
Deliberation No. 2014-432 of 23 October 2014, opinion on a draft decree in the Council of State authorising the processing of personal data implemented by the bodies responsible for the compulsory basic health insurance schemes

Original Language Title: Délibération n° 2014-432 du 23 octobre 2014 portant avis sur un projet de décret en Conseil d'Etat autorisant les traitements de données à caractère personnel mis en œuvre par les organismes gestionnaires des régimes obligatoires de base de ...


Text information

JORF No. 0082 of 8 April 2015
Text No. 61



Deliberation No. 2014-432 of 23 October 2014 concerning a draft decree in the Council of State authorising the processing of personal data implemented by the managing bodies of the compulsory basic health insurance schemes for the performance of their tasks in the fight against misconduct, abuse and fraud (request for opinion No. 14021842)

NOR: CNIX1508678X ELI: No Available


The National Commission on Informatics and Liberties,
Having been seized by the Ministry of Social Affairs, Health and Women's Rights of a request for an opinion on a draft decree in the Council of State authorising the processing of personal data implemented by the managing bodies of the compulsory basic health insurance schemes for the performance of their tasks in the fight against misconduct, abuse and fraud;
Having regard to Council of Europe Convention No. 108 for the protection of individuals with regard to automatic processing of personal data;
Having regard to Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
Having regard to the Rural and Maritime Fishing Code;
Having regard to the Social Security Code;
Having regard to Act No. 78-17 of 6 January 1978, as amended, on information technology, files and civil liberties, in particular Article 27-I (1°);
Having regard to Decree No. 2005-1309 of 20 October 2005 adopted for the application of Act No. 78-17 of 6 January 1978 on information technology, files and civil liberties;


After hearing Mr. Alexandre LINDEN, Commissioner, in his report and Mr. Jean-Alexandre SILVY, Government Commissioner, in his observations,
Issues the following opinion:
The Commission was seized on 28 July 2014 by the Ministry of Social Affairs, Health and Women's Rights of a request for an opinion on a draft decree in the Council of State, dated 8 October 2014 (hereinafter "the draft"), authorising the processing of personal data by the managing bodies of the compulsory basic health insurance schemes for the performance of their tasks in the fight against misconduct, abuse and fraud.
The draft aims to create a category of personal data processing operations under the "fraud" business process of compulsory health insurance (AMO), including the registration number in the national directory for the identification of natural persons (NIR) of insured persons.
These processing operations will be implemented by the Caisse nationale de l'assurance maladie des travailleurs salariés (CNAMTS), the Mutualité sociale agricole (MSA) and the Régime social des indépendants (RSI).
The draft submitted to the Commission is taken pursuant to Article 27-I (1°) of the Act of 6 January 1978, as amended, which provides that the processing of personal data implemented on behalf of a public legal person "which includes the registration number of individuals in the national directory for the identification of natural persons" is "authorised by decree in the Council of State, taken after a reasoned and published opinion of the National Commission on Informatics and Liberties".
Article R. 115-1 of the Social Security Code (CSS) provides that "the bodies and administrations responsible for the management of a compulsory basic social security scheme and, where appropriate, the bodies authorised by law or by an agreement to participate in the management of such schemes" are authorised to use the NIR. These provisions are supplemented by those of Article R. 115-2, which states that "the authorisation given in Article R. 115-1 shall apply exclusively to processing carried out in accordance with the provisions of Act No. 78-17 of 6 January 1978" for purposes that do not include the fight against errors, abuse and fraud.
Since these processing operations differ substantially from those permitted by the existing regulations, they must be authorised by decree in the Council of State, taken after the opinion of the CNIL, pursuant to Article 27-I (1°).
On the name and purposes of the processing operations:
The draft authorises the automated processing of personal data intended for the performance of the tasks entrusted by law to the managing bodies of the compulsory basic health insurance schemes.
These processing operations serve the fight against misconduct, abuse and fraud by insured persons and their dependants, beneficiaries of rights, employers, third parties, health professionals and institutions, medical and social institutions, accommodation facilities for dependent elderly persons, medical analysis laboratories, providers and other service providers, or any other natural or legal person authorised to provide care, perform a service or medical biology analysis, or supply medical products or devices, as well as against internal fraud.
Article 1 of the draft explicitly defines the scope and purposes of the processing operations carried out in the context described above. The processing is intended to pursue the following purposes:


