
Accepted for/Published in: JMIR Medical Informatics

Date Submitted: Jul 1, 2024
Open Peer Review Period: Jul 18, 2024 - Sep 12, 2024
Date Accepted: Dec 25, 2024

The final, peer-reviewed published version of this preprint can be found here:

Ensuring General Data Protection Regulation Compliance and Security in a Clinical Data Warehouse From a University Hospital: Implementation Study

Riou C, El Azzouzi M, Hespel A, Guillou E, Coatrieux G, Cuggia M

Ensuring General Data Protection Regulation Compliance and Security in a Clinical Data Warehouse From a University Hospital: Implementation Study

JMIR Med Inform 2025;13:e63754

DOI: 10.2196/63754

PMID: 40244890

PMCID: 12020775

Ensuring GDPR Compliance and Security in a Clinical Data Warehouse: Challenges and Insights from a University Hospital

  • Christine Riou
  • Mohamed El Azzouzi
  • Anne Hespel
  • Emeric Guillou
  • Gouenou Coatrieux
  • Marc Cuggia

ABSTRACT

Background:

The digital transformation of health data has enabled the use of advanced data analytics and artificial intelligence (AI) techniques, which are crucial for driving innovation in healthcare. Countries such as France, the UK, Germany, and the US have adopted strategies to secure and ethically manage health data. In France, the Health Data Hub and clinical data warehouses (CDWs) within hospitals are central to this effort. However, the stringent regulatory framework, including the GDPR and the French Data Protection Act, presents significant implementation challenges.

Objective:

This paper aims to evaluate the applicability of the French CNIL CDW framework through an experiential analysis of its implementation and operational challenges in university hospitals within the French Great Western region. The study seeks to provide insights into the obstacles encountered and to propose areas for improvement to enhance compliance and facilitate research.

Methods:

A detailed evaluation was conducted in May 2023 at the University Hospital of Rennes (CHU de Rennes) on the compliance of its eHOP CDW with the CNIL framework. The study categorized the framework's requirements into those applicable to the eHOP software and those relevant to the institution's implementation. Each criterion was assessed by technical managers and data protection officers, with validation by information security officers.

Results:

Out of 116 criteria in the CNIL framework, 25 were identified as relevant to the eHOP software, with 15 criteria fully compliant, 7 non-compliant or partially compliant, and 3 not applicable. Institutional responsibilities covered 91 criteria, with several key areas identified as non-compliant or partially compliant, primarily involving security and governance measures. Notably, challenges in data retention management, encryption of sensitive genetic data, and robust authentication mechanisms were highlighted.

Conclusions:

The study underscores both the benefits and challenges of implementing the CNIL CDW framework, emphasizing the need for technological and organizational adaptations to meet compliance requirements. Proposed adjustments aim to streamline research processes while maintaining stringent data protection. This evaluation offers valuable insights for other institutions and frameworks aiming to balance rigorous data protection with research and innovation needs. Future research should extend the scope to include multiple institutions and CDW technologies to validate and generalize these findings.




© The authors. All rights reserved. This is a privileged document currently under peer-review/community review (or an accepted/rejected manuscript). Authors have provided JMIR Publications with an exclusive license to publish this preprint on its website for review and ahead-of-print citation purposes only. While the final peer-reviewed paper may be licensed under a cc-by license on publication, at this stage authors and publisher expressly prohibit redistribution of this draft paper other than for review purposes.