Advanced Search

Deliberation No. 2015-219 Of July 2, 2015 Opinion On A Draft Decree On The Establishment Of Automated Processing Of Personal Data Entitled 'diploma Of Proficiency In Language' (Opinion No. 1845923 Application)

Original Language Title: Délibération n° 2015-219 du 2 juillet 2015 portant avis sur un projet d'arrêté portant création d'un traitement automatisé de données à caractère personnel intitulé « diplôme de compétence en langue » (demande d'avis n° 1845923)

Subscribe to a Global-Regulation Premium Membership Today!

Key Benefits:

Subscribe Now for only USD$40 per month.

Text information




JORF n ° 0203 of September 3, 2015
text # 57




Deliberation n ° 2015-219 of 2 July 2015 giving notice of a project d ' an order creating d ' an automated processing of personal data titled " Diploma in language proficiency " (d 'request # 1845923)

NOR: CNIX1520534X ELI: Not available


National Computer and Liberties Commission,
Entering the Minister of National Education, Higher Education and Seeking a request for an opinion on a draft decree establishing an automated processing of personal data entitled ' Diploma in language proficiency ",
Having regard to Council of Europe Convention 108 for the protection of persons with regard to the automatic processing of personal data;
In view of Directive 95 /46/EC of the European Parliament and of the Council Of 24 October 1995 on the protection of individuals with regard to the processing of personal data and the free movement of such data;
Seen education code, including articles D. 338-33 to D. 338-42;
Due to the amended Act No. 78-17 of January 6, 1978 relating to computers, files and freedoms, in particular its Article 27-II (4 °);
Given the decree n0 2005-1309 of 20 October 2005 modified for the application of Law n ° 78-17 of 6 January 1978 relating to computers, files and freedoms;
Seen decree n ° 2010-112 of February 2, 2010 modified for the application of articles 9, 10 and 12 of Order No. 2005-1516 of 8 December 2005 on electronic exchanges between users and authorities Administrative and administrative authorities;
Having regard to the decree of 7 May 2010 on the diploma of professional foreign language proficiency;
In view of the decree of 12 July 2013 laying down the conditions for the approval of examination centres;
Vu The file and its supplements;
On the proposal of Mr. Nicolas COLIN, Commissioner, and after hearing the comments of Mr Jean-Alexandre S1LVY, Commissioner of the Government,
Emet the following opinion:
The Ministry of National Education, Higher Education and Research seized the Commission of a draft order creating the treatment " Diploma in language proficiency " (DCL), intended to allow for the registration of candidates for the examination of the professional national diploma DCL and the communication of their results, in a dematerialised way.
This treatment constitutes a teleservice from the electronic administration, to the Article 27-II (4 °) of the law of 6 January 1978 amended, it must be authorised by order of the competent minister taken after reasoned and published opinion of the committee.
For purposes:
Under terms of section D. 338-33 of the Education, the language proficiency qualification is " A professional national diploma which attests to skills acquired by adults in the language of common and professional communication, common to all sectors of economic activity ". This diploma, adapted to the needs of the professional world, provides evidence of a level of competence with regard to those defined by the Common European Framework of Reference for Languages (CECRL). The jury for this review consists of inspectors, academics and examiners. The sessions of the national examination are organised by the Academy rectorals and take place in approved local examination centres, in accordance with the decree of 12 July 2013.
The purpose of the DCL treatment is to dematerialize The registration of candidates for the diploma of proficiency in language and, on the other hand, to enable the communication of their results to the examination.
Thus, thanks to the platform dedicated to the DCL, the application for pre-registration is carried out on the Internet. On the DCL portal, the candidate selects the session to which he wishes to register, choosing the language and the academy in which he wishes to write the examination, and populates the data concerning him, which is necessary for writing the examination. Once the pre-registration documents are closed, the candidates will receive a letter of application for confirmation of registration. This confirmation shall be returned, together with the payment of the registration fee, in order to receive the invitation to the examination indicating the place and time of the event.
In addition to the dematerialised completion of the formalities necessary for his Registration of the diploma, the candidate may, at the end of the examination, connect to the platform by means of a triplet identification (registration number generated at the time of pre-registration, name, date of birth) and access, online, at the level of language Obtained from the examination. It can also consult a sheet presenting the detailed profile of its competences according to the level obtained.
The candidate is in any event delivered a formal diploma signed by the Academy Rector mentioning the level obtained.
DCL finally has a statistical purpose, making it possible, for each language, to publish the success rates, by level, for the examination.
The Commission points out that it has The simplification of administrative procedures and The improvement of the relationship between the administration and the administration is a legitimate objective, provided that appropriate security measures are provided and that the rights of the people are respected
