Personal or sensitive data


The main principles

In general, to comply with the law, the processing of personal data must respect a number of principles, namely:

  • Good faith: the data must be processed fairly. This principle implies, in particular, that collection and processing are transparent and that the processing meets a reasonable interest.
  • Proportionality: processing must be adequate, relevant and not excessive. Only data objectively necessary for the research to achieve its intended purpose may be processed.
  • Recognizability: the collection and purpose must be recognizable by the data subject.
  • Purpose: personal data must only be processed for the purpose indicated at the time of collection.
  • Accuracy: the person processing personal data must ensure that they are correct and up to date.

(Source: Sylvain Métille, Internet et droit - Protection de la personnalité et questions pratiques, Schulthess, 2017)

Personal data according to Swiss law

In Switzerland, the processing of personal and sensitive data is subject to the Federal Data Protection Act (DPA) and cantonal laws (Cantonal Personal Data Protection Act - LPrD).

The law defines personal data as "all information relating to an identified or identifiable person".

Personal data may contain direct identifiers (name, date of birth, address, etc.) or indirect identifiers (which may reveal a person's identity when aggregated).

Sensitive data is personal data relating to:

  • religious, philosophical, political or trade union opinions or activities,
  • health, intimacy or ethnicity,
  • social assistance measures,
  • criminal and administrative proceedings or sanctions.

A personality profile is a collection of data that makes it possible to assess the essential characteristics of a natural person's personality (art. 3, lit. d, LPD).

The collection of personal and sensitive data is only possible with the prior and informed consent of the person concerned or when such collection is explicitly provided for in a law.

These data may only be processed for the purpose indicated at the time of collection.

It should be noted that anonymous data are not considered as personal data since they do not correspond to an identified or identifiable person. However, be careful that anonymization is complete and irreversible in order to take advantage of this processing option.

Pseudonymized (coded) data is not anonymous and must therefore be treated as personal data and be accompanied by security measures.

In Europe: The GDPR

The General Data Protection Regulation (GDPR) regulates data protection and privacy for any individual residing within the EU, as well as the communication of personal data outside the EU. In the field of research, this Regulation applies to all institutions and companies operating internationally that collect and process personal data from EU residents or send data from Swiss nationals abroad (to the EU).

Like the Swiss and cantonal laws on personal data, the GDPR does not apply to the processing of personal data of deceased persons or legal entities.

Article 9 of the GDPR lists a set of so-called "special categories" of data whose processing is prohibited in principle:

  • The processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning the sex life or sexual orientation of a natural person, are prohibited.

Nevertheless, the article then lists a series of 10 exceptions under which these types of data may be processed, one of which concerns scientific research:

  • the processing is necessary for archival purposes in the public interest, for scientific or historical research or for statistical purposes, in accordance with Article 89(1), on the basis of Union law or the law of a Member State which must be proportionate to the objective pursued, respect the essence of the right to data protection and provide for appropriate and specific measures to safeguard the fundamental rights and interests of the person concerned.

The GDPR also provides that personal data may only be collected for "specified, explicit and legitimate purposes" which should in principle be defined prior to processing and brought to the attention of the data subjects (Articles 13 and 14). However, recital 33 acknowledges that it is not always possible to determine in advance the exact purpose of a processing operation carried out for scientific research purposes. In terms of research, there is therefore some scope for formulating the purposes of processing data collected in a less precise way than required by the GDPR. It may be accepted, for example, that this purpose may be broadened or clarified over the course of the research project and according to its needs.

The European legal framework for the management of personal data must be taken into account when conducting research in collaboration with European researchers or on the personal data of EU residents.

It should also be noted that the GDPR (Art. 35) provides that before any processing activity "likely to generate a high risk for the rights and freedoms of individuals", the controller must carry out a data protection impact assessment (DPIA). For more information, please refer to the CNIL website.

The notion of consent

The current European standard embodied by the GDPR is more "protective" and demanding than that expressed in the Personal Data Protection Act of the canton of Vaud (LPrD). Article 12 of the LPrD provides that: "Where the processing of personal data requires the consent of the data subject, the latter shall not validly consent unless he freely expresses his will and after having been duly informed. In the case of sensitive data and personality profiles, his or her consent must also be explicit".

Article 4 of the GDPR defines the data subject's consent as "any free, specific, informed and unequivocal expression of will by which the data subject accepts, by a clear declaration or positive act, that personal data relating to him/her may be processed".

Consent is one of the 6 legal bases provided for by the GDPR in order to allow the processing of personal data. The other legal bases are: a contract (processing is necessary for the conclusion or execution of a contract), a legal obligation (processing is necessary for compliance with a legal obligation), a vital interest (processing is necessary for the protection of the vital interests of the individual), a public task (processing is necessary for the performance of a public interest task), a legitimate interest (processing is necessary for the purposes of the legitimate interests of the controller).

As the CNIL in France points out in its document entitled Régime juridique applicable aux traitements poursuivant une finalité de recherche scientifique: "The consent of individuals constitutes the first legal basis to be considered in application of the general principle of informational self-determination".

Consent will only constitute an appropriate legal basis if the person concerned has a real control and choice as to whether or not to accept the proposed conditions or to refuse them without prejudice. Valid consent can only be obtained before the controller starts processing the data.

Valid consent under European law therefore implies an expression of will that is:

  • Free: the person must not feel compelled to consent and his or her consent must not be conditional on the granting of an advantage.
  • Specific: consent must be obtained for each purpose and not for a set of purposes. This implies that if the controller wishes to process the data for another purpose, he must seek additional consent.
  • Informed: informed consent is closely linked to the principles of transparency and fairness of the processing. This involves knowing the identity of the controller, the purposes of the processing operation and the legal bases, etc.
  • Unambiguous: consent must be given by a clear positive act. The silence or inactivity of the data subject, as well as the mere fact that he or she continues to use a service, cannot be considered as an active indication of choice.

In addition, the controller must keep proof of consent in the event of an inspection.

It should be noted that the processing of sensitive data must also be subject to the collection of explicit consent. Oral consent is therefore not sufficient to process sensitive personal data.
Source: www.village-justice.com

Guide for the Social Sciences

To help you understand the crucial issues of consent, FORS, the Swiss Competence Centre for Social Sciences, has developed a guide entitled: The informed consent as legal and ethical basis of research data production - January 2019.

Appropriate safeguards to be put in place

In the context of scientific research, the collection of personal data must be accompanied by technical and organisational measures capable of ensuring the security and confidentiality of the data. These measures are the responsibility of the data controller.

The following safeguards should therefore be put in place:

  • the principle of relevance and minimisation of the data processed must be respected;
  • the data must be anonymised or pseudonymised;
  • a secure and controlled access logic must be developed;
  • lastly, it is highly likely that, in most cases, the processing operations carried out in this framework will require a data protection impact assessment (DPIA) to be carried out pursuant to Article 35 of the GDPR. The DPIA must be distinguished from the data management plan.

Source: CNIL - Régime juridique applicable aux traitements poursuivant une finalité de recherche scientifique (Legal regime applicable to processing operations for scientific research purposes).

[Figure: Sensitive personal data]

General consent for research

Find information from the CHUV on consent related to medical data.