Proposal for a certification procedure within the framework of the current partial revision of the Data Protection Act

The new FADP introduces a certification procedure for organisations and products. Its purpose is to promote self-regulation, to give greater responsibility to the owners of data collections and to stimulate competition. The revised implementing regulations for the FADP, issued by the Federal Office of Justice, are intended to set out the essential conditions applicable to the certification bodies, which fall under the responsibility of the Swiss Accreditation Service (SAS). At the same time, we are working on a standard framework for evaluating the required level of data protection, so as to specify the minimum requirements applicable to data protection management systems.

We have been working with the Federal Office of Justice, which is responsible for drafting the partial revision of the FADP, in order to flesh out the next stage of the certification procedure. The draft revision introduces the principle of self-regulation so as to give greater responsibility to the owners of data collections, stimulate competition and improve data protection and data security. The project is intended to help develop certification procedures for organisational structures, data processing procedures, and technical information systems and programs (i.e. products). Nevertheless, the main focus is the certification of organisations, which will probably find the system best suited to their needs.

In the run-up to the revision of the implementing regulations, we developed a close working relationship with the Swiss Accreditation Service (SAS), which is part of the Swiss Federal Office of Metrology and Accreditation (METAS). Together we considered the essential characteristics that certification bodies should have to satisfy.

As far as the specific and practical aspects of the certification procedure itself are concerned, i.e. the standard framework for evaluating the level of data protection, we are currently looking into the idea of introducing a reference model. The model could be based on the audit standard BS 7799-2:2002, which sets out the specification for information security management systems (ISMS). Its controls in turn draw on ISO/IEC 17799:2000, the code of practice for information security management (10 chapters with 128 controls). For the planned data protection management system (DMS), the main focus must be on the principles and methods that guarantee or improve data protection, in particular the reference and other models used by national and international bodies in comparable procedures.

[July 2005]