CNIL (France) - 2023-089

From GDPRhub
Revision as of 19:04, 26 September 2023 by Samy
CNIL - 2023-089
Authority: CNIL (France)
Jurisdiction: France
Relevant Law: Article 5(1)(f) GDPR
Article 13 GDPR
Article 14(5)(b) GDPR
Article 32 GDPR
Article 89 GDPR
law no. 78-17 of January 6, 1978 as amended relating to data processing, files and freedoms
Type: Advisory Opinion
Outcome: n/a
Started: 22.05.2023
Decided: 14.09.2023
Published: 19.09.2023
Fine: n/a
Parties: National Institute of Demographic Studies (INED)
National Case Number/Name: 2023-089
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): French
Original Source: LEGIFRANCE (in FR)
Initial Contributor: Samuel Uzoigwe

This is a CNIL opinion on a scientific research survey project that a data controller intends to implement and that would entail the processing of sensitive personal data of data subjects. The CNIL considered the basis for processing legitimate.

English Summary

Facts

The National Institute of Demographic Studies (INED), the data controller, intends to implement a “Families and Employers longitudinal survey project” (FamEmp) which would involve the processing of sensitive personal data of data subjects. The data controller based the processing on public interest (article 6.1.e of the GDPR). FamEmp arises from the observation of economic, social, demographic and political changes which increase tensions and erase the boundaries between private and professional life. The survey is aimed at making available to the scientific community statistical survey data relating to the balance between professional, family and personal life, in order to analyze the impact of these interrelations on life courses and risk factors according to professional and family characteristics.

The data controller requested an opinion from the CNIL on May 22, 2023 regarding the first wave (2023 - 2024) of the FamEmp survey. The basis for this request was article 44(6) of law no. 78-17 of January 6, 1978 as amended relating to data processing, files and freedoms (the Information and Freedoms law). This provision requires any data controller seeking to process sensitive personal data within the meaning of the regulations for public research purposes to obtain a published opinion of the CNIL. In support of this request, the data controller had carried out and transmitted an impact analysis relating to the envisaged processing.

The CNIL issued its opinion in that regard.

Holding

Legal Basis for Processing

The survey involved the processing of sensitive data relating to the health, sexuality and religion of the data subjects. According to the data controller, the processing of sensitive personal data is essential for studying the family trajectory, professional career and behavior of the respondent. The CNIL held in this respect that the personal data processing project relating to the implementation of the longitudinal family and employer survey (FamEmp) is legitimate and the processing permissible in law in the public interest.

Data minimization and purpose limitation

The data controller stated that the results of the survey will be transmitted to third parties in pseudonymized form. The CNIL held that, for the results of the research, the dissemination of data must be absolutely necessary for their presentation. It also held that the data to be disseminated must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

Storage and retention period

The data controller stated that the personal data contained in the “Study File” and the “Production and Research File” will be pseudonymized and made available for access by third parties. It also noted that the personal data will be archived ten years after the last request for access to the file by a researcher. In this regard, the CNIL held that the personal data must first be anonymized prior to dissemination, and not merely pseudonymized, unless the interest of third parties in this dissemination prevails over the interests or fundamental rights and freedoms of the data subjects. In holding this, the CNIL referenced article 89 of the GDPR, which mandates the implementation of appropriate safeguards for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, and article 78 of the “information and freedoms” law, which mandates the implementation of state-of-the-art standards for electronic archiving. The CNIL also advised the data controller to immediately delete health data after recoding by category. It equally reminded the data controller of the importance of having a defined retention period for pseudonymized data, as such data cannot remain available for an unlimited period. Furthermore, the data controller outlined that it would archive the personal data on its secure server after the expiration of the retention period, and then transfer the original personal data to the Archives of France. The CNIL objected to the data controller’s intention to retain personal data after they are transferred to the Archives of France.

