Key Benefits:
The National Commission on Informatics and Liberties,
Seizure by the Minister of Labour, Employment, Vocational Training and Social Dialogue of a request for advice on the implementation of Personal data named " Personal training account information system " ;
Having regard to Convention 108 of the Council of Europe for the protection of persons with regard to the automatic processing of personal data;
Having regard to Directive 95 /46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of natural persons with regard to the processing of personal data and the free movement of such data;
Seen the Job, including its articles L. 6323-1 and later;
Seen Law n ° 78-17 of January 6, 1978 as amended relating to computers, files and freedoms, in particular its Articles 27-1-1 ° and 27-11-4 °;
Seen Law n ° 2014-288 of 5 March 2014 on vocational training, employment and social democracy;
Seen Order No. 2005-1309 of October 20, 2005 modified Taken for the application of Law n ° 78-17 of 6 January 1978 relating to computers, files and freedoms;
After hearing Mr. Eric PERES, Commissioner, in his report, and Mr. Jean-Alexandre SILVY, Commissioner of the Government, in his observations,
Emet the following opinion:
The Minister for Labour, Employment, Vocational Training and Social Dialogue appealed to the National Commission on Informatics and Freedom of a Request for an Opinion, prior to the implementation of a processing of data of a character Personnel named " Personal training account information system " (Sl-CPF).
In terms of its characteristics and purposes, the treatment " SI-CPF " Is a treatment implemented on behalf of the State, which includes, inter alia, registration numbers of persons in the national directory for the identification of natural persons, and which also includes the making available of users of the The administration of a teleservice of electronic administration.
On the purposes of processing:
Under Articles 1 and 2 of the draft decree submitted for examination by the Commission, the treatment " SI-CPF " Is created to implement the device " Training personnel account " (CPF), which will enter into force on January 1, 2015, as set out in the Labour Code.
This processing must allow:
-to manage the rights listed or mentioned in the personal training accounts;
-to offer the holders of a personal training account, through an Internet access portal, the possibility of Consult the number of hours credited to their accounts and to benefit from information on eligible training and the complementary abundances that may be requested;
-make available to each holder of a CPF sound Orientation, training and skills passport;
-to analyze Statistical point of view on the use of the CPF and evaluate its implementation.
The Commission considers that these purposes are determined, explicit and legitimate.
It nevertheless wishes to draw the attention of the Department to the fact that Persons may not have access to the Internet, their place of work and their homes, or may encounter difficulties in using the services available from that network.
In order to meet the obligations of the Provisions of job code, it appears that the department should provide, in parallel to the Internet access portal, a process that allows people to Able to access the Internet, or encounter difficulties in using the services offered from this network, to enjoy the same rights and opportunities as those available to people who can access the Internet.
On the Nature of Data Processed:
Article 8 of the draft decree submitted to the Commission's opinion mentions that the " SI-CPF " Can be powered by the relative automated processing:
-National Identity Management System;
-social data collected by the National Social Data Processing Centre;
-social data collected by the Agricultural Social Mutuality;
-data Social data collected under the activities referred to in articles L. 6331-55 (intermittent employees of the show) and L. 6331-65 (performing artists) of the Job ;
-automated processing of organizations Authorized collectors' forwarders (OPCA) to supply the number of overtime and corrective hours account;
-to the interdepartmental monitoring and support system for young people leaving the initial training systems without a diploma or Professional qualification.
The II of Article 8 of the draft decree provides for the treatment " SI-CPF " May be connected, solely in the context of the fulfilment of its purposes, with automated processing of the communities and bodies responsible for the financing of training (recognised joint collecting body, joint body Approved under the individual leave for training, region, employment, development funds for the vocational integration of the disabled) and those of the professional development consulting organisations mentioned in article L. 6111-6 of the job code.
These relationships are subject to the Commission's advance information, in Application of Article 30 of the Act of 6 January 1978 amended, and, if necessary, the modification of the formalities performed with the Commission prior to the implementation of such processing.
The data collected and processed in The treatment framework " SI-CPF " Are annexed to the draft decree submitted to the Commission. These data correspond to five categories and are relative:
1. To the personal information of the account holder:
-National physical person identification number (NIR or social security number) registration number;
-creation date in CPF repository;
-sex;
-civility;
-business name, common, Married, given names;
-date and place of birth;
-indication of persons with disabilities;
-personal addresses in France and abroad;
-address of workplace;
-telephone (s) and e-mail address ;
-date and certified or assumed character of death.
2. To the data corresponding to the hours accounts:
-hours acquired under the individual right to training;
-hours entered on the training personal account;
-information on the nature of the rights period And inactivity (with reason for inactivity), date taken into account;
-Employer's Siret number;
-occupation code;
-working time;
-working time rate;
-compensation for the incumbent.
