Key Benefits:
National Computer and Liberties Commission,
Entering by the Minister of Social Affairs and The health of a request for an opinion on a draft decree in the Council of State establishing the processing of personal data for the purpose of carrying out a medical-economic study on the protocol of the Cooperation " ASALEE ", implemented by the IRDES, the CNAMTS and the Association ASALEE;
In view of the Council of Europe Convention 108 for the protection of persons with regard to the automatic processing of personal data;
In view of the Directive 95 /46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and the free movement of such data;
Seen Public Health Code, in particular articles L. 4011-1 and following;
Given the social security code, including its article L. 161-28-1;
Seen Law n ° 78-17 of January 6, 1978 as amended relating to computers, files and freedoms, including its article 27-1 (1 °);
Seen section 44 of Law No. 2007-1786 of December 19, 2007 of Social Security Funding for 2008 modified;
Seen decree n ° 2005-1309 of 20 October 2005 modified for the application of Law n ° 78-17 of 6 January 1978 relating to computers, files, and Freedoms;
In view of the Decree of 6 February 2009 establishing the processing of personal data, Shared Directory of Health Professionals " (RPPS);
In view of the decree of 12 July 2012 on the establishment of a personal data processing operation called ADELI for the management of registration and departmental lists of certain professions and professional titles ;
In view of the decree of 19 July 2013 on the implementation of the National Intersystem Information System for Health Insurance;
After hearing Mr Nicolas COLIN, Commissioner, in his report, and Mr Jean-Alexandre SILVY, Commissioner of the Government, in its observations,
Emet the following opinion:
The protocol for cooperation between general practitioners and nurses called " ASALEE " (team liberal health action) is implemented in accordance withArticle 44 of Law No. 2007-1786 of 19 December 2007 Social security funding (LFSS) for 2008 as amended. The economic model associated with this protocol is based on two assumptions:
-a delegation of tasks, initially reporting to physicians, to nurses, which would allow physicians to focus on other medical care and activities;
-the quality of screening and/or follow-up of patients would be Improved, which would result in better health and less health care in the medium term.
The Committee was referred by the Minister for Social Affairs and Health for an opinion on a draft Council of State decree on the evaluation of this protocol.
This draft The decree provides that this medical-economic evaluation is entrusted to the IRDES (Institute for Research and Documentation in Health Economics). The objective is to allow the public authorities to assess the efficiency of the device and to rule on the conditions for a possible generalization.
To this end, it is expected that two data sources will be matched:
-the Information system implemented by the Association ASALEE (hereinafter ' IF ASALEE "), which contains the patient health data tracked as part of the experiment;
-SNIIRAM (National Intersystem Information System for Health Insurance) to retrieve patient care data Follow up with this device.
In order to allow the matching of these two data sources, the draft order under review by the Commission provides for the use of the national identification number registration number Natural persons (or " NIR ") Patients affected by the experiment.
In accordance with Article 27-1 (1) of the Act of 6 January 1978, as amended, " Are authorised by decree in the Council of State, taken after reasoned opinion and published by the National Commission on Informatics and Freedoms ", the processing of personal data implemented on behalf of the State" Which relate to data including the registration number of persons in the national directory for the identification of natural persons ".
On the purpose of processing:
Article 1 of the draft decree provides for the purpose
" carry out a study on the effects of the ASALEE cooperation protocol on:
-release of available medical time by effective substitution of patient follow-up between physicians and nurses;
-improved quality of patient tracking;
-health status and care consumption of patients Patients. "
The Commission considers that this processing of personal data, implemented for the purposes of carrying out the evaluation, would serve a public health purpose.
The Commission considers that this purpose is As determined, explicit and legitimate within the meaning of Article 6-2 ° of the law of 6 January 1978, as amended.
However, it notes that the draft decree submitted to it is entitled: Decree [...] authorising the creation of an automated treatment for experiments in new modes of remuneration provided for in Article 44 of the LFSS for 2008 (ENMR) ".
