10th annual report 2002/2003

Below you will find a selection of the articles included in the FDIPC's 10th annual report. If you are interested in the complete versions of the reports, please refer to the corresponding pages in German or French.

September 11 2001 was the key theme of my foreword last year. The focus of my thoughts was the question of how a free and democratic state governed by the rule of law can meet this challenge without compromising the basic constitutional rights.

The SDPC is generally in support of the proposals for the amendment of the DPA that have been made in the two dispatches from the Federal Council previously mentioned. As we remarked in our 8th Annual Report (Chapter I.12), we would have favoured a more extensive revision of the DPA and more consistency in bringing the DPA in line with European law. We welcome the introduction of certification and of the data protection seal of approval, which further reinforce the autonomy and responsibilities of the controllers of data files.

An ID number for all Swiss citizens and residents that would remain the same throughout their lives will make it easier to access and exchange information on the persons concerned. Theoretically, this increase in efficiency would be used in a positive way, but it could also be exploited for risky or even improper activities. This is why, like the constitutional expert G. Biaggini, we are calling for a clear definition of the ways in which any personal identification number will be used.

In recent years, photocopiers have developed into multi-function devices with considerable "intelligence" of their own. This has also given rise to data protection risks. If documents are digitally scanned, they remain for a certain time in the memory of the machine. The machine can also be integrated into a computer network. Reason enough to take a closer look at these devices from the point of view of data protection.

The terms "security" and "trust" are commonly used in the advertising of manufacturers and service providers in the IT industry. Despite their highly positive tone, these expressions, unless precisely defined, have little tangible content and this rather impairs their effect.

A member of a club or association is under no obligation to disclose every detail of his personal life to the club committee. If the personal data requested has no direct connection with the objects of the club, the committee must inform its members in advance of the purpose for which the data will be used and advise them that the disclosure of personal data - as there is no direct connection with the objects of the club - is made on a voluntary basis.

In the course of the digitalisation of patient records, we have attempted to formulate a number of basic requirements and recommendations relating to this seemingly inevitable development, and in particular with regard to the procedure to be used for the physical storage of records (centralised, decentralised, patients, cards ...). In relation to this, it may very well be the case that in view of the multitude of methods and projects that are currently being developed in our country, some of our remarks will have to be revised or rephrased due to experience gained in this complex field.

If third parties are commissioned to conduct voluntary surveys, the passing on of information for carrying out the surveys must comply with the principle of reasonableness, i.e. only such data may be passed on as is actually necessary for the conduct of the survey. The person commissioning the survey must first establish who precisely wishes to take part. The passing on of an entire address list is unreasonable.

Companies that wish to sell paternity tests in Switzerland must take steps to ensure that they have the written consent of all the parties affected by the test. They must confirm the legal validity of the consents provided using an effective procedure. This is the only way to prevent tissue samples being taken secretly from children and paternity tests being carried out without the knowledge of a spouse or partner.

In September 2002, the Federal Council approved its dispatch on the Federal Act on the Genetic Testing of Human Beings. The bill will now be debated in Parliament.

Spy programs not only permit the recording of all incoming and outgoing e-mails but also the recording of what appears on screen and the detailed recording of all key strikes and surfing tours. Employers who use this means to check on their employees violate statutory provisions on the protection of privacy and thus commit a criminal offence.

For the smooth accomplishment of management tasks, it is essential that incoming and outgoing business correspondence can be systematically recorded and understood. As there is often no clear external distinction between private and business e-mail, the management of employees' electronic post while they are absent from the workplace can cause data protection problems. If an address that relates to the employee's function rather than to his name is used for business correspondence, this problem can be avoided.

Advertising mails make up a significant percentage of the traffic in electronic post these days. Anyone who does not wish to receive these advertising messages often has great difficulty stopping the mails from some advertisers being sent to their address.

On 6 September 2002, the second sub-committee of the Finance Committee of the National Council paid us a visit. The sub-committee was particularly interested in our organisational procedures, our activities and in the difficulties we have that are due to limited resources and funding. The sub-committee was persuaded that staffing levels are inadequate and that it is impossible for us to fulfil the tasks entrusted to us by law. In the course of the winter session, the National Council decided to discuss the problem in 2003 as part of the debate on the partial revision of the Federal Act on Data Protection.