The SDPC's 11th Annual Report

5 July 2004 - The fight against international terrorism, the communication of personal data to the US authorities by airline companies, the Tarmed medical tariffs, the planned introduction of sectoral personal identifiers as well as the amendment of the Swiss Criminal Code to bring about the decriminalisation of the recording of telephone conversations in business are the main issues that occupied the Federal Data Protection Commissioner (SDPC) over the past year.
In his 11th Annual Report, covering the period from 1 April 2003 to 31 March 2004, the SDPC expresses his views on risks and problems that can result when a federal authority publishes personal data on the internet; he calls for data protection principles to be taken into account from as early as the organisational phase of work on E-Government projects; he criticises the lack of consideration given to the differences between administrative and statistical data processing in relation to data protection regulations; he points out the data protection issues and risks that have to be resolved in connection with facial recognition systems at sports stadiums; he demands strict compliance with the rules of professional confidentiality by doctors when instructing debt collection agencies or when taking debt collection proceedings against patients; and he appeals to computer and internet users to tackle the potential security risks that they face and to take effective precautions.
Lastly, he draws attention to the decision of the Federal Data Protection Commission (FDPC) in the case of drugs tests for apprentices, which largely follows the requests that the SDPC formulated in his recommendation and the submission against the Roche pharmaceutical company.

The SDPC demanded that in combating international terrorism, the issue to be raised is not just the effectiveness of the measures that are under discussion and which at times involve serious intrusions into the private domain. What must be examined above all is the effectiveness of existing legislation. Even in times of crisis, new legislation should be enacted only if it has been established that the existing law is inadequate, and not simply that it has been inadequately enforced.
The SDPC is demanding that the communication of personal data by airlines to the US authorities should only take place on condition that the personality of the air passengers is protected. He has criticised measures that are being planned by the US authorities in connection with civil air traffic in order to combat international terrorism, because these fulfil neither the principles of proportionality nor of proper purpose. Passenger data may be passed on only on the basis of an agreement that guarantees the general principles of data protection. In particular, any such agreement must indicate the reason why the data is being passed on, the safekeeping period and the rules relating to the deletion of the data, and it must clearly state that the data must not be used for other purposes. An agreement of this type is currently being drafted by an interdepartmental working group under the supervision of the Federal Office for Civil Aviation. Until this bilateral agreement comes into force, an interim solution can be used that is based on the information passed on to the persons concerned.
In connection with the Tarmed Master Agreement, which came into force in relation to health insurance on 1 January 2004, the SDPC already indicated last year that many questions relating to the law of data protection were still to be answered. He conducted an investigation and in his report in June 2004 he argued that the data processing in its current form is not reasonable and therefore violates the Federal Act on Data Protection (FADP). He has issued recommendations in order to remedy the situation, and has called on the agencies responsible to devise a data protection strategy.
In relation to the planned introduction of sectoral personal identifiers (SPINs), the SDPC also expects that data protection concerns will be taken into consideration in the phases that are now imminent. To do this will first of all require a detailed analysis of the individual processes, which should be simplified in the case of administrative personal identifiers. The SDPC will examine the draft Act during the consultative committee stage and make his views known.
In relation to the amendment of Article 179quinquies of the Swiss Criminal Code (SCC), the SDPC has indicated that the planned decriminalisation of the recording of certain telephone conversations in business without the consent of the participants in the conversation constitutes an exception. As a result, in related cases a strict interpretation of such exceptions must always be made. The recordings may only be used as evidence in court proceedings, and passing the recordings on to third parties remains a criminal offence.
The SDPC expressed his views on the risks and problems that can result when a federal authority publishes personal data on the internet. This data can be traced by electronic search engines from anywhere in the world and, more importantly, for an unlimited period of time. It is the duty of the federal authorities involved to give basic consideration to the protection of personal rights, as the state in particular has a special obligation to uphold the constitutionally protected right of every individual to protection against the abuse of their personal data.
In the field of E-Government, the SDPC has demanded that those commissioning projects should appoint a person to be responsible for data protection and should ensure that adequate knowledge of data protection is made available to those involved in the projects. The authority commissioning the project is itself responsible for compliance with data protection provisions.
The SDPC criticised the fact that no specific consideration has been given to the relationship between administrative and statistical data processing, even though this relationship is a key aspect of data protection in statistics. The SDPC indicated clearly that the possibility of connecting personal data posed a significantly greater risk to personal rights than was justified by the mere processing of statistics.
The use of facial recognition systems in stadiums should take place only if clear notification is provided to those concerned, and in particular if reference is made to the possibility of exercising the right of access. In addition, the SDPC drew attention to the fact that the allocation of responsibilities and tasks between private organisations, which are responsible for certain security measures, and the police, who are responsible for upholding public order, must be clearly defined.
The SDPC has called for the strict preservation of professional confidentiality in cases in which doctors instruct third parties to recover debts or themselves initiate debt collection proceedings against defaulting patients. In such cases, the doctor generally requires the consent of the person concerned before passing on personal data. In cases where the person concerned does not give consent, but the doctor in his personal interest depends on an exemption from the duty of confidentiality, the Act makes it possible for a senior or supervisory authority to lift the obligation of professional confidentiality.
The SDPC is appealing to PC and internet users to pay close attention to security when using their computers and working with data and to take action to deal with the possible risks. Recognising the potential dangers is the first step toward self-protection, which can normally be guaranteed by using software programs that are supplied free of charge.
Finally, the SDPC drew attention to the decision of the Federal Data Protection Commission in the case of drugs tests during apprenticeships. According to the ruling of the Federal Data Protection Commission, the Roche pharmaceutical company will have to adapt its drugs strategy to ensure that drugs tests are carried out only in the event of justified suspicion in an individual case and where consent to this particular testing has been obtained. In reaching its decision, the Federal Data Protection Commission has largely followed the wishes of the SDPC in his recommendations relating to Roche.