éthique | Évaluation des demandes | Évalue chaque demande de réutilisation des données et valide les projets de recherche |
| Instance | Rôle | Responsabilités |
|---|---|---|
| DPO | Conformité RGPD | Garant de la conformité et conseil méthodologique |
| Instance | Rôle | Responsabilités |
|---|---|---|
| DIM | Information médicale | Expertise technique et validation des aspects médicaux |
Requirement: These bodies need to be formalized, and their roles clearly documented.
Lifecycle of the compliance stages
With regard to information to the persons concerned and the need for a transparency portal, read the article from the Aumans Avocats law firm.
Checklist — Launching a warehouse
The key role of the DPO
The DPO is both a guarantor of compliance and methodological support, here are the missions of the DPO within the framework of an EDS:
- Validates the purposes and the legal basis
- Coordinates the implementation of the AIPD
- Ensures that people's rights are respected
- Advises on minimization and pseudonymization measures
Advice: It is imperative to integrate the DPO from the warehouse design phase.
Data Security, Anonymization and Reuse: Requirements and Limits
The implementation of a health data warehouse involves a high level of requirements in terms of security, risk management and respect for fundamental rights. The GDPR imposes a strict framework on the management of access, the reuse of data and the guarantee of confidentiality, especially when it comes to health data.
Data security: specific obligations
Article 32 of the GDPR requires data controllers to put in place appropriate technical and organizational measures to ensure a level of security adapted to the risks.
