S 2.512 Regulation of linkage and usage of data regarding the processing of personal data
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: Specialists Responsible, IT Security Officer
In typical IT applications, the computer guides the user on screen through a "menu" by means of "masks". These masks make the program easier to use by presenting pre-defined "questionnaires" in which the user can, for example, "tick" the queries. They allow only those queries and evaluations which are specified by the application program and have been verified and approved under data protection aspects. Other queries are rejected. This is different for database languages ("free query languages") and modern office software: they allow users to formulate their own queries against the database without being bound by the restrictions of strict menu guidance. This could be used to carry out evaluations which are not required and therefore not admissible.
Since technical options are now available to reduce the risks connected with a "free query language", the restricted use of "free query languages" may be acceptable in justified cases. However, any interference with the personal rights of the individuals concerned must be excluded. In addition, the consent of the staff and works councils must be obtained. The possibility of using "free query languages" and/or the functionality of office software must be restricted wherever possible. Data evaluations which are foreseeably required on a regular basis in order to perform a task should be made available via menu control and/or screen masks. The use of "free query languages" should remain reserved for exceptional cases.
Before admitting so-called free query languages in connection with personal data processing, it must be checked whether this is compatible with the degree to which the data is worth protecting. If it is generally compatible, the following requirements should be taken into account: The system must have a technical restriction, similar to a filter, which ensures that the "free query language" can only be used within the agreed scope. The scope can be defined, for example, by restricting access to certain less sensitive data fields. A program must be in place that prevents users from bypassing the filter.
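One way to implement the technical restriction described above, as an added example that is not part of the original safeguard text: a field allow-list enforced by SQLite's authorizer callback through Python's `sqlite3` module. The table, field names, sample rows and allow-list are constructed for illustration, and it is assumed that users can submit only query text and never receive the connection object itself.

```python
import sqlite3

# Assumed agreed scope: table -> fields released for free queries (constructed).
ALLOWED_COLUMNS = {"staff": {"department", "site"}}
ALLOWED_FUNCTIONS = {"count"}

def scope_filter(action, arg1, arg2, dbname, source):
    """SQLite authorizer: consulted for every object a statement touches."""
    if action == sqlite3.SQLITE_SELECT:
        return sqlite3.SQLITE_OK
    if action == sqlite3.SQLITE_READ:
        # arg1 = table, arg2 = column ("" when no column value is extracted,
        # e.g. SELECT COUNT(*) FROM staff).
        allowed = ALLOWED_COLUMNS.get(arg1)
        if allowed is not None and (arg2 == "" or arg2 in allowed):
            return sqlite3.SQLITE_OK
        return sqlite3.SQLITE_DENY
    if action == sqlite3.SQLITE_FUNCTION and arg2 in ALLOWED_FUNCTIONS:
        return sqlite3.SQLITE_OK
    return sqlite3.SQLITE_DENY  # writes, PRAGMA, ATTACH, schema reads, ...

def open_restricted_db():
    """Build a constructed sample table, then switch the filter on."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE staff (name TEXT, department TEXT, site TEXT, salary INTEGER)")
    conn.executemany(
        "INSERT INTO staff VALUES (?, ?, ?, ?)",
        [("A. Example", "Finance", "Bonn", 52000),
         ("B. Example", "Finance", "Berlin", 61000),
         ("C. Example", "IT", "Bonn", 58000)],
    )
    conn.commit()
    conn.set_authorizer(scope_filter)  # every later statement passes the filter
    return conn

def run_free_query(conn, sql):
    """Run user-supplied query text; return (accepted, rows or rejection reason)."""
    try:
        return True, conn.execute(sql).fetchall()
    except sqlite3.DatabaseError as exc:
        return False, str(exc)

if __name__ == "__main__":
    db = open_restricted_db()
    for q in ("SELECT department, COUNT(*) FROM staff GROUP BY department",
              "SELECT name, salary FROM staff",
              "SELECT department FROM staff WHERE salary > 55000"):
        print(q, "->", run_free_query(db, q))
```

Because the check runs when the statement is compiled, a field outside the scope is rejected wherever it appears, including in a `WHERE` clause that would otherwise allow inferences from released fields.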
The data to be accessed by means of such a query language and the query types to be made available must be checked beforehand. Applicable criteria are in particular:
- the necessity in order to perform a task,
- evidence that an anonymised evaluation is not sufficient for the respective purpose to be achieved,
- the sensitivity of the individual data in the intended linkage and system environment, and
- the relevant purpose and context of the data use.
No data protection concerns with regard to the use of a "free query language" exist if the evaluation only leads to anonymised results, i.e. inferences about individuals are not possible.
Review questions:
- Are there rules regulating the linkage and use of data regarding the processing of personal data?
- Is the admissibility with respect to data protection checked before processing personal data?