22nd Report on Activities
Bern, 29.06.2015 - The Federal Data Protection and Information Commissioner (FDPIC) Hanspeter Thür, is presenting his 22nd Report on Activities today. On the data protection front, the period under review (2014 – 2015) was marked by two main activities: the supervision of corporate data processing and providing advice to citizens, the authorities and companies. On the subject of public access to official records, the FDPIC acted as mediator helping to settle disputes between applicants and the authorities and issued a number of recommendations. He also gave his opinion on important draft legislation.
Developments in connection with Big Data and the linkage and analysis of large data collections are also reflected in the FDPIC’s Report on Activities. Last year, for example, Postfinance created something of a stir when it announced that it intended to analyse the payment transactions of account holders conducted via its online banking portal. Customers who refused to authorise the use of their data for evaluation purposes were told that they would be excluded from e-Banking services. After examining the facts, the FDPIC took the issue up with Postfinance, which then agreed to give customers a free choice and to provide them with more detailed information. After seeking further clarifications form the credit reference agency Moneyhouse regarding a range of services offered on its website, which disclosed vast amounts of data about private individuals without their consent, the FDPIC issued a recommendation at the end of the year. Given that Moneyhouse is only willing to implement the recommendation in part, the FDPIC has decided to refer the case to the Federal Administrative Court.
In the area of government surveillance, the focus this year was on the new Intelligence Service Act and the Swiss Federal Law on the Monitoring of Postal and Telecommunications Traffic (BÜPF). The scope of monitoring and data collection measures has been broadened to include the use of government Trojan spyware and IMSI-Catchers, both of which pose serious risks from the perspective of the protection of privacy. The FDPIC has therefore asked that the use of such measures be defined in much greater detail and be subject to a court order.
The FDPIC also addressed outsourcing of data processing by public authorities to companies outside Switzerland. Since there is a very real risk that foreign authorities could get their hands on such data, he recommended that public bodies in Switzerland refrain from using cloud providers headquartered in the USA or in other countries, which do not offer a level of protection equivalent to that in Switzerland.
More and more people are storing data in the cloud rather than on individual computers. Doctors are no exception and since they have an obligation of professional secrecy under the Swiss criminal code, such practices raise a number of serious issues. In response to various requests for information, the FDPIC has said that doctors are required to observe professional secrecy even when patient data is outsourced. He therefore recommended that doctors opt for cloud providers that have their headquarters in Switzerland and that they obtain a contractual guarantee from such providers that patient data will not be transferred abroad. The FDPIC carried out an inspection of twelve data collection points to ensure compliance with patient data protection requirements. With the introduction of a new hospital financing system in 2014, health insurers must use a certified collection point to receive DRG-type invoices. He was able to confirm that the collection points basically functioned well. However, in a few cases he did observe shortcomings. These were notified to the certification centres.Video surveillance in the workplace is another area that is causing the FDPIC considerable concern. In particular, persons working in the catering trade wrote to complain about the use of sound and video recordings. As a result, he inspected two companies. In both cases the cameras have now been removed. The FDPIC must point out in this context that it is forbidden to use video cameras for employee surveillance purposes. Video cameras have also come into widespread use on the roads. Dashcams mounted inside cars allow drivers to record what is happening as they drive, and this involves filming other drivers. As the FDPIC has written on his website, such actions violate individuals’ right to privacy and are only authorised in exceptional circumstances, for instance when they relate to a specific event.
Freedom of Information ActThere is growing demand for access to documents held by the federal authorities: in 2014, there were 100 more requests for access than in the previous year (from 469 to 575), corresponding to a 20% increase. In cases where access was refused, the FDPIC often succeeded in securing at least the partial release of the documents in question. Mediation proceedings for this purpose have increased by 18% (from 76 to 90). The evaluation report on the Freedom of Information Act (FoIA), which was presented to the public by the Federal Council, shows that applicants and the authorities alike welcome the principle of transparency. The FDPIC has been involved in numerous mediation proceedings, and the recommendations he has issued have certainly contributed to such broad acceptance of this principle. Hopefully, the legislator will bear this in mind during the imminent revision of the FoIA and will face down the demands from some authorities that wish to be exempted from its scope.
An overview of the issues covered in the 22nd Report on Activities is provided in the Summary. The full Report on Activities can be found at the following address www.edoeb.admin.ch under Dokumentation (in German).Address for enquiries
Media office of the Federal Data Protection and Information Commissioner
Tel: 058 464 94 10
Publisher
Federal Data Protection and Information Commissioner
https://www.edoeb.admin.ch/edoeb/en/home.html
