► “The risk of access by the American authorities is real”
Thomas Dautieu, director of compliance for the CNIL.
The Health Data Hub aims to make better use of health data for medical research purposes, something everyone should welcome. However, the centralization of a very large number of such sensitive data, and their access by outside organizations, calls for special vigilance.
As such, the CNIL will soon rule on the security of the technological solution hosting the HDH. Regarding the choice of Microsoft, the CNIL wanted the HDH to use data hosting services falling exclusively under the jurisdictions of the European Union. It felt, with the current provider, that the risk of access by the American authorities was real, and must disappear.
The Ministry of Health has also undertaken to use a technical solution that prevents the data hosted by the HDH from being exposed to possible illegal access requests with regard to the General Data Protection Regulation (GDPR) within a period of between 12 and 18 months and, in any event, not exceeding two years. The CNIL considers that this period seems likely to guarantee a fair balance between the preservation of the right to the protection of personal data and the objective of promoting research and innovation in the field of health.
► “You have to be pragmatic”
Bernard Nordlinger, professor of surgery, president of the Ethical and Scientific Council for research, studies, and evaluations in the field of health.
When the Health Data Hub was launched in 2019 to host public health data from France, the teams toured the hosting providers and found that the players available in Europe (Orange, OVH, etc.) did not offer a sufficient technical framework, unlike Microsoft. Choosing a European “cloud” for the sake of sovereignty would have compromised the quality of the platform, access to data and therefore ultimately research. Choosing a European host and asking them to adapt to technological needs would have taken time.
However, there is no time to waste when it comes to medicine. The CNIL and associations have referred the matter to the Council of State, expressing their fears that certain data may be transferred to the United States, the parent company of Microsoft, where the regulations are not the same. But the servers are hosted in Europe, and subject to French legal rules.
I am not naive, I know there is no such thing as zero risk. But I am a surgeon, so I have a pragmatic temperament. I’m used to weighing the risk-benefit balance and it tilts on the benefit side. This is a transitional situation until we have a sovereign cloud.