Monday, 29 August 2011

Swiss Data Protection and Online Applications

Update:18/9/2011 Major Revision

If you are developing online applications in Switzerland which process personal information, what does Swiss Data Protection Legislation require you do to?

This post looks at the major technical items and some of the implications that it may have for your online development project. There are two main items:
  • Federal Act on Data Protection
  • Ordinance to the Federal Act on Data Protection (OFADP)

Federal Act on Data Protection
The main piece of legislation is the "Federal Act  on Data Protection".  There are 39 articles divided into 8 sections. This blog reviews some of these articles and what it may mean for your development. It is not comprehensive but just a guide. It does not consider the later sections such as those dealing with processing by Federal Bodies

Art. 3 Definitions

Implications: Use the definitions section to decide if the legislation applies to your application and whether you are processing personal or sensitive personal information

Art. 4 Principles

Implications: The development should have a privacy statement or similar, which describes how personal data is used.

Art. 5 Correctness of the data
Implications: The application should somehow allow users view and update their personal information. This can be done either directly (by the user) or indirectly (e.g by an administrator).

Art. 6 Cross-border disclosure
Implications: You need to be careful about transferring personal data outside of Switzerland. In particular be wary of development teams and test teams who are based outside the country. "Test data" that they are using might still be real personal data.

Art. 7 Data Security
Implications: This is the main artcile on security. It states that: "Personal data must be protected against unauthorised processing through adequate technical and organisational measures". This is where good security practices such as the OWASP Top 10 come into play

Art. 8 Right to information
Implications: The application will need to allow persons to view their information.Typically the user be able to logon and view their information. The other main method is that the user can request to see their information from the data controller. The controller must then be able to retrieve the information from the application and make it available to the user.

Art. 10a Data processing by third parties
Implications: You may outsource processing to a third party. However the third party must have adequate levels of security in place.

Art. 11a Register of data files
Implications: Under certain circumstances you may need to register with the commissioner. For example, if you process sensitive personal information.

Ordinance to the Federal Act on Data Protection (OFADP)
The OFADP is the second major element of Data Protection legislation. From a security perspective there are two significant articles: 8 and 9.

Art. 8 General measures
Implications: Article 8 (general measures) states that people who process personal information:
  • shall ensure the confidentiality, availability and the integrity of the data in order to ensure an appropriate level of data protection
The security measures that you take depend on a number of items, including the purpose and extent of processing, current state of the art and "an assessment of the possible risks to the data subjects". So some sort of risk analysis should be undertaken.

Art. 9 Special measures
Implications There are 8 (a-h) special measures.These talk about typical security controls such as security during transmission and storage, authentication, access control, etc. Of particular interest is clause h which states:
  • input control: in automated systems, it must be possible to carry out a retrospective examination of what personal data was entered at what time and by which person.
Therefore, Clause h implies that your application must have a proper audit trail.

So if you are implementing a system which processes personal information, then it is worth while reading down through the information in the following links.

Useful Links:
Note: These are English links. As each link says - "English is not an official language of the Swiss Confederation. This translation is provided for information purposes only and has no legal force."  However you can find links to all four official languages on the top of the HTML pages. This way nobody is offended - or everybody is offended equally.

Social: DiggIt! Reddit Stumble Google Bookmarks Technorati Slashdot

No comments:

Post a Comment