CNIL (France) - 2023-089

From GDPRhub
Latest revision as of 17:12, 6 December 2023

CNIL - 2023-089
Authority: CNIL (France)
Jurisdiction: France
Relevant Law: Article 5(1)(f) GDPR
Article 13 GDPR
Article 14(5)(b) GDPR
Article 32 GDPR
Article 89 GDPR
law no. 78-17 of January 6, 1978 as amended relating to data processing, files and freedoms
Type: Advisory Opinion
Outcome: n/a
Started: 22.05.2023
Decided: 14.09.2023
Published: 19.09.2023
Fine: n/a
Parties: National Institute of Demographic Studies (INED)
National Case Number/Name: 2023-089
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): French
Original Source: LEGIFRANCE (in FR)
Initial Contributor: Samuel Uzoigwe

On the basis of Article 36 GDPR, the French DPA issued an opinion finding a scientific research survey project to be implemented by a data controller legitimate as its processing of sensitive personal data was necessary for scientific research purposes in the public interest.

English Summary

Facts

The National Institute of Demographic Studies (INED) (the controller) intended to implement a “Families and Employers longitudinal survey project” (FamEmp), which would involve the processing of sensitive personal data of data subjects. The data controller founded the legal basis for the processing on public interest under Article 6(1)(e) GDPR. The survey was aimed at making available to the scientific community statistical survey data relating to the balance between professional, family and personal life, in order to analyse the impact of these interrelations on life courses and the risk factors according to professional and family characteristics.

The data controller requested an opinion from the French DPA (CNIL) on 22 May 2023 regarding the FamEmp survey because, on the basis of Article 44(6) of French law no. 78-17 of 6 January 1978 and Article 36 GDPR, any data controller has to obtain a published opinion of the DPA when seeking to process sensitive personal data for public research purposes. In support of this request, the data controller carried out an impact assessment relating to the envisaged processing.

Holding

The CNIL issued its opinion as follows.

On the legal basis for data processing, the DPA acknowledged that the survey involved the processing of sensitive data relating to the health, sexuality and religion of the data subjects and held that such processing for the FamEmp is legitimate and the processing permissible in law in the public interest.

Secondly, the data controller stated that the survey results would be transmitted to third parties in pseudonymised form, to which the DPA replied that the data must be anonymised before being disseminated and not pseudonymised. It also reminded the controller that the disseminated data must be equally adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

Thirdly, on the storage and retention period, the data controller stated that the personal data would be archived ten years after the last access request by a researcher. In this regard, the DPA referenced Article 89 GDPR, which mandates the implementation of appropriate safeguards for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. The DPA also reminded the controller of the importance of having a defined retention period for pseudonymised data, and it objected to the controller’s intention to retain personal data after they are transferred to the Archives of France.

For the security of personal data, the DPA recommended automatic or manual monitoring of any data transfer outside the controller to systematically verify the anonymity of the data at all times and ensure compliance with security requirements at all stages of processing. The DPA also held that security measures must be operational during the implementation of the processing, in line with Article 5(1)(f) GDPR and Article 32 GDPR.

Additionally, regarding access to personal data and the recipients of personal data, the DPA advised the controller to restrict as much as possible the number of third parties authorised to access personally identifiable information of the data subjects. It reminded the controller that access to personal data by a person in a country outside the EU must be carried out in accordance with the principles of personal data transfer outside the EU mandated in Chapter V GDPR.

Furthermore, on the data subject’s right to be informed, the controller outlined that before contacting a data subject, an announcement letter, as well as an email or SMS, should be sent to all selected individuals. The DPA also suggested that all of the information related to the processing as provided for in Article 13 GDPR should be delivered again to the data subject verbally or at the start of the web questionnaire, including the terms and conditions that guide the data subject’s exercise of their rights. Regarding processing the personal data of third parties who cannot be informed, the DPA validated the data controller’s reliance on Article 14(5)(b) GDPR, which exempts third parties from having the right to be informed.

Lastly, on the exercise of data subject rights, the controller stated that data subjects could object to data processing via an email address indicated in the information notices. In response, the DPA emphasised that the mechanism for objection should be easy and accessible to anyone, including those who lack access to or knowledge of computer tools.


English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

Deliberation 2023-089 of September 14, 2023
National Commission for Information Technology and Liberties
Nature of the deliberation: Opinion
Legal status: In force
Date of publication on Légifrance: Tuesday September 19, 2023
Deliberation No. 2023-089 of September 14, 2023 relating to an opinion on a processing project relating to the implementation of the longitudinal family and employer survey (FamEmp)
Date of notice: September 14, 2023

Deliberation number: No. 2023-089

Opinion request number: 2230110

Organization(s) at the origin of the referral: National Institute of Demographic Studies (INED)

Text concerned: non-health research project relating to the longitudinal family and employer survey

Themes: National Institute of Demographic Studies, non-health research, family and employer survey

Basis for the referral: article 44.6° of law no. 78-17 of January 6, 1978 as amended relating to data processing, files and freedoms

Key points:

The CNIL considers the personal data processing project relating to the implementation of the longitudinal family and employer survey (FamEmp) to be legitimate.

However, it invites INED to immediately delete health data after recoding by category and to restrict as much as possible the number of authorized people who can access directly identifying data.

It also recalls the need to set a retention period for pseudonymized data.

The CNIL invites INED to provide a mechanism for opposing data matching that is easy and accessible to anyone, including those who do not have computer equipment and/or do not master computer tools.

Regarding the methods of exercising rights, it recommends raising operators' awareness of attempts at identity theft. It also asks INED to consider solutions combining secrets transmitted to the participant during contact and data collected.

The CNIL recalls that all security measures must be at least equivalent to the requirements of the CNIL “data warehouse in the health field” standard.

THE NATIONAL COMMISSION FOR COMPUTING AND FREEDOMS,

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing the Directive 95/46/EC (general data protection regulation or GDPR);

Having regard to law no. 78-17 of January 6, 1978 as amended relating to data processing, files and freedoms (hereinafter the “data processing and freedoms” law), in particular its article 44.6°;

On the proposal of Mr. Claude CASTELLUCCIA, commissioner, and after hearing the observations of Mr. Damien MILIC, Government commissioner,

ADOPTS THE FOLLOWING DELIBERATION:

The referral
The context
The Families and Employers longitudinal survey project (FamEmp) results from the observation of economic, social, demographic and political changes which increase tensions and erase the boundaries between private and professional life. In the sphere of employment, this concerns in particular the increase in precarious positions, atypical hours, digitalization allowing new forms of employment and work (e.g. nomadic, teleworking). In the family and personal sphere, family configurations and representations of the roles of women and men and parenthood are evolving (increase in union breakdowns, family reconstitutions, single-parent families and caregiving situations, etc.).

Also, the FamEmp survey aims to make available to the scientific community statistical survey data relating to the balance between professional, family and personal life in order to analyze the impact of these interrelations on life courses and factors of risks according to professional and family characteristics.

The three collection waves (2023 - 2024, 2026 - 2027 and 2029 - 2030) will be coupled, in part, with the European Generations and Gender Survey (Erfi 2 survey for France) in order to develop international comparisons.

On December 2, 2021, the survey received the favorable opportunity notice from the National Council for Statistical Information (CNIS), attesting to its statistical nature, its public interest and the absence of other available sources on this subject.

On October 5, 2022, it also obtained the label of general interest and statistical quality as well as compulsory status (visa no. 2023X042AU from the Minister of the Economy, Finance and Recovery).

The subject of the referral
The CNIL was asked for its opinion on May 22, 2023 on the first wave (2023 - 2024) of the FamEmp survey.

To the extent that it concerns sensitive data within the meaning of the regulations, the proposed processing must be subject to prior notice from the CNIL in accordance with the provisions of article 44.6° of the “Informatics and Freedoms” law.

The referral concerns three components of the processing project:

- a general rehearsal of the questionnaire survey (according to the same protocol as the real survey, with a target of 600 Individual questionnaires and 200 Employer questionnaires);
- the actual survey, comprising two parts:
  - an Individuals component: a questionnaire administered by telephone or completed on the Internet to a sample of people aged 20 to 65 living in ordinary households in mainland France (objective of 30,250 questionnaires);
  - an Employers section: a self-administered questionnaire, mainly via the Internet, to individuals' establishments when they include 10 employees/agents or more (objective of 9,000 questionnaires);
- matches with administrative data managed by INSEE:
  - in the Individuals section: socio-fiscal data (from the files of the National Family Allowance Fund, the National Old Age Insurance Fund, the old age and family branches of the MSA, the housing tax and the income tax) and employment (from the “all employees base”, the “non-employee base” and the Sirene directory), making it possible to collect precise and reliable information concerning the employment and income of people selected at the time of the survey and between survey waves and to obtain information concerning non-respondents, unless they object;
  - in the Employers section: employment data (from the “all employees database”) and companies and establishments (from the Sirene directory).

The National Institute of Demographic Studies (INED) is responsible for this processing, which it implements on the basis of the execution of a mission of public interest (article 6.1.e of the GDPR).

The CNIL’s opinion
On the categories of data collected
Some of the questions in the Individuals section relate to sensitive data relating to health, sexuality and religion. According to INED, this information is essential for studying the family trajectory, professional career and behavior of the respondent. In particular, an open question in the questionnaire aims to collect the existence, among the parents, spouse or children of the respondent, of an illness, pathology or deficiency diagnosed by the medical profession.

The CNIL notes the need for an open question. Indeed, a closed question would be unsuitable both on a technical level (length of an exhaustive list) and on a semantic level (difficulty in listing pathologies, illnesses and deficiencies at the same time by grouping together both medical terms and everyday language terms). It notes that the responses, which are optional, pseudonymized and recoded by category, will be stored on secure servers and will not be disseminated unencrypted in the files accessible to the scientific community. The CNIL invites INED to immediately delete the responses after recoding by category and draws its attention to the need for a strictly limited number of authorized persons to be able to access directly identifying data.

On the retention period
The “Study File” and the “Production and Research File” – both containing pseudonymized personal data and made available, respectively, on the Center for Secure Data Access (CASD) and on the network Quetelet Progedo Diffusion - will be archived ten years after the last request for access to the file by a researcher.

The CNIL recalls that the dissemination of data must be carried out in accordance with articles 78 of the “information technology and freedoms” law and 116 of decree no. 2019-536 of May 29, 2019. In particular, the data must first be anonymized to be disseminated and not pseudonymised, unless the interest of third parties in this dissemination prevails over the interests or fundamental freedoms and rights of the person concerned. For the results of the research, this dissemination must be absolutely necessary for its presentation. The data disseminated must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

The CNIL recalls that, in the case of dissemination of pseudonymized data, it is essential to set a retention period, as this data cannot remain available for an unlimited period.

Furthermore, after the expiration of the retention period, a copy of all these non-anonymized files will be archived on a secure INED server and the original files will be transferred to the Archives of France. The CNIL questions the need to keep a copy of the files when they will be transferred to the Archives of France. In any case, it recalls that INED must set a retention period for these non-anonymized archives.

On informing people
Prior to contact with the respondent, an announcement letter accompanied by an information leaflet as well as an email or SMS (which will refer to the survey site including all information) if the contact details are available, will be sent individually to all selected individuals. At the start of the questionnaire, a text will remind the respondent of the subject and objectives of the survey as well as the “computer and freedom” rights available to the person.

Article 13 of the GDPR provides that, when personal data relating to a person is collected from them, the data controller provides them with information at the time of collection. The CNIL recommends that, from the start of the survey, the interviewer verify that the person has received the information. All of the elements provided for in Article 13 should be delivered again to the respondent verbally or at the start of the web questionnaire, if applicable, including concerning the terms of exercise of rights. As a good practice and in order to protect against any risk of fraud, it also recommends setting up a system allowing the respondent to verify that it is indeed an INED survey. For example, an information portal including the verification points that respondents could check before responding to the survey could be put online.

It recalls that the data controller must provide information relating to the recipients of the processing, which will also include the scientific community via the Quetelet Progedo Diffusion and CASD networks.

Paradata - data collected in parallel with a collection device and which describes the process, where metadata describes the data collected - will be recorded. The CNIL invites INED to publish on its website the information according to which these paradata resulting from navigation in the questionnaire, retracing all the actions carried out by the respondents on the web interface as well as their date and time, will be collected.

With regard to the information of third parties whose data could be collected, INED intends to mobilize the exemption provided for in article 14.5.b of the GDPR since, in particular, "obtaining their identities and contact details and the provision of information would require disproportionate efforts, in particular because the data relating to third parties are processed to characterize the respondents and not with a view to collecting precise information on third parties", which the CNIL takes note of.

Furthermore, the survey website containing the required information will remain accessible online at least two years after the study. The CNIL recalls that as long as personal data is not destroyed, even when it is archived, the information must remain accessible to any person wishing to exercise their rights.

On people's rights
Respondents may object to the matching of their responses with administrative data via an email address indicated in the information notices of the announcement letters. The CNIL invites INED to provide an opposition mechanism that is easy and accessible to anyone, including those who do not have computer equipment and/or do not master computer tools.

Regarding the terms of exercising rights, once the "contact file" has been destroyed, people who wish to exercise their rights, in particular their right of access, will be found either with their identifier, or, for those who have agreed to be contacted again, with their name, telephone number or email address. Failing this, INED may ask them a few questions in order to find the questionnaire that concerns them.

The CNIL notes that these methods of exercising rights are based on information which may be public (for example, telephone number). It calls, given the sensitivity of the data processed, for the greatest precaution to avoid any identity theft aimed at accessing the data of a third party. It therefore recommends that operators responsible for implementing these rights exercises be made aware of the possibility of attempted abuse.

It also asks INED to consider solutions combining secrets transmitted to the participant during the process (for example, when informing them of their rights) with identification questions based on the data collected.
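One way to combine a secret handed to the participant at contact time with identification questions drawn from the collected data, shown as an added example that is not part of the CNIL deliberation or of INED's systems. The function names, the pseudonym `P-001`, the question keys and the two-match threshold are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample of collected responses, keyed by pseudonymous identifier.
SAMPLE_RESPONSES = {
    "P-001": {"year_of_birth": "1984", "household_size": "3",
              "sector": "Public hospital"},
}

def _hash(secret: str, salt: bytes) -> bytes:
    # Salted, stretched hash so the stored value does not reveal the secret.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

def _norm(value) -> bytes:
    # Case- and whitespace-insensitive comparison of free-form answers.
    return " ".join(str(value).lower().split()).encode()

def issue_contact_secret(store: dict, pseudonym: str) -> str:
    """Run when the announcement letter is produced (assumed workflow).
    Returns the secret to print in the letter; only salt + hash are kept."""
    secret = secrets.token_urlsafe(12)
    salt = secrets.token_bytes(16)
    store[pseudonym] = (salt, _hash(secret, salt))
    return secret

def verify_rights_request(store, responses, pseudonym, secret, answers,
                          min_matches=2) -> bool:
    """Accept a rights request only if BOTH factors hold: the contact-time
    secret and enough answers matching the collected questionnaire."""
    entry = store.get(pseudonym)
    # Dummy values keep the work identical for unknown identifiers.
    salt, expected = entry if entry else (b"\0" * 16, b"\0" * 32)
    secret_ok = hmac.compare_digest(_hash(secret, salt), expected)
    secret_ok = secret_ok and entry is not None
    record = responses.get(pseudonym, {})
    matches = sum(
        1 for question, answer in answers.items()
        if question in record
        and hmac.compare_digest(_norm(answer), _norm(record[question]))
    )
    return bool(secret_ok and matches >= min_matches)

if __name__ == "__main__":
    store = {}
    letter_secret = issue_contact_secret(store, "P-001")
    answers = {"year_of_birth": "1984", "sector": "public hospital"}
    # Secret plus two matching answers: accepted.
    print(verify_rights_request(store, SAMPLE_RESPONSES, "P-001",
                                letter_secret, answers))
    # Matching answers alone (information a third party may know): refused.
    print(verify_rights_request(store, SAMPLE_RESPONSES, "P-001",
                                "guess", answers))
```
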

On accessors and recipients of data
INED specifies that only data from the “study file”, the “production and research file”, as well as enriched versions of these files with administrative data, will be made available to the scientific community via the Quetelet Progedo Diffusion network or the CASD.

The CNIL draws the attention of INED to the fact that the consultation of its storage system by a person located in the territory of a third country to the European Union constitutes a transfer of data outside the European Union, which must be carried out in accordance with Chapter V of the GDPR.

On security measures
INED has carried out and transmitted, in support of the request for an opinion, an impact analysis relating to data protection specific to the envisaged processing.

Given the sensitivity of the data collected, the CNIL recommends that all tools, in particular the storage and work spaces used to conduct the study, and security measures comply with the state of the art and in particular security measures equivalent to the requirements of the CNIL “data warehouse in the health field” standard.

In this regard, the CNIL recommends monitoring, automatic or manual, of any export of data outside of these spaces, in order to systematically verify its anonymous nature.

Different random pseudonyms are assigned to participants in the files produced from the collection of responses to the two parts of the survey. These will need to be distinct for the different data flows. Any correspondence table must be deleted as soon as possible after consolidation of the database and the generation of new pseudonyms for it. For any provision, pseudonyms dedicated to each workspace must be generated.
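The pseudonym handling described above, sketched as an added example that is not part of the CNIL deliberation or of INED's tooling. It assumes a simplified model in which each selected person has at most one record per data flow; the flow names, field names and person labels are constructed.

```python
import secrets

def new_pseudonym() -> str:
    # 128 random bits, not derived from any identifier, so a pseudonym
    # cannot be recomputed or matched against another flow or workspace.
    return secrets.token_hex(16)

def pseudonymise_flow(person_ids):
    """Correspondence table {person_id: pseudonym} for ONE data flow."""
    return {pid: new_pseudonym() for pid in person_ids}

def consolidate(flow_records, flow_tables):
    """Merge per-flow records under newly generated pseudonyms.

    flow_records: {flow: {flow_pseudonym: record}}
    flow_tables:  {flow: {person_id: flow_pseudonym}}
    """
    merged, new_ids = {}, {}
    for flow, table in flow_tables.items():
        for pid, flow_pseudonym in table.items():
            new_id = new_ids.setdefault(pid, new_pseudonym())
            # Non-respondents have no record in that flow.
            record = flow_records[flow].get(flow_pseudonym, {})
            merged.setdefault(new_id, {}).update(record)
    # Stand-in for deleting the stored correspondence tables: once they are
    # gone, nothing links the consolidated pseudonyms back to a person or
    # to the per-flow pseudonyms.
    for table in flow_tables.values():
        table.clear()
    new_ids.clear()
    return merged

def provision_workspace(database):
    """Copy of the database with pseudonyms dedicated to one workspace."""
    return {new_pseudonym(): dict(record) for record in database.values()}

def demo():
    people = ["person-A", "person-B"]  # constructed direct identifiers
    tables = {"individuals": pseudonymise_flow(people),
              "employers": pseudonymise_flow(people)}
    flows_distinct = set(tables["individuals"].values()).isdisjoint(
        tables["employers"].values())
    records = {
        "individuals": {
            tables["individuals"]["person-A"]: {"hours": "atypical"},
            tables["individuals"]["person-B"]: {"hours": "standard"},
        },
        # person-B's establishment did not answer the Employers part.
        "employers": {
            tables["employers"]["person-A"]: {"size": "10-49"},
        },
    }
    database = consolidate(records, tables)
    return (flows_distinct, tables, database,
            provision_workspace(database), provision_workspace(database))

if __name__ == "__main__":
    distinct, tables, db, ws1, ws2 = demo()
    print(distinct, tables, len(db), set(ws1).isdisjoint(ws2))
```
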

Data exchanges are carried out via encrypted communication channels ensuring the authentication of the source and recipient. In order to guarantee the confidentiality of secrets and the effectiveness of data encryption, the CNIL recalls that the transmission of any secret must be done via communication channels separate from those of the encrypted data or their provision link.

The CNIL considers that the nature of the data in the study requires that it be subject to encryption measures in accordance with appendix B1 of the general security framework, both in terms of databases, correspondence tables and backups.

INED must ensure compliance with security requirements at all stages of processing carried out by the various participating organizations.

The security measures, which must be operational during the implementation of the processing, must meet the requirements provided for by Articles 5.1.f and 32 of the GDPR taking into account the risks identified by the data controller. It will be up to the data controller to carry out a regular reassessment of the risks for the people concerned and to update, if necessary, these security measures.

The other provisions of the draft decision do not call for comments from the CNIL.

The president

Marie-Laure DENIS