Can anyone tell me if this situation is normal for Switzerland?

I'm currently doing a course as part of a "professional reintegration" scheme. During the course, we will work on CVs, letters of motivation etc., which of course will be created on computers at the training centre.

We were told that we would all have our own folders in the computer system, and that our files would be saved there. Fair enough. To protect the computers, we cannot save the files directly to USB keys for use outside. We have to give our keys to the trainer, who will transfer the files, and then give us the keys. A bit odd, I thought.

Then we were told that all our files are public. They can be accessed by other staff members... and also by other clients of the organisation.

I found this slightly concerning. So I asked if there was a data protection policy, some kind of agreement that set out how the organisation guaranteed to protect our privacy (and our documents).

I got a blank look, then was pointed to one line in the charter about 'respecting the confidentiality of clients'.

Perhaps it's just me, but that's not really good enough. I would like some assurance that my privacy will be respected... and some assurance that after a certain period of time, my details will be destroyed! And if other clients are going to be able to access my folder, I have expected to be asked to sign some form of undertaking to respect others' privacy...

So, am I overreacting? Is this normal in Switzerland?

No, I think you have a valid point. Normally people here take the issue of data protection quite seriously. In fact the Uni can sometimes drive me mad with their data protection measures - but then again as I've said before: Switzerland has an amazing array of incredibly progressive and extremely conservative areas quite closely interlinked...

I've no idea if this is normal practice in Switzerland but I definitely share your concerns.

Make sure the USB flash drive you give them to upload your data from only contains the necessary information and nothing else.

I'd get in touch with these guys Federal Data Protection and Information Commissioner (FDPIC) for advice.

Also, see the following website - http://www.practicallaw.com/9-502-53...relatedcontent - although some of the information may now have been superseded.

Thanks...

I have now been offered the option of bringing in my laptop and working on that...

But there is no wifi (and we will need the internet), and I have to provide the trainer with my documents anyway, so I'm not sure what that will achieve. I think I will wait until we use the computers, see if there is a technician I can talk to...

She just looked so taken aback when I asked that I thought I'd stumbled upon (another) area where Switzerland is different from the UK (or where a normal business is different from a school...).

So thanks for the reassurance that I'm not totally paranoid to be concerned. Now, what to do?

(I'm not paying for this service - social services are - so I feel a bit 'delicate' about kicking up too much of a fuss...)

I bring my laptop with a USB modem and email them off straight away in there. Some offices in my city have a public terminal that I can attach my USB stick and email them off.

Once I brought in my USB stick to my city´s police station, and the officer did not mind and stuck the USB stick directly into his terminal. I guess the police have better training and protection against malicious attempts.

There are data protection laws in Switzerland. The school is only allowed to hold relevant data about you, and only the data that is necessary. After you finish the course all your data and documents must be deleted.

If you have any further doubts contact your ORP advisor, he should also know the law here. http://www.edoeb.admin.ch/aktuell/index.html?lang=en

Letting the course providers access my information - fine. What about allowing other 'clients' to access my information? Not wanting to sound prejudiced or judgemental, but I'm just not happy with the idea that anyone attending any course at this centre (which I'm not identifying to protect their anonymity) can open up my folder and have a browse...

Add to this the fact that the trainer has already said she will be 'sharing' CVs of past clients with us, and that she constantly tells us 'success stories' which presumably are supposed to inspire us but make me feel uncomfortable because she talks in detail about the people, their past, their issues, and gives their names... I don't like to think that in a few months time she could be talking about 'Madame X'.

Even if it is 'I had this really annoying English girl...'

Thing is, I don't have an ORP advisor... I'm not on unemployment benefits. My psychiatrist referred me to this organisation... but I don't think it's her job to deal with this kind of issue! My social worker, perhaps...

My boss 'left' last Wednesday. She handed in her company laptop etc. A 'new' boss was temporarily in the country on Monday, and told me that IT were not allowed to give her accerss to the laptop, to the e-mail account or anything like that - on account of data protection laws.

I was surprised - the laptop is work issued for work purposes, so I'd expected the company to have access to that.

I think being on this course presumes you have given everyone the right to see your details. I believe you need to write her a note that you do not agree with her behaviour with quoting past client's examples.
Quote this website http://www.bj.admin.ch/content/bj/fr...eistungen.html

There are also telephone numbers there of French speaking officials in Berne

Switzerland has data protection laws - which are considered to be "equivalent" to the EU directive on data privacy.

The thing is - companies are allowed to keep data about you - I mean, just think of all the utilities companies that have your name and address - even your bank details. The point is that what they do with it should be controlled by you.

Under the EU directive you have the right to

• know what personal data a company is storing about you and get a copy of it
• prevent the company from processing of your data if it causes you "damage or distress" (i.e. they can't leave your bank details lying about in an unprotected database)
• prevent companies from using your details for direct marketing (this is directed at stopping unsolicited telesales - although doesn't seem to be working!)

• know exactly what the company is doing with your data (you should be able to see their policies and know exactly who has your data and what is being done with it - simply saying "your data is confidential" is not enough - they need to demonstrate processes that ensure confidentiality is actually implemented and it seems to me that's not the case here).
• correct inaccurate data or have your data erased (some exceptions apply there - obviously for criminal records it's not up to you! Basically this is aimed at stopping/controlling identity theft.)
• have a company prosecuted who doesn't uphold the rules.

So, basically this company whoever they are must tell you exactly what they are doing with your data, and if you don't agree to it then they must delete (or anonymise - that's also allowed) your data. It seems to me that they are not upholding the law - although it could be that you've signed something that says they can use your data in their classes, in which case they may be covered - I'm not convinced on that - would depend on exactly what it said.

Every company dealing with private data should know about the rules - although to be fair usually not every individual knows - often there is a data privacy officer who manages this stuff. It just so happens that I deal with this topic regularly in my line of work, but not everyone does - we do a lot of training in our company tyring to raise awareness of the law because the fines can be massive if you don't adhere.

I would go to the head/manager/whoever is in charge and ask them directly about their policies - I'd be surprised if they don't have something on the subject - if they don't then they have a big problem!

This really doesn't sound right to me at all. This is the 21st Century after all, so surely they must know how easy it would be for anyone so inclined to copy the data for unscrupulous reasons.

Identity theft is a growing global concern, so I'm at a loss to see why any organization - big or small - in this day and age would be willing to literally give away their privileged clientele information in this manner to all and sundry.

I am finishing same sort of course and it's the same sort of thing happening. However, I do this course together with Swiss people, and they expressed their concern as well, and as a response they said that they are going to delete it after the course and also that we have signed the contract which mentions that they can use it this way (and we did).
It is a bit strange, because computers are firewalled to death and block everything remotely unsafe, but within the network everyone in the group can see my files.

Switzerland's data protection laws are (as already stated above) compatible with EU data protection directives. They are also more stringent in some areas than the EU requirements, with the result that some EU companies choose to warehouse their data inside Switzerland for safety(*).

To the OP: Without you paying my godawful ridiculous consulting fees I can't give a professional verdict, but a general rule of thumb is that your confidential data should only be available to people who have a legitimate requirement to view it to perform their duties. So what you describe does not seem, shall we say, quite correct.

(") William Gibson predicted this in Neuromancer already.