The processing of personal data involves certain risks, which should be prevented by technical and organisational measures. You can find out here how private individuals and organisations can implement these measures to keep their data processing compliant with the DPA.
The Federal Data Protection and Information Commissioner (FDPIC) has published a new guideline that specifically outlines technical and organisational data protection measures (TOM) and is intended to support private individuals and organisations in implementing data protection and data security in accordance with the FADP and DPA. Following the entry into force of the new DPA last year, it replaces the FDPIC guidelines published in 2015.
Whereas the 2015 guide focussed heavily on data access, the data life cycle, data exchange and the right to information, the new guide covers a much broader range of topics; it is around 25 pages longer than the 2015 version.
General principles of data protection law
When personal data is processed, the general principles set out in Art. 6 FADP must be observed.
- Principle of lawfulness: Personal data must be processed lawfully and in accordance with the legal provisions. The personality of the data subject must be protected. There are specific justifications for a possible violation, such as the consent of the data subject or a basis in the law.
- Processing in good faith: Personal data must be processed in good faith and proportionately. This means that the data collected must serve the intended purpose.
- Principle of purpose limitation: Personal data must be processed as announced or as was recognisable to the data subject.
- Principle of accuracy: When processing personal data, you must ensure that it is accurate and complete with regard to the purpose of the processing.
Rights and obligations of the data subject
When personal data is processed, the data subject has specific rights and corresponding obligations apply. These include the duty to provide information under Art. 19-21 FADP, which ensures transparent data processing. Accordingly, the data subject must first and foremost be informed clearly and comprehensibly about how they can exercise their rights. So that this information can be provided, companies and organisations should set up a procedure and train employees accordingly. The system must also be organised so that a request for information can be followed up and the relevant personal data located. Under Art. 26 FADP, the provision of information may be restricted, for example where the law so provides, where it is necessary because of the overriding interests of third parties, or where the request is manifestly unfounded.
In addition to the right to information, the data subject also has a right to data disclosure and transfer. To this end, it should be ensured that a common format is selected for data processing in order to simplify data extraction. In addition, protocols should be drawn up for the release of personal data and employees should be trained accordingly.
Data processing instruments
Two instruments for protecting data subjects and assessing the risk to them are the data protection impact assessment and the register of processing activities. The FDPIC also addresses both in its new guidelines.
Data protection impact assessment
The data protection impact assessment in accordance with Art. 22 FADP provides information on how the risks are assessed and how they are dealt with. An impact assessment only needs to be carried out if data is processed that may entail a high risk to the personality or fundamental rights of the data subject. A high risk may result from the scope, nature, circumstances or purpose of the processing. An impact assessment may be dispensed with if either a system/product is used that is certified in accordance with Art. 13 FADP or a code of conduct in accordance with Art. 11 FADP is followed.
Register of processing activities
A register of processing activities must be kept by the controller and the processor in accordance with Art. 12 FADP. This register must contain information such as the identity of the controller, the purpose of the processing and a description of the categories of data subject. This obligation may be waived if a company has fewer than 250 employees. However, this exemption from the obligation does not apply if particularly sensitive personal data is processed on a large scale or if high-risk profiling (automatic data processing to assess personal aspects) is carried out.
Technical and organisational measures
Technical and organisational measures must be implemented to safeguard these principles and the rights of the data subjects and to reduce the general risks of data processing. Technical measures relate to the technical aspect of the information system. These can be anonymisation, encryption or authentication, for example. Organisational measures, on the other hand, are more comprehensive and relate to the environment, the people and the type of use. These include, for example, authorisation rules and the register of processing activities.
These two types of measures must be combined and applied throughout the entire data processing life cycle and at every level.
Data protection through technology and data protection-friendly default settings
To a certain extent, the technical and organisational measures go hand in hand with the requirement to set up the technology and default settings in such a way that proportionality is maintained in data processing. Above all, it is important to consider the use, management, organisation and security of the personal data to be processed prior to data processing and to set up an appropriate solution that is proportionate to the type of data and processing.
Technical measures
According to Art. 7 para. 1 FADP, the principles of data protection should be taken into account from the planning stage of the system. This means that from the moment data is collected, measures should be taken to ensure that only the necessary data is collected and used by default. The controller must clearly separate the processing of necessary and unnecessary data and label it accordingly.
One technical measure is the pseudonymisation of personal data. This has the effect of changing the data so that no conclusions can be drawn about the person without additional information or disproportionate effort.
A second option is the anonymisation of personal data. In this case, the data is irreversibly changed so that it cannot be traced back to the person in question without disproportionate effort. Anonymised data is no longer considered personal data, unlike pseudonymised data. Accordingly, it is recommended to anonymise data if possible, as the FADP is then no longer applicable. If this is not possible, the pseudonymisation of data should at least be considered.
In contrast to the previous guidelines, the FDPIC now mentions further data protection measures, namely generalisation, minimisation, randomisation, homomorphic encryption and synthetic data.
In generalisation, characteristic values are replaced by general values that are less person-specific. For example, the date of birth is replaced by the year of birth.
Minimisation is then the result of data protection through technology and the principle of proportionality. In the case of data minimisation, care must be taken to collect only as little data as necessary.
Randomisation can be used for data that is intended to produce statistical rather than individual results. The collected values are exchanged and mixed between records. The data can then no longer be assigned to a particular person, yet a statistical evaluation yields the same result as it would on the unmixed data.
Homomorphic encryption is a very interesting and rather new data protection method. With this technique, the data is encrypted in such a way that certain information can still be derived from it while it remains encrypted, so that the personal reference and the remaining data stay protected.
The last new measure included in the guidelines is the synthesisation of personal data. This involves artificially generated data that is modelled on real personal data in order to train an AI algorithm, for example.
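The measures described above (pseudonymisation, anonymisation by generalisation and minimisation, and randomisation) can be shown on a small table of records. The following is an added example, not code from the FDPIC guideline or from the article's authors; the records, the key and the field names are constructed for illustration. It also adds a simple check a practitioner would run after generalising: how many records share the rarest combination of remaining quasi-identifiers.

```python
import hashlib
import hmac
import random
from collections import Counter

# Constructed sample records (hypothetical persons, not data from the guideline).
RECORDS = [
    {"name": "Anna Muster",   "dob": "1984-03-12", "postcode": "8001", "salary": 82000},
    {"name": "Beat Beispiel", "dob": "1979-11-02", "postcode": "3011", "salary": 91000},
    {"name": "Clara Test",    "dob": "1991-07-30", "postcode": "8001", "salary": 67000},
    {"name": "Dario Demo",    "dob": "1965-01-19", "postcode": "1201", "salary": 104000},
]

def pseudonymise(records, key):
    """Pseudonymisation: replace the name with a keyed HMAC-SHA256 token.
    The token means nothing on its own, but whoever holds `key` can re-link it
    (the 'additional information'), so the result is still personal data."""
    return [
        {**r, "name": hmac.new(key, r["name"].encode(), hashlib.sha256).hexdigest()[:16]}
        for r in records
    ]

def relink(token, candidate_names, key):
    """With the key and a list of candidate names, a token can be resolved again."""
    for name in candidate_names:
        expected = hmac.new(key, name.encode(), hashlib.sha256).hexdigest()[:16]
        if hmac.compare_digest(expected, token):
            return name
    return None

def generalise(records):
    """Generalisation: date of birth -> year of birth, full postcode -> area (first two digits)."""
    return [{**r, "dob": r["dob"][:4], "postcode": r["postcode"][:2] + "xx"} for r in records]

def minimise(records, needed):
    """Minimisation: keep only the attributes needed for the stated purpose."""
    return [{k: r[k] for k in needed} for r in records]

def randomise(records, column, seed=None):
    """Randomisation: shuffle one column across records. The link between a person
    and their value is broken, but the column's statistics (mean, distribution) survive."""
    values = [r[column] for r in records]
    random.Random(seed).shuffle(values)
    return [{**r, column: v} for r, v in zip(records, values)]

def smallest_group(records, quasi_identifiers):
    """Check after generalisation: how many records share the rarest combination of
    quasi-identifiers? A value of 1 means a person is still singled out."""
    groups = Counter(tuple(r[q] for q in quasi_identifiers) for r in records)
    return min(groups.values())

def anonymise_for_statistics(records, seed=None):
    """Chain the measures: drop direct identifiers, generalise, then shuffle salaries."""
    step = minimise(records, ["dob", "postcode", "salary"])
    step = generalise(step)
    return randomise(step, "salary", seed=seed)

if __name__ == "__main__":
    key = b"demo-key-kept-separately"  # constructed; in practice stored apart from the data
    pseudo = pseudonymise(RECORDS, key)
    print("pseudonymised:", pseudo[0])
    print("re-linked with key:", relink(pseudo[0]["name"], [r["name"] for r in RECORDS], key))
    anon = anonymise_for_statistics(RECORDS, seed=7)
    print("anonymised:", anon)
    print("mean salary unchanged:", sum(r["salary"] for r in anon) / len(anon))
    print("smallest group by (dob, postcode):", smallest_group(anon, ["dob", "postcode"]))
```

The distinction the article draws is visible in the functions: `pseudonymise` output can be reversed by anyone holding the key, which is why it remains personal data, whereas the output of `anonymise_for_statistics` keeps the salary mean intact but no longer links a salary to a person. The `smallest_group` check is the reason generalisation alone is rarely enough on a small data set: with four records, year of birth still singles everyone out.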
The FDPIC also comments specifically on the risks and measures associated with the use of clouds. The use of a cloud is always associated with an increased risk to data security, as delocalisation weakens the control and monitoring of the data. In the context of Art. 7 and 8 FADP, it is therefore always necessary to ask whether a cloud is really required for processing and, if this is the case, which type of cloud is best suited to data security and proportionality. It is recommended that a comprehensive risk analysis is carried out for the extensive use of cloud solutions and that appropriate settings and adjustments are made.
Organisational measures
Organisational measures address the infrastructure and the persons processing the data in order to guarantee data protection.
The first option is to check the security of the premises and thus specifically regulate access to the building so that only authorised persons have access. If visitors have access to the building, they should not be able to move around the building alone. Those responsible should also consider additionally locking the offices outside working hours and installing an alarm system in particularly sensitive rooms.
One of the most vulnerable rooms is the server room, as data is physically stored there. Special access authorisations should be issued for this, which are only granted to as few people as necessary. It is also advisable to log access for later evidence purposes.
The daily workplace should also be secured and protected. This can include ensuring that screens cannot be viewed or that employees store all sensitive items, such as data carriers and documents, in lockable drawers. An updated antivirus programme should also be installed on every PC.
Access management ensures that it is possible to trace who has access to which data and how it is processed. In concrete terms, this means that no user accounts are shared, that the organisation defines the access rights for each employee, and that these rights are also differentiated in the information system.
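The traceability requirement above can be demonstrated with a minimal access check that enforces per-employee rights and records every decision. This is an added example, not code from the guideline or the article; the users, datasets and rights table are constructed.

```python
from datetime import datetime, timezone

# Constructed example: access rights defined per employee by the organisation
# and enforced in the information system. Users and datasets are hypothetical.
ACCESS_RIGHTS = {
    "alice": {"hr_records": {"read", "write"}, "customer_data": {"read"}},
    "bob":   {"customer_data": {"read", "write"}},
}

class AccessLog:
    """Append-only record of who tried to do what with which data, and the outcome."""
    def __init__(self):
        self.entries = []

    def record(self, user, dataset, action, granted):
        self.entries.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user, "dataset": dataset, "action": action, "granted": granted,
        })

def check_access(user, dataset, action, log):
    """Decide on a request and log the outcome. Every decision is tied to a named
    individual account (no shared accounts); denied attempts are logged too,
    since they are often the first sign of a misconfiguration or of misuse."""
    granted = action in ACCESS_RIGHTS.get(user, {}).get(dataset, set())
    log.record(user, dataset, action, granted)
    return granted

def who_accessed(log, dataset):
    """The traceability question: which users actually accessed this dataset?"""
    return sorted({e["user"] for e in log.entries if e["dataset"] == dataset and e["granted"]})

def denied_attempts(log):
    """Rejected requests, the list worth reviewing regularly."""
    return [e for e in log.entries if not e["granted"]]

if __name__ == "__main__":
    log = AccessLog()
    check_access("alice", "hr_records", "read", log)
    check_access("bob", "hr_records", "read", log)
    check_access("carol", "customer_data", "read", log)   # unknown account
    print("accessed hr_records:", who_accessed(log, "hr_records"))
    print("denied:", denied_attempts(log))
```

Because the rights table is keyed by individual account and every decision is logged, the two questions the article raises (who has access to which data, and how it was processed) can be answered from `ACCESS_RIGHTS` and the log respectively.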
Security during the data life cycle
Data security must be guaranteed throughout the entire life cycle. This starts with data collection and continues until final deletion.
When data is collected, it must be possible to ensure that it is recorded by an authorised person and logged accordingly. The data must then be appropriately encrypted so that it cannot be misused or altered; the choice of encryption algorithm and key length should be proportionate to the sensitivity of the data. If external storage media are used to transfer information between employees or to third parties, such data carriers must also meet a certain level of security, for example through additional encryption and regular checks. Parallel employee training that explains the risks of external data carriers can support these precautions. For data destruction, a suitable deletion strategy should be defined to ensure complete destruction; specialised software can help guarantee this. Data stored on paper should be destroyed using a document shredder.
Conclusion
In order to ensure adequate data protection, all relevant factors must be taken into account, including the overall environment of a specific project and the sensitivity of the data concerned. These points must then be addressed at an early stage of the project's development.
If you have any further questions about data protection, technical and organisational measures or their specific implementation in your company, we will be happy to advise you personally. Please do not hesitate to contact us.
Sources:
- FDPIC guidelines on technical and organisational data protection measures (TOM) dated 15 January 2024.
- Data Protection Act (DSG, SR 235.1).
- Data Protection Ordinance (DPO, SR 235.11).