In order to fight against the COVID-19 epidemic the government has created the file SI-DEP and Contact Covid, has delivered TousAntiCovid and has implemented the informatic system Vaccine COVID. The CNIL has done an assessment of these systems, in the light of the expressed opinions and the 25 controls.
The essential.
The CNIL detects that it has been implemented changes to systems in the health crisis in order to make them in compliance with the personal data protection legislation. They are mostly respectful of the personal data.
Anyway, it has also detected new practices in contrast with the GDPR and it has asked the organizations to comply as soon as possible with the GDPR; it has been issued a desist to a regional health agency (ARS) in the field of Contact COVID. Talking about the utility and the efficiency of the TousAntiCovid app about the global health strategy, the CNIL thinks that it is essential to develop initiatives and markers in order to assess the medical efficiency of the device in the fight against the COVID-19.
A third phase of controls will start in January 2021. The results will be communicated in the next public report of the CNIL on interested processing operations.
The context
In the context of the fight against the COVID-19 epidemic, there are been implemented four operations of data processing: the SI-DEP files and Contact COVID, to which we can add deploy of the mobile app TousAntiCovid and more recently the implementation of the informatic system Vaccine COVID for the control and managing of the COVID-19 vaccinations.
The legislator wanted to implement this process, which included a great amount of personal data, including health data. It has implement a monitoring committee and connection COVID-19 and has planned that the government sends to the Parliament a detailed report on the implementation of these measures each three months since the entrance in force of the legislation, till the disappearance of COVID-19.
It has also been issued a public opinion of the CNIL based on the article 11 of the legislation of the 11 of May 2020 which extends the health emergency state.
The first opinion of the CNIL has been sent to the Parliament on the 10 of September 2020. This is the second opinion of the CNIL on the functioning of this informatic systems.
The opinion of the CNIL.
About SI-DEP file.
Reminder: the SI-DEP file is a national informatic system implemented by the Minister of Social Solidarity and Health which permits the centralization of results of tests of SARS-CoV-2 done by public or private laboratories by health operators.
The CNIL has detected that there have been taken into account the comments done at the end of the first phase of control in September 2020. It has also detected a satisfactory level of compliance talking about the respect of data storage period.
Currently, the CNIL believes that the conditions for the implementation of the SI-DEP file do not ask any additional measures on its part.
Talking about the Contact COVID file
Reminder: the Contact COVID implemented by the National Health Insurance Fund (CNAM) recollects information on the contact cases and on the chains of contaminations. It has the aim to detect contact cases on three different levels: doctor citizens / health institutes / health center (level 1), authorized personnel of the health insurance (level 2), regional health agency (ARS) (level 3).
CNAM processing in the Contract COVID field.
The CNIL has taken into account the deployment of a plan of action which has improved the methods of implementation of the processing and has corrected the bad practices which have been detected in the previous opinion.
Anyway, it has detected some bad practices about conditions of authentication, traceability and transmission of personal data to an authorized third party to have health data.
The president of the CNIL has decided to send a letter in order to remember to CNAM its obligations and outline the deficiencies found in order to improve.
ARS processing in the context of COVID Contact.
The CNIL has detected a lot of disparities in about ARS practices in the field of the investigation activity of contact of the third level.
If it can observe the implementation by ARS of a lot of measures in order to guarantee in a good way the respect of personal data, it has also detected some deficiencies in another ARS in the managing of data, in particular about their period of storage and their security.
Those results bring the president of the CNIL to warn ARS in order to conform to the GDPR requirements in one month.
The CNIL wants to address recommendations to all the ARS about the practices not in compliance with the GDPR underlined during the controls and specifies that it has been sent to them a letter of sensibilization in order to remember them the necessary measurements in order to protect personal data of data subject by the instrument Contact COVID.
At the end, it has been sent also a letter to the Ministry of Social Solidarity and Health in order to warn them on results.
Talking about the mobile app TousAntiCovid.
Reminder: TousAntiCovid (ex StopCovid) is an app of control of contact, based on people who offer themselves on a voluntary basis by using the Bluetooth technology. Offered by the government, permits to users to be warned of the risk of contamination when they are next to a user who became positive to Covid-19.
After some controls in June 2020, it has been issued an injunction against the Ministry of Social Solidarity and Health. Fulfillment of the Ministry within the term, CNIL President has declared closed the injunction closed on the 3rd of September 2020.
On the 22th October 2020, the Ministry of Social Solidarity and Health has published a new version of the StopCovid app, called TousAntiCovid. The CNIL has done new investigations which have been centred in particular on the sustainability of the measures after the injunction and on the compliance of the new functions of the app.
The app now offers new functions like the access to factual information and health one’s on the epidemic and a simpler access to the exceptional travel certificate.
It has been detected that no one of processed data in the field of these new functions is processed in the central server, in a view of minimization of data and privacy by default and design.
During controls in November 2020, the Ministry of Social Solidarity and Health has shown that the development of new functions was under investigation.
The CNIL remembers that it can do new controls, if necessary, and that it will decide again if the data processing may suffer of substantial changes.
It also issued an urgent opinion on 17th December 2020 on a draft decree amending Decree No. 2021-650 of 29th May 2020 on data processing called “StopCovid”, which can only be published after publication. of the aforementioned decree.
Regarding the usefulness and effectiveness of the TousAntiCovid application, the CNIL recalls that it requested that the actual impact of the system on the overall health strategy be studied and documented by the Government throughout its period of use.
In its opinion, the CNIL notes in particular
- the increase in the number of downloads of the application and the number of people notified;
- the addition of functionalities useful for managing the epidemic and greater support from the population, which is likely to participate in the strengthening of its health utility, once it has been activated;
- carrying out two studies on the effectiveness of the application in the overall health strategy.
The CNIL considers that it is essential to develop initiatives and indicators to fully evaluate the health effectiveness of the system in the context of combating the COVID-19 epidemic.
Other controls:
Reminder notebooks
The CNIL recalls that it also carries out checks on day-to-day practices related to pandemic monitoring. It therefore carried out checks on the keeping of “reminder notebooks”, implemented from October 2020 by certain catering establishments and drinking establishments located in high alert areas.
Several violations of the GDPR were detected, in particular the re-use of data collected for prospecting purposes. Having indicated to the organisations concerned that they had deleted the data and had not used it for commercial purposes, the CNIL decided to call them to order by inviting them to comply in the future in the event that “reminder books” were again required.
A continuous control procedure
The CNIL emphasises that the controls will continue throughout the period of use of the files, until the end of their implementation and the deletion of the data they contain.
It specifies that checks will be carried out in the coming weeks to ensure the conditions for implementing COVID vaccination treatment and that the third phase of checks will begin in January 2021. The next CNIL public notice will report the results.
Finally, it is announced that a final wave of controls will be carried out at the end of the treatment operations in order to verify in particular the effective deletion of data.
SOURCE: AUTORITA’ PER LA PROTEZIONE DEI DATI DELLA FRANCIA – CNIL