The Commission questions the relevance of this title with regard to Purpose described in Article 1 of the aforementioned draft decree. The processing of personal data does not apply to all the experiments provided for in Article 44 of the LFSS 2008 but relates to the evaluation of Module No 3 of the NCMs, relating to cooperation between professionals
this case, the Commission recommends that the title of the order be defined more precisely.
On the nature of the data processed:
Article 2-1 of the draft decree lists the various categories of personal data necessary for the assessment
1. In the case of data relating to health professionals.
The draft decree refers to the data referred to in Article 2 of the orders " RPPS " (Order of 6 February 2009 establishing the processing of personal data referred to as " Shared Directory of Health Professionals ") And " ADELI " (order of 12 July 2012 on the establishment of a personal data processing operation called ADELI for the management of registration and departmental lists of certain professions and professional titles), namely Personal identification data (RPPS or ADELI number, surname, first name, date and place of birth, ...), and data relating to the exercise of the profession (diplomas, occupation, entry in order, contact details, activities and structure ...).
The Commission notes that the technical file attached to the application Notice provides for the treatment of a more restrictive list of health professional data than the one set out in the draft order.
It also states that the relevance of the processing of certain data (such as identity Health professionals, their nationality, the languages spoken, their personal addresses ...), although they appear in the aforesaid orders, is not justified in this case in order to attain the objective pursued by the draft decree, while in Application of the provisions of Article 6 of the Act of 6 January 1978 as amended, The data must be adequate, relevant and not excessive in relation to the purpose of the processing.
As a result, the Commission requests that the data relating to health professionals be more precisely defined by the decree So that only the relevant data for the evaluation is processed.
2. With regard to data relating to the persons affected by the evaluation of the
Protocol With regard to persons monitored under the ASALEE protocol, the draft decree provides for the collection of their NIR and, where appropriate, the collection of their NIR Right, date of birth, gender, ASALEE case number, data relating to their medical follow-up and associated risk factors, and their care consumption data from SNIIRAM.
For other persons who Are not part of the ASALEE protocol while being supported by the As participants in the Memorandum of Cooperation, the draft order provides that they will be included, for comparison, in the assessment of the device. To this end, it is foreseen that no directly identifying data will be processed and only the care consumption data from the SNIIRAM would be collected.
The Commission considers that this data is relevant to the Continued.
On the duration of data retention:
Article 2-II of the draft decree provides that the data will be used for the duration necessary for the evaluation of the ASALEE and the maximum for a period of five years, which corresponds to the expected duration of the evaluation
The Committee considers that such a period of use does not exceed the length of time required for the purposes of processing.
On recipients of the data:
Article 3 of the draft decree describes the circulation of data.
The Commission notes that this article does not specify the use to be made by the CNAMTS of data relating to health professionals transmitted to it By the Association ASALEE.
It recalls that, pursuant to Article 6 of the law of 6 January 1978 amended, the data must not be further processed in a way incompatible with the purposes for which they initially Has been collected and requests that the decree in the Council of State specify which Data relating to these health professionals CNAMTS will then communicate to the IRDES.
On the Rights of Persons:
The information and the exercise of the rights of persons recognised by the law of 6 January 1978 are described in Article 4 of the draft decree.
First, the information of health professionals will be provided by the association ASALEE and patient information by the doctor who takes care of them.
The Commission points out that the prior information of patients included in the ASALEE scheme must specify the voluntary and voluntary nature of their participation in the The assessment and the absence of a consequence on the management or Reimbursement of those who would refuse to participate. In addition, patients must be informed of the possibility of ending their participation at any time as well as the practical arrangements for exercising their rights as provided for by the law of 6 January 1978 amended and, in particular, the rights Access and rectification of data concerning them.
