Authorization Procedure
Statistical Secrecy Committee
The Statistical Secrecy Committee (CSS) provides council on data related to public statistics. It is recognized for personal data from public or fiscal statistics connected to personal or family information and for economic or financial data. CSS expresses its opinion on data collected by public or private entities tasked with questions of public interest.
The committee namely advises on access requests to data from the following:
- INSEE (National Institute of Statistics and Economic Studies)
- Ministère des Finances – DGFiP (Ministry of Finance)
- Ministère du Travail – DARES (Ministry of Labour)
- Ministère de la Santé – DREES (Ministry of Health)
- Ministère de l’Environnement – SDES (Ministry of Environment)
- Ministère de l’Agriculture – SSP (Ministry of Agriculture)
- Ministère de l’Éducation Nationale – DEPP (Ministry of National Education)
- Ministère de l’Enseignement Supérieur, de la Recherche et de l’Innovation – SIES (Ministry of Higher Education, Research and Innovation)
- Ministère de l’Intérieur – DSED (Ministry of Home Affairs)
- Ministère de l’Éducation nationale, de la Jeunesse et des Sports – INJEP (National institute of youth and popular education)
- Ministère de la Justice – SDSE (Ministry of Justice)
- CEREQ – Centre d’Études et de Recherches sur les Qualifications (French Centre for Research on Education)
- ACOSS – Agence Centrale des Organismes de Sécurité Sociale (Central agency for social security organisms)
- CNAF (National Fund for Family Allowances)
- DGDDI (General Directorate for Customs and Indirect Taxation)
For access to sources of data from public statistics, the authorization is issued after favorable opinion of the CSS, Producer Agreement and Archives.
Steps for the procedure to access statistical data are described here below:
To apply for confidential data access, you will have to use the Confidential Data Access Portal (CDAP). Through this portal, you will be able to create an account and sign a confidentiality agreement. Then, you will be able to fill your application form, where you will have to indicate the complete list of researchers on your research team, the complete list of sources, and a clear and understandable description of your project.
After filling you applicaiton, you will have to contact through CDAP the data producers for their approval to submit it.
Pay attention to submission deadlines and send your application to the data producer(s) at least two weeks before the submission deadline.
For more information on the procedure, you can refer to the page Procedure on the website of the Statistical Confidentiality Committee.
.
Once data producers agreed, submit your application file to the committee via CDAP portal.
If you have any question regarding the procedure, you can contact the committee’s administration office via CDAP or by email: secretariat@comite-du-secret.fr.
The committee conducts its deliberation via plenary sessions or digital consultations. The administration office then sends the extract of the deliberation to the project leader.
After receiving the green light, agreements are delivered to the data producers and the French Archives for signing. The agreement signed by the Archives is addressed to the project leader and to CASD, which brings to a conclusion the legal procedure.
To access tax data, DGFIP issues communication authorizations. These documents will be sent over directly by DGFIP, after receiving the agreement signed by the Archives.
For the access and processing of personal data, contact your legal correspondent, or your Data Protection Officer if need be, to determine the formalities to be carried out (records of processing activities or CNIL authorization in the case of health data).
Project members wishing to access data using an SD-Box must attend an enrolment session organized remotely (registration). It is a 3-hour orientation session on legal, statistical and IT issues, as well as a fingerprint collecting session, at which we will give you your smartcard. This standard session is valid for 4 years.
In the meantime, CASD will contact you to work out the contracts with your institution. This process can also take place simultaneously with the Statistical Secrecy Committee procedure.
You can access data once all these steps have been completed.
For more information, please consult the CASD user guide.
Granted by the Data Depositor
For some data sources, authorizations are directly granted by the data depositor :
- PMSI data (Medicalisation Program of the Information Systems) from ATIH (Agency for Information on Hospital Care) : see PMSI Project on the page Contractualization;
- Data from the Banque de France : applications can be made on CDAP portal;
- Data from the Ministère de la Justice – SDSE (Ministry of Justice) : stat.sdse-sem-sg@justice.gouv.fr;
- Data from DPMA (Directorate of Marine Fisheries) : donnees.dpma@developpement-durable.gouv.fr;
- Data from the DGE – Direction Générale des Entreprises (Directorate General for Enterprise) : xavier.guillet@finances.gouv.fr;
- Data from the Bpifrance (Public Investment Bank) : casd@bpifrance.fr (Matthieu Brun (matthieu.brun@bpifrance.fr) and Alexandre Lekina (alexandre.lekina@bpifrance.fr));
- Data from l’ANIL (National housing information agency) : contact-OLL@anil.org;
- Data from ODR (Observatory for Rural Development) : odr-contact@inrae.fr;
- Data from IRDES (Institute for Research and Information in Health Economics) – HYGIE and ESPS : rochereau@irdes.fr;
- Data from MSA (Mutualité Sociale Agricole) : statistiques_msa.blf@ccmsa.msa.fr;
- Data from Pole Emploi (French employment agency).
