Key Benefits:
The National Commission for Computer Science and Freedoms,
Seizure by the Minister of Labour, Employment and Social Dialogue of a request for notice concerning a draft decree authorizing the implementation of the automated processing of personal data called "I-MILO";
Considering the Council of Europe Convention No. 108 for the Protection of Persons with regard to the automated processing of personal data;
Considering Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of natural persons with regard to the processing of personal data and the free flow of such data;
Having regard to Commission Regulation (EC) No. 1828/2006 of 8 December 2006 establishing the modalities for the execution of Council Regulation (EC) No. 1083/2006 of 11 July 2006 on general provisions on the European Regional Development Fund, the European Social Fund and the Cohesion Fund;
Having regard to Regulation (EU) No. 1303/2013 of the European Parliament and of the Council of 17 December 2013 on common provisions relating to the European Regional Development Fund, the European Social Fund, the Cohesion Fund, the European Agricultural Fund for Rural Development and the European Fund for Ocean Affairs and Fisheries, with general provisions applicable to the European Regional Development Fund, the European Social Fund, the Cohesion Fund and the European Fund for Ocean Affairs and Fisheries (EC) No. 1083/2006
Having regard to Regulation (EU) No. 1304/2013 of the European Parliament and Council of 17 December 2013 on the European Social Fund and repealing Council Regulation (EC) No. 1081/2006;
Vu le Labour codeincluding articles L. 5131-4 et seq., L. 5134-110 et seq., L. 5311-1 et seq., L. 5314-1 et seq.;
Vu la Act No. 78-17 of 6 January 1978 modified in relation to computing, files and freedoms, including article 27-1 (1°);
Vu le Decree No. 2005-1309 of 20 October 2005 modified for application of Act No. 78-17 of 6 January 1978 related to computing, files and freedoms;
Vu le Decree No. 2007-1303 of 3 September 2007 Amending the national rules for the eligibility of program expenditures co-financed by structural funds for the period 2007-2013;
Vu le Decree No. 2014-580 of 3 June 2014 relating to the management of all or part of European funds for the period 2014-2020;
After hearing -Ms. Laurence DUMONT, Commissioner, in his report and Mr. Jean-Alexandre SILVY, Commissioner of the Government, in his comments,
Provides the following notice:
The Minister of Labour, Employment, Vocational Training and Social Dialogue has referred the National Commission on Informatics and Freedoms to a request for advice, prior to the implementation of a personal data processing called "I-MILO".
The "I-MILO" treatment is a unique national information system for the follow-up of young people between 16 and 25 years old, through local missions for the professional and social integration of young people.
This treatment is the new version of the information system, known as "Shortcuts", used by local missions and reception, information, and guidance (PAIO) permanences for several years.
The "Short 1" treatment implemented in 1990, with the goal of monitoring young people in individualized credit-training, has evolved until 2012.
The current version "Parcour 3" has become obsolete.
In addition to the necessary technical improvements, in particular in the context of the dematerialization of assisted contracts, one of the novelties of the "I-MILO" treatment is the use of the registration number of people in the national identification directory (NIR) that will be collected and processed in the tool for the purpose of identifying young people.
The development and operation of "I-MILO" is entrusted to a private operator under a public service delegation agreement.
The management of the relationship with young people remains the sole responsibility of the local missions, since the proposed treatment includes the NIR, its implementation must be authorized by decree, taken after informed and published opinion of the Commission, in accordance with the provisions of Article 27-I (1°) of the amended Act of 6 January 1978.
On the controller and the implementation officers:
Section 1 of the draft decree (hereinafter "the project") authorizes the Minister responsible for employment, in his capacity as responsible for the implementation of the public employment service, to create an automated processing of personal data with the aim of allowing local missions for the professional and social integration of young people to carry out their duties.
It is specified that the local missions are responsible for the implementation of the treatment, so far entrusted to the General Delegation for Employment and Vocational Training (DGEFP).
The Commission notes that PAIOs are also using "I-MILO" and considers that they should be mentioned in the project in the same way as local missions.
The commission recalls that it is the responsibility of the ministry to ensure that the conventions and partnerships entered into at the local level by the local missions are in conformity with the project and, consequently, with the provisions of the computer law and freedoms of 6 January 1978 as amended.
On the end:
According to Article 2 of the draft submitted to the Commission's review, the "I-MILO" treatment is created to allow local missions to "implement a concerted local policy of insertion, as well as actions of insertion, consultation and evaluation, in accordance with the missions that are carried out by them by the provisions of articles L. 5314-2 of the Labour Code "
Local missions must ensure the continuity of youth care throughout their journeys, including effective follow-up. The "I-MILO" treatment therefore aims to improve the orientation and care of young people and the construction of the appropriate insertion paths to drive them to autonomy, taking into account their needs.
The "I-MILO" treatment also responds to the internal management and management needs of the activities of the structures but also to the production of statistics that can be disseminated to third parties such as the state services, as indicated in Article 5 of the project.
