Reference framework on the processing of personal data for the purpose of creating data warehouses in the field of health

October 25, 2021

The CNIL adopted a new reference framework in deliberation No. 2021-118 of 7 October 2021 (JORF 24 October 2021), which aims to "simplify procedures" and propose a framework "adapted to practices" when creating a health data warehouse (HDF, abbreviated DHS below).

The DHS regime

This reference framework is intended for data controllers who wish to collect data for re-use for specific purposes in the context of their public interest missions.

This legal basis therefore primarily concerns processing operations carried out by public authorities. It may, however, authorise the implementation of processing operations by private bodies, provided that they pursue a mission of public interest or are endowed with prerogatives of public authority.

In this respect, the data processing must be strictly justified:

  • either, scientifically, by health or medico-social care, via the production of indicators and the strategic management of activity, the improvement of the quality of medical information or the optimisation of coding within the framework of the PMSI, the operation of tools to assist medical diagnosis or care and the carrying out of feasibility studies (pre-screening);
  • or by the carrying out of a specific research project, study or evaluation provided for by a protocol.

In the latter case, the processing must be subject to the appropriate formalities:

In any event, only personal data that are adequate, relevant and limited to what is necessary for the purposes of the processing may be collected and processed.

In this respect, the controller may only collect and process:

  • data contained in the data subject's medical and administrative file or single computerised file, the collection of which is justified by his or her care, and/or
  • data from previously conducted health-related research projects, studies and evaluations whose retention period has not expired.

Creating a DHS in practice

Until then, the creation of this type of DHS was necessarily subject to an application for a "health" (non-research) authorisation, unless the persons concerned had given explicit consent for the constitution of the DHS.

Where the processing operations comply with this reference framework, the actors concerned will no longer have to submit the DHS to the prior authorisation procedure.

It should be noted that a Data Protection Impact Assessment (DPIA) will still be required in all cases.

This measure should be complemented by the establishment of governance to verify compliance with the purposes pursued and various technical and organisational measures to safeguard the security of personal data.