As regards patients not included in the ASALEE scheme, the draft decree provides that they will be informed but does not detail the details of this information. The technical file attached to the request for notification provides for information by way of display in the doctors' waiting rooms. If this arrangement is in fact preferred, the Commission requests that section 4 of the proposed Order-in-Council specify or refer to the above technical file.
The Commission takes note of the fact that the consent of health care professionals will be Collected for use of their RPPS or ADELI ID number. The consent of the patients included in the ASALEE scheme will also be collected if they wish to participate in the evaluation of the ASALEE protocol.
Subject to the previous observations, the Committee considers that the modalities of information
In the second place, the draft decree provides that the rights of access and rectification provided for in Articles 39 and 40 of the Act of 6 January 1978, as amended, shall be exercised with the President of the Association ASALEE, The Director General of CNAMTS and the Director of FIRES.
Finally, The draft order expressly dismisses the application of the right of opposition for persons who, although not part of the ASALEE protocol, are taken care of by the participating health professionals. The Ministry of Social Affairs and Health states, in fact, that all consumption data for these patients are extracted from the SNIIRAM by the CNAMTS with the professional identification number (RPPS or ADELI). Since the NIR of these patients is not treated and their identity is not sought, they remain unknown to the CNAMTS and the IRDES, so that these bodies are unable to make a right to an opposition to the treatment.
The Commission Considers that this argument is admissible and that the Ministry is entitled to apply the last paragraph of Article 38 of the amended Act of 6 January 1978, which provides that the right of opposition may be ruled out by an express provision of the act Authorizing processing. It asks, therefore, that the decree be supplemented in this sense.
Other ways of exercising human rights do not, as a matter of course, require any comments from the Commission.
On data security and traceability Actions:
The Commission wishes, given the sensitivity of the data processed, that particular attention be paid to security measures in order to ensure security and, in particular, the confidentiality of data.
Article 2-Ill of the draft
Committee stresses that the security obligation provided for in Article 34 of the Law of 6 January 1978 is to be maintained and transmitted. Amended to apply to the processing of personal data in its As a whole and not only for the preservation and transmission of data. Thus, the Committee proposes that Article 2-Ill be amended as follows
" In accordanceArticle 34 of Law No. 78-17 of 6 January 1978 amended, the CNAMTS, the IRDES and the ASALEE association, each for its part, process the data under conditions to ensure its safety. "
Draft article 3 describes the modalities for the movement of data. In particular, it provides that the NIR shall be informed in the IF ASALEE " In a secure manner " And can only be accessed by the attending physician or nurses engaged in ASALEE cooperation.
Thus, the NIR will be encrypted as soon as it is seized by the nurses in the IF ASALEE. Since the encryption system has not been implemented so far, the department has proposed two scenarios:
-a solution that includes the encryption key of the NIR is provided by the MOISE service (Control of IT in the strategy and the Studies) of CNAMTS. The encryption algorithm used would be an asymmetric, public key and private key algorithm;
-the ASALEE association implements a solution to encrypt NIR, the encryption key being managed by the SI ASALEE administrator.
In The first case, since the MOISE service does not have the authority to access the database, it will not be able to decrypt the data.
The Commission then requests that the IF ASALEE only have the public key, the private key being held only By CNAMTS officers entitled to process the NIR in order to generate the identifiers To request data in the SNIIRAM.
In the second case, the SI ASALEE administrator could access and decrypt the data.
In order to comply with the security obligation of section 34 of the law n ° 78-17 of January 6, 1978 modified, the Commission considers that measures should be implemented in order to To prevent clear NNIR access to IF ASALEE administrators. It thus recommends the solution consisting of the CNAMTS provision of the encryption key as described above. It also requests that draft article 3-II be amended to clarify that access to encrypted NIR is reserved for the assumptions needed for the missions of authorized personnel.
In addition, it calls for formalization and implementation Implementation of a key management policy including the creation, retention, protection, access and renewal of encryption keys.
