Key Benefits:
(Saisine no. 08030953)
The National Commission for Computer Science and Freedoms,
Seizure for advice by the Ministry of Health, Youth, Sports and Associative Life on 24 December 2008 of a draft decree in the Council of State concerning the Common National Repertory of Social Welfare (RNCPS) accompanied by the associated technical file;
Considering the Council of Europe Convention No. 108 for the Protection of Persons with regard to the automated processing of personal data;
Considering Directive 95 / 46 / EC of the European Parliament and of the Council of 24 October 1995 on the protection of natural persons with regard to the processing of personal data and the free flow of such data;
Vu la Act No. 78-17 of 6 January 1978 relating to computing, files and freedoms, as amended by Act No. 2004-801 of 6 August 2004 on the protection of natural persons with respect to personal data processing, including section 27-1;
Vu le Decree No. 2005-1309 of 20 October 2005 taken for application of Act No. 78-17 of 6 January 1978 relating to computing, files and freedoms, as amended by Decree No. 2007-401 of 25 March 2007;
Given the Social Security Code, including its article L. 114-12-1 ;
After hearing, on March 12, 2009, M. M. Pierre Morange, M. Dominique Libault, Director of Social Security, and Mr. Benoît Parlos, National Delegate to Combat Fraud;
After hearing Mr. Jean Massot and Mr. Philippe Gosselin, commissioners, in their report, and Ms. Pascale Compagnie, Government Commissioner, in her comments,
Provides the following notice:
The commission was seized by the Ministry of Health, Youth, Sports and Associative Life of the draft decree in the Council of State concerning the Common National Repertory of Social Protection (RNCPS) provided for in article L. 114-12-1 of the Social Security Code and a technical record specifying, inter alia, the operation of the directory, the details of data categories processed, and the security measures envisaged.
Section L. 114-12-1 of the Social Security Code provides for the creation of a "common national directory to the organizations responsible for the management of a mandatory social security regime, to the funds providing the service of paid leave, to the institution referred to in Article L. 311-7 (1) of the Labour Code, relating to beneficiaries of benefits and benefits of any kind they serve".
Access to the repertoire is also available to organizations of the recovery branch, the territorial authorities for the social aid allocation procedures and, since the amendment of the Social Security Financing Act for 2008, the communal and intercommunal social action centres.
The directory contains "common data for the identification of individuals, information about their affiliation with the various regimes concerned, their connection to the organization that serves the services, their nature, the address declared to the organizations to collect them".
The identifier used by the directory is the registration number on the national directory for the identification of natural persons (NIR), the law referring to the implementing decree the care to determine the conditions for the identification of persons without having as well as the content and modalities for the management and use of this directory.
The draft decree submitted to the commission inserts ten articles after theArticle R. 114-18 of the Social Security Code (R. 114-19 to R. 114-28).
It authorizes the creation, by the Ministry of Social Security (Social Security Directorate), of a personal data processing referred to as "Common National Social Protection Repertory" implemented by the Caisse Nationale d'assurance vieuxsse des travailleurs wages.
The Commission notes, however, that the law already sets out the nature of the data contained in the directory, the recipients of the data and the principle of the use of the NIR as a directory identifier, on which the decree cannot return.
It therefore considers that article R. 114-19 resulting from the draft decree should make explicit reference to article L. 114-12-1 of the social security code for transparency. It takes note of the Government's commitment to amend the draft decree in this sense.
The Commission notes that the directory is likely to allow access to personal data concerning the entire French population and persons residing in a stable way in French territory. Indeed, as long as a person has open rights (malaria, unemployment, retirement...) or benefits from social security or social assistance, it appears as such in the directory. It also notes that the number of agents that can access the directory is likely to be particularly high.
Therefore, it considers that the creation of a new personal data processing of a national scale, including identity, the NIR, the address and data on the nature of the rights and benefits of beneficiaries must be accompanied by special guarantees, particularly in terms of security and confidentiality.
On the finals:
The NRCPS has a comprehensive purpose of controlling and combating fraud, which the draft decree contains four purposes:
1° The simplification of the rights and benefits beneficiaries' approaches through the sharing of information among organizations that is guaranteed reliability;
2° The optimization of the conditions for the opening, management and control of the rights and benefits of beneficiaries of social protection, including by: the identification of beneficiaries, the information of organizations on all of their connections, rights and benefits, and assistance in the detection of missing rights and benefits, as well as anomalies and frauds;
3° Rationalization and retention of data exchanges between social protection agencies and tax administrations mentioned in particular articles L. 114-12 and L. 114-14 of the Social Security Code, as well as those provided by the same Code with tax administrations;
4° The production of anonymous statistics for the purposes of quality control of procedures or enumerations relating to all the information contained in the NPSN.