Start by reaching out to the producer to ask for the right to access.
Once the authorization document is produced by the data depositor, it is sent to CASD so CASD can start the process of creating the access.
For the access and processing of personal data, contact your legal correspondent, or your Data Protection Officer if need be, to determine the formalities to be carried out (records of processing activities or CNIL authorization in the case of health data).
Project members wishing to access data using an SD-Box must attend an enrolment session organized in the CASD building (registration). It is a three-hour orientation on legal, statistical and IT issues, as well as a fingerprint collecting session during which we will give you your smartcard. This standard session is valid for 4 years, but during this period, any other project you will participate in will only require that you come for 30 minutes (the time it takes us to give you your card).
In the meantime CASD will contact you to work out the contracts with your institution. This process can also take place simultaneously with the Statistical Secrecy Committee procedure.
You can access data once all these steps have been completed.
For more information, please consult the CASD user guide.
Confidentiality breach and sanctions
Please note: in the event of a breach of confidentiality in the processing of the data rendered available, the user is liable to prosecution.
Criminal sanctions according to the following legal dispositions:
• Articles 226-13 and 226-14 of the penal code on professional secrecy breach (statistical secrecy, fiscal secrecy, business secrecy…) stipulate that “the disclosure of secret information by a person who is in possession of it either because of his profession or his status, or because of his function or a temporary mission, is punishable by one year imprisonment and a fine of 15 000 euros”;
• Articles 226-16 to 226-24 of the penal code on the violations of personal rights resulting from computer files or processing in case of information related to individual firms;
Processing prohibited by the GDPR for projects hosted at CASD:
• A processing with the final or intermediate purpose of re-identifying one or more natural persons;
• A processing with the final or intermediate purpose of taking a decision that affects an identified natural person.
Consequences in case of breach according to the Data protection Act: up to 5 years of imprisonment and a fine of 300 000 euros (section 5 of Chapter VI of Title II of Book II of the Penal Code).
Consequences in case of breach according to the GDPR: administrative fines up to 20 000 000 euros or, in the case of companies, 4% of the total annual worldwide turnover of the previous fiscal year.
CASD is obliged to implement contractual rules, which must be respected when users process data, in order to:
– ensure the protection of confidential data to which authorized users have access through their SD-Box,
– fulfil security requirements, ensuring confidence for data producers depositing their data with CASD to make it available to users,
– and to comply with the security standards set out in ISO 27001 and ISO 27701 CASD security certifications.
These rules particularly concern:
– rental of the SD-Box,
– use thereof,
– screen display protection,
– use of the biometric smartcard for authentication,
– the exclusively personal nature of the work session,
– preventing screen copies or photographs (including in the absence of confidential data)
– and any other use which may undermine the protection and confidentiality of data.
In case of non-compliance with these rules, sanctions will be applied, ranging from:
– a reminder of the rules,
– temporary suspension of the offending user’s access until re-enrolment,
– fixed suspensions of 3 to 6 months or even permanent suspensions for the user, the whole project (or the user’s establishment if it was implicated), with notification sent to the producer and to the authorizing authority, depending on the nature of the infraction and its impact.
– legal or criminal proceedings in the event of serious impact on data confidentiality. Provisions are specified contractually with data producers to cover the costs of proceedings.
Repeated failure to comply with the rules will result in increased penalties.
The possibility for users to access confidential data within the framework of their work is a personal exemption from the confidentiality protected by law (in particular via article 6bis of French law No 51-711) and is therefore granted on a personal basis. Consequently, it implies the user’s personal responsibility, which may also have consequences for all users in the case of non-compliance with security instructions.