- perform queries and produce statistics, and analyse and monitor administrative situations, benefits paid, care, products and goods dispensed, in order to carry out checks, prevent or initiate legal proceedings and, where appropriate, combat suspected or proven misconduct, abuse and fraud;
- carry out the operations necessary for the calculation of undue payments and penalties; develop a mapping of the risks of misconduct, abuse and fraud in order to better target the files to be checked;
- communicate information on misconduct, abuse and fraud within the managing bodies of the compulsory schemes;
- report suspected or proven misconduct, abuse and fraud and, to this end, transmit:
- information relating to alleged or proven misconduct, abuse or fraud to the agents of the State or to the social protection bodies mentioned in Article L. 114-16-3 of the Social Security Code and, where applicable, to the complementary health insurance body of the insured person concerned pursuant to the second paragraph of Article L. 114-9;
- information relating to alleged or proven misconduct, abuse or fraud, after anonymisation, to the competent State authority, in application of Article L. 114-9 of the CSS;
- forward to the health care institution, by any means establishing the date of receipt, the monitoring report referred to in Article R. 162-42-10 of the CSS, in application of Article L. 162-22-18 of the CSS;
- produce the information collected that might constitute a breach of the rules of professional conduct by a health professional registered with a professional order and communicate it to the relevant order in accordance with Article L. 162-1-19 of the Social Security Code;
- produce the summary report provided for in Article L. 114-9 of the Social Security Code;
- track reports of suspected misconduct, abuse and fraud in order to carry out checks, conduct investigations and, where appropriate, initiate litigation or accompanying measures;
- follow up litigation and the prevention and control actions against errors, abuse and fraud.


The Commission recalls, in accordance with Article 10 of the Act of 6 January 1978, as amended, that no decision producing legal effects with regard to a person concerned by data processed in the context of the fight against fraud may be taken solely on the basis of automated processing of data intended to define the profile of the person concerned or to evaluate certain aspects of his personality.
Alerts generated automatically must lead to a non-automated analysis by the authorised staff of the body concerned. Where appropriate, further investigations may be carried out. Finally, the data subject must be able to submit his observations if a decision producing legal effects is taken in respect of the conclusion or performance of a contract.
The Commission considers, subject to the preceding observations, that the creation of the above processing operations and the purposes thus pursued are specified, explicit and legitimate.
On the categories of personal data recorded:
The categories of personal data processed concern persons who are the subject of, or involved in, a suspected or proven fault, abuse or fraud.
Article 2 of the draft lists the categories of personal data which will be processed:


- identity data (surname, first name, sex, date and place of birth, identification number or residence permit number; agent number, in the context of an internal fraud investigation; identification number, category, speciality and agreement sector for health professionals);
- the registration number in the national directory for the identification of natural persons (NIR) and/or those previously reported as assigned, or, for persons in the process of being assigned a registration number in the national directory for the identification of natural persons, a temporary identification number (NIA) assigned by the Caisse nationale d'assurance vieillesse des travailleurs salariés from civil status data, for all the bodies;
- contact details (address, telephone, e-mail address);
- the country where the care was delivered;
- information describing the characteristics of the fault, abuse or fraud (including the branch, the service, benefit or right in question; the date of the facts and of their discovery; the methods of detection; the field of risk; the type of fault, abuse or fraud; the nature of the documents in question; the assessment of the amount of the damage suffered or avoided; the identification of the third parties concerned, possibly including the NIR where this information is relevant to the needs of the investigation; all relevant information relating to the benefit or right served, including the number identifying the stay in institutions subject to the bodies' control);
- information on actions taken by the managing bodies of the compulsory basic health insurance schemes (in particular the nature of the actions taken; where appropriate, the authority seized; the status "procedure in progress" or "closed" and, where applicable, the closing date; where applicable, the particulars "dismissed without further action", "no case to answer" or "acquittal"; notifications of undue payments, signing of a settlement, notification of a financial penalty and its amount and, where applicable, their recovery; disciplinary sanctions imposed by a professional order).