According to information provided by the department, the officers responsible for instructing the files may, as appropriate, conduct audits in the NCPR as soon as they are duly authorized. Thus, in the course of an application requiring the consideration of rights opened by other organizations, the agent may verify that there has been no forgetting or anomaly.
The Commission notes that the NRCPS includes a decision aid module to detect "missing rights and benefits as well as anomalies and frauds".
The commission takes note of:
― that the NRCPS consultation is only an aid that complements the review of the situation on a case-by-case basis by an officer; no decision that produces legal effects on a person may be taken on the sole basis of the NCPR in accordance with section 10 of the amended Act of 6 January 1978;
– that it only detects anomalies in the cumulative benefits and missing entitlements and benefits;
– that the results obtained do not result in any automatic update of the directory or information system data of the organizations concerned.
Reliable identification of recipients and nationals is also one of the purposes of the NRCPS. The identification device must allow organizations to acquire elements that enable them to ascertain the identification of the person concerned in order not to omit the consideration of rights or benefits to which it may benefit or not to pay undue benefits as a result of an identification error. This concern is as much in the context of the directory consultation as in the context of exchanges made through the service proposed by the directory.
Within the NRCPS, the National ID Management System (SNGI) owned by the NRCAVTS will be used to certify the NIR of persons and verify their identity.In each consultation of the directory, the identification data of an individual held by an organization will be verified from the NIR by the SNGI to ensure that it is the right person.
The Commission considers that the certification of recipient NIRs, although not a purpose in itself, should be expressly mentioned in article R. 114-19 (2°) of the draft decree.
On recorded data:
Articles R. 114-20 and R. 114-21 resulting from the draft decree determine, respectively, the categories of personal data available through the NPSC and the modalities for collecting such data.
The draft decree distinguishes three main categories of personal data from several personal data processing:
― the common identification data including names and names, sex, dates and places of birth, if any mention of death, and NIR. These data are forwarded by the NSMS managed by CNAVTS in connection with INSEE during each NSPR consultation;
― centralized linking data with the identifiers of the organizations to which an individual is or has been attached in the past five years and, where appropriate, the areas of risk for the services managed by these organizations, the dates of start and end of tie-up, and the reasons for termination. These data are transmitted by each of the organizations concerned and updated under their responsibility;
― the additional benefit data for each of the rights or benefits:
the nature of the rights or benefits and their effective date;
the quality of the beneficiary in respect of each of these rights or benefits;
- the status of each of the rights or benefits, as well as the date of effect and the reason for that condition;
– the registered address for the opening of the law or the payment of the benefit, the mention of incidents on that address if the organization is aware of it, and if provided by the recipient, telephone numbers and email addresses.
The Commission notes that the additional delivery data remain localized in the information systems of the NCPR feeding agencies and are forwarded to the NCPR in real time to each consultation.
It notes that the directory does not contain any sensitive data, within the meaning of section 8 of the Act of 6 January 1978, as amended by the Act of 6 August 2004 and notes that the state of each of the rights or benefits, as well as the reason for this, does not disclose any mention of fraud.
On the NIR:
The Commission notes that all social welfare agencies are allowed to use the NIR within their missions in accordance with Articles R. 115-1 and following of the Social Security Code. The Assédic and the ANPE and today Pôle emploi can also use this issue in full legality since a decree of 17 December 1987 taken after favourable opinion of the commission.
With regard to the territorial authorities, she recalled that they were only allowed to use the NIR as part of the legal or regulatory mandates for social assistance and authorizing the collection of the NIR (e.g., RMI, social assistance to the elderly or disabled). However, with regard to "optional" assistance (not supervised by texts), the commission has always been reluctant to the generalization of NIR use.
The Commission takes note of the fact that the legislator has heard the imposition of the NIR as the NRCPS identifier for territorial authorities and CCAS. However, the Commission considers that this use of the NIR within the NRCPS framework should not lead to the systematic collection of this issue, particularly where no text warrants it or its collection is not relevant.
