Probed
Swissmedic implements new legislation
High priority accorded to data protection and information security
Swissmedic is aware of its responsibility for the information entrusted to it. Trustworthy data protection and robust information security are therefore vital for Swissmedic as an agile and data-focused authority. How has Swissmedic implemented projects relating to the new data protection and information security legislation?
The fully revised Data Protection Act (FADP) came into force on 1 September 2023. It is intended to improve data protection, increase the transparency of data capture and processing, and strengthen citizens’ right to self-determination with respect to information. “It takes account of the changes and developments that have happened in technology and society and addresses the challenges that are arising as a result of the greater use of digital solutions,” says Helga Horisberger, Head of the Legal Affairs Sector and member of the Management Board at Swissmedic. “We took a legally compliant approach that was as pragmatic as possible in order to implement the new regulations,” she explains. “As a federal authority, Swissmedic is subject to stricter requirements than private companies, for example, and that makes everything much more complex.”
Efforts to raise awareness among all employees are just as important as the technical implementation to ensure that only data that are really necessary are captured and saved – as much as necessary, as little as possible. As the expert says, “The greatest danger for data protection is not digitalisation but the individual. Individual behaviour and decisions can minimise risks associated with data protection legislation – but they can also potentiate these risks.”
Transparency and control
In the process of implementing the amendments, Swissmedic reviewed and sharpened the focus of its own data protection practices. A data protection policy and a data protection concept were developed. These guiding documents clarify organisational and technical aspects and describe processes and procedures. They also address the rights and obligations of all internal and external employees in all areas in which personal data are handled. Swissmedic has designated an internal office for all questions relating to data protection, and the corresponding individual is the contact for the Federal Data Protection and Information Commissioner (FDPIC). The data protection officers of the Divisions meet regularly, and employees undergo regular training.
The objective of modifying the FADP is to bring Switzerland into line with international standards and, in particular, with the European data protection legislation. This was especially important in enabling Switzerland’s data protection level to be recognised by the EU, which happened in December 2023.
A focus on privacy
Important new features include the principles of “privacy by design” and “privacy by default”; they ensure that data protection is taken into account from the outset when data processing activities are planned. The Act also introduces an obligation to perform a privacy impact assessment (PIA), particularly if the use of new technologies in the extensive processing of particularly sensitive personal data puts the privacy or fundamental rights of the affected persons at great risk. The aim here is to identify and minimise the risks for the individual’s privacy. Swissmedic must consult the FDPIC if required, for example if a new digitalisation project is being planned in which there could be a risk of personal data being captured and saved that are not necessary for completion of the immediate task at hand. In some cases processing rules have to be created which determine and standardise the personal data that are being captured, stored, protected, transferred and deleted.
Continuous expansion of information security
The primary objective of information security is to protect all relevant information within an organisation from unauthorised access, loss or unauthorised changes. “In the language used by security specialists, this means reliably achieving the security objectives of confidentiality, integrity, availability and transparency,” says Daniel Leuenberger, Head of the Infrastructure Sector and member of the Management Board. In some cases this also means very practical concerns such as avoiding damage to computers or communication systems.
The task of ensuring legal compliance with the new FADP and refining information security requires constant vigilance and modifications in order to keep pace with new and emerging threats. One current example of this issue is phishing attacks performed with the aid of artificial intelligence. The use of large language models enables cyber criminals to obtain plausible contextual information from an organisation’s media presence or annual reports with minimal effort and to generate realistic fake communications from it which are almost indistinguishable from genuine messages.
Promote awareness of responsibility – reduce risks
The Information Security Act (ISA), which creates a uniform legal framework for information security within the federal government, entered into force on 1 January 2024. It closes numerous gaps in the previous legislation and provides a basis for sustainable improvement of information security. As a decentralised federal administrative unit, Swissmedic examined the new provisions intensively before the ISA came into effect, and it proactively defined rules, processes and measures designed to guide, control, ensure and optimise information security. “As an agile and data-focused authority, trustworthiness is essential for us,” Daniel Leuenberger says. “In the new legal provisions, information security measures are considered as an entire system. This validates our efforts to refine information security continuously and systematically.”
Swissmedic has already launched several related projects in recent years. One central feature is the newly created position of Chief Information Security Officer (CISO) and the CISO office, staffed by two employees, which coordinates, implements and documents information security throughout the entire organisation. A key element here is the establishment of a fully-fledged information security management system (ISMS) based on the ISO/IEC 27001 standard which exceeds the legal requirements.
“This allows us to ensure that all measures throughout the Swissmedic system are implemented in a coordinated fashion,” explains Clemens Chizzali-Bonfadin, CISO at Swissmedic. “In the past, information security was viewed primarily as an IT concern, but now it is increasingly being understood as an all-encompassing task.” The overall system involves all Sectors. A security organisation covering all parts of Swissmedic is being established. “Responsibility for risks and their mitigation resides where their impact is felt,” says Clemens Chizzali-Bonfadin. In other words, the teams that are directly affected by a specific risk are assigned responsibility for dealing with it because they are best placed to comprehend the impact of this risk and to take measures to reduce it. It also means that the people responsible for applications or business processes produce the security documentation concerning objects of protection themselves, with assistance from the CISO office.
The current project to roll out the ISMS at Swissmedic was completed in June 2023. Continuous improvements and adaptations to current framework conditions are being undertaken while the system is in operation. The ISMS includes the compilation of an inventory of all objects of protection, such as various applications, regular risk analyses and reviews of security documentation, and programmed training for employees. A specialised application was introduced in March 2024 to support, standardise and automate the processes and documents in the ISMS.