DISCLOSURE OF PERSONAL DATA
3.2
Disclosure for an individual-specific purpose
Personal data can be not only processed, but also disclosed.
Preconditions
A disclosure of personal data exists when the data of a third party (a natural or legal person) are made accessible or disclosed to a different public body than the one which had hitherto been processing the information in order to fulfill its statutory task. This disclosure may be made for a purpose that either relates to the specific person (individual-specific disclosure) or does not (non-individual-specific disclosure).
For disclosure of personal data for an individual-specific purpose, § 21 of the applicable Basel-Stadt Information and Data Protection Act (IDG) requires a legal basis to be present. As with processing of personal data, this legal basis can take different forms: it may be either a so-called direct or an indirect legal basis.
In the case of a direct legal basis, a statutory provision allows even personal data to be disclosed, or even requires that it be disclosed (§ 21 para. 1 (a) and 2 (a) IDG). For example, § 139 of the Basel-Stadt Tax Act explicitly allows the tax authority to provide administrative assistance to other tax authorities.
In the case of an indirect legal basis, legislation or a regulation specifies a duty that can only be fulfilled by the responsible public body if it discloses the personal data to another public body or to third parties, or receives them from another public body or private individual (§ 21, para. 1 (b) and 2 (b) IDG). This kind of duty can look, for example, like this:
§ 140 paragraph 4 (f) of the Basel-Stadt Schools Act tasks the Child and Youth Health Services Office with helping to combat infectious diseases in children. The Act itself does not say which personal data may be disclosed to teachers for this purpose; it only specifies the task. The Office itself has to decide which data are necessary for combating disease in each specific case – for example, this could also be data on the siblings of sick children, or even on the children who are in the same class as the sick children or have been playing with them.
As with processing of “general” personal data, disclosure of “general”, simple personal data only requires a (direct or indirect) legal basis in the form of legislation in the material sense (§ 21 para. 1 IDG).
By contrast, for disclosure of “specific” personal data, again as with processing of “specific personal data”, the IDG requires a basis in legislation in the formal sense (§ 21 para. 2 IDG). This basis can likewise allow data to be disclosed directly or indirectly. Legislation in the formal sense must thus authorize or require the data disclosure. In the case of an indirect legal basis, the legislation must clearly describe the duty for which the fulfillment of processing of specific personal data is deemed essential. As shown by the example mentioned of the Child and Youth Health Services Office: the only personal details on the sick children and their siblings which may be disclosed are those which are essential to achieving the purpose – that of combating infectious diseases.
The same rules as for disclosure of specific personal data also apply to disclosure of results of “profiling.” This means any automated evaluation of information aimed at analyzing key personal characteristics of an individual or predicting developments, for example with regard to work performance or health.
As an alternative to a legal basis, disclosure can also be justified if the data subject has given their express consent to this (§ 21 paras. 1 (c) and 2 (b) IDG). However, this does not mean that a public body can always use consent as an alternative just because a legal basis may be lacking: the legislation actually allows disclosure with consent only on a case-by-case basis and only where the data subject has explicitly agreed to this. Presumed consent may also be allowed, namely in cases where the data subject is not capable of giving their consent. For example, this would be the case if a patient is in a coma and therefore cannot give their consent for the hospital treating them to request their X-rays from a hospital where they have been treated before. However, the disclosure of their patient data must be in their interests and the hospital must believe in good faith that consent would have been given. It must not simply be assumed prematurely.
Where can we find the required legal basis?
As in the case of processing of personal data, for disclosures generally speaking this legal basis will be found in the corresponding sectoral legislation of the disclosing or recipient public body. When, for example, there is a need for the tax authorities to disclose personal data to the social welfare office, the authorization or obligation to do so will be set out in the Tax Act or Social Welfare Act. Thus, for example, § 141 of the Tax Act regulates the approach for providing administrative assistance to other authorities. On the other hand, based on § 28 para. 3 of the Social Welfare Act, the social welfare office is entitled to obtain personal data which it needs to fulfill its legal mandate from other public bodies, for example the tax authority, or private individuals.