On the NIA (Numero waiting identifier):
In order to allow the identification, within the NRCPS, of persons pending the assignment of a NIR, it is planned to modify the SNGI to allow centralized management of the waiting ID numbers (NIA) and related identification files.
From the perspective of this very important functional development, it is already planned to include in the NCPR data on the benefits of the beneficiaries identified with an NIA.
The Commission notes that it will be seized by the CNAVTS of a formality file within one year.
On the address, telephone number and e-mail address:
According to section R. 114-20 (3°, d) resulting from the draft decree, for each of the rights or benefits of an individual, it is collected "the address declared for the opening of the right or the payment of the benefit, the date of effect of that address and the mention of incidents on that address if the organization is aware of it, as well as, if provided by the recipient, telephone numbers and email addresses".
If it does not belong to the commission to decide on the relevance of the collection of the address that is expressly provided for by law, it must nevertheless give an opinion on its modalities of collection and conservation as described in the draft decree in the Council of State.
The Commission notes that addresses are not registered in a centralized database and remain in the information systems of each of the contributors. In addition, there is no history of these addresses (only the last registered address is transmitted via the NRCPS). Thus, when an agent questions the NCPR, he or she can only obtain for a given individual the last address declared by that person to the organizations that serve him or her rights or benefits at the time of the consultation.
With respect to the telephone number and e-mail address, the draft Order specifies that these data are transmitted to the NCPR if provided by the recipient to the agency concerned.
However, the Commission notes that no specific information of the insured is considered with respect to the transmission of their contact information to other social welfare agencies and local authorities as well as with respect to the purpose of this transmission.
The Commission notes that the Government is committed to clearly informing individuals that the communication of their telephone number and e-mail address is optional and that, in the event of the communication of these data to a social security agency, they will be consulted by all NPSRC partners.
It would like this information to be general, including those who have already communicated their e-mail address and telephone number.
On the list of risks, rights and benefits, as well as organizations that manage them, entering the scope of the decree:
Article L. 114-28 resulting from the draft decree refers to an order to establish "the list of risks, rights and benefits as well as the organizations that manage them, entering the field of the decree".
The commission observes that it is not envisaged that this order be submitted to it for advice. The ministry proposes to publish these lists on the official "social security" portal. fr » to the extent that these changes in time. It states that, in any case, it can only be organizations or benefits within the scope of the law.
However, the Commission considers that this order should be submitted to it for advice in order to give its full effect to the last paragraph of Article L. 114-12-1 of the Social Security Code, which states that it is the decree made after CNIL's opinion that sets the contents of the directory.
It notes that the Government has only committed itself to sending the draft decision to the Government.
On shelf life:
The common identification data transmitted to the NNCPS by the SNGI are retained only during the consultation period. They are transmitted only when an individual is at least linked to one of the NCPR's partner organizations. Otherwise, the individual is not included in the NNCPS and no data from the NMS is then transmitted.
Centralized attachment data are retained for five calendar years following the end date of attachment. This period is justified by a generally applicable limitation period for social security benefits to all organizations.
In principle, additional benefit data are temporarily recorded during the consultation period. By exception, where a contributor is not in a position to transmit this data in real time, it may opt for data hosting by CNAVTS. The retention period of data and the updating modalities are determined by an agreement between the organization concerned and the CNAVTS.
The periodicity of updates to additional performance data cannot exceed one month.
The Commission notes that most national agencies have committed themselves to transmitting their data "in real time".
It notes, however, that article R. 114-22 resulting from the draft decree provides that "the content of the consultations, updates and exchanges as well as the traces of these operations are kept in a newspaper for one year from these operations". These newspapers are registered and maintained by the CNAVTS.
The Department had specified that the consultation log would have provided an opportunity to track the completeness of the data transmitted by the NCPR during an agent consultation. In particular, it would have been recorded: the identity of the person consulted, the data relating to the services and the corresponding analysis (detection of anomalies and missing rights) and the traces of connections (original request, date and time, operations performed, etc.).
When asked about the purpose of this conservation, the department had indicated that this journal would have facilitated the detection of errors. In the application and identify abnormal uses of the NCPR. This data will also be retained to respond, where appropriate, to requests from the judicial authorities.
The commission takes note of what the Government has finally waived to store the contents of the consultations and is committed to amending accordingly article R. 114-22 of the draft decree.
On the recipients:
Article R. 114-23 resulting from the draft decree distinguishes two categories of recipients from the data:
1. Individually designated and duly authorized officers of the agencies responsible for the management of a mandatory social security regime, funds providing the service of paid leave, of the institution referred to in theArticle L. 5312-1 of the Labour Code (Pôle emploi), organizations of the branch recovering the general regime. The organisms of the branch recovering the general diet do not contribute to the feed of the directory but may consult it.
2. Agents of the local authorities and communal social action centres, individually designated and duly authorized by the representative of the community or the municipal centre for the procedures for the allocation of any form of social assistance.
Thus, territorial authorities and CCAS can only consult the directory "for the allocation of any form of social assistance".
The Commission considers that the draft decree should specify the nature of the social aids concerned and in particular whether the so-called optional social assistance is included.
In addition, the Commission considers that the draft decree in the Council of State should specify the cases in which the territorial authorities and the CCAS can consult with the NNCPS as part of their social assistance missions.
On the NRCPS consultation modalities and the data exchange device:
The terms of consultation of the directory are set out in article R. 114-24 resulting from the draft decree. They vary according to the profile of the authorized agents and according to the organizations concerned.
The real-time consultation (from a NIR or NIA) may be conducted by all NRCPS partner organizations with the exception of the tax administration that cannot consult the directory.
In addition to the NIR and to secure the consultation, it was noted that the agent should in addition to the NIR enter the name of the person (or the name if the person is without a name). A concordance with the data extracted from the SNGI will be performed, which will have to be perfect on the first letters, up to the l5e if applicable.
The Commission considers that the entry of the completed IIR of the person's name is an important guarantee in terms of the security of the consultation and confidentiality of the data. It therefore considers that this guarantee should be expressly included in theArticle R. 114-24 of the Social Security Code.
The NRCPS consultation from a list of NIRs or NIAs or from pre-established requests can only be carried out by individually designated and duly authorized agents of the bodies responsible for the management of a compulsory social security regime, the funds providing the service of paid leave and employment. Consultations can only cover the population managed by the organization concerned.
When the consultation is made from a list of NIR (or waiting NIR), it is also necessary to provide the name and first name of the insured. A consistency with the data extracted from the SNGI will be achieved. The commission considers that the draft decree should also expressly mention this guarantee.
Consultation on other criteria that the NIR will be done through a catalogue of requests pre-established by the master of work, It is not expected that this pre-established request catalogue will be submitted for advice to the commission. However, the Commission considers that the list of requests should be communicated to it as part of an annual assessment.
The NRCPS also allows organizations to exchange data between them that may be separate from the directory data. This mechanism allows for the exchanges between social security agencies and the tax administration provided for in articles L. 114-12 and L. 114-14 and following of the Social Security Code.
The Commission notes that this device is not accessible by local authorities and CCAS.
It also notes that the NIR is not transmitted to tax administrations as part of these exchanges.
The device can be used either for exchanges already authorized by the commission or for new exchanges including new data or with a new purpose. In the latter case, it was indicated by the department that the commission will then have a formality file.
The Commission considers that section R. 114-25 should recall that new exchanges between tax agencies and administrations will be subject to the commission in accordance with the provisions of sections 22 to 27 of the amended Act of 6 January 1978.
It takes note of the Government's commitment to subject the new exchanges to the commission in accordance with Chapter IV of the amended Act of 6 January 1978.
On security:
The Department's evidence indicates that the physical protection of CNAVTS premises (DSINDS in Tours) provides security assurances that appear in accordance with the state of art.
However, within CNAVTS, the data is not encrypted. Given the magnitude of the NRCPS and the evolution of technologies, the Commission considers that a number of the NRCPS directory should be implemented as soon as possible. This encryption should be preceded by a technical and financial feasibility study that should be communicated to the commission.
The backups of the centralized directory are not encrypted while they are stored on a remote site where the place is kept confidential. As a result, the Commission considers that these backups should also be encrypted using a highly regarded algorithm to avoid access to unauthorized third parties in the event of loss or flight.
The Commission notes that the security of interconnections between partner organizations is based on the implementation of a secure protocol called INTEROPS. It considers that this protocol guarantees the authenticity of the transmitter and also ensures the confidentiality of the exchanges by encrypting communications between the CNAVTS and each agency (SSL 128-bits).
