RIGHTS OF DATA SUBJECTS

4.2

Individuals’ right to information about and access to their own data

Individuals about whom data are being processed must not only be actively informed of this by the public body; they can also request information on and access to the data themselves.

When a public body collects data about an individual, it has an obligation to inform this person. Conversely, however, the data subjects also have a right to information about and access to their own personal data. The rules in this regard are set out in § 26 of the Information and Data Protection Act (IDG). According to this, data subjects have the option to find out whether and what data about them a public body is processing.

The right to information and access of the data subject must be differentiated from the general right of access to information (§ 25 IDG) under the principle of public access to official records. The aim of this principle is to bring transparency to administrative procedures/the actions of public bodies. Essentially, it is about making the actions of the public bodies transparent and verifiable. The general right of access to information is for everyone; it is also spoken of as a universal right (“Jedermanns-Anspruch”).

Conversely, a person’s right to information about and access to their own personal data under § 26 IDG only applies to that person. As a product of the basic right to informational self-determination, the individual has the right to know what data about them are being processed, and the right to access these data.
The law does not attach other conditions to the right of the individual to access their own personal data. In particular, the person requesting the information does not have to give a reason why they are asking for it. Neither is the request for information tied to a specific form; information can be requested in writing or verbally. In addition, the public body may not charge a fee for providing the information, even if a complex process is required for this.

To ensure that the public body even knows where to look for data on the person making the request, the person should specify as precisely as possible which data they are seeking or suspect the public body of holding. The law states that the requested information “should be identified with sufficient precision” (§ 31 IDG).

For example: if a cantonal agency with six subdivisions which each have different statutory tasks to perform has filed paper forms from the last ten years chronologically in file folders, the search for data concerning a requesting party will be a difficult one. The search will proceed more quickly and reliably if the requester shares the information that they had contacted a specific department about a specific matter four years previously. The search will be easier still if there are electronic systems which can be searched by name.

As an individual’s right to access their own personal data is only open to the data subject themselves, the public body will first need to confirm the requester’s identity. To do this it is permitted to request identification (passport, ID card, driver’s license) if the person’s identity is not established beyond doubt. In this event, the public body is permitted to keep the copy of the identity document on file as well, to allow it to defend itself should it be subsequently accused of releasing the data to an unauthorized third party.

After the successful identity check, the public body will give the requester the information on whether it holds data concerning them or not. If yes, the data subject is entitled to access these data. However, before granting access the public body must check whether the access needs to be restricted, refused or deferred under § 29 IDG.

In what cases can access to an individual’s own personal data be refused?

First, a legal confidentiality obligation could prohibit disclosure (§ 29 para. 1 IDG), although there is currently no known legal secrecy obligation that would from the outset prohibit a body from disclosing to the data subject what data concerning them are being processed.

Second, it is conceivable that disclosure might need to be refused or deferred for overriding public interest reasons (§ 29 para. 2 IDG). Under some circumstances a regulatory body may need to withhold information temporarily to ensure that its investigation is not obstructed.

Third, the requester is only entitled to access data about themselves. In the case of documents containing information on more than one person, the data of the other individuals must be excluded before disclosure takes place, for example by redaction.
Data on a specific person may, however, also have a connection to other people. For example, if Helen Müller says something about Peter Huber, then the data refer to both Peter Huber and Helen Müller. What did she say? In what form? For what reason? If Peter Huber now wants to access his personal data, we need to weigh up whether the source of the information (Helen Müller) can also be named or whether private (confidentiality) interests of Helen Müller override Peter Huber’s access interests (§ 29 para. 3 IDG), for example because he is known to go after and threaten informants at a later time.

If at least one of these three reasons for restriction is present, the public body must refuse, restrict or defer access to all or part of the information.

If there is no argument against releasing the information to the person requesting it, the public body will grant access without further ado. If it does not do this, it must give reasons for its partial or full refusal to grant access and make the requester aware that they can request a ruling on the refusal, which can then be appealed in court.

Access may be granted in two ways: by the public body handing over the information to the data subject in writing in the form of copies or on a data medium, or – but only with their consent – communicating the information to the data subject verbally or allowing them to view it in situ.