Security of personal data

The CNIL recommended that all tools used to conduct the study, and the security measures applied to the data processing, should comply with the state of the art, and in particular with security measures equivalent to the requirements of the CNIL “data warehouse in the health field” standard. The CNIL also recommended automatic or manual monitoring of any data transfer outside the controller, in order to systematically verify the anonymity of the data at all times, and that compliance with security requirements be ensured at all stages of processing carried out by the various participating organizations. The CNIL also held that security measures must be operational during the implementation of the processing, in line with Articles 5(1)(f) and 32 of the GDPR. It also recalled that any secret must be transmitted via communication channels separate from those carrying the encrypted data or the link that provides it.

Access to personal data and recipients of personal data

The CNIL advised the data controller to restrict as much as possible the number of third parties authorized to access personally identifiable information of the data subjects. The CNIL reminded the data controller that access to personal data by a person in a country outside the European Union constitutes a transfer of data outside the European Union, and must be carried out in accordance with the principles of personal data transfer outside the EU mandated in Chapter V of the GDPR.

Data subject’s right to be informed

The data controller outlined that, prior to contact with a data subject, an announcement letter accompanied by an information leaflet, as well as an email or SMS (which directs the data subject to the survey site including all information) if the contact details are available, will be sent individually to all selected individuals. It also noted that at the start of the questionnaire, a text will remind the data subject of the reason for the survey and the data processing, as well as the rights available to the data subject. The CNIL recommended in that regard that, from the start of the survey, the data controller should verify that the data subject has indeed received the above information. It also recommended that all of the information related to the processing as provided for in Article 13 of the GDPR should be delivered again to the data subject verbally or at the start of the web questionnaire, if applicable, including the terms and conditions that guide the data subject’s exercise of their rights. In respect of the processing of the personal data of third parties who cannot be informed, the CNIL validated the data controller’s reliance on article 14(5)(b) of the GDPR, under which the right to be informed does not apply to those third parties. This exemption applies where the provision of such information proves impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. The CNIL equally endorsed the data controller’s supporting position that the data relating to third parties are processed to characterize the data subjects in the course of the research, and not with a view to collecting precise information on third parties.

Exercise of data subject rights

The data controller stated that data subjects could object to data processing via an email address indicated in the information notices (privacy notice). The CNIL advised the data controller to provide a mechanism for objection that is easy and accessible to anyone, including those who lack access to or knowledge of computer tools. The CNIL also recommended that the data controller’s operators who are responsible for responding to data subject rights requests be made properly aware of the possibility of identity theft, so as to exercise utmost precaution in verifying the identity of data subjects whose personal data have been deleted, but who seek to exercise a right. The CNIL equally held that all data subjects retain the right to access their personal data as long as the personal data has not been destroyed, even when it is archived.

Comment

This is a CNIL opinion on a research project, the longitudinal family and employer survey (FamEmp), that a data controller intends to implement. The survey project would entail the processing of sensitive personal data, and therefore required an opinion of the regulatory authority in line with the provisions of article 44(6) of law no. 78-17 of January 6, 1978 as amended relating to data processing, files and freedoms. The CNIL considered the research project legitimate, as the processing of sensitive personal data is necessary for scientific research purposes in the public interest. The CNIL recommended the implementation of several safeguards to ensure the protection of personal data during processing. These safeguards include implementing security measures, restricting access to personally identifiable information, setting a retention period for pseudonymized data, providing an easy-to-access mechanism for objection to data processing, raising awareness of identity theft, and adherence to rules governing the transfer of personal data outside the European Union.