3. Data on training files:
-eligible training;
-history of operations performed on the CPF;
-input input fields by the incumbent;
-training title;
-complete training title;
-date of the agreement Holder for the mobilization of his hours CPF;
-number Siret of the training organization;
-the social reason of the training organization;
-total duration of the training in expected hours/total duration performed;
-total cost of the training Planned euro training/final total cost;
-date of training;
-objective Training;
-highest level obtained by the trainee;
-trainee status;
-socio-professional category of the trainee;
-if salaried trainee: number Siret, employer's name and address, URSSAF, code APE/NAF, employer strength, Enterprise OPCA, IDCC/CCN code, imputation;
-possible compensation on 0.2 %;
-training " Presential " Or remotely;
-partial certification;
-internal/external training;
-training content;
-pace of training;
-contact training;
-training path;
-mandatory input level;
-level code Entry;
-specific conditions;
-support for possible costs
-input-output modality;
-training location;
-registration address;
-organization coordinates;
-contact organization;
-information Specific
-target public code;
-funding:
-balance of rights acquired under the personal training account available in hours;
-balance of individual entitlement to training in hours;
-rights acquired in hours under the training personnel account mobilized for training ;
-hours of individual right to training mobilized for training;
-cost of training in euros, for educational costs, annexes, and amount of remuneration supported;
-for complementary financing, by Funder, and by type of funder, name of funder, number of hours Financed, amount financed in euros, comment.
4. Data for orientation, training and skills passports:
-evading and training followed;
-diplomas and certifications obtained;
-qualifications held and exercised;
-work experience;
- Skills and competencies;
-driver's license;
-foreign languages;
-assertiveness.
5. To the organization managers' technical directory data:
-first and last name;
-employer organization;
-function.
With respect to the use of NIR, the department indicated that the processing of this information is justified in terms of the need for certain identification of the incumbents CPF, estimated at more than 41 million people, under technical conditions to achieve the expected technical performance for the management of 21 million lines for calculation and updating of rights.
The Commission reports The department is aware of the sensitivity of this data and that it has Provided in exchange for the compliant guarantees " To the state of art " As to its use, in particular to ensure security and confidentiality of exchanges and hosting.
Other personal data collected do not require any particular comment.
The Commission considers that the The processing of all the data referred to above is adequate, relevant and not excessive in relation to the purposes pursued.
The Commission wishes, however, to recall that, if it fully measures the concerns of the Government concerning How people are identified and how they are to be disposed of Nevertheless, it remains particularly attentive to the risks associated with the extensive use of a particularly significant national identifier such as the NIR
The application of the provisions of the law led the CNIL to limit the use of NIR to the sphere of health and the social sphere, and to recommend the use of specific identifiers for each business line.
Also, the Commission Invites the Government to reflect on the creation of the Specific sectoral identifiers like the specific identifiers of the Ministry of Education ("NUMEN") And " INE ") And the Tax Administration ("SPI" And " FIP ").
In addition, elf notes that the draft decree submitted to its examination only allows the Minister of Labour, Employment, Vocational Training and Social Dialogue to create a treatment called " SI-CPF ", which is intended to be implemented by the Caisse des depots et consignations.
As a result, the players who are not already authorised to create a treatment bearing in particular NIR in this framework, by a legal provision taken After the opinion of the Commission or by an authorisation of the Commission, must, if they wish to deal with this data, initiate a process of compliance with the law of 6 January 1978 amended, in which they will, in particular, be required to Justify the relevance and necessity of using the NIR in relation to the On
point, the Commission takes note of the fact that the draft decree submitted to the Commission will be amended to allow the bodies referred to in Article 6 and 7 of the project to use the NIR in the course of processing ' SI-CPF ", and for the sole purpose of identification of CPF holders.
It will also be specified that the draft decree constitutes a single regulatory act, in reference to which compliance commitments will have to be addressed to the Commission by Management bodies prior to the implementation of the treatment.
The Commission considers that it would be appropriate for the draft decree to also point out the obligation for each of the bodies to put in place appropriate measures in order to Ensure the security and confidentiality of data collected for the Rights management in CPF.
On data retention time:
Article 9 of the draft order provides that processing data " SI-CPF " Will be retained until the expiration of three years from the death of the CPF holders.
It also provides that this period, in the event of a dispute, will be extended until a final judicial decision is
. Ministry services justified the retention of CPF data until the death of the holders by the existence of the rules of cumulation " Employment I Retirement ", which allows a person to resume or continue to engage in a professional activity after claiming his or her right to retirement, and the fact that new occupational training rights may Therefore intervene after the opening of pension rights and, therefore, justify the non-suppression of the CPF data in order to guarantee the maintenance of the corresponding rights.
About the retention period of 3 years starting at Run from the death of the CPF holders, the department indicated that this is the Time required for the Directorate of Research, Studies and Statistics (DARES) to carry out its tasks, including the conduct of surveys and statistical studies on employment, work and training Professional in France in order to inform the design and implementation of public policies in these areas, in particular through the monitoring and evaluation of the results of the policies
. Indirectly nominative data in the context of a purpose The need to carry out the annual evaluation of the CPF as provided forArticle L. 6323-9 of the Code Work.
To the extent that the report of the National Council on Employment, Training and Vocational Guidance should focus on the consumption of CPF hours, but also on qualitative elements to measure Potential inequalities in access to vocational training (sex, age, diplomas, employment, geographical location, etc.), it is indeed necessary to retain personal data in order to prepare it.
