Principle 1: Legal basis
The first principle is related to the legal validity of the data processing. What legal basis is required if we want to process data?
The quiz in the previous step would obviously have taken data collection too far. But how can we know what kinds of data processing are possible and permissible? As a governmental institution, we must act on a legal basis. That is the constitutional principle of legality. This principle also applies to data processing. Unlike private institutions, public institutions are not permitted to process data simply because they can show an overriding interest in doing so. With regard to data processing, this principle is laid down in § 9 IDG:
Section 9 Prerequisites for the Processing of Personal Data
A public institution may process personal data if/when
a) there is a legal basis for doing so or
b) it is necessary to fulfill a legal task.
Sensitive personal data may be processed if/when
a) a law explicitly permits or requires it or
b) it is absolutely necessary to fulfill a task clearly defined by law.
The processing of personal data must be carried out in good faith and must be proportionate.
This legal basis may appear in two forms: as a direct legal basis or as an indirect legal basis. What do each of these mean?
Direct and indirect legal basis
We speak of a direct legal basis if the data processing is explicitly regulated in a law. On the other hand, we speak of an indirect legal basis if laws or ordinances only describe a task that requires personal data to be processed in order to fulfill it, but do not contain any direct guidelines on how to process the data. This is also a legal basis, but it does not directly regulate the data processing; rather, it affects it only indirectly.
However, these two bases are not simply interchangeable. An indirect legal basis does not always suffice. It depends on what kind of personal data is being processed. There is yet another distinction in § 9 IDG, namely that between regular personal data and special personal data.
Regular and special personal data
There has to be a legal basis for processing regular personal data. This basis can be a law or an ordinance. However, in order to process special personal data, § 9 Para. 2 requires a law; that is, a basis in a law in the formal sense. An ordinance, which is typically issued by the Executive Council of a canton, does not suffice in this case. Instead, the processing requires as its basis a law passed by the parliament, which in certain cases may even have been subjected to a referendum. Let’s take a look now at the requirements for legal bases in two examples.
Example 1: Collecting data on religious affiliation
In our first example, let’s examine the question of whether or not the residents’ registration office is permitted to collect religious affiliation data from persons registering in the canton. As we have learned, this requires a valid legal basis. But because religious affiliation is considered special personal data, it requires a direct legal basis; that is, a law in the formal sense. We refer here to § 9, Para. 2. Such a legal basis for the collection of data by the residents’ registration office can be found in the sectoral laws governing resident registration, namely in the Canton of Basel-Stadt’s Settlement and Residence Act (NAG). However, § 10 IDG does not directly specify whether and how the residents’ registration office may collect religious affiliation data. Instead, it refers to Art. 6 and 7 of the Federal Act on the Harmonization of the Register of Residents and of other Official Registers of Persons, the so-called Register Harmonization Act (RHA).
So the Settlement and Residence Act does not itself specify what data the residents’ registration office is permitted to collect, but instead refers us to a federal law. And that is where we finally find our answer: this federal law describes the minimum required contents of the resident register and stipulates that affiliation with a religious community that is recognized under public law or otherwise recognized by the canton is to be recorded therein. Thus, we have what is required by § 9 Para. 2: namely, a legal basis in a law in the formal sense; in this case, a basis for recording religious affiliation in the resident register. Please note, however: the Register Harmonization Act only speaks of religious communities that are recognized under public law or otherwise recognized by the canton. Therefore, it would also have to be checked which religious communities the canton has recognized in its constitution or via an order of the Executive Council.
What does this example demonstrate? When there is a direct legal basis, it is relatively easy to determine what a public institution is allowed to do: whatever there is a legal basis for. It is somewhat more difficult in the case of an indirect legal basis because it is not the data processing itself that is regulated in the law or ordinance, but only the task. In such cases, it must be determined which data processing operations are truly necessary to fulfil this legal task.
Example 2: School law and combating infectious diseases among children
The coronavirus pandemic has brought the practice of contact tracing into the public eye. However, Child and Youth Health Services already has many years of experience with contact tracing, since working together with other offices to combat infectious diseases is one of its duties. This requires it to collect health data, which counts as special personal data (§ 3 Para. 4 IDG). In order to process this special personal data, a basis in a law in the formal sense is required. For this, we can refer to § 140 Para. 4 Letter f of the School Law, in which this task of combating infectious diseases among children is described.
Unlike cases of direct legal basis, however, we still don’t have a clear answer as to what exactly the public health office is permitted to do to accomplish this task. Since there are no guidelines in this indirect legal basis of the School Law, we turn now to § 9 Para. 2 Letter b IDG: according to this, the public health office is permitted to process personal data only insofar as is absolutely necessary to accomplish this legal task. With this, the IDG refers to a second principle, namely the principle of proportionality, which we will examine below.
University of Basel