Health data hosting: deciphering forthcoming developments
Locations
Several texts will soon have an impact on the rules governing the hosting of health data.
The 1st one is a draft order, notified by the Digital Health Delegation to the European Commission, designed to amend the decree of 11 June 2018 approving the accreditation framework for certification bodies and the certification framework for the hosting of personal health data.
The 2nd text is the "Securing and Regulating the Digital Space"(SREN) bill, including provisions relating to the Protection of strategic and sensitive data in the cloud computing market impacting the regime.
Draft order amending the HDS certification reference framework
The main changes made to the standards are intended to:
- clarify the activities for which hosting providers have obtained certification, in particular by specifying the definition of the activity of administering and operating healthcare systems (as not including SaaS publishers);
- improve the clarity of the guarantees provided by the hosting provider to each service provider using its services;
- clarify the contractual obligations of the hosting provider;
- incorporating changes to the ISO 27001 standard into the HDS certification framework.
In addition, the risk of data being transferred outside the European Economic Area (EEA) and issues of sovereignty are addressed through new requirements relating to sovereignty and transparency obligations:
- storage of health data on the territory of a member state of the European Economic Area;
- two transparency requirements for hosting providers vis-à-vis their customers:
- information about any transfer or remote access to customer data from a territory outside the European Economic Area (EEA) that does not ensure an adequate level of data protection within the meaning of Article 45 of the GDPR, and the organisational and technical measures implemented to control this transfer;
- information on any subjection to non-EU regulations that may entail a risk of access to data by an organisation located in a country that does not ensure an adequate level of data protection within the meaning of Article 45 of the GDPR, and the measures taken to mitigate this risk;
- a transparency requirement vis-à-vis potential customers: the hosting provider must make public and keep up to date detailed information on any transfers of data it hosts to a country outside the EEA and on the measures taken to ensure compliance with the RGPD.
These sovereignty obligations are less strict than those of SecNumCloud V.3 .2, with DNS stating: "Pending the outcome of discussions at European level on the future European standards (EUCS - European Cybersecurity Certification Scheme for Cloud services), the decision has been made not to align ourselves, for the time being, with the requirements in terms of extraterritorial immunity set out in the French standard known as "SecNumCloud version 3.2", adopted by the ANSSI (French information systems security agency)".
To find out more about the changes introduced to the draft reference framework, click here.
SREN Bill
The bill was the subject of an amendment, which provoked strong reactions, aimed at modifying art. L1111-8 CSP and impose SecNumCloud certification: "From 1 July 2024, in the case of digital archiving using a cloud computing service." This amendment was rejected in the latest version of the text.
The text does, however, include European sovereignty requirements for sensitive data - including health data - and security requirements.
The authorities must ensure that the cloud computing service provided by a private service provider implements security and data protection criteria guaranteeing, in particular, that the data processed or stored is protected against unauthorised access by public authorities in countries outside the European Union.
If, on the date of entry into force of the text, the State administration or its operator has already undertaken a project requiring the use of a cloud computing service [that does not meet these criteria], a waiver of these requirements may be requested. A decree will specify the terms and conditions for applying these requirements, in particular the security and protection criteria, including in terms of capital ownership, for sensitive data, and the conditions under which a waiver may be granted for projects already undertaken.
Lastly, the regime for electronic archiving of health data will be aligned with that for hosting, making service providers subject to HDS certification from a date to be set by decree, but no later than 1 July 2025.
Article also published on DSIH.
