Key Benefits:
La Commission nationale de l' informatique et des libertés,
Seizure by the Minister of Social Affairs, Health and Women's Rights, on 28 July 2014 and by way of corrective action on 10 October 2014, of a request for an opinion on a project Decree in the Council of State authorising the processing of personal data by the managing bodies of compulsory basic sickness insurance schemes for the performance of the tasks of their social services,
Council of Europe Convention No 108 for the Protection of Persons to The automatic processing of personal data;
In view of Directive 95 /46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of natural persons with regard to the processing of character data Personnel and the free flow of this data;
Seen the Social Action and Family Code ;
Seen code Criminal, including section 226-13;
Given the Maritime Code and Rural Fishing Code ;
Seen Social Security Code ;
Due to Act No. 78-17 of January 6, 1978 modified Relating to computers, files and freedoms, in particular Article 27-I (1 °);
Vu Order No. 2005-1516 on electronic exchanges between users and administrative authorities and between administrative authorities;
Seen decree n ° 2005-1309 of 20 October 2005 modified for the application of Law n ° 78-17 of 6 January 1978 relating to computers, files, and Freedoms;
After hearing Mr Alexandre LINDEN, Commissioner, in his report and Mr Jean-Alexandre SILVY, Commissioner of the Government, in its observations,
Emet the following opinion:
The draft decree in the Council of State (hereinafter " The project ") Submitted to the committee for opinion aims to create a category of processing of personal data necessary for the exercise of the tasks of accompanying persons weakened by problems of health, disability or ageing The social services of health insurance. These treatments include the registration number in the national directory for the identification of natural persons (NIR) of insured persons.
they will be implemented by the National Health Insurance Fund for employees (CNAMTS), the Agricultural Social Mutuality (MSA) and the Social Regime of the Independents (RSI).
The draft submitted to the Committee is taken pursuant to Article 27-I (1 °) of the amended Act of 6 January 1978 which provides that " Are authorised by decree in the Council of State, taken after reasoned opinion and published by the National Commission on Informatics and Freedoms ", the processing of personal data implemented on behalf of a legal person Public " Data, which includes the registration number of individuals in the national directory for the identification of natural persons ".
article R. 115-1 of the social security code ( CSS) provides that " The bodies and administrations responsible for the management of a compulsory basic social security system and, where appropriate, the bodies authorised by law or by a convention to participate in the management of such schemes " Are authorized to use the NIR. These provisions are supplemented by those of Article R. 115-2 which states that " The authorisation given in Article R. 115-1 shall apply exclusively to the treatment carried out in accordance with the provisions of Act No. 78-17 of 6 January 1978 " And for purposes not included in the management of the social follow-up of insured persons.
Since these treatments are substantially different from those permitted by the existing regulations, they must be Authorised by a new decree in the Council of State taken after notice of the CNIL, pursuant to Article 27-I (1 °).
On the purposes of the treatments:
The project is concerned with the implementation of personal data processing intended for the performance of the social services missions of the managers of compulsory basic health insurance schemes.
Article 1 The scope and purposes of the treatments implemented in the context of the abovementioned activities of the health insurance.
These treatments are intended to enable:
" 1 ° The care and follow-up of the records of insured persons and their beneficiaries of the action of the social services of the basic health insurance bodies;
2 ° Management of the relationship with insured persons and their successors in title Beneficiaries of the action of the social services of the basic health insurance bodies, through:
-management of individual or collective service offerings;
-management of contacts, by mail or e-mail, by telephone or physical reception, and by teleservices;
3 ° Support for Populations exposed to a risk of precariousness referred to inArticle L. 262-1 of the Social Security Code, through Social assistance to the person, operations Collective interest or local social development operations;
4 ° Communication between the funds of the same scheme and between those funds and other social protection bodies, as well as, where they have competence in matters relating to Social services, the territorial authorities and their public establishments, the other bodies and associations, the information necessary for the performance of their tasks;
5 ° The piloting of the social service activity at the levels National, regional and local level and quality of service assessment To beneficiaries and their successors in title. "
With regard to Article 1 (4) of the draft, the Committee notes that the concept of" Communication " May cover the mere transmission of information to partner organisations which contribute to a common social action mission in the context of the implementation of the treatment or the creation of a special mechanism for sharing Information between these bodies.
In the first case, the Committee questions the advisability of mentioning this transmission to the number of purposes of the treatments.
In any event, the Commission takes note of the commitment of the Ministry to include the bodies referred to in Article 1 (4) to the number of
With regard to Article 1 (5), the Commission considers that, to the extent that the conduct of the activity of the social service is part of the production of statistics, as indicated by the Ministry, it must be Expressly mentioned in order to remove any ambiguity.
