France: CNIL publishes notice on security of health data

On February 9, 2024, the French data protection authority (CNIL) published a notice on the security of health data. In particular, CNIL highlighted that it has notified several health care establishments to take measures to ensure the security of computerized patient files (DPI), a centralized health data file for patients that allows health care professionals to access their medical information. CNIL carried out 13 checks on health establishments between 2020 and 2024 owing to the sensitivity of data contained within the DPI and found that the authorization policy in many cases allowed non-health care professionals to access the data within the DPI.

Recommended security measures

CNIL recommended corrective measures for health care establishments to implement relating to the DPI, including:

  • secure access through a robust authentication policy, including sufficiently complex passwords;
  • specific authorizations so that health care professionals access only the files they need to know, based on the combination of two criteria:
    • employees responsible for welcoming patients must only be capable of accessing administrative files, not medical data;
    • authorizations must also take into account the care team so that professionals involved in actually caring for the patient have access to information covered by medical confidentiality;
  • enhanced confidentiality measures for specific files;
  • tracing or logging of access to the DPI, indicating who accessed data and what data was accessed, together with automated mechanisms to identify accesses that appear abnormal; and
  • emergency measures that allow administrative and medical professionals to access patient data in the event of an emergency.

You can read the press release, only available in French, here.