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

Deliberation 2023-089 of September 14, 2023
National Commission for Information Technology and Liberties
Nature of the deliberation: Opinion
Legal status: In force
Date of publication on Légifrance: Tuesday September 19, 2023
Deliberation No. 2023-089 of September 14, 2023 relating to an opinion on a processing project relating to the implementation of the longitudinal family and employer survey (FamEmp)
Date of notice: September 14, 2023

Deliberation number: No. 2023-089

Opinion request number: 2230110

Organization(s) at the origin of the referral: National Institute of Demographic Studies (INED)

Text concerned: non-health research project relating to the longitudinal family and employer survey

Themes: National Institute of Demographic Studies, non-health research, family and employer survey

Basis for the referral: article 44.6° of law no. 78-17 of January 6, 1978 as amended relating to data processing, files and freedoms

The essentials:

The CNIL considers the personal data processing project relating to the implementation of the longitudinal family and employer survey (FamEmp) to be legitimate.

However, it invites INED to immediately delete health data after recoding by category and to restrict as much as possible the number of authorized people who can access directly identifying data.

It also recalls the need to set a retention period for pseudonymized data.

The CNIL invites INED to provide a mechanism for opposing data matching that is easy and accessible to anyone, including those who do not have computer equipment and/or do not master computer tools.

Regarding the methods of exercising rights, it recommends raising operators' awareness of attempts at identity theft. It also asks INED to consider solutions combining secrets transmitted to the participant during contact and data collected.

The CNIL recalls that all security measures must be at least equivalent to the requirements of the CNIL “data warehouse in the health field” standard.

THE NATIONAL COMMISSION FOR COMPUTING AND FREEDOMS,

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing the Directive 95/46/EC (general data protection regulation or GDPR);

Having regard to law no. 78-17 of January 6, 1978 as amended relating to data processing, files and freedoms (hereinafter the “data processing and freedoms” law), in particular its article 44.6°;

On the proposal of Mr. Claude CASTELLUCCIA, commissioner, and after hearing the observations of Mr. Damien MILIC, Government commissioner,

ADOPTS THE FOLLOWING DELIBERATION:

The referral
The context
The Families and Employers longitudinal survey project (FamEmp) results from the observation of economic, social, demographic and political changes which increase tensions and erase the boundaries between private and professional life. In the sphere of employment, this concerns in particular the increase in precarious positions, atypical hours, digitalization allowing new forms of employment and work (e.g. nomadic, teleworking). In the family and personal sphere, family configurations and representations of the roles of women and men and parenthood are evolving (increase in union breakdowns, family reconstitutions, single-parent families and caregiving situations, etc.).

Also, the FamEmp survey aims to make available to the scientific community statistical survey data relating to the balance between professional, family and personal life in order to analyze the impact of these interrelations on life courses and factors of risks according to professional and family characteristics.

The three collection waves (2023 - 2024, 2026 - 2027 and 2029 - 2030) will be coupled, in part, with the European Generations and Gender Survey (Erfi 2 survey for France) in order to develop international comparisons.

On December 2, 2021, the survey received the favorable opportunity notice from the National Council for Statistical Information (CNIS), attesting to its statistical nature, its public interest and the absence of other available sources on this subject.

On October 5, 2022, it also obtained the label of general interest and statistical quality as well as compulsory status (visa no. 2023X042AU from the Minister of the Economy, Finance and Recovery).

The subject of the referral
The CNIL was asked for its opinion on May 22, 2023 on the first wave (2023 - 2024) of the FamEmp survey.

To the extent that it concerns sensitive data within the meaning of the regulations, the proposed processing must be subject to prior notice from the CNIL in accordance with the provisions of article 44.6° of the “Informatics and Freedoms” law.

The referral concerns three components of the processing project:

- a general rehearsal of the questionnaire survey (according to the same protocol as the real survey, with a target of 600 Individual questionnaires and 200 Employer questionnaires);
- the actual survey, comprising two parts:
  - an Individuals component: a questionnaire administered by telephone or completed on the Internet to a sample of people aged 20 to 65 living in ordinary households in mainland France (objective of 30,250 questionnaires);
  - an Employers section: a self-administered questionnaire, mainly via the Internet, to individuals' establishments when they include 10 employees/agents or more (objective of 9,000 questionnaires);
- matches with administrative data managed by INSEE:
  - in the Individuals section: socio-fiscal data (from the files of the National Family Allowance Fund, the National Old Age Insurance Fund, the old age and family branches of the MSA, the housing tax and the income tax) and employment data (from the “all employees base”, the “non-employee base” and the Sirene directory), making it possible to collect precise and reliable information concerning the employment and income of people selected at the time of the survey and between survey waves and to obtain information concerning non-respondents, unless they object;
  - in the Employers section: employment data (from the “all employees database”) and data on companies and establishments (from the Sirene directory).

