Alain Bensoussan
 
The CNIL issued in May 2012 a press release to provide a quick reminder of the personal data that could be contained public records published online.
 
The French data protection authority, the CNIL issued in May 2012 a press release (read here in French) on the personal data that could be contained public records published online.
 
In France, the different services of the Public Records Office (such as the records of towns or of the Ministry of Defense) can post online archived documents, such as birth, marriage and death certificates that contain personal data, i.e. documents relating to individuals potentially still alive and/or individuals who are deceased but whose data may have consequences on the privacy of their heirs.
 
The personal data concern may be data on: last name, first name, pseudonym, date of birth, adoption, divorce, civil partnership, nationality…
Some of these data may be sensitive (data that reveals, directly or indirectly, the racial and ethnic origins, the political, philosophical, religious opinions or trade union affiliation of persons, or which concern their health or sexual life).
 
e.g. birth and marriage certificates can be disclosed after 75 years
death certificate after 25 years
 
The online publication of such documents is regulated by CNIL’s Single Authorization AU-029 on Public Records (Deliberation No. 2012-113 of April 12, 2012).
 

Single Authorization AU-029

 
Governmental records offices are authorized to process (namely digitalize, circulate or otherwise make available) public records containing person data:
       historical, statistical and scientific purposes; or
       the purposes of allowing the general public to access to the cultural heritage.
 
Sensitive data (Article 8 of the French Data Protection Act) must be omitted, via an irreversible process, from documents dated less than 150 years.
 
However, where the public records are published exclusively for historical, statistical and scientific purposes, sensitive data may not be omitted provided that a restricted access to sensitive data is put in place (e.g. mandatory user account with history of each and every records consulted; regular monitoring to detect any fraud).
 
Excluded from the scope of the Unique Authorization:
       All documents related to offences, convictions and security measures within the meaning of Article 9 of the French Data Protection Act. Such documents must be subject to a specific authorization
 

Security measures to be taken

 
3 key security measures
 
1. Ensure that a minimum security level is implemented. The data controller shall especially ensure the implementation of the security and confidentiality measures, and, in particular, prevent their alteration and damage,
or access by non-authorized third parties
 
2. Prevent the massive download of documents, e.g. visual or sound Captcha or limit the number of documents accessible from the same IP.
 
3. Regulate the re-use of documents.
 

Right of data subjects

 
The data controller must provide clear and complete information on the websites offering the consultation of public records about the right for individuals (or their heirs) whose personal data appear in said records to obtain, without any condition, the removal of such online publication.