CNIL Deliberation No. 2020-044: CASD in line with recommendations

Could the data entrusted to CASD be put on a cloud?

We have often been asked this question in recent weeks, following a recent CNIL deliberation. Our answer is no. This is in line with the CASD’s information security policy, which states that CASD does not subcontract to a third party, for the same reasons the CNIL gives:

  • The technical risk of data being transferred to a non-Community territory for maintenance, incidents or backups.
  • As indicated by the CNIL, encrypting the source databases is not sufficient to guarantee the confidentiality of the data, because the decryption keys will necessarily be available to the third party during the decryption operations that take place in the cloud.
  • Users must be given the data in unencrypted form in order to analyse it, and this technical obligation makes the unencrypted data accessible to the third party as well. The exception is the use of recent homomorphic encryption technologies, which remain limited in the processing they allow.
  • Even the strong control of the workstation (SD-Box) would not be enough to guarantee the confidentiality of the data if the data is on a cloud.

It is these requirements that make it possible to process, with maximum security, highly sensitive data from various fields: health, socio-economic, environmental and psychological data that are particularly useful to the research community.