The Computerised User File (DUI) in Social and Medico-Social Services (ESMS)

A Tool Supporting Quality of Care and Data Protection

In a context where digital technologies are profoundly transforming the social and medico-social sector for establishments and services (ESMS), the Computerised User File (DUI) has emerged as a genuine lever for improving the quality of support, enabling better coordination between professionals and enhanced data security.

Although the implementation of a DUI remains a complex undertaking (resistance to new practices, overall project cost sometimes high due to software acquisition, maintenance and training, and ongoing challenges with interoperability between heterogeneous systems), it is nonetheless a real driver of trust, fostering both high-quality support and respect for users’ privacy.

What exactly is the DUI?

The DUI is a software solution that centralises all information relating to the person being supported: administrative, social and medico-social data, assessments, reports, personalised support plans, exchanges between professionals, and the full history of care.

The objective is simple: to improve information sharing between stakeholders, while securing data and placing the user at the centre of their care pathway.

Although Law no. 2002-2 of 2 January 2002 made it mandatory to maintain a user file and ensure traceability of actions carried out, the obligation to computerise this file is more recent. With the latest digital health reforms (instruction of 24 September 2021, order of 21 July 2022, and decree of 31 May 2023), the deployment of the DUI is gradually becoming mandatory as part of the “ESMS Numérique” national programme, led by the National Solidarity Fund for Autonomy (CNSA) and the Ministry of Health and Prevention.

This national plan aims to equip all medico-social structures with a DUI that complies with a reference framework ensuring security, interoperability, data sharing and GDPR compliance.

‍

Personal data protection at the heart of the DUI

The implementation of a DUI fully aligns with the requirements of the General Data Protection Regulation (GDPR). Indeed, the DUI centralises a large amount of personal—sometimes sensitive—information (health status, life history, support reports, social data), requiring heightened vigilance by ESMS.

The DUI supports GDPR compliance through the following:

Technical measures

• Data encryption
• Regular backups
• Secure authentication
• Defined and enforced access authorisations

Organisational measures

• Collecting only the data necessary and ensuring its accuracy
• Implementing retention periods
• Establishing internal confidentiality procedures and providing complete information to users
• Enabling users to exercise their rights

Controlled information sharing

Only with the professionals involved or through secure platforms such as Mon Espace Santé.

Before signing a contract, ESMS must:

• Verify that the software provider uses HDS-certified hosting for health data, in accordance with Article L.1111-8 of the Public Health Code, which requires that electronically stored health data be hosted by a certified Health Data Host or an authorised health institution.
• Check the security features (authentication, traceability, access logs, data encryption, etc.).
• Review the provider’s privacy policies to ensure they meet legal obligations.
• Request evidence of compliance, such as internal audit reports, ISO 27001 certification, or HDS attestations.

The contract with the software provider must specify—not only technical and organisational security measures—but also all obligations set out in Article 28 GDPR regarding data processing by a processor (respective responsibilities, audit rights, data hosting location, downstream processors, cooperation in the event of a data breach within 72 hours, etc.).

GDPR compliance does not stop once the contract is signed. The ESMS must regularly audit the provider and verify that security measures remain up to date and effective.

The Data Protection Officer (DPO) therefore plays a key role in monitoring and advising on the ongoing compliance of the DUI.

Conclusion

Introducing the DUI supports a more coordinated, secure and transparent approach to assisting vulnerable individuals.

This unified digital file has a promising, increasingly connected future, as interoperability is currently being developed with the Shared Medical Record (DMP). This connection, led by the French Digital Health Agency (ANS), will allow healthcare and medico-social professionals to quickly access essential information, improve care coordination and strengthen continuity of support—while respecting GDPR requirements and medical confidentiality.

‍