If you are developing online applications in Switzerland which process personal information, what does Swiss Data Protection Legislation require you to do?
This post looks at the major technical items and some of the implications that it may have for your online development project. There are two main items:
- Federal Act on Data Protection
- Ordinance to the Federal Act on Data Protection (OFADP)
Federal Act on Data Protection
The main piece of legislation is the "Federal Act on Data Protection". There are 39 articles divided into 8 sections. This blog reviews some of these articles and what they may mean for your development. It is not comprehensive, just a guide. It does not consider the later sections, such as those dealing with processing by Federal Bodies.
Art. 3 Definitions
Implications: Use the definitions section to decide if the legislation applies to your application and whether you are processing personal or sensitive personal information.
Art. 4 Principles
Implications: The development should have a privacy statement or similar, which describes how personal data is used.
Art. 5 Correctness of the data
Implications: The application should allow users to view and update their personal information. This can be done either directly (by the user) or indirectly (e.g. by an administrator).
Art. 6 Cross-border disclosure
Implications: You need to be careful about transferring personal data outside of Switzerland. In particular, be wary of development teams and test teams who are based outside the country. The "test data" they are using might still be real personal data.
Art. 7 Data Security
Implications: This is the main article on security. It states that: "Personal data must be protected against unauthorised processing through adequate technical and organisational measures". This is where good security practices such as the OWASP Top 10 come into play.
Art. 8 Right to information
Implications: The application will need to allow persons to view their information. Typically the user will be able to log on and view their information. The other main method is that the user requests their information from the data controller. The controller must then be able to retrieve the information from the application and make it available to the user.
Art. 10a Data processing by third parties
Implications: You may outsource processing to a third party. However, the third party must have adequate levels of security in place.
Art. 11a Register of data files
Implications: Under certain circumstances you may need to register with the commissioner. For example, if you process sensitive personal information.
Ordinance to the Federal Act on Data Protection (OFADP)
The OFADP is the second major element of Data Protection legislation. From a security perspective there are two significant articles: 8 and 9.
Art. 8 General measures
Implications: Article 8 (general measures) states that people who process personal information:
- shall ensure the confidentiality, availability and the integrity of the data in order to ensure an appropriate level of data protection
Art. 9 Special measures
Implications: There are 8 (a-h) special measures. These cover typical security controls such as security during transmission and storage, authentication, access control, etc. Of particular interest is clause h, which states:
- input control: in automated systems, it must be possible to carry out a retrospective examination of what personal data was entered at what time and by which person.
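Clause h is, in practice, a requirement for an audit trail on every write of personal data: what was entered, when, and by which authenticated person. The following is an added example (not code from the original post or from any Swiss authority) of how a small application might satisfy it, while also giving the data subject the read access discussed under Art. 5 and Art. 8 above and protecting the integrity of the log itself (OFADP Art. 8). Every write goes through one method that appends a hash-chained entry, so a later edit to the log is detectable. All names, subject ids and values are constructed for the example.

```python
"""Tamper-evident audit trail for personal-data writes (constructed example)."""
import hashlib
import json
from dataclasses import dataclass, replace
from datetime import datetime, timezone
from typing import Callable, Optional

GENESIS_HASH = "0" * 64  # prev_hash of the very first entry


@dataclass(frozen=True)
class AuditEntry:
    seq: int                  # position in the log, starting at 0
    timestamp: str            # ISO 8601 in UTC: "at what time"
    actor: str                # authenticated user or admin: "by which person"
    subject_id: str           # the data subject whose record was changed
    field_name: str           # which personal-data attribute: "what personal data"
    old_value: Optional[str]
    new_value: Optional[str]
    prev_hash: str            # hash of the previous entry (chain link)
    entry_hash: str           # SHA-256 over this entry's content plus prev_hash


def _digest(seq, timestamp, actor, subject_id, field_name, old, new, prev_hash) -> str:
    """Canonical JSON serialisation so the hash is reproducible on verification."""
    payload = json.dumps([seq, timestamp, actor, subject_id, field_name, old, new, prev_hash],
                         separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class PersonalDataStore:
    """In-memory store whose only write path appends to an audit log."""

    def __init__(self, clock: Optional[Callable[[], datetime]] = None):
        self._records: dict[str, dict[str, str]] = {}
        self._audit: list[AuditEntry] = []
        self._clock = clock or (lambda: datetime.now(timezone.utc))

    def set_field(self, actor: str, subject_id: str, field_name: str, value: str) -> AuditEntry:
        """Update one attribute of a subject's record and log who/what/when."""
        record = self._records.setdefault(subject_id, {})
        old = record.get(field_name)
        record[field_name] = value
        prev_hash = self._audit[-1].entry_hash if self._audit else GENESIS_HASH
        seq, ts = len(self._audit), self._clock().isoformat()
        entry = AuditEntry(seq, ts, actor, subject_id, field_name, old, value, prev_hash,
                           _digest(seq, ts, actor, subject_id, field_name, old, value, prev_hash))
        self._audit.append(entry)
        return entry

    def get_record(self, subject_id: str) -> dict[str, str]:
        """Right to information (FADP Art. 8): the current record for one subject."""
        return dict(self._records.get(subject_id, {}))

    def history(self, subject_id: str) -> list[AuditEntry]:
        """Input control (OFADP Art. 9 h): retrospective view of entries for one subject."""
        return [e for e in self._audit if e.subject_id == subject_id]

    def verify_chain(self) -> bool:
        """Recompute every hash and confirm each entry links to its predecessor."""
        prev = GENESIS_HASH
        for i, e in enumerate(self._audit):
            if e.seq != i or e.prev_hash != prev:
                return False
            if _digest(e.seq, e.timestamp, e.actor, e.subject_id, e.field_name,
                       e.old_value, e.new_value, e.prev_hash) != e.entry_hash:
                return False
            prev = e.entry_hash
        return True


def _sample_store() -> PersonalDataStore:
    """Constructed scenario: a user registers, then support corrects the city."""
    fixed = datetime(2024, 5, 1, 9, 30, tzinfo=timezone.utc)  # fixed clock for reproducibility
    store = PersonalDataStore(clock=lambda: fixed)
    store.set_field("user:anna", "subject-42", "email", "anna@example.ch")
    store.set_field("user:anna", "subject-42", "city", "Bern")
    store.set_field("admin:support-7", "subject-42", "city", "Zürich")
    return store


def demo() -> tuple[dict[str, str], list[tuple[str, str, Optional[str], Optional[str]]], bool]:
    """Return the subject's record, the who/what trail for it, and the chain status."""
    store = _sample_store()
    trail = [(e.actor, e.field_name, e.old_value, e.new_value) for e in store.history("subject-42")]
    return store.get_record("subject-42"), trail, store.verify_chain()


def tamper_check() -> tuple[bool, bool]:
    """Chain status before and after someone silently rewrites an old log entry."""
    store = _sample_store()
    before = store.verify_chain()
    store._audit[1] = replace(store._audit[1], new_value="Basel")  # simulated tampering
    return before, store.verify_chain()


if __name__ == "__main__":
    record, trail, ok = demo()
    print(record)
    for actor, field_name, old, new in trail:
        print(f"{actor} set {field_name}: {old!r} -> {new!r}")
    print("chain intact:", ok, "| after tampering:", tamper_check()[1])
```

In a real deployment the log would be written to storage the application cannot rewrite (append-only table, separate log service, or WORM storage) and `actor` would come from the authenticated session rather than a parameter; the hash chain only makes tampering detectable, it does not prevent it.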
So if you are implementing a system which processes personal information, then it is worthwhile reading through the information in the following links.
Useful Links:
- Ordinance to the Federal Act on Data Protection (OFADP)
- Art. 8 General Measures
- Art 9 Special Measures