Certification procedure within the context of the revision of the Federal Data Protection Act (FADP)

The revision of the FADP makes provision for a voluntary data protection certification procedure. As far as the certification of organisations is concerned, certification bodies will be presented with a two-part reference model for appraisal. The first part concerns the requirements to be met by a data protection management system, while the second focuses on a conformity inspection tool, that is to say on the data protection requirements that can be derived directly from the FADP.

As part of the FADP revision process, we have pursued our cooperation with the FOJ (Federal Office of Justice) and SAS/Metas (Swiss Accreditation Service) (cf. our 12th Annual Report 2004/2005, Section 1.1.2). Our main concern in this respect has been to define minimum requirements that must be met before an organisation or a data processing procedure can obtain data protection certification. We have sought to produce a more precise description of a standard reference model which can be used to verify the existence and correct functioning of a data management system (DMS) in the audited organisation. We also need to ensure that the level of data protection at the time of the inspection complies with current legal requirements. To this end, we felt it appropriate to subdivide the reference model into two different parts: the first concerns the DMS itself, the second the actual specification of the data protection requirements.

As far as defining the requirements for a DMS is concerned, we were guided by the conditions for an information security management system (ISMS) as set out in the new ISO/IEC 27001:2005 standard (formerly BS 7799-2:2002). Article 7 paragraph 1 of the FADP (data security) says that personal data must be protected against unauthorised processing through the appropriate organisational and technical measures. We should remember that the ISO/IEC 27001:2005 audit standard is entirely based on the ISO/IEC 17799:2005 standard which contains 15 chapters and covers 134 individual inspections. Section 15.1.4 specifically sets out the conformity requirements applicable to personal data processing. It is precisely this aspect which we have sought to flesh out within the context of the FADP and which we have now integrated into the second part of the reference model under the heading “conformity inspection tool”.

Our working hypothesis is based on the assumption that provided that the level of data protection is shown to be in conformity at the time of the inspection and that a DMS has been put in place to maintain or preferably improve that level of protection, data protection requirements will be durably fulfilled. A data protection certification could thus be issued for a period of several years subject to periodic intermediate audits and a full audit at the end of the period.

We now intend to present a draft of our reference model to the certification bodies that have experience with the ISO 900x and/or ISO 17799 standard in order to verify the integrity and applicability of this model.

[July 2006]