It is the result of discussions with the Government that the purpose of the treatment is not to combat fraud, but to provide the guarantee of the absence of duplicates.
The Commission notes that the purposes of the "I-MILO" treatment are identical to those of "Parcours 3", and considers that they are determined, explicit and legitimate.
Finally, the Commission notes that the "I-MILO" treatment allows the creation of specific modules to meet possible complementary needs of local administration or missions.
She recalls that if the implementation of these modules made an amendment to the I-MILO treatment that came out of the common framework established by the project, the ministry should amend the decree in that sense.
If the implementation of such modules leads to the creation of a new treatment for the exclusive benefit of one or more local missions, it will be up to these local missions to carry out pre-conditions with CNIL.
The commission recalls that as the person responsible for the treatment the ministry is responsible for the compliance of the amended 6 January 1978, as part of its implementation within the local missions.
Data processed:
Article 3 of the project regulates the categories of information recorded in the "I-MILO" treatment.
The data collected and processed under the "I-MILO" treatment are annexed to the project submitted to the commission. These data correspond to eight categories and relate to:
1. Data relating to the identification of the young person: civility, birth name, usual, marital, patronymic, first names; date and place and birth, INSEE code of the communes and country of birth, if applicable the indication of birth abroad, indication of a parent born abroad, sex; Registration number on the National Register for the Identification of Physical Persons (NIR), personal addresses in France and abroad, nationalities, date of expiry of the residence permit, telephone/fax and e-mail address, professional addresses, registration assigned by the processing, identification number of the young person and type of room.
2. Data on the family situation: marital situation and the household (life in households or single-parent families, number of children or dependants), contacted by legal representatives if the young person is a minor.
3. Occupational life data: training, diplomas, qualifications, labour market status (employment or training), level of training, schooling, last initial training system, last academy or region of origin, driver's license, languages practiced, student's internal registration number in the interdepartmental information exchange system, held and exercised qualifications, previous experiences.
4. Data relating to the situation of the young person following employment: duration without employment, registration in Pôle emploi, identification applicant for employment (IDE), duration of registration in Pôle emploi, information relating to the employer, information relating to the training agency, information relating to legal devices for social inclusion.
5. Data relating to the situation with regard to social assistance: indication of the status of beneficiary of social minima, registration and duration of aids, number of individual contractors, disability status.
6. Data on social difficulties of persons: indication of housing difficulties.
7. Data relating to the follow-up of the young person by the local mission: date, type and terms of maintenance, agent having carried out the maintenance, refer to the young person; data relating to his/her journey: theme and code of action, wording of action, date of creation, realization and status of action, amount of allocation, amount of allowances paid, date and reason of completion of course, information on job offers, information on employers to its training : formacode (reference code for all professional training actors), entitled of training, ROME of the job sought, qualification code of the job sought, specificities of the ROME, end of course date, appellation, validation level of the job sought, qualification level of the job sought.
8. Data relating to local mission personnel, namely: civility, birth name, usual, marital, patronymic, first names, date of birth, primary professional telephone number, fax number, primary professional e-mail, name and address of the local mission, local mission e-mail, local mission telephone, functions.
The Commission notes that the information on the birth of a parent abroad meets the obligations set out in Regulation No. 1304/2013 of the European Parliament and the Council, which imposes on Member States an individual and continuous monitoring of participants, and common indicators for certain populations. The answer to this question is optional.
It notes that, with the exception of the NIR, the data is identical to those processed in "Course 3".
With regard to the use of the NIR, the Department planned to use this data, on the one hand, to allow local missions to manage the implementation of the devices it has in charge of and, on the other, to identify the young people in charge.
The commission takes note that this data is collected directly from the young person at the time of the proposed statute of limitations of the assisted contract and the constitution of the dematerialized file.
It notes that local missions already have this information, even though they are not allowed to process it.
In fact, when enabling assisted contracts, local missions must indicate the NIR in the forms in order to trigger the payment of the aids allocated by the service and payment agency.
In addition, the use of the NIR is desired by the Minister to limit the risk of errors in seizure, homonym, patronymic, doubling cases during the first contact with the young person, in the event of a change in local mission or a merger of two or more local missions, particularly in view of the large number of young people followed (1.4 million young people are monitored each year).
The Commission recalls that, if it fully measures the Government's concerns regarding the identification of persons and its concern for having a reliable and sustainable identifier, it nevertheless remains particularly attentive to the risks that the extensive use of a particularly meaningful national identifier such as the NIR entails for freedoms.
CNIL remains vigilant on the limitation of NIR use to the health and social sphere and recommends the use of identifiers specific to each sector of activity.
The Commission therefore invites the Government to undertake a reflection on the creation of specific sectoral identifiers.
In addition, it notes that the project under consideration only authorizes the Minister of Labour, Employment, Vocational Training and Social Dialogue to create the "I-MILO" treatment implemented by local missions, and emphasizes that it does not take NIR's treatment authorization for other actors involved in the professional integration of young people.
