In Switzerland, the processing of personal and sensitive data is governed by the Federal Act on Data Protection (LPD) as well as by cantonal laws (the Vaud cantonal law on the protection of personal data, LPrD).
In general, to be lawful, the processing of personal data must comply with a number of principles, namely:
The law defines personal data as "all information relating to an identified or identifiable person".
Personal data may contain direct identifiers (name, date of birth, address, etc.) or indirect identifiers (which may reveal a person's identity when aggregated).
Sensitive data is personal data relating to:
A personality profile is a collection of data that makes it possible to assess the essential characteristics of a natural person's personality (art. 3, lit. d, LPD).
The collection of personal and sensitive data is only possible with the prior and informed consent of the person concerned or when such collection is explicitly provided for in a law.
These data may only be processed for the purpose indicated at the time of collection.
It should be noted that anonymous data are not considered as personal data since they do not correspond to an identified or identifiable person. However, be careful that anonymization is complete and irreversible in order to take advantage of this processing option.
Pseudonymized (coded) data is not anonymous and must therefore be treated as personal data and be accompanied by security measures.
The General Data Protection Regulation (GDPR) regulates data protection and privacy for any individual residing within the EU, as well as the communication of personal data outside the EU. In the field of research, this Regulation applies to all institutions and companies operating internationally that collect and process personal data from EU residents or send data from Swiss nationals abroad (EU).
Like the Swiss and cantonal laws on personal data, the GDPR does not apply to the processing of personal data of deceased persons or legal entities.
Article 9 of the GDPR lists a set of so-called "special categories" of data whose processing is prohibited in principle:
Nevertheless, the article then lists a series of 10 exceptions under which these types of data may be processed, one of which concerns scientific research:
The GDPR also provides that personal data may only be collected for "specified, explicit and legitimate purposes" which should in principle be defined prior to processing and brought to the attention of the data subjects (Articles 13 and 14). However, recital 33 acknowledges that it is not always possible to determine in advance the exact purpose of a processing operation carried out for scientific research purposes. In terms of research, there is therefore some scope for formulating the purposes of processing data collected in a less precise way than required by the GDPR. It may be accepted, for example, that this purpose may be broadened or clarified over the course of the research project and according to its needs.
The European legal framework for the management of personal data must be taken into account when conducting research in collaboration with European researchers or on the personal data of EU residents.
It should also be noted that the GDPR (Art. 35) provides that before any processing activity "likely to generate a high risk for the rights and freedoms of individuals", the controller must carry out a data protection impact assessment (DPIA). For more information, please refer to the CNIL website.
The current European standard embodied by the GDPR is more "protective" and demanding than that expressed in the Personal Data Protection Act of the canton of Vaud (LPrD). Article 12 of the LPrD provides that: "Where the processing of personal data requires the consent of the data subject, the latter shall not validly consent unless he freely expresses his will and after having been duly informed. In the case of sensitive data and personality profiles, his or her consent must also be explicit".
Article 4 of the GDPR defines the data subject's consent as "any free, specific, informed and unequivocal expression of will by which the data subject accepts, by a clear declaration or positive act, that personal data relating to him/her may be processed".
Consent is one of the 6 legal bases provided for by the GDPR in order to allow the processing of personal data. The other legal bases are: a contract (processing is necessary for the conclusion or execution of a contract), a legal obligation (processing is necessary for compliance with a legal obligation), a vital interest (processing is necessary for the protection of the vital interests of the individual), a public task (processing is necessary for the performance of a public interest task), a legitimate interest (processing is necessary for the purposes of the legitimate interests of the controller).
As the CNIL in France points out in its document entitled Régime juridique applicable aux traitements poursuivant une finalité de recherche scientifique: "The consent of individuals constitutes the first legal basis to be considered in application of the general principle of informational self-determination".
Consent will only constitute an appropriate legal basis if the person concerned has a real control and choice as to whether or not to accept the proposed conditions or to refuse them without prejudice. Valid consent can only be obtained before the controller starts processing the data.
Valid consent under European law therefore implies an expression of will:
In addition, the controller must keep proof of consent in the event of an inspection.
It should be noted that the processing of sensitive data must also be subject to the collection of explicit consent. Oral consent is therefore not sufficient to process sensitive personal data.
To help you understand the crucial issues of consent, FORS, the Swiss Competence Centre for Social Sciences, has developed a guide entitled: The informed consent as legal and ethical basis of research data production - January 2019.
In the context of scientific research, the collection of personal data must be accompanied by technical and organisational measures capable of ensuring the security and confidentiality of the data. These measures are the responsibility of the data controller.
The following safeguards should therefore be put in place: