Briefing of Sub-Committee 2 of the Finance Committee of the National Council at the Office of the SDPC in September 2002

On 6 September 2002, the second sub-committee of the Finance Committee of the National Council paid us a visit. The sub-committee was particularly interested in our organisational procedures, our activities and in the difficulties we have that are due to limited resources and funding. The sub-committee was persuaded that staffing levels are inadequate and that it is impossible for us to fulfil the tasks entrusted to us by law. In the course of the winter session, the National Council decided to discuss the problem in 2003 as part of the debate on the partial revision of the Federal Act on Data Protection.

In the press conference on 1 July 2002 held to mark the publication of the 9th Annual Report, we insisted that the resources available for fulfilling our statutory duties were insufficient. The second sub-committee of the Finance Committee of the National Council requested more detailed information on the matter and made a visit to our permanent secretariat on 6 September 2002 as part of their deliberations on the drafting of a preliminary federal budget for 2003. On the occasion of this visit, we presented a summary of our activities and presented our plans for the future. The sub-committee was particularly interested in our organisational structure, the statutory duties that are entrusted to us, the growth in our activities and the difficulties that result from our lack of resources.

In response to questions on the funds that we have to fulfil our statutory duties, we replied that the Federal Data Protection Commissioner had the support of a permanent secretariat with 16.2 full-time members of staff. These are all the employees we have to monitor the application of federal data protection provisions by federal agencies and private persons. To do this, we look into cases ex officio or at the request of third parties and, where necessary, recommend the modification or discontinuation of data processing. Our duties fall into the categories of advising, monitoring, legislation and information. We pointed out that we are not able with our current staffing levels to fulfil all of the statutory duties incumbent upon us, particularly in the field of monitoring, and to keep up to date with the latest technological developments.

On the basis of our explanations, the sub-committee requested specific examples in relation to certain activities and the funds available to carry them out. We explained that in the field of security and the fight against serious crime, for example, the resources of the federal authorities have been increased, which has led to a corresponding increase in data processing procedures by federal agencies. This trend has continued with the need to strengthen internal security and take increased measures to combat serious crime following the events of September 11, 2001. The increase in federal tasks in policing matters and in law enforcement has led to a marked increase in staffing levels, in particular at the Federal Office for Police. In data protection, on the other hand, there has been no corresponding increase in resources in order to carry out the required supervision and the monitoring of developments in information technology projects.

We also pointed out to the sub-committee that runaway costs in the field of healthcare have given rise to a need for the rationalisation of the processing of medical data and the improved coordination of activities between the various bodies involved in health services. These developments, however, must not prejudice the rights of patients and of health insurance policyholders, and in particular the right to the protection of privacy. The current trend means that the monitoring of certain projects (health cards, electronic patient records, exchange of data between healthcare providers and insurance companies, etc.) is placing every greater demands on our resources. Due to a lack of staff and funding, numerous projects cannot be checked on. For example, we have never been able to fulfil our statutory duties in the field of medical research and to monitor compliance with the requirements for the granting of licences by the committee of experts responsible for professional secrecy in medical research.

Lastly, we drew the attention of the sub-committee to projects relating to developments in information technology, and in particular to e-Government (Guichet Virtuel and e-voting): The federal administration is making substantial funding available for this project, but without increasing our resources for responding to requests to provide input into important projects. The same applies to the introduction of the federal personal identification number, the electronic identity card, the harmonisation of administrative registers or for projects in the private sector, in particular in the fields of e-commerce, e-banking, e-learning and e-marketing (especially the problem of spam).

The members of the sub-committee expressed their surprise at the limited level of resources when compared with the work required and asked what had been done to rectify this discrepancy. As we explained, we have undertaken certain rationalisation measures and have in particular introduced the "SDPC Office" management system, which has brought about an improvement in the fixing of priorities and the pursuit of objectives. In spite of such measures, our staffing levels are not adequate to be enable us to fulfil all our statutory tasks. Incidentally, the Audit Committee of the Council of States has already come to the same conclusion, and in its report of 19 November 1998 on the introduction of online connections in the police, it stressed the following: "The Audit Committee agrees with the assessment of the Data Protection Commissioner that he lacks the resources and particularly the personnel to fulfil his statutory monitoring duties. This problem has already been examined as part of the inspection relating to the introduction of information technology in the federal administration. The Committee has established that this situation remains a concern" (BBl 1999 5895). In its response of 1 March 1999 to the parliamentary question by National Councillor Hans Widmer on data protection (98.1185), the Federal Council acknowledged the validity of the remarks made by the Audit Committee relating to the lack of resources at the SDPC: "The Federal Council is aware of this problem and is prepared to look into how the resources of the Data Protection Commissioner - in terms of planned expenditure on staff - can be increased" (Official Bulletin 1999 I 594). This statement, however, has not as yet led to any increase in numbers of personnel that would place us in a position where we could fulfil our statutory duties.

In comparison with the data protection authorities in other countries, the Permanent Secretariat of the SDPC with 16.2 full-time positions is not as well equipped for a comparable range of tasks as its foreign counterparts. The Netherlands, for example, have 56 members of staff, and Belgium, Greece and Denmark 22, 24 and 26 employees respectively. The Swedish authority employs a 42-person team. The Republic of Slovakia has around 80 members of staff. Italy, Poland and the Czech Republic each have a national data protection authority with a team of over 100 employees. The German Data Protection Commissioner, who is responsible only for the public sector at federal level, has a Secretariat with 63 members of staff, and on top of this the data protection authorities of the Bundesländer each have between 30 to 40 employees. The "Commission Nationale de l'Informatique et des Libertés" in France (CNIL; a 17-member Data Protection Commission) enjoys the support of a Secretariat with 76 members of staff. According to a survey carried out by the European Commissioner for Data Protection, the data protection authorities of all 15 member states of the European Union can muster a total of 586 full-time positions. The corresponds to an average of 40 positions per country.

At the end of the visit, the members of the sub-committee made special mention of the inadequate staffing levels in the Permanent Secretariat of the SDPC and stressed that statutory duties could not be fulfilled under such conditions. The problem was submitted to the finance committee of the National Council and was discussed on 26 November 2002 in the winter session of the National Council during the debate on the preliminary federal budget for 2003. It was decided not to take the discussions on the matter any further at that point, as a debate on the partial revision of the Federal Act on Data Protection was scheduled for the course of 2003. It was proposed that the Federal Council could take up the matter in order to apply for additional funding. Ultimately, however, the Federal Council decided to deal with the question of resources not as an element of the revision of the Act, but as part of the budget discussions for 2004.

[July 2003]