The Ministry indicates that the above data are necessary for the managing bodies of the compulsory basic health insurance schemes for the purposes of carrying out their anti-fraud tasks.
The Commission points out that the categories of data processed must be adequate, relevant and not excessive in relation to the intended purpose, in accordance with Article 6 (3°) of the Act of 6 January 1978, as amended, and that the use of the NIR must be confined to the purposes exhaustively listed in Article 1 of the draft, for the performance by the managing bodies of the compulsory basic health insurance schemes of the social security tasks entrusted to them by law.
The Commission notes the Ministry's commitment to amend the draft decree in order to remove the NIR of mere witnesses from the list of data processed in the course of an investigation into a suspected fault, abuse or fraud. It takes note, on the other hand, that the NIR of third parties involved as victims or accomplices of fraud is useful in order to attribute the benefits due to the right person or to recover unduly paid benefits.
On the recipients or categories of recipients authorised to receive the data:
Article 3 of the draft provides for the following recipients of the data:


- agents involved in the handling of insured persons' files and subject to a confidentiality obligation, individually authorised by the director of each body for the performance of their tasks and to the strict extent necessary for the exercise thereof;
- the agents of the State or of the social protection bodies referred to in Article L. 114-16-3 of the Social Security Code, individually authorised by the director of the body or administration concerned;
- the competent State authority, after anonymisation of the data pursuant to the first and third paragraphs of Article L. 114-9 of the same code.