The department indicated that the candidates for the DCL retain an opportunity to register or receive the results in a non-materialized manner, by contacting the National DCL Centre. Therefore, by choosing to use the teleservice rather than these alternatives to dematerialization, the applicant consents, implicitly but necessarily, to this treatment, in accordance with Article 7 of the law of 6 January 1978 as amended
Of all these elements, the Commission considers that the purposes of DCL are determined, explicit and legitimate, in accordance with Article 6 (2 °) of the law of 6 January 1978 as amended.
On processed data:
DCL records data about candidates for examination, board chairs and board members, reviewers, and test center managers.
As for candidates, data is recorded Relating to his or her identity (surname, given name, date of birth, city of birth, country of birth), to his or her contact information (personal mailing address, e-mail address, personal telephone, telephone, mobile phone), to his or her life Professional (level of training, occupational status, references Employer) as well as its registration number.
The employer's references, which are the only candidates whose examination costs are the responsibility of the employer, cover the name of the employer in That the applicant works, the mailing address and telephone number of that company and the name of the person in charge.
Also recorded data relating to the results of the examination (level of language proficiency and profile) Detail of competences).
Finally, the draft decree provides that it may Be mentioned if the applicant has a disability, without any indication of the nature of the disability, in order to provide for specific accommodation requirements. The Committee recalls that this is therefore not data relating to the health of the applicant within the meaning of Article 8 of the Act of 6 January 1978 as amended. It recommends that the specific accommodation required by a disability should not be freely filled in, but chosen from a drop-down menu to ensure that no health data can be contained in the Processing.
As for the members of the examination board, only data relating to their identity is processed. In the case of board chairpersons, examiners and examination centre managers, are recorded data on their identity (name, first name, status, diploma or degree, only for chairpersons and examiners) and their Personal and/or professional contact information.
Finally, for review centre managers and board chairpersons, they are also registered their login and password credentials to the application that allows them, for the First, to organise the session, for the second part, Inform the results of the candidates examined.
These data are necessary for the candidate to be enrolled in the examination, to communicate his or her results to the test, and to the proper organization of the examination sessions. The Committee therefore considers that the data and information processed are in conformity with Article 6 (3) of the law of 6 January 1978 as amended.
On retention periods:
The draft decree provides that data and information relating to DCL candidates are kept for ten years under the following conditions: Two years on an active basis and then, at the end of that period, the results of examinations shall be made on the basis of an intermediate archiving on a separate medium, with restricted access to the only national centre of the DCL, for the sole purpose of issuing an attestation The
observes that only information relating to the results of the examination of the candidate in the DCL (level of competence and detailed profile of competences), which is necessary for the grant of such certificates, may be retained, On an intermediate basis, over two years and for a maximum total duration of Ten years. It recalls that the other data relating to candidates must be permanently and securely deleted two years after the candidate has passed the examination.
As regards the chairpersons and members of the Selection Boards, the Examination centres and examiners, the data concerning them shall be kept for the duration of their term of office (one year renewable), for the former, and for the duration of the approval of the examination centre to which they are attached, for the latter (three years renewable).
The Commission recalls that in the event of a change in Term of office (transfer of a board member) or during the duration of the approval of the centre the data concerning such staff shall be deleted without delay.
In the light of these elements, the committee considers that the retention periods Do not exceed those necessary for the purposes pursued, in accordance with Article 6 (5 °) of the law of 6 January 1978 as amended.
On persons accessing data and information and recipients:
Move to the data and information stored in DCL the Chairs and Board members as well as the reviewers for the performance of their assessment mission of the candidates. These staff are responsible for recording and validating the results in the application in order to allow for the editing of the diplomas by the exams and competitions.
The candidates for examination naturally access the data And information which affects them, since it is one of the objects of the processing.
