17th Report on Activities

Bern, 28.06.2010 - Over the course of last year, the Federal Data Protection and Information Commissioner (FDPIC) dealt with a number of recent developments which included: the controversy surrounding SAKE, the mandatory Swiss labour force survey, the demand for an online system of naming and shaming drivers accused of speeding, and the storm unleashed by online services such as Google Street View. After being alerted by a third-party source, he also sought clarification from a provider of genetic test services, evaluated the legality of video recordings obtained by means of drones, requested an opinion on the data processing of creditworthiness tests, published some explanatory notes on the duties of corporate data protection officers, and adopted a position on the transfer of personal data to third parties by clubs for marketing purposes. One of the FDPIC’s main concerns during the year under review, which ran from 1 April 2009 to 21 March 2010, was to make children and teenagers more aware of data protection issues. The FDPIC carried out a number of Schengen-related inspections and deepened his cooperation with the cantonal authorities. Furthermore, the FDPIC expressed his reservations regarding the preliminary draft of the revision of the Federal Post and Telecommunications Monitoring Act, evaluated the architecture that has been recommended for eHealth Switzerland, and gave a lecture at the Federal Institute of Technology (ETH) in Zurich on the use of RFID chips from a data protection perspective. Other recurring subjects for the FDPIC included data protection at the workplace, i.e. the question of the proper use of fingerprinting for attendance control, and the problem posed by spyware. The issue raised last year regarding the practice of an old-age pension fund to send membership cards to the employer instead of the insured persons, which does not comply with data protection requirements, was referred to a higher authority. The same applied to the KSS sports centre, which had rejected the FDPIC’s recommendations regarding the biometric access control system. The centre has now been ordered by the Federal Administrative Court to make the necessary modifications. On the subject of the Transparency Act, the report summarises the work carried out by the FDPIC over the past year.

Last autumn, participation in the labour force survey SAKE was declared mandatory for the population. This was greeted with a great deal of criticism, as was the fact that the survey was carried out over the telephone by a private institute mandated by the Federal Statistical Office (FSO). The FDPIC recommended that the FSO adopt a number of measures in order to strengthen the population’s trust and reassure it that the data being collected would be processed according to data protection provisions.

After a number of tragic road accidents which were caused by irresponsible driving behaviour, there has been an increasing call for publishing the names of those responsible. The FDPIC, however, doubts whether naming and shaming the drivers in question on the internet would have a dissuasive impact and is worried that this could produce the opposite effect and be seen as a kind of league table. He believes that it would be much more effective to introduce stricter penalties, such as the imposition of a long driving ban.

In August last year, Google introduced its Street View online service. This raised a number of data protection concerns, and many individuals contacted the FDPIC to complain. Google rejected various recommendations made to improve the protection of individuals’ privacy. As a result, the FDPIC filed a complaint with the Federal Administrative Court.

Acting on information from a number of citizens about a company in Zurich that offers paternity tests and origins analysis (also referred to as genealogy testing), the FDPIC carried out an inspection to ascertain the facts. Some shortcomings were found with regard to transparency, but the company addressed the issues immediately. As a result, no further steps needed to be taken.

At the request of the Swiss Federal Office of Civil Aviation (FOCA), the FDPIC listed the criteria applicable to the use of video footage obtained from drones and other aircraft. For example, there has to be a valid reason, the process must be made transparent to the person concerned, the data must be given reasonable protection from unauthorised access, and the data must be erased as soon as possible.

The FDPIC commissioned an expert opinion on the length of time credit agencies were allowed to process data on debt collection and pass them on to third parties. The expert opinion states that the constraints established by the Federal Debt Collection and Bankruptcy Law (DCBL) were relevant for assessing the proportionality of the processing time, even though the law does not actually impose any particular obligations on the credit agencies. The FDPIC informed the Federal Office of Justice and the credit agencies of his conclusions, and underlined – not for the first time – the significance of debt collection data and their distribution to third parties in today’s economic environment.

Following the revision of the Data Protection Act, which came into effect in 2008, companies are no longer required to notify the FDPIC of their data files if they appoint a data protection officer and inform the FDPIC that they have done so. The minimum requirements regarding the position and professional aptitude are set out in the FDPIC’s Explanatory Notes on Corporate Data Protection Officers.

