Key Benefits:
The National Computer and Liberties Commission,
Seized by the Department of Defense of a Request for an Order in Council Relating to the creation of an automated processing of personal data with the purpose of managing the pensions of military personnel, officials and workers of the Ministry of Defence;
In view of the Council's Convention No 108 Europe for the protection of people with regard to treatment Automated personal data;
In view of Directive 95 /46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of natural persons with regard to the processing of personal data and free Circulation of this data;
Given the defence code ;
Given the Civil and military pensions ;
Seen Code for Military Disability Pensions and Victims of War ;
Seen Social Security Code ;
Due to Act No. 78-17 of January 6, 1978 , as amended Computer, files and freedoms, including sori article 27-I-1D;
Seen decree n ° 2005-1309 of 20 October 2005 modified for the application of Law n ° 78-17 of 6 January 1978 relating to information technology, files and freedoms;
In view of the Pension Reform Act No. 2010-1330 of 9 November 2010
Seen decree n ° 2001-963 of 23 October 2001 on the compensation fund for victims of asbestos instituted by the section 53 of Law No. 2000-1257 of December 23, 2000 of Social Security Funding for 2001;
Seen Order No. 2004-1056 of October 5, 2004 Amendments relating to the pension scheme for workers in industrial establishments in the State;
Having regard to the file and its additions;
On the proposal of Mrs Marie-France MAZARS, Commissioner, and after hearing the comments of Mr Jean-Alexandre SILVY, Commissioner of the Government;
Formula:The
was seized by the Ministry of Defence of a request for an opinion on a draft decree on the creation of an automated processing of personal data for the management of pensions of the The
the decree is to supervise the administrative and financial management of civil and military pension files in order to propose to the service The state pensions the plans for the liquidation of pensions and of the balances of Reserves granted to military personnel or employed under contract, to officials under the Ministry of Defence and, where appropriate, to their successors in title.
The management of civil and military pension files involves the Management of pension applications for staff under the Ministry of Defence and the preparation and monitoring of the clearance of retirement pensions.
In this context, this treatment also enables management and monitoring Records of service accidents, accidents at work and diseases As well as the management of applications for post-professional medical supervision of officers who have been exposed to a professional risk during the performance of their duties.
The Commission notes that the agent in operation is a pensioner Potential to parameterize retirement pension rights throughout his or her career.
Thus the treatment " PIPER " The purpose of which is to organise the collection of individual administrative data on an ongoing basis upon entry into service of the agent in order to make the due date, the liquidation of his pension rights by the transmission of the data collected in the The
considers the intended purpose as determined, explicit and legitimate.
In addition, it considers that the provisions of Article 27-1 (1 °) of the Law of 6 January should be applied. 1978 amended which provides that, authorised by decree in the Council of State, taken After reasoned and published opinion of the committee, the treatments carried out on behalf of the State, a legal person under public law or a legal person under private law managing a public service, which relate to data among which Figure is the person's registration number in the national identification directory for natural persons.
About the data collected
The annex to the draft decree lists the categories of data collected:
-the data Relating to the administrative management of pension applications:
-National physical person identification number (NIR) registration number;
-name, first name;
-sex;
-date and place of birth;
-nationality and dates of acquisition;
-home addresses and addresses Successive and current tax;
-personal and professional email;
-personal and professional telephone and fax numbers;
-identifying and identifying the applicant;
-marital status or other union ;
-date and place of death;
-name, first name, date and place of Birth, address and telephone number of spouses, guardians, children, assignees and other successors in title, possible adoption, kinship, dependent or not, disability or disability qualification;
-military situation: situation in the eye National service, position under flags, on-reserve assignment, link to service;
-professional life: Articles, contracts, administrative positions, periods of service, study or non-activity, army, corps, grades, scales, levels, categories, groups, assignments, occupation, duties performed, occupation or specialty, work Unsafe, date and reason for termination of service, accidents, exposure to risks, beneficiary of employment obligation (yes/no);
-diplomas, patents, certificates, certificates, level of education and other skills, training, decorations, Awards;
-benefit of Early termination of asbestos activity;
-nature, date, application number, origin, recipient of response elements and follow-up to the pension application;
-file number.
-data relating to the Financial management of retirement pensions:
-National Physical Person Identification Number (NIR) registration number;
-pension assignment;
-compensation items, indices, allowances, premiums, deductions, contributions;
-date and title number, Nature, rates, amounts, deductions, dates of liquidation and enjoyment, services, subsidies and calculation elements of pensions, allowances, annuities, capital;
-carrying out the acts of everyday life with or without the assistance of a third party Person;
-bank coordinates;
-crystallization and Decrystallization of the pension;
-income of the person entitled, the spouse or the successors in title, if applicable;
-benefit of the early termination allowance for asbestos.
-management data Post-professional medical follow-up, accidents of service, work or travel, and occupational diseases:
-National Physical Person Identification Number (NIR) registration number;
-health: Pathologies, family history, care data;
-date, place and nature of the circumstances of the events causing the injury or death;
-means of transport used in the event of a travel accident;
-accountability to the Service of accidents at work, service, or travel and occupational diseases;
-the nature and the seat of the injuries or pathologies resulting from the accident of service or work, or occupational disease;
- Temporary incapacity for work, consolidation of sequelae and disability rates;
- Conduct of everyday life with or without the help of a third party;
-extrapatrimonial damage;
-medical expertise;
-post-professional medical examinations;
-opinion of the Consulting doctor;
-opinion of the reform commission;
-beneficiary of the employer's inexcusable fault (yes/no).
The Commission considers that it is not necessary to collect the date of acquisition of nationality. On this point, the Committee took note of the Ministry's commitment to delete this information from the draft decree.
