The Computerised User File (DUI) in Social and Medico-Social Services (ESMS)

November 19, 2025

A Tool Supporting Quality of Care and Data Protection

In a context where digital technologies are profoundly transforming social and medico-social establishments and services (ESMS), the Computerised User File (DUI) has emerged as a genuine lever for improving the quality of support, enabling better coordination between professionals and enhanced data security.

Although the implementation of a DUI remains a complex undertaking (resistance to new practices, overall project cost sometimes high due to software acquisition, maintenance and training, and ongoing challenges with interoperability between heterogeneous systems), it is nonetheless a real driver of trust, fostering both high-quality support and respect for users’ privacy.

What exactly is the DUI?

The DUI is a software solution that centralises all information relating to the person being supported: administrative, social and medico-social data, assessments, reports, personalised support plans, exchanges between professionals, and the full history of care.

The objective is simple: to improve information sharing between stakeholders, while securing data and placing the user at the centre of their care pathway.

Although Law no. 2002-2 of 2 January 2002 made it mandatory to maintain a user file and ensure traceability of actions carried out, the obligation to computerise this file is more recent. With the latest digital health reforms (instruction of 24 September 2021, order of 21 July 2022, and decree of 31 May 2023), the deployment of the DUI is gradually becoming mandatory as part of the “ESMS Numérique” national programme, led by the National Solidarity Fund for Autonomy (CNSA) and the Ministry of Health and Prevention.

This national plan aims to equip all medico-social structures with a DUI that complies with a reference framework ensuring security, interoperability, data sharing and GDPR compliance.

Personal data protection at the heart of the DUI

The implementation of a DUI fully aligns with the requirements of the General Data Protection Regulation (GDPR). Indeed, the DUI centralises a large amount of personal—sometimes sensitive—information (health status, life history, support reports, social data), requiring heightened vigilance by ESMS.

The DUI supports GDPR compliance through the following:

Technical measures

  • Data encryption
  • Regular backups
  • Secure authentication
  • Defined and enforced access authorisations

Organisational measures

  • Collecting only the data necessary and ensuring its accuracy
  • Implementing retention periods
  • Establishing internal confidentiality procedures and providing complete information to users
  • Enabling users to exercise their rights

Controlled information sharing

Information is shared only with the professionals involved or through secure platforms such as Mon Espace Santé.

Before signing a contract, ESMS must:

  • Verify that the software provider uses HDS-certified hosting for health data, in accordance with Article L.1111-8 of the Public Health Code, which requires that electronically stored health data be hosted by a certified Health Data Host or an authorised health institution.
  • Check the security features (authentication, traceability, access logs, data encryption, etc.).
  • Review the provider’s privacy policies to ensure they meet legal obligations.
  • Request evidence of compliance, such as internal audit reports, ISO 27001 certification, or HDS attestations.

The contract with the software provider must specify not only the technical and organisational security measures but also all obligations set out in Article 28 GDPR regarding data processing by a processor (respective responsibilities, audit rights, data hosting location, downstream processors, cooperation in the event of a data breach within 72 hours, etc.).

GDPR compliance does not stop once the contract is signed. The ESMS must regularly audit the provider and verify that security measures remain up to date and effective.

The Data Protection Officer (DPO) therefore plays a key role in monitoring and advising on the ongoing compliance of the DUI.

Conclusion

Introducing the DUI supports a more coordinated, secure and transparent approach to assisting vulnerable individuals.

This unified digital file has a promising, increasingly connected future, as interoperability is currently being developed with the Shared Medical Record (DMP). This connection, led by the French Digital Health Agency (ANS), will allow healthcare and medico-social professionals to quickly access essential information, improve care coordination and strengthen continuity of support—while respecting GDPR requirements and medical confidentiality.
