
Privacy Laws and Business International Report



France assesses privacy implications of a health smart card [1998] PLBIRp 41; (1998) 46 Privacy Laws and Business International Report 20

France assesses privacy implications of a health smart card

PLANS FOR A NATIONWIDE social security/health card pose new privacy threats to individuals. This, and other topical privacy issues, are explored in the 1997 Annual Report, produced by France’s Data Protection Commission, the CNIL.

There are 1.9 million people in Brittany who have health smart cards already, and, although controversial, it is expected that the scheme will be extended to the rest of the population by the end of next year. The new card, named Sesame-Vitale, will herald a revolution in the French health care system. Initially, it will mainly be used to simplify the process of reimbursing patients who are entitled to claim back their medical costs. It will include details of prescriptions and treatment given, including costs. This information will then be transmitted electronically from the health authorities to social security authorities.

As the card will carry a wide range of medical information about the patient, the CNIL is concerned about possible mistreatment of the data because of its economic value. An additional problem is the possibility of accessing the individual’s medical history. Also, other network operators may enter the market and offer services that are not subject to the same obligations, particularly in terms of data security, as those imposed on the healthcare professionals by their franchise contracts.

The CNIL has been actively involved in developing the card, and has informed the Ministry of Health of the privacy risks involved. The CNIL especially wanted to see technical security measures introduced that would provide the necessary protection for the sensitive personal health data contained on the card. However, the CNIL points out in its Annual Report that a secure network is not enough if the health professionals’ own “source” files are not secure. CNIL has proposed that a “security charter” be drawn up, which might incorporate restrictions in relation to software suppliers. The CNIL has already distributed a practical guide for the health care authorities which contains advice and information on security measures (see CNIL website at www.cnil.fr).

LAW BACKS THE NEW SYSTEM

A change in the French law (decree of 30th December 1977 implementing the 24th April 1996 Ordinance) backs the transition from the old system, based on patients submitting insurance claims in paper form, to the new electronic system. The health care professionals are “made responsible for the proper delivery of the patient treatment form where it is transmitted electronically.” The health care authorities now face new tasks of updating the health cards and transmitting medical data electronically, which poses particular security risks because it will require recourse to external technical assistance.

HEALTH DATA ON NETWORKS

The CNIL has also considered the protection of health data on the Internet. It has recommended that all personal health data on the Internet would be encrypted by a cryptographic algorithm authorised by the Central Information System Security Department, and that hospital Intranets would be protected by filtering systems (firewalls). The CNIL regards the health issues as one of its major concerns, and in February 1997, published a recommendation on the processing of personal health data.

IMPLEMENTING THE DIRECTIVE

The 1997 Annual Report lists several reforms, based on a report by Guy Braibant in February ‘98, that have been proposed by the CNIL with regard to the implementation of the EU Data Protection Directive.

One of them is the suggestion to bring legal persons under the new data protection law. This was already considered in 1978 when the current Act on Data Processing was passed. The CNIL’s view is that the increased amount of company files, which have details of both legal persons and individuals (managers and partners of the company), would suggest that data protection law now needs to apply to legal persons.

The following categories of data processing were thought to pose particular risks for individuals’ rights, and the CNIL recommended that these categories should be subject to prior checking before the processing can start:

1. Where matters of sovereignty such as defence or even immigration control are concerned.

2. Sensitive data, including ethnic origin and political opinion, which might also include genetic data.

3. International transfers of data outside Europe.

4. Where the whole population is concerned, for example social security services and France Telecom.

5. Where the consequence of the processing might exclude individuals from a right, benefit, or a contract, for example, files on overdrawn accounts.

Other suggestions to be included in a new law were simplifying or stopping the practice of registration, to be replaced by extending the current system of norms or standard rules for particular sectors.

YEAR OF THE INTERNET

The issuing of the Annual Report almost coincided with the 20th birthday of the 1978 law. The CNIL emphasised that 1997 has been a year of much progress on information society issues, in particular on how to protect privacy on the Internet. In the spirit of the EU Data Protection Authorities’ resolution of April 1998, which declared that data processing rules also apply to the Internet (p.22), the CNIL has applied France’s data protection law to the specific problems posed by this global network.

REGISTRATION AND COMPLAINTS

The year’s statistics showed a clear increase of complaints (+15%). The office received 2,348 complaints, mainly about the banking, credit, insurance, telecommunications and social security sectors. Registrations were at almost 580,000, with more than 67,000 new registrations in 1997.

The CNIL’s 18th Annual Report 1997 is available from Documentation Française (orders can be made via the CNIL website, http://www.cnil.fr), or from bookshops (ISBN: 2-11-004033-5).

Price: 190 FF.


URL: http://www.worldlii.org/int/journals/PLBIRp/1998/41.html