Furthermore, the Committee recalls that the envisaged treatment should not have a mandatory field if it does not exist An obligation for jurisdictions to justify data collection.
In this regard, it was indicated by the department that individuals will be informed of the optional nature of the data collection responses to the data collection. E-mails as well as personal telephone and fax numbers; and The
points out that the NIR should be collected only for the purposes of exchange with social security bodies, such as in this case the state pension service for members of the military and civil servants and the credit union. Depots and Consignations for State Workers belonging to the Ministry of Defence.
Finally, the Commission points out that data on the health of the agent can only be collected and processed by the competent medical
. Committee notes that the data related to the health of the people are not Accessible only by a physician in paper format and are not registered in the treatment " PIPER ".
As in the case of postprofessional medical supervision, the administrative and financial management of pension files does not give rise to the collection and processing, by the pensions sub-directorate of the Ministry of Defence, of data from the
the light of the numerous information that may be collected, it should be recalled in the draft decree that the data referred to in the Annex to the draft decree should be collected only Where necessary (principle of relevance) and justified by a Legislative or regulatory provision,
In this regard, the Commission has been informed that section 1 of the proposed Order will be completed as follows: " That processing may not register personal data, in particular the nature of the data referred to in Article 8 and the Href=" /viewTexteArticle.do?cidTexte=JORFTEXT000000886460&idArticle=LEGIARTI000006528112&dateTexte= &categorieLien=cid"> I of Section 27 of the Act of January 6, 1978, above, that to the extent that their operation is necessary to the Continuation of the above-mentioned purposes ".
On the recipients of the data
Article 3 of the draft decree provides that all or part of the data are addressed to Personal character of this decree and can directly access them for their constitution and management, because of their respective powers and the need to know:
-the officers of the Ministry of Defence empowered by The administrative authority responsible for processing;
-the agents authorised by the administrative authority responsible for processing:
-Legal Affairs and Local Legal Services Directorate, for litigation purposes;
-staffs, directorates and services in the management of human resources and management Accounting for accidents, illnesses and post-professional medical surveillance;
-from the Medical Advisory Board as part of its advice on pension files;
-local services The Ministry of Defence and the National Gendarmerie in the framework of the Pensioners' benefit for retirement or disability;
-members of the friendly appeal board and the annuities commission in the context of the investigation of accidents at work or travel, and diseases Work;
-the compensation fund for victims of asbestos in the context of compensation for the damage suffered from the exposure of asbestos;
-the guarantee fund for victims of acts of terrorism and other offences in The compensation framework for victims of terrorism; and
-physicians Experts as part of their mission of medical expertise in pension files, service accountability and compensation for injuries resulting from accidents of service, work or travel, and occupational diseases.
These addressees do not require comments from the Commission.
On the retention period
Article 4 of the draft decree provides that personal data recorded in the processing are kept for Five years after the final termination of the rights of the beneficiaries and Rights of successors in title. In the event of a dispute, that period shall be extended, if necessary, until the intervention of a judicial decision which has become final. In this respect, pursuant to Article 6 (5) of the Act of 6 January 1978, as amended, the Committee recalls that personal data may be kept in a form which permits the identification of the persons concerned only for the purposes of The
considers that the data relating to the beneficiaries must be kept until the definitive extinguishment of the rights of the beneficiaries of pensions and of the rights of the Successors. It notes that the draft decree will be amended to that effect.
Only certain categories of information, in application of legislative and regulatory provisions, may be retained beyond, on an archive support, in accordance with the rules
On the rights of persons
With regard to the right to information of the agents concerned by the processing, Article 7 draft decree provides that the right of opposition provided for in Article 38 of the Law of the January 6, 1978 amended does not apply to this treatment.
Article 8 of the draft decree provides that the rights of access and rectification provided for in Articles 39 and 40 shall be exercised with the sub-directorate of the pensions of the Human Resources Directorate of the Ministry of
. The persons concerned are ensured by the publication of the decree establishing the present processing in the Official Journal, by the reference to Article 32-I of the law of 6 January 1978 amended at the bottom of the collection forms Information and a bulletin published in the framework of the right to information on Retirement.
These provisions do not require comments from the Commission.
On
Interconnections In addition to the transmission of data to the state pension service, processing " PIPER " May be the subject of a relationship with the treatments implemented by:
-the Human Resources Directorates of the Ministry of Defence;
-the Caisse des depots et consignations;
-the interregime pension fund.
The interconnections of these files whose purposes correspond to a Identical public interest does not require comments from the Commission.
On
security measures Enabling profiles are provided to manage access to data as needed.
Password management Follows the committee's recommendations (individual passwords Consist of at least eight characters of the alphabetic, numeric and special categories that are regularly renewed.
The processing includes a functionality for the jounalization of lookup, modification, or creation operations To identify the user who initiated an operation.
Measures are taken by the controller to ensure the confidentiality of the data as soon as they are obtained by transfer from the various information systems in the The army, in order to prevent, in particular, third parties not Allowed access.
Data transfers take place through an encrypted private virtual network.
The specificity of the processing attracts the attention of the Commission on measures to ensure availability and Long-term data integrity
Steps are taken to ensure that information is backed up and information consistency checking is done before each processing.
Finally, backup procedures have been planned And validated to make up for any problems.
The Commission recalls The importance of conducting tests of recovery procedures in the event of an incident.
The Commission also points out that it is appropriate to update the security measures with respect to the regular reassessment of risks
Reservation of the preceding observations, the security measures described by the controller appear to be satisfactory in the light of the provisions of Article 34 of the Law of 6 January 1978 as amended.
For the Chair:
Associate Vice-President,
M.-F.
Mazars