Therefore, actors who are not already authorized to process the NIR by a legal provision or by a CNIL authorization, if they wish to process this data, will have to initiate a process of compliance with the law in which they will be asked to justify the relevant and indispensable nature of this data in the context of the treatment envisaged.
Section 6 of the project provides that the "I-MILO" treatment is intended to be linked to automated treatments of communities and organizations that contribute to the youth's professional integration.
These interrelationships are subject to the prior information of the commission, pursuant to the II of Article 30 of the amended Act of 6 January 1978, and, if necessary, to the modification of the formalities made with the commission prior to the implementation of these treatments, as provided for in Article 12 of the draft.
Finally, the Commission notes that articles 6 and 12 of the project do not mention the territorial authorities that are recipients of the data and whose treatments can be linked with I-MILO as part of the follow-up of young people in their career development path.
The Commission notes that the department has committed to amending these articles in this sense.
Other personal data collected do not call for specific observations.
The Commission considers that the treatment of all previously targeted data is adequate, relevant and not excessive in relation to the purposes pursued.
On data retention period:
Article 7 of the project provides that the information recorded in the treatment of the young person is available until the date of his or her twenty-sixth anniversary, with the exception of those concerning your young people enrolled in a program that is underway on that date and that is regularly monitored in this context. In this case, this data and information is accessible to the end of the program or measure.
They are then directly anonymized with the exception of the data collected under the programmes and measures co-financed by the European Social Fund (ESF) which are subject to intermediate conservation for a period of nineteen years for the sole purpose of monitoring and audits under the SF programmes. These data are then anonymized after this deadline.
Indeed, the FSE national programme of European Union cohesion policy is planned for seven years. Its closure occurs at best two years after the end of the programming period. In addition, the European Commission is in a position to conduct controls on the use of funds allocated for ten years from the close of the programme.
This period is extended by the suspension of a period following a judicial procedure or, in the case of a co-financing by the European Social Fund, at a reasoned request from the European Commission.
With regard to these elements, the Commission considers that these data retention periods do not exceed those necessary for the fulfilment of the purposes pursued.
On the recipients:
Article 5-I of the project mentions the recipients of personal data and Article 5-II lists the recipients of anonymized data.
Access to data is conditioned by the authorization of agents, who have access only to the data required for their mission, as part of their function.
The commission notes that each local mission accesses its data exclusively from which it retains control, even in a shared hosting configuration_
It is of the view that, for reasons of data protection and confidentiality, the transfer of a file from one structure to another must have been authorized by the department, being specified that the department does not access the content of the records.
The Commission also notes that the "I-MILO" treatment allows the transmission to recipients responsible for the control of the management of the FSE funds, pursuant to the new EU Regulation No. 1303/2013 and No. 2014-2013 of Parliament which imposes a strengthening of the monitoring and evaluation systems.
It notes that DARES is among the recipients of the nominal data required for point longitudinal studies and non-nominative data as part of its statistical assessment and development mission.
The Commission recalls that these recipients should receive only the information strictly necessary to carry out their missions.
About the information of people:
The persons affected by the "I-MILO" treatment will be informed, in accordance with section 32 of the amended Act of 6 January 1978, by a mention in the first reception form and by posting in the premises of local missions.
The Commission considers that the measures for information of persons are satisfactory.
On the rights of access, rectification and opposition of persons:
The Bill provides that the rights of access and rectification, as provided for in sections 39 and 40 of the amended Act of 6 January 1978, shall be exercised directly with the Director of the local mission to which the person concerned reports.
It expressly excludes the application of the right of opposition on legitimate grounds, as the last paragraph of section 38 of the amended Act of 6 January 1978 permits.
These provisions of the draft relating to the rights of access, rectification and opposition do not call for observation by the commission.
On treatment safety:
The Commission notes that a registration procedure for the General Security Reference (GRS) is planned and will aim to ensure the security of exchanges between the jurisdictions concerned.
It also notes that "I-MILO" is concerned by the security alert issued on 15 October 2014 by the Government Centre for Monitoring, Warning and Response to Computer Attacks (CERT). The commission was informed by the department that an action plan was under way to address the vulnerability of the SSLv3 Secure Protocol as soon as possible. In this regard, the Commission considers it essential that the patch be applied to the "I-MILO" treatment prior to the opening of access to the application.
Enabling profiles defining functions or types of information accessible to a user have been defined and access to the "I-MILO" treatment is secured by the implementation of an authentication by identifier and password consistent with the commission's preconizations.
Data exchanges are carried out through secure channels and, in particular, the data transmitted is encrypted.
In addition, all consultation operations, creation, updating, removal are traced and retained for seven months.
The Commission recalls that safeguards must be taken to ensure data security and in particular the use of the NIR.
Subject to its comment on the alert issued on 15 October 2014 by the CERT, the security measures described by the controller are in accordance with the security requirement set out in section 34 of the amended Act of 6 January 1978. However, the Commission recalls that this requirement requires the updating of security measures in the context of regular risk reassessment.
The Chair,
I. Falque-Pierrotin