Given the very large number of agents that are likely to access the NCPR, the Commission considers that the monitoring and control of the authorizations is an essential point to ensure the security and confidentiality of the data.
The Commission notes that all of the authorizations are centralized by the CNAVTS in accordance with what is described in the technical file. However, it notes that it is expected that access to the NRCPS will no longer be through a portal (PARN and e-Service) but is directly integrated into the business applications of each organization. In these cases, CNAVTS would no longer control any authorization. It also takes note of the fact that a new technical file will be sent to it in the event of a change in the enabling management system.
The Commission considers that it should be informed as part of an annual report on the NCPR of the enabling procedures in place, the number of officers authorized by agency, and the precise nature of their use profiles.
The Commission further notes that the record of the consultations is recorded in a newspaper for a period of one year, in particular to allow for automatic monitoring of the interrogations and to detect possible abuse of consultation as well as misappropriation of use of the NRCPS by raising alerts to the qualified technicians of the CNAVTS. If necessary, these newspapers would be transmitted to the competent judicial authorities.
It considers that access to these newspapers that contain all information related to a consultation (the identity of the officer who consulted, the date and time of the consultation) is sensitive and therefore considers that it is necessary to provide appropriate security measures, including restricted access permits.
Finally, with respect to the exchange management service, the Commission notes that the data transmitted is not encrypted, which means that they are clear on the telecommunications provider's infrastructure. The Commission considers that appropriate security measures should be taken such as encryption of data exchanged by a well-known algorithm to ensure the confidentiality of exchanges in accordance with section R. 114-25 of the draft decree.
On the right of access and rectification of data:
The draft decree submitted to the commission states that:
the right of access provided for in section 39 of the amended Act of 6 January 1978 shall be exercised with CNAVTS;
- the right of rectification provided for in section 40 of the amended Act of 6 January 1978 shall be exercised for the common identification data, with the NAVTS and for the centralized linking data and additional benefit data, with the agency serving the benefit concerned;
- the right of opposition does not apply to this treatment, in accordance with the third paragraph of section 38 of the amended Act of 6 January 1978.
The DSS stated that it was not intended that people could access the logs containing the consultation data and in particular the results of the analyses specific to a recipient.
The Commission recalls that, pursuant to section 39 (5°) of the amended Act of 6 January 1978, any natural person justifying his or her identity has the right to question the person responsible for a treatment in order to obtain "the information that allows to know and challenge the logic that underlies the automated treatment in the event of a decision made on the basis of that person and that produces legal effects with respect to the person concerned. However, the information provided to the data subject shall not affect the copyright within the meaning of Book I and Title IV of Book III of the Intellectual Property Code."
If the decision to suspend a right (or open a right) is not automatically derived from the NRCPS consultation, this consultation associated with an analysis of benefits may, however, lead an agent to make a decision producing legal effects on a beneficiary on the basis of information provided by the NRCPS.
In this regard, the Commission emphasizes that any recipient who is opposed to such a decision must be able to access all information collected by the agent to make that decision, in accordance with Article 39 of the Act of 6 January 1978.
About the information of people:
The department plans to inform people in a number of ways:
― by a mention on the website of contributors;
― by adapting the different forms as necessary in the event of a next modification of them;
― by information posted in public places of reception.
The Commission takes note of these commitments. However, it considers that, given the extent of treatment, these measures are inadequate and not appropriate for persons in great social difficulty.
It considers that it would be necessary to strengthen the information of individuals through other measures such as:
― the publication of information documents on the NCPR made available at public reception sites;
– systematic information by organizations on the occasion of sending mail to insured persons.
On the implementation of an annual CNCPS assessment:
The Commission considers that the department should prepare an annual report on the NRCPS in partnership with CNAVTS. This assessment, which was communicated to the commission, should include:
– improvements made and planned in terms of simplification of the approaches for insured persons;
- the results of the control and control of fraud;
― the use statistics of the NNCPS;
― a description of the enabling procedures within partner organizations and the number of officers authorized to consult with the NCPR;
- a description of pre-established requests that have been put in place and to come;
– technical improvements made or to come in particular to ensure safety and monitor technological developments and the state of art;
a table summarizing the exchanges between organizations;
- the actions taken to inform persons of their rights;
― the actions taken to raise awareness and train NRCPS users of the amended Act of 6 January 1978.
The president,
A. Türk
