FDPIC published the latest guidelines on Technical and Organisational Data Protection Measures (TOM)
The “Guide to Technical and Organisational Data Protection Measures (TOM)” is a comprehensive document published on January 23, 2024, by the FDPIC. The guide is based on the Federal Act on Data Protection (FADP) and its related Ordinance, which define the essential rules to be observed when processing data of private persons with effects in Switzerland, even if the processing originates abroad.
The guide provides an introduction to the risks and solutions associated with data protection in today’s information systems and presents the main themes of data protection from the point of view of possible technical and organizational measures, such as encryption, anonymization, authentication, etc. The guide proposes measures to be taken to protect the content of personal data and provides links to Swiss and international standards for further information.
The data controller is responsible for implementing technical and organizational measures to reduce the risks associated with an information system. The guide is primarily intended for people in charge of information systems, whether in private or federal bodies.
The guide presents some measures to be considered, such as clearly stating the legal basis and reason for any processing of personal data, indicating the personal data affected by the exceptions to the various rights of data subjects, and setting up procedures similar to those recommended in the section on Rights and duties.
The guide is divided into several sections, including an introduction, definitions, general principles, Data Protection Act, technical and organizational measures, access and processing, life cycle of data, and final considerations. Each section provides detailed information on the topic and includes recommendations and tools to ensure an appropriate standard of data protection.
The technical and organizational measures section is particularly important, as it provides guidance on protecting personal data from unauthorized access, use, disclosure, alteration, or destruction. The section covers topics such as physical security, network security, access control, incident management, and data backup and recovery.
The access and processing section provides guidance on ensuring that personal data is processed in accordance with the data protection principles. The section covers topics such as access control, data accuracy, data retention, and data sharing.
The life cycle of data section provides guidance on how to ensure that personal data remains accurate and reliable throughout its entire life cycle, from the moment it is entered into the system until it is destroyed, anonymized, or archived. The section covers topics such as data processing, data storage, and data destruction.
The final considerations section provides some additional recommendations and tools to ensure an appropriate standard of data protection. The section emphasizes the importance of taking into account the overall context of a project, its sensitivity, the amount of data required, etc.
In conclusion, the “Guide to Technical and Organisational Data Protection Measures (TOM)” is a comprehensive document that provides guidance on how to protect personal data from unauthorized access, use, disclosure, alteration, or destruction. The guide is based on the FADP and its related Ordinance, which define the essential rules to be observed when processing data of private persons with effects in Switzerland, even if the processing originates abroad. It is primarily intended for people in charge of information systems, whether in private or federal bodies, and provides detailed information on the topic together with recommendations and tools to ensure an appropriate standard of data protection.