Home

Some companies that have chosen us

Privacy Officer and Privacy Consultant
CDP Scheme according to ISO/IEC 17024:2012
European Privacy Auditor
ISDP©10003 Certification Scheme according to ISO/IEC 17065:2012
Auditor
According to standard UNI 11697:2017
Lead Auditor ISO/IEC 27001:2022
According to standard ISO/IEC 17024:2012
Data Protection Officer
According to standard ISO/IEC 17024:2012
Anti-Bribery Lead Auditor Expert
According to standard ISO/IEC 17024:2012
ICT Security Manager
According to standard UNI 11506:2017
IT Service Management (ITSM)
According to the ITIL Foundation
Ethical Hacker (CEH)
According to the EC-Council
Network Defender (CND)
According to the EC-Council
Computer Hacking Forensics Investigator (CHFI)
According to the EC-Council
Penetration Testing Professional (CPENT)
According to the EC-Council

Professional qualifications

Stay up-to-date with world news!

Select your topics of interest:

News

Home / News
/
FRENCH SUPERVISORY AUTHORITY: Automated Fingerprint Database – memo from the Interior Ministry

FRENCH SUPERVISORY AUTHORITY: Automated Fingerprint Database – memo from the Interior Ministry

On 24 September 2021, the Resitrcted Formation of the French Data Protection Authority (CNIL) sanctioned the Ministry of the Interior for its mismanagement of the Automated Fingerprint Database (FAED).

The FAED is a judicial police identification file that contains the fingerprints of people involved in criminal proceedings. These fingerprints are mainly used by law enforcement agencies in their investigations.

Checks and decision of the CNIL

Following checks carried out on the technical and scientific police services and on the courts (judicial courts and courts of appeal), the Ristretta Formation, the CNIL body in charge of imposing sanctions, decided to publicly call the Ministry of the Interior to order.

The CNIL found five shortcomings in the way the FAED data were handled:

  • the storage of data in the archive which was not foreseen in the texts;
  • the conservation of data for a period longer than that provided for by law
  • the retention of data on persons who were acquitted, acquitted, discharged or dismissed without trial;
  • insufficient data security due to a weak password
  • lack of information to the persons concerned.

Although the Ministry of the Interior had started to work on most of the deficiencies, it still considered the means used to be insufficient. Consequently, it also decided to take several injunctions against the Ministry.

The CNIL therefore ordered the Ministry of the Interior to

  • delete the records of an old “manual file” that should have been destroyed
  • delete the data whose collection is not provided for by the FAED decree
  • delete files whose retention period has been reached;
  • ensure that decisions to acquit, acquit and correct (when a crime is reclassified as a misdemeanour) are reflected in the FAED;
  • ensure that decisions to dismiss a case or close it without further action are reflected in the FAED only in the case of an explicit decision by the prosecutor;
  • Strengthen the security of the connection to the FAED;
  • Provide information to persons whose fingerprints are entered into the FAED.

The Ministry must comply with these points by 31 December 2021 at the latest, with the exception of the abolition of the “manual file”, which must be completed by 31 December 2022.

Details of the shortcomings committed by the Ministry of the Interior

Retention of data in the file not provided for in the texts

The decree of 8 April 1987 creating the FAED sets out a restrictive list of information that can appear in the file. However, the CNIL noted that in some cases the name of a victim or the registration number of a vehicle are recorded in the file, even though this information is not among those that can be collected.

The CNIL also noted that despite the dematerialisation of the FAED, which began in 1987, several million report forms are still kept in paper format in a ‘manual file’. While acknowledging the considerable efforts made by the Ministry of the Interior to sort and delete these papers, the CNIL nevertheless pointed out that the text that had established the ‘manual file’ had been repealed in 2001. Consequently, there was no longer any legal basis for keeping these files.

Retention of data for longer than the period provided for in the texts

The FAED decree provides that, depending on the case, the registration files may be kept for up to 15 or 25 years. However, the CNIL noted that the starting point for retention periods was calculated from the last report for each person concerned and not from the establishment of each record relating to that person, with the result that each new report for the person concerned triggered a new period for all his reports. Nevertheless, the Ministry of the Interior has undertaken work to align the processing operation on this point.

Retention of data on persons who have been acquitted, discharged, dismissed or suspended

The Decree on FAED states that record sheets must be deleted in the event of a final discharge or acquittal. In addition, in the event of a decision to dismiss or close the case, the records must be deleted, except in the case of a reasoned decision by the public prosecutor. However:

  • Many courts did not automatically transmit decisions of acquittal, discharge, dismissal and discontinuation of proceedings to the AEDF operator, so the corresponding records were not deleted;
  • in the event of a decision to close the case, the records were kept despite the absence of an explicit decision by the prosecutor. The restricted formation therefore recalled in its decision that, as a matter of principle, the records must be deleted.

Inability to guarantee data security due to an insufficiently strong password

The CNIL noted that the police forces can access the FAED using an 8-character password. However, given the sensitivity of the data contained in the FAED, the CNIL considered that this type of password was not strong enough.

Failure to inform individuals

The CNIL noted that, apart from a notice on the websites of the Ministry of the Interior and the ‘public service’ website, no information is given individually to the individuals whose fingerprints are taken and then entered into the FAED. Therefore, the persons concerned are probably unaware of the very existence of this file.

Deliberation of the Restricted Formation n°SAN-2021-016 of 24 September 2021 concerning the Ministry of the Interior:

Délibération SAN-2021-016 du 24 septembre 2021 - Légifrance

SOURCE: FRENCH DATA PROTECTION AUTHORITY – CNIL 

Recommended to you

Advanced Research