The National Institute of Demographic Studies (INED) is responsible for this processing, which it implements on the basis of the execution of a mission of public interest (article 6.1.e of the GDPR).

The CNIL’s opinion
On the categories of data collected
Some of the questions in the Individuals section relate to sensitive data relating to health, sexuality and religion. According to INED, this information is essential for studying the family trajectory, professional career and behavior of the respondent. In particular, an open question in the questionnaire aims to collect the existence, among the parents, spouse or children of the respondent, of an illness, pathology or deficiency diagnosed by the medical profession.

The CNIL notes the need for an open question. Indeed, a closed question would be unsuitable both on a technical level (length of an exhaustive list) and on a semantic level (difficulty in listing pathologies, illnesses and deficiencies at the same time by grouping together both medical terms and everyday language terms). It notes that the responses, optional, pseudonymized and recoded by category, will be stored on secure servers and will not be disseminated unencrypted in the files accessible to the scientific community. The CNIL invites INED to immediately delete the responses after recoding by category and draws its attention to the need for a strictly limited number of authorized persons to be able to access directly identifying data.

On the retention period
The “Study File” and the “Production and Research File”, both containing pseudonymized personal data and made available, respectively, on the Center for Secure Data Access (CASD) and on the Quetelet Progedo Diffusion network, will be archived ten years after the last request for access to the file by a researcher.

The CNIL recalls that the dissemination of data must be carried out in accordance with articles 78 of the “information technology and freedoms” law and 116 of decree no. 2019-536 of May 29, 2019. In particular, the data must first be anonymized to be disseminated and not pseudonymized, unless the interest of third parties in this dissemination prevails over the interests or fundamental freedoms and rights of the person concerned. For the results of the research, this dissemination must be absolutely necessary for its presentation. The data disseminated must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

The CNIL recalls that, in the case of dissemination of pseudonymized data, it is essential to set a retention period, as this data cannot remain available for an unlimited period.

Furthermore, after the expiration of the retention period, a copy of all these non-anonymized files will be archived on a secure INED server and the original files will be transferred to the Archives of France. The CNIL questions the need to keep a copy of the files when they will be transferred to the Archives of France. In any case, it recalls that INED must set a retention period for these non-anonymized archives.

On informing people
Prior to contact with the respondent, an announcement letter accompanied by an information leaflet as well as an email or SMS (which will refer to the survey site including all information) if the contact details are available, will be sent individually to all selected individuals. At the start of the questionnaire, a text will remind you of the subject and objectives of the survey as well as the “computer and freedom” rights available to the person.

Article 13 of the GDPR provides that, when personal data relating to a person is collected from them, the data controller provides them with information at the time of collection. The CNIL recommends that, from the start of the survey, the interviewer verifies that the person has received the information. All of the elements provided for in Article 13 should be delivered again to the respondent verbally or at the start of the web questionnaire, if applicable, including concerning the terms of exercise of rights. As a good practice and in order to protect against any risk of fraud, it also recommends setting up a system allowing the respondent to verify that it is indeed an INED survey. For example, an information portal including the verification points that respondents could check before responding to the survey could be put online.

It recalls that the data controller must provide information relating to the recipients of the processing, which will also include the scientific community via the Quetelet Progedo Diffusion and CASD networks.

