18.6.2024 - Online access to personal data can cause serious prejudice to the fundamental rights of the data subjects concerned. Federal authorities must therefore plan such access in good time in accordance with the Federal Act on Data Protection and justify it to their political overseers. In a new factsheet, the FDPIC shows how this should be done.
New factsheet on planning and justifying online access
In numerous laws, federal and cantonal legislators instruct the authorities in their own political community to enable the online disclosure of personal data to other authorities in the same or other communities on a self-service basis.
Planning
Since online access can lead to a particularly serious prejudice to the fundamental rights of the person concerned, federal bodies must plan such access and comply with the requirements of the Federal Act on Data Protection (FADP) in good time:
- The principle of legality requires legal provisions to be sufficiently specific and, depending on the sensitivity of the data, to be set out in a formal act or ordinance;
- It must be clear from the legal provisions that, in line with the principle of proportionality, access by an outside authority will be limited to selected categories of data that are required to support the outside authority in achieving its processing purposes, which must be sufficiently defined;
- It must be proven in quantitative terms that the granting of online access is appropriate and necessary. This is the case if a disproportionate number of administrative assistance requests on similar or identical grounds would be required if online access were not granted;
- A data protection impact assessment must be carried out for projects which, in view of the scope and volume of online data sharing and the sensitive nature of the shared data, could potentially compromise the fundamental rights, privacy and legal protection interests of a large number of people.
Substantiation
Federal authorities must demonstrate in sufficient detail, to the political authorities responsible for approving their work, that they have complied with the requirements of the FADP mentioned above. It is not sufficient under data protection law to justify online access simply by referring to the current need for digitalisation in public administration.
Last modification 23.07.2024