Authorization Procedure

Statistical Secrecy Committee

The Statistical Secrecy Committee (CSS) provides council on data related to public statistics. It is recognized for personal data from public or fiscal statistics connected to personal or family information and for economic or financial data. CSS expresses its opinion on data collected by public or private entities tasked with questions of public interest.

The committee namely advises on access requests to data from the following:

For access to sources of data from public statistics, the authorization is issued after favorable opinion of the CSS, Producer Agreement and Archives.

Steps for the procedure to access statistical data are described here below:


Identification of Data Sources, Description of the Project, and contact with Data Producers

01


To apply for confidential data access, you will have to use the Confidential Data Access Portal (CDAP). Through this portal, you will be able to create an account and sign a confidentiality agreement. Then, you will be able to fill your application form, where you will have to indicate the complete list of researchers on your research team, the complete list of sources, and a clear and understandable description of your project.
After filling you applicaiton, you will have to contact through CDAP the data producers for their approval to submit it.
Pay attention to submission deadlines and send your application to the data producer(s) at least two weeks before the submission deadline.
For more information on the procedure, you can refer to the page Procedure on the website of the Statistical Confidentiality Committee.

.



Submission of a complete file to the Committee’s Administration Office (Secretariat)

02


Once data producers agreed, submit your application file to the committee via CDAP portal.
If you have any question regarding the procedure, you can contact the committee’s administration office via CDAP or by email: secretariat@comite-du-secret.fr.



The committee studies your request and your projet is greenlighted

03


The committee conducts its deliberation via plenary sessions or digital consultations. The administration office then sends the extract of the deliberation to the project leader.



Signing the agreement with the Data Producers and the Archives

04


After receiving the green light, agreements are delivered to the data producers and the French Archives for signing. The agreement signed by the Archives is addressed to the project leader and to CASD, which brings to a conclusion the legal procedure.


To access tax data, DGFIP issues communication authorizations. These documents will be sent over directly by DGFIP, after receiving the agreement signed by the Archives.
For the access and processing of personal data, contact your legal correspondent, or your Data Protection Officer if need be, to determine the formalities to be carried out (records of processing activities or CNIL authorization in the case of health data).


Getting an Access Card during an Enrolment Session & contracting with CASD

05


Project members wishing to access data using an SD-Box must attend an enrolment session organized at CASD’s offices (registration). It is a 3-hour orientation session on legal, statistical and IT issues, as well as a fingerprint collecting session, at which we will give you your smartcard. This standard session is valid for 4 years, but, during this period, any other project you will participate in will only require that you come for 30 minutes (the time it takes us to create a card).
In the meantime, CASD will contact you to work out the contracts with your institution. This process can also take place simultaneously with the Statistical Secrecy Committee procedure.



Accessing Data

06


You can access data once all these steps have been completed.


For more information, please consult the CASD user guide.

Granted by the Data Depositor

For some data sources, authorizations are directly granted by the data depositor :


Contact the Data Depositor

01


Start by reaching out to the producer to ask for the right to access.



The Depositor sends CASD the Autorization Document

02


Once the authorization document is produced by the data depositor, it is sent to CASD so CASD can start the process of creating the access.


For the access and processing of personal data, contact your legal correspondent, or your Data Protection Officer if need be, to determine the formalities to be carried out (records of processing activities or CNIL authorization in the case of health data).


Getting an Access Card during an Enrolment Session & contracting with CASD

03


Project members wishing to access data using an SD-Box must attend an enrolment session organized in the CASD building (registration). It is a three-hour orientation on legal, statistical and IT issues, as well as a fingerprint collecting session during which we will give you your smartcard. This standard session is valid for 4 years, but during this period, any other project you will participate in will only require that you come for 30 minutes (the time it takes us to give you your card).
In the meantime CASD will contact you to work out the contracts  with your institution. This process can also take place simultaneously with the Statistical Secrecy Committee procedure.



Accessing Data

04


You can access data once all these steps have been completed.


For more information, please consult the CASD user guide.

Confidentiality breach and sanctions

Please note: in the event of a breach of confidentiality in the processing of the data rendered available, the user is liable to prosecution.

Criminal sanctions according to the following legal dispositions:

• Articles 226-13 and 226-14 of the penal code on professional secrecy breach (statistical secrecy, fiscal secrecy, business secrecy…) stipulate that “the disclosure of secret information by a person who is in possession of it either because of his profession or his status, or because of his function or a temporary mission, is punishable by one year imprisonment and a fine of 15 000 euros”;
• Articles 226-16 to 226-24 of the penal code on the violations of personal rights resulting from computer files or processing in case of information related to individual firms;

Processing prohibited by the GDPR for projects hosted at CASD:

• A processing with the final or intermediate purpose of re-identifying one or more natural persons;
• A processing with the final or intermediate purpose of taking a decision that affects an identified natural person.

Consequences in case of breach according to the Data protection Act: up to 5 years of imprisonment and a fine of 300 000 euros (section 5 of Chapter VI of Title II of Book II of the Penal Code).

Consequences in case of breach according to the GDPR: administrative fines up to 20 000 000 euros or, in the case of companies, 4% of the total annual worldwide turnover of the previous fiscal year.

CASD is obliged to implement contractual rules, which must be respected when users process data, in order to:

– ensure the protection of confidential data to which authorized users have access through their SD-Box,
– fulfil security requirements, ensuring confidence for data producers depositing their data with CASD to make it available to users,
– and to comply with the security standards set out in ISO 27001 and ISO 27701 CASD security certifications.

These rules particularly concern:

– rental of the SD-Box,
– use thereof,
– screen display protection,
– use of the biometric smartcard for authentication,
– the exclusively personal nature of the work session,
– preventing screen copies or photographs (including in the absence of confidential data)
– and any other use which may undermine the protection and confidentiality of data.

In case of non-compliance with these rules, sanctions will be applied, ranging from:

– a reminder of the rules,
– temporary suspension of the offending user’s access until re-enrolment,
– fixed suspensions of 3 to 6 months or even permanent suspensions for the user, the whole project (or the user’s establishment if it was implicated), with notification sent to the producer and to the authorizing authority, depending on the nature of the infraction and its impact.
– legal or criminal proceedings in the event of serious impact on data confidentiality. Provisions are specified contractually with data producers to cover the costs of proceedings.

Repeated failure to comply with the rules will result in increased penalties.

The possibility for users to access confidential data within the framework of their work is a personal exemption from the confidentiality protected by law (in particular via article 6bis of French law No 51-711) and is therefore granted on a personal basis. Consequently, it implies the user’s personal responsibility, which may also have consequences for all users in the case of non-compliance with security instructions.