Epidemic management information systems (IS) “for the most part respectful of personal data” (Cnil)
The Cnil carried out a total of 32 control operations between May 2020 and April 2021, it said.
In detail, 10 concern Sidep, the IS for monitoring Covid-19 tests, 12 Contact Covid, the IS for tracing contact cases, 7 the TousAntiCovid application, and 3 the IS for monitoring the Covid vaccine.
“The commission’s investment in carrying out these checks is unparalleled in the history of the institution, both in terms of the number of checks carried out, their recurrence or the period of time over which they are carried out”, it underlined.
The third wave of checks took place from January to April 2021.
Regarding Sidep, implemented by the National Health Insurance Fund (Cnam), the CNIL “noted that the remarks made at the end of the first two control phases have been taken into account”, and therefore that “the conditions of implementation of the file do not call for any particular measure on its part”, it said in a statement accompanying the deliberation.
On the other hand, “data extraction operations with a view to their payment in the portals made available by the Cnam, for the transfer of Sidep processing data [to the Health Data Hub], are not carried out in accordance with procedures that ensure, in a fully satisfactory manner, data confidentiality”, we learn in the deliberation.
“Verifications will be carried out soon” on this subject, announced the commission.
The law establishing, from Wednesday June 2 to Thursday September 30, a transitional regime for exiting the state of health emergency, published on June 1 in the Official Journal, provides for bringing together within the national health data system (SNDS) all the data collected in Sidep and Contact Covid “which fall within the scope” of the SNDS, bringing their retention period to 20 years, whereas it was initially to be limited to the duration of the epidemic.
“This centralization induces a substantial change in the legal regime applicable to this data”, commented the CNIL in its opinion. “Without calling into question the essential interest of conserving data for research purposes”, it “invites the government to provide for adequate methods of informing the persons concerned and making it possible to facilitate the exercise of their rights.” It “will be particularly attentive to them”, it warned.
In addition, “checks carried out in two pharmacies have shown that the ministry has taken satisfactory measures to support pharmacists in their handling” of Sidep, although “sometimes, when the number of patients was important […] personal information and data confidentiality were no longer ensured in such a rigorous manner”.
The Cnil therefore “drew the attention of the National Council of the Order of Pharmacists (Cnop) to the importance of making their members aware of respect for the principles laid down by the GDPR”.
About Contact Covid, it “again noted disparities in the practices of regional health agencies (ARS)”.
Two ARS were checked, but the Cnil did not indicate which ones.
One of them was put on formal notice by the President of the CNIL, Marie-Laure Denis, “to comply with the requirements of the General Data Protection Regulation (GDPR) within two months” after “several shortcomings concerning the retention period of data and the information of the persons concerned” were noted.
“A letter was sent to the Ministry of Solidarity and Health to alert it to the bad practices identified.”
The other ARS has “implemented numerous measures to optimally guarantee respect for personal data”.
No checks on TousAntiCovid since November 2020
Regarding TousAntiCovid, the Cnil has not carried out checks since November 2020, but plans new ones which “should relate in particular to the conformity of the new functionalities” called TousAntiCovid-Carnet and TousAntiCovid-Signal.
Regarding Covid Vaccine, the Cnil carried out its first checks in March “with a hearing by the Cnam then two on-site checks in vaccination centers”.
It was generally satisfied, stressing “that the data from the Covid Vaccine treatment are indeed encrypted, that access to the teleservice requires strong authentication” and “that special attention has been paid to the information of persons”.
However, “the teleservice is regularly supplied by administrative staff using the account of a health professional. Although this mode of operation should be compared to the usual work of a medical secretariat, investigations are continuing in order to know whether the requirements in terms of traceability and accountability, that is to say the possibility of attributing responsibility for an action to a person, are respected”, we learn in the opinion.
“Data [from this IS] that the Cnam considers ‘de-identified’ are securely transmitted to the digital department of social ministries for the purposes of producing immunization coverage indicators”, it is stated without further details.
A quarantine tracking file
A file called “Quarantine and isolation” “aims to ensure the monitoring and control of compliance with individual measures (quarantine, maintenance and placement in isolation) upon the arrival, on the national territory, of people coming from a country or territory confronted with a particularly active circulation of the epidemic”, and this at “all the entry points on the national territory”, we learn in the deliberation.
The Cnil “was seized urgently on April 29 and then on May 4 of a corrective referral of a draft decree aimed at creating” this data processing, implemented “under the joint responsibility of the Minister in charge of health and Minister of the Interior”.
On May 12, it issued an opinion, not yet published, in which it “invited the ministries to exercise particular vigilance with regard to the methods of collecting information […] and to sensitize the people providing information on this information system”.
If this file “were to involve the processing of so-called sensitive data, in particular data concerning health, it must be authorized by decree in the Council of State”, it added.
The Cnil “wondered about the proportionality of the planned device, the ministries having specified that the processing is only implemented at this stage in two airports”, Paris-Orly and Paris-Charles de Gaulle, and considered that the processing “does not fully meet the purposes for which it is implemented”.
It also asked for clarifications concerning the persons who can access the data and the purposes allowing them this access, and “took note of the details of the ministry according to which no interconnection, reconciliation or linking of the ‘Quarantine and isolation’ information system with other treatments is implemented”.
The commission was not seized of the technical details of the file, it said.
In addition, the CNIL is currently carrying out documentary checks on other files, including the Covidom remote monitoring system implemented by the Assistance Publique-Hôpitaux de Paris (AP-HP), its corollary relating to Covisan screening, and “the multichannel support system called ‘Covi Contact’ implemented by ARS Île-de-France” in order to support people affected by health home isolation measures.
New checks already underway
Finally, a fourth phase of controls concerning all these IS is “already engaged for the second quarter of 2021”, indicated the CNIL.
“Investigations to ensure the conditions for implementing the Covid Vaccine treatment will continue in the coming weeks.”
Other ARSs may in particular be monitored regarding their use of Contact Covid. The Cnil “will also be interested in the different interactions between [Sidep, Contact Covid, Vaccin Covid and TousAntiCovid], in particular the integration of evidence from PCR tests within the sidep.gouv.com site, evidence of vaccination within a specific Cnam teleservice and their possible access within the TousAntiCovid application”, it warned.
The results will be published in its next opinion.
In addition, “a final control campaign will be carried out at the end of the implementation of the processing operations” in order to verify “the retention periods of the data, their deletion and/or their possible anonymization”.
In its previous opinion, published in January, the CNIL was generally satisfied with the implementation of these ISs, it is recalled.