Hosting of health data and GDPR

As part of GDPR compliance for those who host health data, the question arises of the certification and/or accreditation provided for by article L. 1111-8 of the Code de la santé publique (French Public Health Code, CSP).

The decree of 26 February 2018, adopted pursuant to this article, defines the activity of hosting health data but does not specify whether it covers the internal hosting of these data, their external hosting, or both.
In other words, it does not state whether the hosting in question is carried out by a controller or by a processor.
This is why, in practice, problems of interpretation arise: some consider that these rules apply to the internal hosting of health data, while others consider that they apply only to external hosting.
Read in the light of the GDPR, the health data hosting rules appear to apply only to external hosting by a processor (1), and not to internal hosting by a controller (2).

1/ External hosting by a processor

According to article L. 1111-8 of the CSP, the rules on the hosting of health data apply to « anyone who hosts personal health data collected in the course of prevention, diagnosis, care or social and medico-social follow-up activities, on behalf of the natural or legal persons at the origin of the production or collection of these data, or on behalf of the patient himself (…) ».
Article R. 1111-8-8 I of the CSP, created by the decree of 26 February 2018, specifies that this hosting activity is carried out:
« 1° On behalf of natural or legal persons, controllers within the meaning of Law No. 78-17 of 6 January 1978, who are at the origin of the production or collection of these data;
2° On behalf of the patient himself. »
Thus, under article R. 1111-8-8 I of the CSP, health data may be hosted either on behalf of a controller (1°) or on behalf of the patient himself (2°).

On behalf of a controller

Article R. 1111-8-8 I 1° of the CSP specifies that hosting « on behalf of natural or legal persons » is carried out on behalf of « controllers within the meaning of Law No. 78-17 of 6 January 1978 ».
Now, processing carried out on behalf of a controller is precisely what the General Data Protection Regulation (GDPR) defines as processing by a processor.
According to Article 4(8) of the GDPR, a « processor » is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
A health data host acting « on behalf of natural or legal persons, controllers within the meaning of Law No. 78-17 of 6 January 1978 » is therefore a processor within the meaning of the GDPR.
It follows that, where health data are hosted on behalf of a controller, the rules cited above refer to hosting by a processor, that is to say external hosting, and not to the internal hosting of such data.

On behalf of the patient « himself »

As regards hosting on behalf of the « patient himself », article R. 1111-8-8 does not describe the patient as a « controller ».
The patient himself is not a controller within the meaning of the GDPR: he acts « in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity » (GDPR, Recital 18).
Such processing therefore does not make the patient a controller.
This does not, however, exclude the application of the GDPR to controllers or processors which provide the means for processing personal data to persons acting in the course of such personal or household activities.
Recital 18 of the GDPR states: « However, this Regulation applies to controllers or processors which provide the means for processing personal data for such personal or household activities. »
In other words, a processor may act on behalf of a controller, but also on behalf of a private individual acting for personal or household purposes.
Accordingly, the hosting of health data provided for in article L. 1111-8 of the CSP must be understood as hosting carried out by a processor acting on behalf of a controller, or on behalf of the patient « himself ».
By contrast, the specific rules governing the hosting of health data do not appear to apply to the « internal » hosting of health data by a controller.

2/ Internal hosting by a controller

A person who hosts health data internally does not act as a processor, on behalf of a controller or of the patient « himself ».
A doctor or a healthcare facility does not act on the instructions of, or on behalf of, its patients. It holds health data in a medical record, which is strictly regulated by the CSP.
Similarly, an occupational health service within a company does not act on the instructions of, or on behalf of, its employees, nor, in the case of an inter-company occupational health service (SSTI), on behalf of its member companies. These bodies act as controllers under the applicable rules (French Labour Code).
All of these persons determine the purposes and means of the processing in accordance with the applicable rules, and not on the instructions of patients, employees or members.
Hosting of health data within the meaning of articles L. 1111-8 et seq. of the CSP, by contrast, is carried out « on behalf of » another person, and therefore as a processor.
Doctors, healthcare facilities and occupational health services therefore do not appear to be processors, and hence are not health data hosts within the meaning of those articles.
Moreover, Decree No. 2018-137 of 26 February 2018 on the hosting of health data (HDS) states that it « determines the conditions of application of the obligation, for any natural or legal person at the origin of the production or collection of such health data, to use a certified or accredited hosting provider when outsourcing the storage of the data for which it is responsible ». [1]
The decree of 26 February 2018 therefore does not appear to apply to the « internal » hosting of health data, and such hosting should not be subject to HDS certification or accreditation.
In addition, it is clear from the government's own explanation that « by this framework, the legislator wishes to guarantee trust in the third parties to which structures and professionals in the health, social and medico-social sectors entrust the health data they produce or collect (…) ». [2]
The government thus reads its own decree as targeting hosting by third parties to the controllers, in other words external hosting.
Internal hosting of health data should therefore not be subject to the certification and/or accreditation provided for by article L. 1111-8 of the CSP.
This of course does not mean that these persons escape the obligation to secure such data (article 32 of the GDPR) or the obligation to comply with interoperability and security standards (article L. 1110-4-1 of the CSP).
Conversely, a processor hosting health data on behalf of a controller or of a patient must ensure that it is duly certified and/or accredited. This is the case, for example, of a patient asking a host to back up their data in a cloud service, or of a healthcare facility (hospital or clinic) asking a processor to host its medical records.
It should also be noted that the hosting activity is not limited to data backup but extends to IT outsourcing (article R. 1111-9 of the CSP), and that the contract for hosting health data is strictly regulated by article R. 1111-11 of the CSP. Finally, the host, as a processor, must comply with the GDPR, and in particular with Article 28.
In any event, the articles of the CSP on who qualifies as a health data host are unclear and inconsistent with the GDPR.
In its opinion of 12 October 2017 on the draft decree on the hosting of health data, the CNIL had already pointed out the lack of precision in the definition of a health data host (HDS). [3]
Legal certainty and the security of personal data are two very different things, but they are closely linked: there can be no security of personal data without sound legal certainty.