In addition, the data and information recorded in DCL are addressed, within the limits of the need to know, the person in charge and the information. Managers of the National Centre for Management Language Proficiency in the Management Language General solar education (DGESCO). In fact, the DCL National Centre, which reports to DGESCO, is in charge of the national supervision of the diploma, the design and the making available of examination subjects. It also responds to requests for hotlines on the day of examination sessions.
The data and information are also addressed, within the limits of the need to know, the managers and managers of the Reviews and competitions of Academy rectorats who are responsible for ensuring the proper organization of sessions within the accredited centres within the competence of their academy.
These people are legitimate to know about data and information And therefore do not call for any special observation of the committee.
On the rights of the data subjects:
As far as the right of information is concerned, the Ministry stated that all the persons concerned are informed through the internal website education.gouv.fr on foot of the page under the heading " Legal notices ". If the Committee takes note of this general information, it recalls that information specific to the registration of the DCL must be put in place. It thus recommends that information be made more visible to the knowledge of the future candidate, by inserting references in accordance with Article 32 of the law of January 6, 1978, as amended, on the first page of the website dedicated to the teleserary DCL. It believed that information should also be included in the summons of the candidates for examination. The members of the jury are informed via their application form.
The Commission also notes that the current functioning of the education.gouv.fr site implies the deposit of cookies which cannot benefit from the exemption from the consent of The user and that the information page relating to the cookies is not accessible without filing them. It recalls that, in accordance with Article 32-II of the law of 6 January 1978, as amended, the consent of the user must be obtained before the filing of cookies relating to operations relating to advertising, social networks and in the case of Certain measurement cookies. As long as the individual has not consented, these tracers should not be deposited or read on their terminal. The page accessed via the link " Learn more and set cookies " To be accessible without the filing of cookies.
The rights of access and rectification shall be exercised at the National Centre for the Language Proficiency in the Directorate-General for School education. The right of opposition may be exercised under the conditions laid down in Article 38 of the Law of 6 January 1978, as amended. These procedures for the exercise of human rights do not require specific comments from the Commission.
On security:
With regard to authentication mechanisms, each staff has an ID and a word of Is assigned by the National DCL Centre. If the password is renewed on the first connection, the format of the password is not imposed. Only a minimum of six characters is expected. The committee points out that a satisfactory password policy implies that they are composed of eight minimum characters, comprising at least three of the following four types of characters: upper case, lower case, digits and characters Special. They must also be regularly renewed and should not be stored in plain language. The Commission takes note of the Ministry's commitment to bring the format and storage of passwords into line with the end of 2015.
The staff of the Academy and examination centres as well as the President of the Jury access the application via the The Virtual Private Network of National Education (RACINE), which reduces the risk of harm to data privacy while reinforcing the authentication of the personnel involved. As regards the access of candidates to the dedicated space to consult their results, they must connect via a randomly generated exam identifier (registration number), their name and date of birth. The Commission points out that the confidentiality of the results is thus limited by the confidentiality of the examination identifier.
DCL being a teleservice of the administration as defined in Order No. 2005-1516 of December 8, 2005, it is subject to compliance with the General Security Repository (RGS). The Department of National Education, which is responsible for processing, must attest to this compliance with the RGS and mention it on the DCL site.
The access of the candidates to the remote service is secured using the HTTPS protocol. The Commission stresses the importance of complying with the state of the art, in particular by not supporting the versions of " Secure Sockets Layer " (SSL), and by preferring the version or versions of " Transport Layer Security " (TLS) as much as possible. It also recommends the implementation of technical recommendations relating to the security of websites published by ANSSI in a technical note " Recommendations for securing web sites ".
Finally, it notes that the physical security of the premises and equipment hosting the treatment follows the current good practices.
Subject to the application of the previous recommendations And of particular vigilance concerning the availability of the service and the confidentiality of the examination identifiers, the safety measures described by the controller are in conformity with the security requirement laid down in Article 34 of the Act of 8 January 1978 amended. The Panel notes, however, that this obligation requires the updating of security measures with respect to the regular reassessment of risks.


For the Chair:

Vice-President Delegate,

M.-F.
Mazars


Download the document in RTF (weight < 1MB) Excerpt from the authenticated Official Electronic Journal (format: pdf, weight: 0.19 MB)