On the management of clearances:
The II of draft Article 3 provides for: That " Only the staff of the association ASALEE specifically designated and entitled to that effect by its President shall be authorised to access the data referred to in b, c and d of 2 ° of I of Article 2 of this Decree to the extent that they are Strictly necessary for the performance of the tasks entrusted to them.
Article 3 IV allows CNAMTS authorised agents to extract data from the SNIIRAM relating to all patients who have consulted a doctor participating in the experiments in the new methods of remunerations, which they do Party to ASALEE or not.
The draft order does not mention the clearances of IRDES staff. The Commission asks for clarification in the draft decree that only the staff participating in the ASALEE protocol evaluations can access the data.
On access control:
Access to the ASALEE IS is done by The use of an electronic certificate and password or the use of an identifier and password coupled with a one-time password received by SMS. The complexity of the passwords is in line with the Commission's recommendations.
As regards access to data by authorized CNAMTS agents, the documents transmitted specify that this is the classic SNIIRAM access.
The Committee recalls that it recommends that passwords be composed of three distinct types of characters, that they must be changed every six months (a simple reminder does not appear sufficient) and that a hash algorithm Robust and containing a secret for password retention (HMAC-SHA-256) Be used. In addition, it recalls that in July 2013 it requested that a risk analysis be carried out to ensure that the SNIIRAM's security measures are adequate. To date, it has not received the results of the risk analysis.
As far as the IRDES staff are concerned, the access control is operated by an identifier and a password consisting of a minimum of eight characters, consisting of three types of Different characters: two uppercase, six lowercase, vowels and consonants, and two numeric values.
On Traceability:
Access and action on data by the staff of the CNAMTS as well as by the staff of the ASALEE association are traced.
In the IRDES, the committee calls for automatic traceability to be implemented. This implementation shall provide for measures to ensure the safety of these traces, in particular their continuity and integrity, as well as the rights of access to these data and their shelf
. To be aware of this traceability.
On data transfers:
The V of draft Article 3 provides for data transmissions by the association ASALEE to the CNAMTS or IRDES. These transmissions are made " Under conditions to ensure its safety ". Thus, the data will be encrypted and made available to the CNAMTS or the IRDES on a server of the approved host for the hosting of health data. In order to retrieve the information, the CNAMTS and IRDES must first retrieve an electronic certificate from the approved host. The encryption keys will be transported in the certificates.
In addition, the confidentiality of data transfers will be ensured by using secure protocols.
The VIII of draft Article 3 provides for the transfer of data between CNAMTS and IRDES. Thus, the data extracted in the SNIIRAM by the CNAMTS is transmitted to IRDES. Under conditions to ensure its safety ". These transfers will be made by CD-ROM or USB stick transmitted by bearer, with the data already encrypted.
On the retention of data:
Draft article 3-V provides that as soon as the association ASALEE has transmitted the data to the CNAMTS and FIRDES, elle " Delete the file transmitted and keep no trace ".
Draft article 3-VIII provides for the deletion of the data received and collected in the SNIIRAM by the CNAMTS after a period of two months in order to verify that they have been
The Commission points out that measures will have to be implemented in order to ensure the permanent removal of the files from storage media in conditions that comply with the state of the art
The IRDES, the data is stored on a server present in the premises, internal and without access Internet. The Commission takes note of the fact that the data will be kept encrypted.
The personal data of the persons included in the survey are only kept within the IS ASALEE. IRDES staff cannot access this information.
Subject to previous observations, the security measures described by the controller are in conformity with the security requirement laid down in Article 34 of the Law of 6 January 1978 as amended.
The Commission points out, however, that this obligation requires the updating of security measures in relation to the regular reassessment of risks.
Other points of the draft decree do not call, as is In the light of the law of 6 January 1978 amended, other observations of the Committee.
For the Chair:
Associate Vice-President,
M.-F.
Mazars
