Although consent does not suffice as a justification for a public institution to process data, it nonetheless plays a role in some cases.
Whenever we, as a public institution, plan to process personal data, we need a legal basis for doing so. Consent from the affected individual does not suffice, nor does it replace the legal basis. However, in certain circumstances, consent is still significant.
- First, a release of data can be justified with consent. This is stipulated in § 21 IDG. If a public institution possesses certain personal data legally, it can disclose this data as long as there is either a further legal basis for doing so or the affected individual has given explicit consent to the individual instance of data sharing.
- Second, consent can play a role when weighing private interests.
- Third, consent can be part of the required legal basis, namely as a prerequisite. This is the case primarily in two fields: medical treatment and research. For medical treatment, the Health Act does specify the fundamental task of treating patients, but simultaneously ties this treatment to their consent. A person may only receive medical treatment without consent in exceptional cases. We will examine the second area, research, more closely below.
Consent in research
Similar to medical treatment, it is also the case for research that the laws permit universities, universities of applied sciences and other institutions to conduct research. Whether my data can be used for research is something I get to decide for myself. In other words, my consent is required. This is set forth in the Human Research Act. The Human Research Act permits the further use of health data for research purposes without the consent of the affected individual only under very limited circumstances: namely, when they are anonymized or, in some cases, pseudonymized. Only then can the consent be revoked via an opt-out option. This means that, if the affected person has not expressly opted out, their (non-genetic) health data may be used in anonymized or pseudonymized form to conduct research.
Even when it comes to questionnaires and surveys, the data can only be collected and processed with the consent of the person being surveyed. Consent in this context means informed consent. This means voluntary consent (to a particular instance of data processing) after receiving sufficient prior information. For such informed consent, the person must be informed about the purpose and risks of the research. They must be informed of what will be done with their data, in what form the data will be processed, and whether it will be anonymized or pseudonymized.
Thus, without consent it is only permissible to conduct research with personal data if there is a legal basis for the use of the data. This is permitted under two conditions, which are outlined in § 10 and 22 IDG. We will now examine them in closer detail. The first such condition is further processing, and the other is the publication of personal data.
§ 10 IDG
The further processing of personal data held by a public institution for the fulfillment of its legal task for a different purpose is regulated in § 10 IDG. Examples of this include statistics, planning and research. But this requires us to take some additional requirements into consideration:
- First, this data may no longer be used or shared for an individual-related purpose.
- Second, this data must be anonymized or pseudonymized as soon as the processing purpose permits.
- Third, the results of this data processing may only be published in a form that makes it impossible to trace the data back to the affected individual.
The Change of purpose is especially important here, as the data was initially collected and processed for an individual-related purpose in order to fulfill the legal task. For a secondary use as laid out in § 10 IDG, however, it can only be used for a non-individual-related purpose. Conversely, however, permission to change the purpose means that the use of data for non-individual-related purposes is included in the use for individual-related purposes. This means that if a public institution is permitted to process personal data for an individual-related purpose, then it may also further process the same data for non-individual-related purposes such as statistics, research or planning without further consent.
The social welfare office, for example, may process someone’s data in order to find out whether that person is in need and to provide them with any necessary social welfare assistance. This is clearly an individual-related purpose: it has to do with the individual and decisions that affect the individual. If this data is then re-used for research purposes, the purpose is no longer individual-related. Instead, it may be a matter of determining, for example, what factors influence people’s needs in general.
§ 22 IDG
The § 22 IDG relates to the publication of personal data, as above, for a non-individual-related purpose. This relates to data that a public institution passes on to third parties for further use. For example, the social welfare office is allowed to share data with researchers who are working on a sociological research project. Here too, certain conditions must be met that are similar to those required for further use of the data by the public institution itself:
- First, there must be no special confidentiality provisions preventing the disclosure of the data. This means that we first have to check where the data is subject to any special governmental or professional secrecy that prohibits its disclosure. We can only release the data to researchers if this is not the case.
- Second, this data must be anonymized or pseudonymized as soon as permitted by the purpose for data processing.
- Third, the data/analysis may only be published in a form that makes it impossible to trace the data back to the affected individual.
These requirements apply to the disclosure of personal data for a non-individual-related purpose to other public institutions in the Canton, in other cantons, or to federal institutions. Additional requirements apply to the release of data to private parties. In such cases, we must oblige these private recipients to:
- first, not process the personal data for other purposes,
- second, not share the personal data with third parties,
- and, third, ensure information security.
These requirements are only needed for release of data to private parties and not to public institutions because the public institutions are already obliged to these requirements.
Anonymization and pseudonymization
Anonymization occurs when the personal reference has been irreversibly removed so that re-identification is no longer possible without disproportionate effort. Simply removing clearly identifying information such as names, birth dates and addresses is generally not sufficient to achieve anonymization. Pseudonymized data, on the other hand, involves retaining the individual reference but replacing it with a key (e.g. a code or ID). Pseudonymized data continues to be considered personal data as long as it remains possible to reverse the anonymization at a later time. If the re-identification key still exists, the pseudonymized data is considered personal data for everyone who has access to the key.
As we have seen, it is important in both cases to anonymize or pseudonymize data as soon as the processing purpose allows. But what does that mean in concrete terms? When does a purpose allow for anonymization or pseudonymization of data? Most of the time, it can be done quite early on. In some circumstances, it can even be the case that a public institution already has to anonymize or pseudonymize data if it doesn’t need the data for an individual-related purpose. It is trickier when the data comes from different sources and one has to be able to match them to each other. Then anonymization is impossible, and pseudonymization is only possible if it is kept the same for every instance of data sharing. In such cases, we have to carefully consider when the purpose allows for the data to be anonymized or pseudonymized (see also the principle of proportionality).
Let’s finish by summing up the key points on consent:
- Consent alone does not provide sufficient justification for a public institution to collect and process data. It can justify the disclosure of data, however, as provided for in § 21 IDG.
- In some cases, special laws require consent in addition to a legal basis. This applies, for example, to health professionals, who have the legal task of treating patients, but who nonetheless require the individual and explicit consent of the relevant individual for each specific instance of treatment.
- The IDG permits further use or release of personal data without consent under certain circumstances, as long as there are no confidentiality provisions. The new purpose must be non-individual-related, the data must be anonymized or pseudonymized as soon as the purpose allows it, and analyses can only be published in a form that makes it impossible to identify the individuals involved.
University of Basel