Article 3 states that, where appropriate, only medical practitioners and staff placed under their authority have access to medical data.
The Commission requests that this provision be clarified to state that access by these staff will be carried out in compliance with the rules of medical confidentiality and only to the extent necessary for the exercise of the tasks entrusted to them.
It also points out that access to personal data requires the implementation of strict authorisation rules and the traceability of access, together with an analysis of the resulting access logs, so that unauthorised access can be identified.
On the duration of data retention:
Article 4 of the draft provides for separate retention periods depending on the data processed:
"I. - The data stored in the alert management tools shall be retained for five years.
II. - The data relating to the reporting of errors, abuse, fraud and anomalies shall be kept:
1° One year for files dismissed without further action by the body, or having been the subject of a decision of no case to answer or of acquittal, from the date of that decision;
2° One year for files dismissed without further action by the public prosecutor, unless they are still subject to a sanction or settlement procedure;
3° Five years from the date of closure of the proceedings in the other cases.
III. - At the expiry of their retention period, the data referred to in I and II shall be archived for a period of five years, with the exception of data relating to files dismissed without further action.
IV. - Data from queries for the targeting of the files to be checked shall be retained until the next targeting on the same type of fault, abuse or fraud or on the same person, and for a period not exceeding three years.
V. - Information relating to the identification of the agents who have accessed the data recorded in the processing operations referred to in Article 1 or who have modified them, as well as the dates, times and types of such access or modification, shall be kept during the calendar year in which the access or modification occurred and the following four calendar years."
The Commission takes note of the Ministry's commitment to supplement the draft with a provision specifying that any alert qualified as "irrelevant" must be deleted without delay.
The Commission takes note that the retention periods provided for in Article 4 of the draft are maximum durations. It considers that, for each of the processing operations authorised under this decree, the data must be kept for a period proportionate to the purpose of the processing, in accordance with Articles 6 (5°) and 36 of the Act of 6 January 1978, as amended.
The Commission notes, however, that in the absence of any justification for some of the above retention periods, in particular those relating to access logs for the recorded data, it is not in a position to assess the proportionality of the retention periods in relation to the purposes pursued by the processing.
It nevertheless takes note of the fact that, once the above retention periods have elapsed, the data will be archived in anonymised form or deleted, and recalls that these operations must be carried out in accordance with Article 34 of the Act of 6 January 1978, as amended.
On the information of data subjects:
The Commission takes note of the fact that Article 5 of the draft provides that natural or legal persons shall be informed of the implementation of processing of personal data concerning them for the fight against fraud by the publication of information on the AMELI health insurance website and on the respective websites of the managing bodies of the compulsory basic health insurance schemes. It recommends that the data subjects also be informed in the various letters or e-mails addressed to them.
The Commission notes that the persons concerned by the data processed will be informed of the existence of a processing operation concerning them, its purposes and the manner in which their rights are exercised. It recalls that, pursuant to Article 32 of the Act of 6 January 1978, as amended, this information must also cover the identity of the controller and the recipients or categories of recipients of the data, and requests that the
In addition to this general information, the Commission considers that, after a maximum investigation period of six months, in the event of confirmation of the anomaly and of decisions producing legal effects, the person likely to be entered on a list of persons presenting a risk of fraud must be informed individually in writing of those consequences and given the opportunity to submit his observations.
On the rights of access, rectification and opposition of the persons concerned:
Article 6 of the draft provides that the rights of access and rectification provided for in Articles 39 and 40 of the Act of 6 January 1978, as amended, shall be exercised with the director of the body to which the persons concerned are affiliated.
The Commission takes note of this.
Article 8 of the draft provides that the right of opposition provided for in Article 38 of the Act of 6 January 1978 does not apply to the processing operations authorised in this case.
On data security and the traceability of access:
The Commission takes note of the fact that Article 9 of the draft recalls, on the one hand, that processing managers must take "all measures necessary to preserve the security of the data at the time of their collection and consultation", in accordance with Article 34 of the "Informatique et Libertés" Act, and, on the other hand, that it is for the processing authorities to attest to the conformity of the above processing operations with the General Security Framework (RGS) provided for in Decree No. 2010-112 for the application of Articles 9, 10 and 12 of Order No. 2005-1516 of 8 December 2005 on electronic exchanges between users and administrative authorities and between administrative authorities.
The Commission observes that the technical file attached to the request for an opinion covers exclusively the methodology for integrating security into projects.
The Commission takes note of the Ministry's commitment, on the one hand, to produce, prior to the implementation of the processing by the other AMO schemes, the technical documentation relating to those schemes and, on the other hand, to
The Commission notes that the methodology applied by the CNAMTS is strictly confined to security risks. The Commission therefore asks that this analysis also address the risks to the privacy of insured persons.
The Commission recommends that each of the managing bodies of the compulsory basic health insurance schemes develop a methodology enabling it to manage risks comprehensively, in particular the risks to the liberties and privacy of their members. In addition, it requests that this methodology be transmitted to it prior to the implementation of the processing operations.
Finally, the Commission points out that these methodologies must be updated regularly in order to take account of developments, and that the risk studies carried out for each of the projects should also be reviewed regularly so that, where appropriate, the security measures initially planned can be updated.
On the formalities to be completed:
Article 7 of the draft provides that, pursuant to Article 26 of the Act of 6 January 1978 referred to above, the person responsible for each of the processing operations authorised on the basis of this decree shall send to the National Commission on Informatics and Liberties, prior to its implementation, an undertaking to comply with the provisions of this decree under the conditions laid down in Article 8 of Decree No. 2005-1309 of 20 October 2005.
The Commission takes note of this.
The other points of the draft do not call for any further comments from the Commission under the Act of 6 January 1978, as amended.


The President,

I. Falque-Pierrotin

