
Deliberation No. 2015-162 of June 4, 2015, giving an opinion on a draft decree in Council of State relating to the creation of a processing of personal data concerning a programme of surveillance of the health of workers named...

Original Language Title: Délibération n° 2015-162 du 4 juin 2015 portant avis sur un projet de décret en Conseil d'Etat relatif à la création d'un traitement de données à caractère personnel concernant un programme de surveillance de la santé des travailleurs déno...


Text information




JORF No. 0258 of November 6, 2015
Text No. 103




Deliberation No. 2015-162 of 4 June 2015 giving an opinion on a draft decree in Council of State concerning the creation of a processing of personal data concerning a health surveillance programme for workers named "COSET" (request No. 15006009)

NOR: CNIX1526476X ELI: Not available


The National Commission on Informatics and Liberties,
Having received from the Ministry of Social Affairs, Health and Women's Rights a request for an opinion on a draft decree in Council of State relating to the creation of a processing of personal data concerning a programme for monitoring the health of workers named "COSET";
Having regard to Convention 108 of the Council of Europe for the protection of persons with regard to the automatic processing of personal data;
Having regard to Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of natural persons with regard to the processing of personal data and the free movement of such data;
Having regard to the Social Security Code, in particular Article L. 161-28-1;
Having regard to Law No. 78-17 of 6 January 1978, as amended, relating to data processing, files and freedoms, in particular its Article 27-1 (1°);
Having regard to Decree No. 98-37 of 16 January 1998 authorising access to data relating to the death of persons registered in the national directory for the identification of natural persons in the framework of research in the area of health;
Having regard to Decree No. 2005-1309 of 20 October 2005, as amended, for the application of Law No. 78-17 of 6 January 1978 relating to data processing, files and freedoms;
Having regard to decision DR-2010-321 of 19 October 2010 authorising the Institut de veille sanitaire to implement data processing for access to information system data as part of the pilot phase of the COSET-MSA project;
Having regard to decision DR-2012-091 of 11 April 2012 authorising the Institut de veille sanitaire to implement data processing for the purpose of carrying out a pilot under the COSET programme (Cohorts for epidemiological surveillance in relation to work), a national programme for epidemiological surveillance in the workplace, relating to the inclusion of active workers covered by the social system of the self-employed;
Having regard to decision DR-2014-471 of 28 October 2014 authorising the Institut de veille sanitaire to implement data processing for the purpose of following up cohorts for epidemiological surveillance in relation to work (COSET), in order to describe the health status of active workers covered by the Agricultural Social Mutuality (COSET-MSA) and the Social Regime of the Independent (COSET-RSI) at the national level;


After hearing Mr. Alexandre LINDEN, Commissioner, in his report and Mr. Jean-Alexandre SILVY, Commissioner of the Government, in his observations,
Issues the following opinion:
On 26 February 2015, the Ministry of Social Affairs, Health and Women's Rights submitted a request for an opinion on a draft decree in Council of State (hereinafter "the project") relating to the creation of an automated processing of personal data concerning a programme for the surveillance of the health of workers named "COSET".
As this processing for health research purposes covers data including the registration number of persons in the national directory for the identification of natural persons, or "NIR", it falls, in this capacity, under a decree in Council of State, issued after the reasoned and published opinion of the CNIL, in application of the provisions of Article 27-1 (1°) of the Law of 6 January 1978, as amended.
A research protocol, in particular on the modalities for the organisation of the study and the collection of the individual data of the persons concerned from the National Interagency Information System for Health Insurance (SNIIRAM), implemented by the National Health Insurance Fund for Employed Workers (CNAMTS), and from the National Career Management System (SNGC), implemented by the National Old Age Insurance Fund (CNAV), involving the use of the NIR.
Presentation and conditions of implementation of the study:
The COSET cohort programme of the Institut de veille sanitaire (InVS) aims to describe the health status of working people according to their professional activity and to analyse its evolution over time. It is based on the exploitation of data from cohorts belonging to the three main social security schemes: the general scheme, the agricultural social mutuality scheme (MSA) and the social scheme for self-employed persons (RSI).
For the general scheme, the COSET programme will rely on data from the active workers of the "Constances" cohort, currently being set up by the University of Versailles-Saint-Quentin-en-Yvelines and the Institut national de la santé et de la recherche médicale (INSERM) in collaboration with the CNAMTS, which plans to recruit a sample of 200,000 individuals over five years to study the occupational and social determinants of health.
The InVS follows two cohorts of individuals, one from each of these two schemes: the COSET-MSA cohort and the COSET-RSI cohort.
The COSET-MSA cohort consists of a sample of approximately 35,000 people covering all occupations and sectors of the agricultural world. It concerns the entire working population, aged between 18 and 65, affiliated with the MSA in France, whether in activity or in periods of inactivity (unemployment, for example): agricultural employees, including those in the service sector, and non-salaried persons (farm operators, collaborating spouses, family helpers), irrespective of socio-professional category, sector of activity and type of employment contract. The persons participating in the study will be monitored after the cessation of their professional activity.
The COSET-RSI cohort consists of a sample of approximately 30,000 people covering all of the independent professions covered by the RSI. It concerns the whole of the working population aged between 18 and 65 affiliated with this scheme in France, whether actually active or in a period of inactivity, including collaborating spouses, irrespective of socio-professional category, sector of activity and work situation. Individuals participating in this cohort will also be subject to follow-up after the cessation of their professional activity.
The two cohorts follow the same organisation. First comes an inclusion phase, in which a letter is sent by post to the home of the persons selected by random draw, in order to provide them with the confidential code and temporary password needed to register on the application hosting the online questionnaire. For the purpose of monitoring health status and career path, people will then be asked periodically by e-mail, possibly followed by a postal letter, to respond to an online follow-up questionnaire.
In addition, further information will be collected indirectly from health insurance bodies (reimbursement of medicines and consultations, hospitalisations, accidents at work and occupational diseases) and old-age insurance bodies (periods of employment, occupation, type of activity), relating to respondents to the inclusion questionnaire, as well as to 60,000 to 70,000 persons drawn from among non-respondents to the questionnaire.
As processing of personal data for the purpose of health research, the COSET cohorts are subject to the formalities laid down in Chapter IX of the Law of 6 January 1978, as amended. Thus, the Commission first authorised two pilot studies, in 2010 for COSET-MSA (Decision No. DR-2010-321 of 19 October 2010) and in 2012 for COSET-RSI (Decision No. ...). As a result of this pilot phase, the national extension of the cohorts was authorised by the Commission in its decision No. DR-2014-471 of 28 October 2014.
The InVS now wishes to be able to match the data of the COSET-MSA and COSET-RSI cohorts with the SNIIRAM and the SNGC for the "passive" follow-up of persons, through the processing of their NIR.
On the name and purpose of the processing:
Article 1 of the project specifies that the processing "relating to the national cohort programme for epidemiological surveillance in relation to work called "COSET" [...] is intended to describe the health status of active workers according to their professional activity and to analyse its development over time."
The Commission considers that these purposes are determined, explicit and legitimate within the meaning of Article 6-2 of the Data Protection Act.
On the nature of the data processed:
Article 2-II of the project specifies the categories of personal data recorded.
These are, on the one hand, the data collected directly from the persons participating in the study and, on the other hand, the data collected from existing databases.
For inclusion in the COSET-MSA and COSET-RSI cohorts, the following identifying data are collected from the national databases of the MSA and RSI sickness insurance schemes: family name, usage name, first name, sex, month and year of birth, mailing address.
The following information will then be collected through a self-administered questionnaire:


- the e-mail address used to contact the person as part of the follow-up;
- socio-demographic data (sex, month and year of birth, nationality);
- health data on general health status (weight, height, personal history, prevailing pathologies), on the situation of the person in relation to particular pathologies (asthma, musculoskeletal disorders, depressive syndromes) and on health behaviours (tobacco and alcohol consumption);
- family status and the employment status of the spouse;
- professional data describing current employment (status, type of contract, working conditions), career history (education, occupation, possible interruptions in employment) and exposure to certain nuisances (organisational constraints, arduousness, occupational noise, chemical, physical or biological nuisances).


Other, so-called "auxiliary" data from the various existing information systems will be collected to document, on the one hand, health events and, on the other hand, socio-professional events:


- (II [3°] of Article 2) from the SNIIRAM: data on patient care consumption, the hospital data referred to in Article R. 6113-1 of the Public Health Code and data relating to long-term care, occupational disease, injury or disability;
- (II [4°] of Article 2) from the CNAV files: pension rights and socio-professional career paths (including periods of activity, unemployment, remuneration);
- (II [5°] of Article 2) from the sickness insurance scheme of the person concerned: socio-demographic data, data relating to health (including the management of long-term conditions, occupational accidents and occupational diseases, and daily allowances), and data on occupational activity (in particular the periods of activity, the nature and conditions of that activity and, where appropriate, the receipt of an agricultural retirement pension);
- (II [6°] of Article 2) the medical causes of death, from the Centre for Epidemiology on Medical Causes of Death (CépiDc).


To enable tracking of each participant in the COSET programme, a "Violist" number ("NC-DST") is assigned to them. The Commission takes note that the term "anonymized identifier" has been replaced by "privacy code" to designate this "Violist" number.
In application of Article 6 (3°) of the Data Protection Act, the Commission considers that the categories of personal data recorded are adequate and relevant to the purposes of the study, such as ...
It notes, however, that the NIR of the study participants is not included among the data processed listed in Article 2 of the project, whereas the NIR is used for matching purposes with different existing databases. It therefore requests that the list of categories of personal data recorded be completed in order to mention the NIR.
On the methods of data collection:
The above data will be collected in different ways. They will be derived from:


- questionnaires completed by the persons themselves;
- the health insurance schemes of the study participants (RSI or MSA);
- the National Interagency Information System for Health Insurance (SNIIRAM) managed by the National Health Insurance Fund for Employed Workers (CNAMTS);
- the National Career Management System (SNGC) managed by the National Old Age Insurance Fund (CNAV);
- the Centre for Epidemiology on Medical Causes of Death (CépiDc), as determined by Decree No. 98-37 of 16 January 1998 authorising access to data relating to the death of persons registered in the national directory for the identification of natural persons in the framework of health research.


Regarding the collection of data from the SNIIRAM, Article 4 of the project authorises the CNAMTS to use the NIR of the study participants "in order to match data relating to persons participating in the programme (...) with data from the SNIIR-AM".
Since the identifier used in the SNIIRAM to obtain individual care consumption is the result of a double hash function applied to the NIR, the CNAMTS, using the persons' NIR, will be able to extract the relevant data and pass them on to the InVS associated with a privacy code. The InVS will thus be able to link the aforementioned health care consumption to the data collected in the context of the cohort.
The NIR of the persons is also the identifier used within the files of the CNAV, the Caisse centrale de la MSA and the National RSI Fund. In order to permit the matching of cohort data with data from these different databases, Articles 5 (CNAV) and 6 (health insurance schemes) of the project permit the processing of the NIR for this purpose. In particular, Article 5 of the project and the file produced in support of the application provide that the NIR shall be exchanged only between the CNAV, the MSA and the RSI, which are entitled to hold it.
The Commission takes note of it.
In addition, it notes that a "privacy number" is assigned to persons by each health insurance scheme, the CNAMTS and the CNAV during the inclusion phase, and that a provider is responsible for maintaining the correspondence between these different identifiers and the identity of the
To the extent that this arrangement prevents, on the one hand, the InVS from knowing the correspondence between the identity of a person and the associated study data and, on the other hand, the health insurance schemes, the CNAMTS and the CNAV from knowing the NC-DST privacy code, the Commission considers that this organisation is such as to guarantee the confidentiality of the data.
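The separation of identifiers described above can be sketched as follows. This is an added example, not code from the COSET programme or from the opinion: HMAC-SHA256 stands in for the unspecified double hash function, all class and function names are hypothetical, and the linkage table passed to the research side is an assumed reading of how the provider's correspondence is used.

```python
import hashlib
import hmac
import secrets


def double_hash(nir: str, key1: bytes, key2: bytes) -> str:
    """Two chained keyed hashes of the NIR (HMAC-SHA256 is an assumed stand-in)."""
    inner = hmac.new(key1, nir.encode(), hashlib.sha256).digest()
    return hmac.new(key2, inner, hashlib.sha256).hexdigest()


class DataHolder:
    """Hypothetical source (CNAMTS-like role): events are indexed by hashed NIR."""

    def __init__(self, name: str):
        self.name = name
        self._k1, self._k2 = secrets.token_bytes(32), secrets.token_bytes(32)
        self._events = {}    # double-hashed NIR -> list of events
        self._privacy = {}   # NIR -> privacy number issued at inclusion

    def load(self, nir: str, event: str) -> None:
        key = double_hash(nir, self._k1, self._k2)
        self._events.setdefault(key, []).append(event)

    def enrol(self, nir: str) -> str:
        """Issue (once) a random privacy number for a participant."""
        return self._privacy.setdefault(nir, secrets.token_hex(8))

    def extract(self) -> dict:
        """Events keyed by privacy number only: no NIR or internal hash leaves."""
        return {pn: list(self._events.get(double_hash(nir, self._k1, self._k2), []))
                for nir, pn in self._privacy.items()}


class Provider:
    """Hypothetical third party: the only place where identity meets the codes."""

    def __init__(self):
        self._identity = {}  # study code -> directly identifying data
        self._links = {}     # (holder name, privacy number) -> study code

    def include(self, identity: str, privacy_numbers: dict) -> str:
        study_code = secrets.token_hex(8)   # stands in for the NC-DST code
        self._identity[study_code] = identity
        for holder_name, pn in privacy_numbers.items():
            self._links[(holder_name, pn)] = study_code
        return study_code

    def linkage_table(self) -> dict:
        """What the research side receives: codes only, no identity, no NIR."""
        return dict(self._links)


def build_study_dataset(holders, linkage: dict) -> dict:
    """Research side: relabel each holder's extract with the study code."""
    dataset = {}
    for holder in holders:
        for pn, events in holder.extract().items():
            dataset.setdefault(linkage[(holder.name, pn)], []).extend(events)
    return dataset


def demo():
    # Constructed sample data; the NIR values and events are fake.
    holders = [DataHolder("holder-A"), DataHolder("holder-B")]
    holders[0].load("1800175000001", "reimbursement 2015-03")
    holders[0].load("2750233000002", "hospital stay 2015-04")  # not enrolled
    holders[1].load("1800175000001", "employment period 2010-2014")
    provider = Provider()
    numbers = {h.name: h.enrol("1800175000001") for h in holders}
    code = provider.include("Participant One", numbers)
    return code, build_study_dataset(holders, provider.linkage_table())
```

The research-side dataset is keyed only by the study code, and the data holders never see that code.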
The collection of the so-called "auxiliary" data will be carried out both for those who have completed the inclusion questionnaire and for a sub-sample of non-respondents, consisting of a random draw among those who did not respond to the questionnaire but did not object to the processing of their data for the study.
The Commission takes note of the fact that the auxiliary data will not be collected either for persons who have expressed their opposition to the collection of this information or for those considered uninformed (letters not delivered to the recipient).
On the data retention period:
Article 10 of the project indicates that the data will be "collected and stored for twenty years". It is specified that "the use of the registration number in the national directory of natural persons is permitted only for a period not exceeding the data collection period".
Taking into account the necessary investment in the constitution and monitoring, the Commission considers that these data retention periods do not exceed the durations necessary for the purposes for which the data are collected and processed, as well as the issues of this study in terms of public health, in accordance with Article 6 (5°) of the Data Protection Act.
On data recipients:
In accordance with Article 29 (4) of the Data Protection Act, the act authorising processing must specify the recipients or categories of recipients authorised to receive the data.
Thus, Article 8 of the draft specifies that: "Only the staff of the Institut de veille sanitaire, named and empowered to that effect by its director, shall be entitled to access the data referred to in Article 2 of this Decree, to the extent that they are necessary to the performance of the tasks entrusted to them."
The Commission notes that directly identifying data are processed in the framework of COSET (II [1°] (a) of the project) and that a provider is responsible for ensuring their security and confidentiality (Article 3 [1°] of the
Therefore, the Commission requests that Article 8 of the draft be amended to clarify that only the provider mentioned in Article 3 (1°) of the project should have access to the directly identifying data or, failing that, that the authorisation policy implemented within the InVS ensures that staff entitled to access directly identifying data do not have access to the study data.
On the information of individuals:
Article 2-III of the project provides that "Individuals are individually informed by mail of the possibility of collecting data on their health status and their employment status from their social protection body. In accordance with Article 57, they are specifically informed of the possibility of opposition to the collection of such data."
In addition, the research protocol provides for several modalities of information for individuals, both collective and individual:
Collective information:
A communications campaign for the COSET programme was launched by the InVS and the health insurance schemes concerned. A website dedicated to the study informs the public of the characteristics of the COSET study and makes the study documents available.
Individual information:
People drawn by lot are informed by mail of the launch of the COSET programme. This note shall include information on the identity of the controller, the objectives, the procedures for the implementation of the study and the conditions for the exercise of the rights of persons, in accordance with the provisions of Article 57 of the Law of 6 January 1978, as amended.
In particular, persons are informed of the voluntary and optional nature of their participation in the study and the absence of consequences of a refusal to participate in the study. They are also informed about the possibility of ending their participation at any time.
A follow-up of undelivered mail, put in place at the initial invitation, is used to identify those who did not receive the information letter. The auxiliary data will not be sought for these persons, who could not be informed.
The Commission takes note of this information.
On the rights of access, rectification and opposition of persons:
In addition to the specific information relating to the study, the file produced in support of the request for an opinion specifies that the persons affected by the study are informed of the practical arrangements for the exercise of their rights. These may be exercised by post, by e-mail or by telephone, by calling the freephone number dedicated to the study.
The Commission takes note of these measures, which are such as to ensure the effective exercise of the rights of the
However, Article 11 of the project provides that: "The rights of access and rectification of the data provided for in Articles 39 and 40 of the Act of January 6, 1978, are exercised with the Scientific Department of the Institute of Health Surveillance, in COSET program."
In so doing, the Commission notes that InVS personnel would therefore have access to data directly identifying study participants who exercise their rights.
In order to ensure confidentiality, in the light of, inter alia, Article 8 of the draft, the Commission considers that the rights of persons should be exercised with the provider in charge of managing the directly identifying data referred to in Article 3 (1°) of the project.
This provider, which would be authorised in this case to hold directly identifying data in order to carry out its task of preserving the correspondence between the identity and the confidentiality numbers of the persons concerned, could thus receive requests from such persons in the exercise of their rights, and transmit these requests to the InVS after removing the directly identifying elements and associating them with the confidentiality number, allowing the InVS to handle the requests without access to identity.
Failing this, strict separation between identification data and study data must be ensured within the InVS, in particular by setting up a strict authorisation policy so that the same people do not access both the study data and the data directly
Accordingly, the Commission requests that Article 11 of the draft be amended on this point.
On data security and the traceability of actions:
Article 9 of the project provides that the InVS is responsible for the implementation of the security measures of the data recorded in the processing.
Article 8 of the project provides that only persons belonging to the InVS, empowered by the Director of the InVS, may access the data referred to in Article 2.
Authentication requires the use of a password with a minimum length of eight characters for participants. For internal InVS users, managers and administrators, a minimum length of ten characters is imposed, and the password must contain at least one uppercase letter, one lowercase letter and one digit. Passwords chosen by participants when activating their account are not stored in plain text in the application.
The Commission points out that, with regard to the complexity of passwords, it recommends the use of passwords with a minimum length of eight characters for users who do not have high privileges over the data, and ten characters for others. In addition, passwords must contain three distinct types of characters, including uppercase, digits, or special characters. They should not be stored in plain text in a file or database, including for internal InVS users.
Access to the application is logged. Participants' traces are used to evaluate and improve the data collection tool and, possibly, in the analysis to take non-participation into account.
The Commission requests that log data be kept for a rolling period of six months.
Data transfers are secured by e-mail transmission of previously encrypted attachments.
The Commission notes that the submitted file does not contain any elements relating to the measures that will be implemented to ensure the confidentiality of data provided by participants filling out self-administered questionnaires directly on the Internet. It recalls in this respect that these exchanges must be secured and that the SSL protocol in its version 3 is no longer reliable. Therefore, the TLS protocol should be used in its latest version.
The draft decree provides for certain data to be kept encrypted. These are:


- e-mail addresses, retained by the InVS;
- NIR, family name, usage name, first name, sex, date and place of birth of the people drawn by lot, kept by the health insurance schemes.


These measures are satisfactory. However, the Commission points out that a procedure must be documented and implemented to ensure that only authorised persons can have knowledge of the encryption keys, in particular in the event of the departure of a person who had clearance to access these keys, and that the vulnerabilities of the encryption algorithms used should be checked regularly.
Finally, each partner commits to permanently delete the data using software that has first-level certification from the National Agency for the Security of Information Systems if a procedure does not already exist in these bodies, or through the procedure already in place.
Subject to the above observations, the security measures described by the controller comply with the security requirement laid down in Article 34 of the Law of 6 January 1978, as amended. The Commission points out, however, that this obligation requires security measures to be updated in light of the regular reassessment of risks.
The other points of the draft decree do not call for further comments by the Commission with regard to the Law of 6 January 1978, as amended.


The President,

I. Falque-Pierrotin