The committee does not dispute the legitimacy of putting in place statistical tools for social observation in order to better understand the populations assisted and to follow up the interventions Social policy to develop social action policies Appropriate. It takes note of the Ministry's commitments that the statistical analyses will cover previously anonymized data and that the draft decree will be completed on this point.
The Committee considers, subject to the previous observations, The creation of the abovementioned treatments and the purposes thus pursued are determined, explicit and legitimate.
On the categories of personal data recorded:
Article 2 of the draft provides for the treatment of categories of personal data relating to insured persons and their beneficiaries, beneficiaries of the social service. These data relate to:
-identification of individuals (NIR or NIA and date of assignment, family name, use, first name, sex, date and place of birth);
-their personal life (family situation, mailing address, telephone numbers and address Electronic, household composition (family name, name of use, first names, year of birth, relationship with the insured of the members of the household);
-the amount of household members' resources strictly necessary for the examination of situations Precariousness related to illness, disability or loss of autonomy (amount and Type of resources expenses, credits, debts); their employment situation (situation with regard to training, employment, professional status);
-data on the arrangements for taking care of health, where appropriate Their registration in a course of care, their eligibility for the benefit of the disability compensation, their classification according to the grid " Autonomy, gerontology, Iso resource group " (AGGIR), their partial permanent disability rate, the exemption from the user fee and the designation of a attending physician;
-notices of medical services and skills restrictions, where applicable, references to Consolidation, aggravation, unsuitability for work or work;
-their social cover (connecting agencies and affiliation schemes and their identifiers and contact information, benefit of universal health coverage, of the Complementary universal disease coverage or assistance with The acquisition of a health supplement);
-their social situation and the assessment of social difficulties, including family, friendly, neighbourhood or associative relations, strictly necessary for the assessment and treatment of the Problems relating to loss of autonomy and isolation;
-their situation vis-à-vis social bodies in relation to rights and benefits and entitlements;
-the information needed to support the Benefits in the context of health and social prevention and action, Containing the type and conditions of the housing, preventive and compensatory aids such as aid to the person or the household, technical assistance, home care, social action and optional aids;
-the data relating to the In the case of work stoppages, the payment of daily allowances for sickness, maternity, paternity, occupational accidents and occupational diseases and the payment of invalidity pensions, annuities following accidents at work and Occupational diseases or death capital;
-identification of Public and private, medico-social and associative institutional partners of the social worker for the care of the beneficiary of the action of the social service, namely, for legal persons, their type and their social purpose and, for the purposes of Physical persons, their first and last name, as well as postal, telephone and electronic contact information.
The Department indicates that the above data are required by the managing bodies of the mandatory basic systems of Sickness insurance in order to fulfil the tasks assigned to their service
, the Committee notes that the data collected in the context of the treatments envisaged vary according to the characteristics of the social situations encountered, the type of benefit or assistance requested and the nature of the Individual and collective actions to be performed.
It points out that the categories of data processed must be adequate, relevant and not excessive in relation to the strict need for social
. Act of the department's commitment that Article 2 (1) will be Completed as follows: " The salaries authorised by Article 1 of this Decree may relate to the following categories of data as regards social insured persons and their beneficiaries of the social service as soon as they are strictly Necessary and proportionate to the purpose of the treatment referred to in Article ".
The Commission points out that the use of the NIR must be limited to the purposes of Article 1 of the draft for the purposes of exercise By the managing bodies of mandatory basic systems of Health insurance for social security tasks entrusted to them by the law.
As regards the production of statistics, the Committee recalls that the development of statistical information systems from the action files In
, the Committee recalls that in application of the provisions of Article 6 (3 °) of the law of 6 January 1978 amended, the data collected must Be reliable and unambiguous and do not contribute to stigmatising Assisted people. For this reason, the typologies used must avoid any risk of subjective interpretation and be defined in consultation with social workers.
On the recipients or categories of recipients entitled to receive communication from This data:
Article 3 of the project provides that " The data referred to in Article 2 shall be addressed to the agents intervening in the care of insured persons and subject to a confidentiality obligation, individually empowered by the Director of each health insurance body for The exercise of their duties and to the extent necessary for the exercise of their duties. "
The Commission takes note of this and requests that a policy for the rigorous management of access clearances be implemented in this
. It takes note, as noted above, that the bodies referred to in the Article 1 (4) of the project will be targeted as recipients of the data in the context of their competence in social matters.
The exchange of information shall relate only to the data strictly necessary and proportionate to the The
points out that only bodies authorised to use the NIR as a user identifier may be able to do so. Addressees and acknowledges the department's commitment that the project will be completed in
In the case of the statistical analyses referred to in Article 1 (5 °), organisations may only receive pre-anonymized data.
