A proactive, legally compliant data protection policy is essential for the reputation of a company. The Bern-based Medicosearch, which specializes in e-health, is convinced of this.
In the autumn of 2020, Parliament adopted a new Federal Act on Data Protection (nFADP), which will come into effect on September 1, 2023. It strengthens the rights of individuals while introducing new obligations for companies. Medicosearch, the leading Swiss platform for booking medical appointments online, is directly affected by this legislative change. The site handles and protects its users' sensitive medical data with a clear privacy policy. Rafael Imboden, member of the management team and head of data protection at the Bern-based company, explains the changes introduced by the nFADP and how Medicosearch is preparing for them.
Can you briefly describe Medicosearch's business model?
Rafael Imboden: Since the creation of the company in 2008, Medicosearch has offered a platform for booking appointments in the health sector. In other words, on medicosearch.ch, a patient can choose from several thousand healthcare professionals the one that suits him/her best and make an appointment directly online. Our customers are service providers in the medical field (doctors, therapists, dentists, pharmacists, hospitals, etc.) who want to offer this online booking service to their patients. In this respect, Switzerland differs from other European countries such as Germany or Spain, where such platforms are mainly used to acquire new customers. In our country, waiting rooms are always full and it is primarily a question of lightening the administrative burden on practices by avoiding unnecessary calls or by allowing reservations to be made in the evenings and at weekends.
How does your company handle personal data?
Imboden: Usually, when a patient books an appointment, certain information is requested. This may be fairly standard (name, address, etc.), or it may be sensitive medical data. Medical practices, hospitals and pharmacies have the option of issuing a form to be filled in when making an appointment, including, for example, information on blood group, health insurance, previous medical examinations... This is the main context in which we record and share sensitive data with care providers.
What changes with the nFADP?
Imboden: Understanding the details of the revision takes time. But at a very general level, we can say that the new law adapts to today's technological and social changes. A lot has changed since the first law was passed almost 30 years ago. The potential for use, but also for abuse, of personal data has greatly increased. With cloud computing, social networks or the Internet of Things, data protection is not necessarily guaranteed or optimal. The other main motivation for the revision is an adaptation to the European General Data Protection Regulation (GDPR). If Switzerland offered less protection than the EU, it would put Swiss companies at a competitive disadvantage.
In concrete terms, how does the new law adapt to our current times?
Imboden: To give an example, biometric and genetic data are now considered particularly sensitive. In addition, every individual must be informed of the collection of his or her data, whereas previously this duty to inform was only valid for sensitive data. The nFADP also introduces the concept of "privacy by default". For example, when downloading an application on a smartphone, location-sharing is compulsorily disabled when the application is downloaded. The customer must deliberately tick "I want to activate it" for this to happen. Thanks to the new Swiss law, consumers can be sure that the settings respect their data protection as far as possible.
Does the revision represent a big change for you?
Imboden: As we are already GDPR compliant, we should have very little to do. On the other hand, companies that have so far strictly adhered to the earlier Swiss law may have a great deal of work to do. For example, they will have to carry out a structured risk analysis upstream of a sensitive data handling process.
In addition to preventive measures, do you have a precise plan in case of a data protection breach?
Imboden: In the event of a data protection violation, the Federal Data Protection and Information Commissioner (FDPIC) and the persons concerned must be informed in a transparent manner (i.e. how it happened and which data is affected). In addition to communication, damage limitation is also important: the security breach must be resolved as quickly as possible to prevent further data theft. However, should such a scenario occur, it means that we have already failed. In general, we implement security measures that exceed what is required by law. For example, 30 days after a medical appointment we completely delete all data, thus drastically reducing the amount of potentially exposed data. We then conduct "penetration tests". We pay "benevolent" hackers to test our products and IT systems for potential flaws and report them back to us.
What would you advise a young entrepreneur who is launching a platform that processes personal data? Can he implement the new revision on his own without any prior knowledge?
Imboden: A good credo is to handle customer data as if it were your own. It is difficult to implement nFADP without being a specialist in the subject. You need legal knowledge to fully understand the content of the regulations and also to write the data protection declarations on your website. When you are not trained as an IT engineer, it is also difficult to gauge how safe your product is. I would therefore use external IT consultants to green-light the launch.