This year again, the handling of membership data by federations and clubs has raised a number of issues. The FDPIC advised a number of sports clubs and their national association on aspects relating to the transmission of their membership data for marketing purposes. As a matter of principle, this can only be done with the authorisation of the members concerned. However, in order to free clubs from the constraint of having to obtain such authorisation individually, which would tie up a great deal of capacity, the FDPIC has no objections to the national federation taking over this responsibility, asking each member once to grant authorisation, and thereafter processing only those data for which approval has been given.

A number of offers distributed via the internet and mobile phones specifically target young people; they often constitute an invasion of privacy, because young people do not appreciate the dangers that lurk on the net. Over the last year, the FDPIC focussed his attention on the younger generation, with a view to making them, as well as their parents and teachers, aware of data protection issues. A number of events were organised within the context of the 4th European Data Protection Day. For example, the FDPIC commissioned the development of a training tool for young people and teachers, with the aim of helping schoolchildren to acquire knowledge about data protection principles during their classes. He also posted wide-ranging information on the subject on his website.

The processing of personal data in the Schengen Information System (SIS) was the subject of a number of controls by the FDPIC in his capacity as the supervisory authority of the federal government in matters relating to data protection. For example, he inspected the Swiss diplomatic representation in Cairo and the data processing carried out by the Federal Criminal Police. Furthermore, he convened two meetings of the coordination group of the Swiss Data Protection Authorities.

As part of the interdepartmental consultations on the preliminary draft revision of the federal law on the monitoring of post and telecommunications traffic, the FDPIC noted shortcomings in the handling of the right to information. He also criticized the lack of details about the effectiveness of computer programmes that can be placed on computers without the user’s knowledge. Furthermore, the FDPIC called for a clearer definition of the group of persons to whom the law is intended to apply.

Within the context of eHealth, the Federal Council (Swiss government) sets great store by respect for data protection standards. The FDPIC is currently participating in the development of standards and architectures, and insists that essential principles, such as informational self-determination, a decentralized structure and the application of the principle of purpose limitation, must be reflected in the architecture. During this process, the FDPIC observed that people are sensitive to the data protection issue.

RFID technology has been spreading rapidly in inventory control systems, for example for train tickets, library books or goods that are protected against theft. Data stored on RFID tags that are not specially protected can be read or manipulated by special devices without the knowledge of the person concerned. This raises serious privacy issues, because it allows a profile to be created of a person’s shopping habits or movements. Hence the need for transparency in the use of RFID. Systems must be designed in such a way that they satisfy data protection requirements.

The use of biometric data, for example fingerprinting, is becoming more widespread. In many cases, it would be sufficient to use an extract rather than the whole fingerprint. This would minimize the risks associated with the processing of biometric data. Additionally, in most cases it is not necessary for the data to be stored on a centralized database. The FDPIC has developed a set of guidelines on this subject.

Computer programmes that can be used for the uninterrupted monitoring of employees at the workplace constitute an infringement of the individual’s privacy. Although employers are entitled to control employees’ productivity, they do not have the right to subject them to round-the-clock supervision. The use of computer-based systems (PCs, email, internet, etc.) must be covered in a set of rules of use. It should also be made clear how compliance with the rules will be verified and how violations will be sanctioned.

A pension fund that sends personal membership cards to employers rather than to the insured persons themselves not only infringes the principle of legality but also violates the confidentiality to which all social security institutions are bound. The pension fund in question, which had already attracted the attention of the FDPIC last year, rejected his recommendations. As a result, he has notified the Federal Department of Home Affairs (FDHA) and asked for a ruling on the case.

During the course of last year, the FDPIC had to occupy himself once more with the case of the KSS Sport and Leisure Centre, but now a satisfactory outcome has been achieved. The Federal Administrative Court considered the case of the centre’s biometric access system. It upheld the complaint filed by the FDPIC and issued a number of clarifications on the subject of data protection in such cases. The FDPIC welcomed the judgement, which has now become legally binding.

During last year, the FDPIC spent a considerable amount of time on cases relating to the question of access to public documents (transparency principle). Whilst the number of requests for access to the documents held by the federal departments (ministries) and federal offices remained more or less at the same level as the previous year, the number of cases in which the FDPIC was asked to mediate increased significantly. Since the introduction of the Freedom of Information Act four years ago, there has been an undeniable trend whereby the percentage of outright rejections has steadily decreased, while at the same time, the number of partially granted requests has risen.

Other subjects covered in the 17th Annual Report can be found in the attached summary.

Publisher

Federal Data Protection and Information Commissioner
https://www.edoeb.admin.ch/edoeb/en/home.html

https://www.admin.ch/content/gov/en/start/documentation/media-releases.msg-id-33942.html