Ensuring General Data Protection Regulation Compliance and Security in a Clinical Data Warehouse From a University Hospital: Implementation Study

• Published in: JMIR medical informatics Vol. 13; p. e63754
• Main Authors: Riou, Christine, El Azzouzi, Mohamed, Hespel, Anne, Guillou, Emeric, Coatrieux, Gouenou, Cuggia, Marc
• Format: Journal Article
• Language: English
• Published: Canada JMIR Publications 17.04.2025
• Subjects: Advanced Data Analytics in eHealth; Big Data; Computer Security - legislation & jurisprudence; Computer Security - standards; Confidentiality - legislation & jurisprudence; Confidentiality - standards; Data Warehousing - standards; eHealth Infrastructures; Electronic Health Records - standards; France; Guideline Adherence; Hospitals, University; Humans; Ontologies, Classifications, and Coding; Original Paper; Policy; Research Infrastructures and Registries; Secondary Use of Clinical Data for Research and Surveillance; Security in Digital Health; France; personal data protection; privacy; university hospitals; personal data; security; French; data hub; clinical data warehouse; compliance; experiential analysis; applicability; operational challenge; France; legislation
• ISSN: 2291-9694; 2291-9694
• DOI: 10.2196/63754

The European Union's General Data Protection Regulation (GDPR) has profoundly influenced health data management, with significant implications for clinical data warehouses (CDWs). In 2021, France pioneered a national framework for GDPR-compliant CDW implementation, established by its data protection authority (Commission Nationale de l'Informatique et des Libertés). This framework provides detailed guidelines for health care institutions, offering a unique opportunity to assess practical GDPR implementation in health data management. This study evaluates the real-world applicability of France's CDW framework through its implementation at a major university hospital. It identifies practical challenges for its implementation by health institutions and proposes adaptations relevant to regulatory authorities in order to facilitate research in secondary use data domains. A systematic assessment was conducted in May 2023 at the University Hospital of Rennes, which manages data for over 2 million patients through the eHOP CDW system. The evaluation examined 116 criteria across 13 categories using a dual-assessment approach validated by information security and data protection officers. Compliance was rated as met, unmet, or not applicable, with criteria classified as software-related (n=25) or institution-related (n=91). Software-related criteria showed 60% (n=15) compliance, with 28% (n=7) noncompliant or partially compliant and 12% (n=3) not applicable. Institution-related criteria achieved 72% (n=28) compliance for security requirements. Key challenges included managing genetic data, implementing automated archiving, and controlling data exports. The findings revealed effective privacy protection measures but also highlighted areas requiring regulatory adjustments to better support research. This first empirical assessment of a national CDW compliance framework offers valuable insights for health care institutions implementing GDPR requirements. While the framework establishes robust privacy protections, certain provisions may overly constrain research activities. The study identifies opportunities for framework evolution, balancing data protection with research imperatives.