Like private companies, local and regional authorities use, create, share and store large volumes of data and documents.
Confidentiality and the protection of data aren’t new subjects, but this year they are more relevant than ever, with the implementation of the European Data Protection Regulation on May 25th and the opening of public data for communities, which takes effect from October 2018.
Following numerous data hacking scandals which have erupted around the world, and the general public’s growing concern regarding the use of their data, the French government has put in place measures aimed at controlling the storage as well as the processing of data and documents from regional and local authorities.
The problem of data storage
Today, communities increasingly use software or platforms that allow them to store all of their documents and data in a single space, which is as easily accessible to officials as it is to users (via the internet). That is what we call cloud computing.
The problem is that this data is stored in vast datacentres which are often physically located abroad, and therefore outside French territory. As a reminder, all of the local and regional authorities’ documents (digitized paper documents or documents created by word processing software, databases or emails) fall under the public archives regime as soon as they are created and are considered ‘national treasures’ which can’t ‘leave the French territory customs office’ (source: la Gazette des communes).
In an information note dating from April 2016, the government recalls that it is essential that data is processed and stored in a sovereign cloud, meaning one “which is located in the limits of the national territory, by an entity governed by French law and in application of French laws and norms.”
The different types of data
The data managed by local and regional authorities are classified into three main areas:
- internal data necessary for the functioning of the community;
- data concerning trades and services;
- information about their users.
On a day-to-day basis, communities use and process a considerable amount of data, ranging from civil status records to information on the incomes of citizens, information gathered by the municipal police, social assistance files, video surveillance, cadastral files, etc. And this quantity of information will only increase with the development of e-administration, which makes it possible to modernize and accelerate public action.
Sharing documents: what you need to know
Here are 4 pieces of information that communities must know about document sharing and data protection.
1. A sovereign cloud, or nothing
As specified above, local authorities are obliged to use a sovereign cloud. Indeed, the circular of April 2016 specifies that “the use of a non-sovereign cloud, which, by definition, doesn’t guarantee that all of the data is stored on French territory, is therefore illegal for any institution producing public archives, including local and regional authorities, their associations and public establishments.”
Communities must therefore carefully choose a service provider which meets government requirements and assures that their data is properly processed and stored in France.
Wimi and Wimi Armoured are highly secure online file sharing tools that host your data in France.
2. The clauses to provide for
Amongst the good practices cited in the government’s briefing note, it should be noted that “if a regional authority wants to subscribe to a cloud offer, it can thus focus only on a sovereign cloud offer, taking care to provide for clauses related to the location, security, confidentiality, traceability, auditability, reversibility, portability, and elimination of data in the system. If the chosen offering is a public cloud offering, it will also ensure that the logical separation of its data from that of other customers is guaranteed.”
3. The appointment of a data protection officer
Since May 25th 2018, communities are obliged to appoint a data protection officer. The officer’s duties are the following:
- to inform and advise the community’s officials on data storage and protection;
- to set up an ‘IT and Freedoms’ culture within the community;
- to carry out audits to check compliance with the regulations and national data protection law;
- to cooperate and be in contact with the CNIL;
- to advise the community on carrying out an impact assessment relating to data protection and to verify its execution.
In order to perform their role effectively, the data protection officer should have a sufficient level of expertise, possess specialized knowledge of data protection law and practice, and benefit from the resources and training necessary to carry out their missions.
If you notice a personal data breach, you must report it to the CNIL within the 72 hours following the breach. After this period, the community can be sanctioned with a public warning or an administrative fine of up to 20 million euros.
As a guide, the amount of the fine for a private business can be between 2 and 4% of its annual global turnover, depending on the category of the offense.
Today, local and regional authorities have to keep pace with the evolution of digital society. Data sharing and protection are now important subjects, and it is essential to comply with the new regulations that govern them.