Lifting of lockdown: the CNIL’s opinion on the draft decree governing the information systems implemented to monitor COVID-19 contaminated persons
The Government has provided that the lifting of the lockdown measures, starting on 11 May, will be followed by a national testing policy and health surveys related to COVID-19. On 8th May 2020, the CNIL issued an emergency decision on a draft decree governing the two information systems, SI-DEP and Contact Covid, enabling this health policy to be implemented.
- The CNIL gave its opinion on Friday 8 May 2020 on a draft decree governing two files, SI-DEP and Contact Covid. They will be used in the context of COVID-19 screening and the conduct of health investigations, the purpose of which is to determine who may have been contaminated by a person who has tested positive.
- The CNIL considers the system to be compliant with the GDPR provided that certain guarantees are met. It notes that these files are necessary for the implementation of the health policy envisaged by the Government for the lifting of lockdown measures. It requests that this need be regularly reassessed.
- Given the sensitivity of the system, the CNIL has called for additional guarantees. It asked for the decree to be clarified on several points, in order to minimize data, limit access to processing to what is strictly necessary and guarantee the rights of individuals over their personal data. These requests were taken into account by the decree published in the Journal Officiel. The CNIL also made a series of recommendations for the implementation of these information systems, particularly with regard to the security of the system and the accountability of persons accessing the databases.
- The Chairwoman of the CNIL announced that inspections would be carried out in the first few weeks following the implementation of these new systems.
As part of the overall strategy of "progressive lockdown exit" set up as of 11 May, the law extending the state of health emergency of the same day authorized the temporary creation of two national files: the SI-DEP file and the Covid Contact file. They must make it possible to identify contaminated persons ("patients 0"), the persons they are likely to have contaminated ("case contacts") and the chains of contamination. They aim to ensure the health care and support of people contaminated with the virus or likely to be contaminated because they have been in contact with them, as well as the epidemiological surveillance of the virus. These files will include health data and other personal data (identity, accommodation, travel, participation in gatherings, etc.). They will be available for consultation by a wide range of actors, including health investigators, as the legislator has authorised the lifting of medical confidentiality.
In particular, the SI-DEP file will centralise the results of COVID-19 tests, while the Covid Contact file will collect information on case contacts and contamination chains.
Information systems that are compliant with the GDPR, provided that certain safeguards are in place
Even before the adoption of the law extending the state of health emergency, the CNIL issued an urgent ruling on the draft decree governing the conditions for implementing these processing activities. In the exceptional context of managing the health crisis, the CNIL considers that the system presented is generally in line with the GDPR. It notes that, in light of the scientific analyses gathered by the Government, the planned system of health investigations and epidemiological monitoring is necessary for the lockdown exit. It notes that a number of guarantees are provided by the Government's plan, such as the voluntary nature of participation in the surveys, the limitation of the health data processed under the scheme and its temporary nature.
However, in its opinion of 8 May, the CNIL considered necessary for the draft decree to be clarified on certain points, detailed below, and called for certain legal, technical and organisational safeguards to be provided in order to protect the privacy of the French people. The decree published on 12 May followed the recommendations of the CNIL. A certain number of additional recommendations from the CNIL will follow the implementation of the system, such as security measures relating to the password authentication policy, or the traceability of certain actions.
The main requests of the CNIL
The CNIL calls for great vigilance whenever health data and data relating to certain aspects of private life (identity, accommodation, profession, travel, people met, cohabitation, etc.) are collected, processed or stored. They will be recorded in two national files accessible to a large number of people.
- The CNIL asked for the draft decree to be clarified on certain points, in particular to provide a more precise framework for the data to which each category of user of the two databases will have access, depending on their function in the health system. The decree published on 12 May provides such a framework. As far as possible, it will have to be translated into technical measures limiting users’ access to what is needed.
- It also called for the decree not to provide for the collection, without further specification, of information on the "links" existing between a "patient 0" and a "case contact". The decree published on 12 May removed this mention and provides only for the collection of precise and circumscribed information on this point (whether or not they know each other, the existence of cohabitation, the date of the last contact).
- The CNIL calls on investigators and other persons (analytical laboratory staff, doctors and other health professionals, pharmacists, researchers, etc.) to provide information on the results of the survey. The CNIL also calls for appropriate training for investigators and other persons (analytical laboratory staff, doctors and other health professionals, pharmacists, researchers, etc.) who will use the database, and for a traceability system for consultations so that abuses can be detected and punished.
- The CNIL asked for a more detailed consideration of data retention periods. It notes that the Act of 11 May 2020, subsequent to its deliberation, provided strong guarantees on this point by limiting the retention of data in the information system to three months from the date of collection.
- The CNIL also noted that the Government's draft essentially ruled out the right to object, except to allow the "patient 0" not to have his name revealed to his "contact cases" and for certain transmissions of his data for research purposes. It asked that the restriction of the right to object to the files to be reduced to a minimum and notes that a right to object has been opened by the decree to "case contacts" for the processing of their data in Contact Covid. The rights to be informed, the right of access and the right to rectification will also be guaranteed.
Finally, the CNIL has announced that it will closely monitor the system. An inspection will be carried out in the first few weeks following its implementation.