France Travail will create a huge database for beneficiaries, including particularly sensitive information, including some relating to their state of health. Enough to seriously worry the CNIL…
Since the start of the 2024 school year, the situation has been particularly electric for French companies and organizations! Whether hospitals, banks, operators or public institutions, absolutely no one is spared from the wave of hacking which does not seem to end. Serial attacks which raise many questions about data security. And government agencies are no exception!
In March 2024, France Travail announced that it had suffered a cyberattack which affected no less than 43 million people (see our article). Furthermore, theThe hold-up was made possible by a “simple” impersonation of advisors from Cap Emploi, the organization in charge of job searches for disabled people. This had put highlight an insufficient, or even absent, compartmentalization within the service, which would have made it possible to avoid too wide consultation of the data or massive operations on it by malicious people.
Things are not getting better with the new rules that France Travail will have to follow. As revealed Nexta decree published on January 1 now authorizes the organization to centralize and process a large quantity of data on all its beneficiaries. This information may concern the RSA, the activity bonus, the disabled adult allowance, but also data relating to their economic and financial situation, their family situation, their education or even their state of health. A decision which does not fail to alert the National Commission for Information Technology and Liberties (CNIL)…
France Travail collection: particularly sensitive data
We owe this change to the law called ‘For full employment’promulgated in December 2023. The decree of January 1 authorizes France Travail to modify its information system to adapt it to its new missions, and therefore to store and share with its “partners” new personal data, some of which are particularly sensitive.
The France Travail Information System will therefore be able to gather information concerning the RSA, the activity bonus, as well as data relating to the particular difficulties encountered in accessing employment, education, the training course and the level qualifications and diplomas as well as skills and “reading abilities”. So far, it seems pretty logical. But data relating to the Allowance for Disabled Adults (AAH), the state of health of job seekers, as well as identification data, nationality and residence permit, economic data are also concerned. and financial, fiscal, banking, prison situation, data relating to the personal training account, data relating to guardianship, curatorship or family habilitation measures, those relating to the diagnosis, the contacts of the person in charge of the legal protection, relative data the family situation or the type and origin of the disability. And this is a non-exhaustive list…
The Ministry of Labor justifies the use of this data for six processing purposes. Thus, they must serve the new missions such as the management of the RSA and the activity bonus, but also give France Travail new means to fight against fraud, enable it to manage the missions previously falling to Pôle Emploi, and to carry out transmissions between the organization and the National Family Allowance Fund, the evaluation of the partial activity system created by law and the inclusion platform. All these data aim to establish a “new renovated pathway to support job seekers“.
According to the decree, this data may be recorded “to the extent that they are necessary for the pursuit of the purposes” provided for by law and kept for six, ten, or even twenty years in certain cases. During the last massive leak from France Travail, some of the stolen data was also twenty years old. In the detailing document she policy and its framework regarding the protection of personal data, the organization refers to Labor Code (R.5312-44). Such a duration mustallow job seekers to reconstruct their career over time, to assert their rights. To do this, you must be able to keep different elements over a long period. This can in particular be useful for asserting his right to retirement, by recovering elements linked to his period of unemployment, which he would not necessarily have kept.
France Travail data: a CNIL more than mixed, but powerless
In accordance with the law, the Government asked the CNIL for its opinion on its draft decree, except that it published the latter immediately. The digital policeman therefore hardly had time to study the file in depth, and clearly indicates this from the start: “With regard to the conditions of referral and in particular the deadlines left for its analysis, the opinion of the CNIL and the absence of observation on its part on certain provisions of the draft decree cannot prejudge the legality of the whole treatments concerned”.
Just that! In its deliberation dated December 5, 2024the organization is concerned that the massive opening of new access to the France Travail information system, within extremely tight deadlines, is not accompanied by security measures adapted to the risks, particularly in the short term. . His fears relate in particular to the use of the social security number, the proportionate nature of retention periods, as well as possible data leaks.
Faced with the short time it had to study the file, the CNIL can only recall the founding principles of data protection, namely “ensure the necessary nature of the data collected with regard to the purposes pursued” And “collect and process this data with the greatest care and providing special guarantees”.