However, the Commission takes note of the fact that Statistical sub-purpose and evaluation of the FPC, NIR and nominative data (names/names) will not be processed, on the one hand, and the department has provided that the organizations responsible for statistics or evaluation of the FPC will not be able to Directly recover the data necessary for these missions from the database containing The entire data of the " S1-CPF ', of the other
. In the light of these elements, the Commission considers that the retention periods for the data provided for in the draft decree do not exceed those which are necessary for the fulfilment of the purposes
. Nevertheless, it is necessary, in particular in the light ofArticle L. 6323-1 of the Labour Code , for a CPF to be closed When the holder is allowed to claim the whole Of his pension rights, that the accounts of the incumbents who have reached the statutory retirement age are closed, without deleting the corresponding data, which will leave the possibility of reactivating accounts in the event of a recovery Vocational training.
On the recipients of the data:
Article 5 of the draft decree examined by the Commission indicates that CPF holders can directly access the data Concerning them, via the Internet site access portal " www.moncompteformation.gouv.fr ", as well as constituting and updating their personal information, training records and orientation, training and skills passports.
Article 6 of this text Then specifies the list of persons entitled to access the processing data directly " SI-CPF ", which is:
-the staff of the Caisse des depots et consignations ensuring the management of the treatment" SI-CPF " For data strictly necessary for the performance of their missions, or for the establishment and updating of data relating to hours and training accounts;
-for the maintenance and updating of data relating to the Hours accounts, training project, sources of funding in hours and amount of training:
-the officers of the communities and bodies responsible for financing the training and mentioned at the 3 ° (recognised joint collecting body), 4 ° (joint body approved for the individual training leave), 7 ° (region), 8 ° (Pôle emploi) and 9 ° (development funds for the vocational integration of persons with disabilities) of the II of Article L. 6323-4 of the Labour Code ;
-Agents of Evolving Consulting Agencies Work referred to inArticle L. 6111-6 of the Labour Code, for data relating to the hours of Training, the history of training followed or the content of the orientation, training and skills passport, where this body has been authorised for that purpose by the account holder;
-the agents of the employers who manage the Financing of training under the individual right to the Training mentioned in Articles L. 6323-1 and following of the Labour Code.
Finally, Article 7 of the draft decree Provides that the personal data strictly necessary for the performance of their tasks are to be addressed by:
-the agents of the National Old Age Insurance Fund as part of the mission to manage the personal pain prevention account vested in it by the article L. 4162-11 of the Labour Code ;
-the agents of the Directorate of Research, Studies and Statistics and the organizations it mandates by means of research agreements, for statistical purposes To evaluate the devices or research;
-the officers of the General Delegation for employment and vocational training, in particular as part of the evaluation provided for in article L. 6323-9 of the Labour Code.
The Commission considers the above bodies to be of interest Legitimate to have direct access or to receive the data provided for in the draft order considered by the Commission
People information:
The people involved in the treatment " SI-CPF " Shall be informed, in accordance with Article 32 of the law of 6 January 197 as amended, by a reference inserted in the access portal to the Internet site " www.moncompteformation.gouv.fr ".
The Commission considers that the measures provided for the information of persons are satisfactory.
On the rights of access, rectification and opposition of persons:
The draft decree provides that the rights of access and rectification, as provided for in Articles 39 and 40 of the Law of 6 January 1978 as amended, shall be exercised directly with the Correspondent Informatique et Libertés de la Caisse des Depots et
It expressly dismisses the application of the right of opposition on legitimate grounds, as the last paragraph of section 38 of the amended Act of January 6, 1978 allows.
These provisions of the draft order in respect of rights Of access, rectification and opposition do not require observation by the Commission.
On data security and action traceability:
The Commission notes that a risk study has been carried out in accordance with the General Safety Repository (RGS) and that a licensing procedure is under
. Commission notes that data exchanges are carried out through secure channels and that access to certain sensitive data, including social security numbers (NIR), has been secured by appropriate technical solutions.
However, The Commission notes that the portal to the website ' www.moncompteformation.gouv.fr " Is concerned with the security alert issued on 15 October 2014 by the government centre for monitoring, alert and response to computer attacks (CERT). The Commission was informed by the Ministry that an action plan was under way to correct the vulnerability of the SSLv3 secure protocol as soon as possible. In this respect, the Commission considers it essential that the correction be applied to the treatment " SI-CPF " Before opening access to the application.
The Commission notes that clearance profiles define the functions or types of information available to users.
In addition, access to the remote service is secured by the implementation Authentication through passwords whose complexity is consistent with the Commission's recommendations.
The Commission also notes that a logging functionality for creation operations, updating And data deletion has been defined, and the duration of the Retention of traces is proportionate to their purpose of detecting fraudulent access.
Subject to its observation relating to the alert issued on 15 October 2014 by the CERT, the security measures described by the controller Are in conformity with the security requirement laid down in Article 34 of the Law of 6 January 1978 as amended.
The Commission points out, however, that this obligation requires the updating of security measures with regard to the regular reassessment of the Risks.
The President,
I. Falque-Pierrotin
