14th Report on Activities

Berne, 02.07.2007 - Both the private sector and the federal administration continue to process vast amounts of data. As a result, the Federal Data Protection and Information Commissioner has had to intervene on numerous occasions during the past year to prevent the infringement of citizens’ privacy rights. In his 14th Annual Report, the Commissioner addresses issues that range from military information systems, such as reconnaissance drones, to the planned introduction of the health insurance card, to video surveillance in stores, and to biometric access control in sports stadiums and leisure facilities. Furthermore, he has also assumed a new role as mediator relating to transparency and public information.

The Federal Data Protection and Information Commissioner (FDPIC) has repeatedly demanded that the principle of legality be respected scrupulously when the administration processes data, and more particularly when surveillance measures are used. Severe encroachments into the private lives of citizens must be legitimized by the democratic process, and therefore must be formally regulated in a corresponding law. Last year, the Commissioner pointed out on more than one occasion that there was still no formal legal basis governing the use of army reconnaissance drones by the border police. After much dithering, the Federal Council finally agreed to remedy this legal shortcoming and thus to also regulate the use of surveillance equipment for civilian purposes. The Commissioner has pointed out that the legal rules covering military information instruments need to be highly specific, in other words they should cover not just the actual surveillance devices, but also the type and purpose of the surveillance.

Concerning the revision of the customs ordinance, and in particular the question about which biometric data may be processed for which purpose, the Commissioner has called for transparent rules that respect the principle of proportionality. For example, he rejects the idea of allowing customs to collect iris patterns in order to have a large reserve pool, because he believes that this would not be appropriate.

The FDPIC has once again addressed various police and national security-related issues. He has adapted his practice relating to the so-called indirect right of access – i.e. the disclosure of information not by the Office for the Protection of the State directly but by the FDPIC – as demanded by the Federal Data Protection Commission. As a result, persons who submit an indirect request for information may, under certain conditions, now obtain adequate information about whether data are being processed by the Federal Office of Police (fedpol). In the past, they had to content themselves with a standard letter. In reaction to the draft bill on police information systems and ex post facto information about persons whose data have been processed by fedpol, the Commissioner used his influence to obtain a strengthening of the rights of data subjects.

The health sector was a further area in which the FDPIC has been active. The future application of so-called diagnosis-related groups (DRG) which will serve as a basis for treatment invoicing means that highly detailed medical personal data will be passed on by the service provider to the insurer. The Commissioner notes that the required legal basis is missing. A corresponding law will have to be adopted before the entry into force of the DRG.

Furthermore, the Commissioner has drawn attention to the fact that basic data protection requirements must be respected scrupulously during the introduction of the health insurance card. At the moment, however, there are some doubts about this, particularly with regard to the (voluntary) storage of medical data on the card. As long as there is no clarity regarding the purpose of these data, it is impossible to determine whether they are really appropriate and thus whether their storage respects the principle of proportionality. More importantly, there is no way to guarantee that patients fully understand the consequences of their agreeing to, or refusing of, the storage of such data. Thus, the Commission has asked the Federal Office of Public Health to forego storing medical data on the health insurance card for the time being.

In 2006, the FDPIC checked the video surveillance equipment in use at ALDI Switzerland as part of the clarification procedure. He drew attention to a number of important points which need to be respected by other firms operating in this sector as well. For example, the Commissioner noted that the surveillance device must be set up in a way that affords maximum protection to employees’ rights to privacy. The Commissioner has come out in favour of surveillance technologies that respect data protection requirements. Aldi accepted the Commissioner’s recommendations and has pledged to implement them.

The inspection carried out at KSS Sports and Leisure Facility has also led to some improvements. The point at issue here was the data protection conformity of the biometric access control system. The FDPIC has asked and obtained that biometric data – in this case digital finger prints – be stored on the individual membership cards and not on a central database. Again, at the Commissioner’s request, KSS has agreed to provide customers that refuse the registration of their biometric data with alternative solutions at the same price.

On 1 July 2006, the Freedom of Information Act (BGÖ) came into effect. Its adoption gives the FDPIC new responsibilities, and he now acts as an Advisory, Conciliation and Arbitration Service in support of the principle of transparency in the federal administration. He has already made several recommendations in this new area. It is becoming clear that the general awareness of the principle of transparency and information is steadily growing, and therefore the Commissioner has to deal with an increasing number of requests for arbitration. In view of the limited resources available to him, it is becoming impossible to deal with those requests in a timely manner.

Other issues addressed in the 14th annual report are covered in the attached summary.