Paradata - data collected in parallel with a collection device and which describes the process, where metadata describes the data collected - will be recorded. The CNIL invites INED to publish on its website the information according to which these paradata resulting from navigation in the questionnaire, retracing all the actions carried out by the respondents on the web interface as well as their date and time, will be collected.

With regard to the information of third parties whose data could be collected, INED intends to mobilize the exemption provided for in article 14.5.b of the GDPR since, in particular, "obtaining their identities and contact details and the provision of information would require disproportionate efforts, in particular because the data relating to third parties are processed to characterize the respondents and not with a view to collecting precise information on third parties", which the CNIL takes note of.

Furthermore, the survey website containing the required information will remain accessible online at least two years after the study. The CNIL recalls that as long as personal data is not destroyed, even when it is archived, the information must remain accessible to any person wishing to exercise their rights.

On people's rights
Respondents may object to the matching of their responses with administrative data via an email address indicated in the information notices of the advisory letters. The CNIL invites INED to provide an opposition mechanism that is easy and accessible to anyone, including those who do not have computer equipment and/or do not master computer tools.

Regarding the terms of exercising rights, once the "contact file" has been destroyed, people who wish to exercise their rights, in particular their right of access, will be found either with their identifier, or, for those who have agreed to be contacted again, with their name, telephone number or email address. Failing this, INED may ask them a few questions in order to find the questionnaire that concerns them.

The CNIL notes that these methods of exercising rights are based on information which may be public (for example, telephone number). It calls, given the sensitivity of the data processed, for the greatest precaution to avoid any identity theft aimed at accessing the data of a third party. It therefore recommends that operators responsible for implementing these rights exercises be made aware of the possibility of attempted abuse.

It also asks INED to consider solutions combining secrets transmitted to the participant during the process (for example, when informing them of their rights) with identification questions based on the data collected.

On accessors and recipients of data
INED specifies that only data from the “study file”, the “production and research file”, as well as enriched versions of these files with administrative data, will be made available to the scientific community via the Quetelet Progedo Diffusion network or the CASD.

The CNIL draws the attention of INED to the fact that the consultation of its storage system by a person located in the territory of a third country to the European Union constitutes a transfer of data outside the European Union, which must be carried out in accordance with Chapter V of the GDPR.

On security measures
INED has carried out and transmitted, in support of the request for an opinion, an impact analysis relating to data protection specific to the envisaged processing.

Given the sensitivity of the data collected, the CNIL recommends that all tools, in particular the storage and work spaces used to conduct the study, and security measures comply with the state of the art and in particular security measures equivalent to the requirements of the CNIL “data warehouse in the health field” standard.

In this regard, the CNIL recommends monitoring, automatic or manual, of any export of data outside of these spaces, in order to systematically verify its anonymous nature.

Different random pseudonyms are assigned to participants in the files produced from the collection of responses to the two parts of the survey. These will need to be distinct for the different data flows. Any correspondence table must be deleted as soon as possible after consolidation of the database and the generation of new pseudonyms for it. For any provision, pseudonyms dedicated to each workspace must be generated.

Data exchanges are carried out via encrypted communication channels ensuring the authentication of the source and recipient. In order to guarantee the confidentiality of secrets and the effectiveness of data encryption, the CNIL recalls that the transmission of any secret must be done via communication channels separate from those of the encrypted data or their provision link.

The CNIL considers that the nature of the data in the study requires that it be subject to encryption measures in accordance with appendix B1 of the general security framework, both in terms of databases, correspondence tables and backups.

INED must ensure compliance with security requirements at all stages of processing carried out by the various participating organizations.

The security measures, which must be operational during the implementation of the processing, must meet the requirements provided for by Articles 5.1.f and 32 of the GDPR taking into account the risks identified by the data controller. It will be up to the data controller to carry out a regular reassessment of the risks for the people concerned and to update, if necessary, these security measures.

The other provisions of the draft decision do not call for comments from the CNIL.

The president

Marie-Laure DENIS