On the duration of data retention:
Article 4 of the project provides that " Information relating to an insured person or a beneficiary of the action of the social service shall be kept for a maximum period of eighteen months after the closure by the social assistant of the individual or collective intervention
Beyond that period, this information may be archived for a maximum of three years in a separate logical environment. "
The Commission observes that the duration normally fixed in the context of Treatment implemented for the management of interventions conducted with Of users by the social services is six months from the end of the file.
When asked about the reasons for the lengthening of the period to 18 months, the Department indicated that this period was justified by the need to ensure the Monitoring of persons in situations of professional disintegration with whom the social service organises collective information meetings and which requires a return to them twelve and eighteen months after them. The committee takes note of this, but points out that the persons concerned must be put in a position to oppose the retention of the data which concern them after the closure of the file and to request the deletion
. In addition, social service assistants are regularly alerted to the need to close a file as of the date on which the social work has ended. However, it considers that, in view of the particularly sensitive nature of the data processed, their shelf life must be strictly limited and therefore asks for automatic alert procedures to be implemented in case of Failure to close the file after a specified period of time.
The Commission takes note that the retention periods provided for in Article 4 of the project are maximum durations and that the data will be archived in an anonymous form or Deleted. It notes the Ministry's commitments to complete the project on this point.
It points out that the preservation and archiving of data must be carried out in accordance with the provisions of Article 34 of the Act. On 6 January 1978, as amended.
On the information of the persons concerned:
The Commission takes note of the fact that, under Article 6 of the project, " The persons to whom the data referred to in Article 2 relate shall be informed of the existence of a treatment concerning them, authorised in accordance with Article 1, of its purposes and the procedures for the exercise of their rights of access, and
Committee notes that the information provided to the persons concerned does not contain all the information referred to in Article 32 of the law of 6 January 1978 as amended. However, it considers that only clear, complete and explicit information is such as to enable users to exercise their rights fully. That is why the committee is asking for the project to be completed on this point. It requests, inter alia, that the persons concerned are clearly informed of the existence of their right of opposition, of the possible consequences of a refusal with regard to the processing of their applications, and of the procedures for the exercise of their Rights.
It points out that user information must be in a language that is understandable and appropriate and appropriate for their state.
Finally, the Commission recalls that the social service cannot be addressed Information necessary for the identification of persons who may be Requests for individual or collective follow-up only after information of the persons concerned who must be able to oppose it.
On the rights of access, rectification and opposition of the persons concerned:
Article 5 of the draft provides that the rights of access and rectification provided for in Articles 39 and 40 of the Law of 6 January 1978, as amended, shall be exercised with the Director of the connecting body of the persons concerned
2, provides that the right of opposition provided for in Article 38 of the amended Act of 6 January 1978 shall be exercised in the same manner.
The Commission shall take note of this.
The Commission considers that these methods of information and exercise of the rights of the People do not call any cases.
Data security and data security Action traceability:
The Commission takes note of the fact that Article 7 of the draft recalls, on the one hand, that those responsible for treatment must take " All measures necessary for the preservation of data security at the time of their collection and consultation "in accordance with Article 34 of the Law" Information technology and freedoms " And, on the other hand, that it is for the processing authorities to attest to the conformity of the abovementioned treatments with the General Security Repository (RGS) provided for in Decree No 2010-112 for the application of Articles 9, 10 and 12 of Order No. 2005-1516 of 8 December 2005 on electronic exchanges between users and administrative authorities and between administrative authorities.
The Committee observes that the technical file attached to the request for an opinion bears Exclusively on the methodology for integrating safety into projects The
takes note of the Ministry's commitment, on the one hand, to produce, prior to the implementation of the treatment by the other AMO schemes, the technical documentation relating to these schemes and, on the other hand, to The
notes that the methodology applied by the CNAMTS is strictly confined to the security risks. The Commission therefore asks that this analysis also address the risks associated with the privacy of social insured persons.
The Commission recommends that each of the managing bodies of the compulsory basic health insurance schemes Develops a methodology enabling it to manage risks in a comprehensive manner, in particular the risks to the freedoms and privacy of their members. In addition, it requests that this methodology be transmitted to it prior to the implementation of the treatments.
Finally, the Commission points out that these methodologies must be regularly updated, in order to take account of developments And that the risk studies carried out for each of the projects should also be reviewed on a regular basis in order, where appropriate, to update the security measures initially foreseen.
On the formalities to be completed:
Article 8 of the draft provides that in application of the provisions of Article 26 of the Law of 6 January 1978 referred to above The person responsible for each of the data processing operations authorised on the basis of this Decree address to the National Information and Freedom Commission, prior to its implementation, a commitment to comply with the provisions of this Decree under conditions fixed to article 8 of Order in Council n ° 2005-1309 of October 20, 2005.
The commission takes note of it.
Other project points do not call Not, as set out in the amended Act of January 6, 1978, other comments.
The President,
I. Falque-Pierrotin
