Privacy in lab/unit administration

Large amounts of personal data (relating to employees, students, PhD assistants and visitors) are processed daily in the management of EPFL labs and units. 

The applicable legal bases and the most common use cases can be found in the EPFL Privacy Policy.

In this section, you will find various situations you may face and best practices to adopt.

Here is an overview of the different subjects:

 How to handle the personal data of EPFL employees and job applicants

Disclaimer: This section will form part of EPFL’s data protection regulations, which will be published during 2024.

The content below has been validated by HR and Legal Affairs departments.

Introduction

When we refer to employees’ personal data, we mean the data collected on job applicants and on employees for the entire period they work for EPFL – from the time these data are entered into our system to when they are archived or destroyed.

The personal data guidelines outlined below relate to the data of all current and former EPFL employees (including honorary professors) and to people who apply for a position at EPFL.

  1. first name, last name
  2. birth date
  3. mother tongue
  4. nationality
  5. SCIPER
  6. unit name
  7. position and salary
  8. number of years of experience
  9. non-wage benefits
  10. all information required to implement the Family Allowances Act of 24 March 2006
  11. parental leave
  12. any medical examinations required to ensure occupational health and safety and their results
  13. dates of absence, reason
  14. behavioral and technical skills as well as training
  15. assessment level
  16. official documents concerning any employment-related disputes or disciplinary investigations
  17. extracts from the criminal and debt enforcement registers
  18. offsetting of salary payments against debts owed to employer
  19. retirement due to illness
  20. reasons for departure
  21. other data mentioned in the implementing provisions.
 

Purpose of processing

  • To administer personal data relating to employees and to manage these data
  • To process salary data and conduct evaluations, budget simulations and personnel cost planning
  • To incorporate data management into the financial and accounting management system
  • To administer relevant data for manager training and development.

Legal basis

Art. 36a of the Swiss Federal Act on the Federal Institutes of Technology (ETH Act) and the Federal Act on the Personnel of the Swiss Confederation (Pers Act)

Who manages employees’ and job applicants’ personal data at EPFL?

Human Resources (HR) is the EPFL department authorized to manage these data. Faculty Affairs is also authorized to manage personal data when it comes to hiring professors, as well as Legal Affairs in the event of a disciplinary investigation.  

These departments act as data controllers designated by the Presidency.  

The heads of HR, Faculty Affairs and Legal Affairs are listed on the corresponding records of processing activities and are responsible for keeping those records up to date. In the event of a personal data breach, they will be called on to work with EPFL’s data protection officer (DPO) and serve on the corresponding crisis unit.

Managers can view the personal data of their staff and of job applicants only to the extent required for the managers to perform their duties.

Data protection principles

Why are the personal data being collected and processed? The main purposes of processing are listed above. Any EPFL unit wishing to request an employee’s or job applicant’s personal data from HR, Faculty Affairs or Legal Affairs must have a valid reason for doing so; that is, the data must be necessary for the unit to carry out its activities.

Only the personal data directly relevant to and required for the stated objective should be collected and processed.

  • The appropriate organizational and technical measures must be set up to protect personal data from being accessed, viewed or modified by unauthorized individuals.
  • A record should be kept of who accesses these data, and the log files should be kept for one year.
  • We suggest the log files be made available to the DPO and to EPFL’s IT security department, consistent with the need-to-know principle.
  • EPFL’s IT department will be responsible for keeping the log files.
  • Any personal data in paper format must be stored under lock and key.
  • If the documents provided by a job applicant don’t contain all the information needed to evaluate their application, then personality tests or other kinds of assessments may be conducted in order to gauge the applicant’s potential. Decisions on which assessments to perform should be made by the relevant manager, in collaboration with the HR Responsible.
  • Any such assessments can only be performed with the written consent of the job applicant, who must also be informed of the selection process being used to fill the position. Job applicants have the right to refuse an assessment and view their assessment results.
  • Only those people whose names are provided by a job applicant can be contacted for references about the applicant.
  • When filling professorship positions (through either a new hire or a promotion), the applicant’s general consent to contact references must be obtained. The applicant is not permitted to view files related to promotions or contested hiring decisions.
  • Employees’ personal data can only be communicated to third parties (i.e., outside EPFL) with the express written consent of the employee in question, and any such data transfer can only be done to the extent strictly necessary for the stated objective.

The designated data controllers are responsible for correcting any inaccurate personal data.

  • The personal data of employees working under permanent contracts are kept for ten years after the end of the employment relationship with EPFL or after the employees’ death. The retention period is two years for auxiliary personnel.
  • Personal data are destroyed at the end of the retention period (unless there’s a reason for them to be archived), in accordance with Article 38, paragraph 2, of the Federal Act on Data Protection.
  • Job applications are kept for three months unless agreed otherwise with the applicant.
  • An applicant’s personal data may be kept for longer than the retention period given above if the data are needed to resolve a complaint filed by the applicant under Article 13, paragraph 2, of the Federal Act on Gender Equality of 24 March 1995.
  • Personal data used in a disciplinary or administrative investigation or a dispute will be kept for ten years after the investigation or proceeding has ended. These data will be kept with EPFL’s legal department or in the upper management’s archives.

An EPFL unit may access the personal data of the employees and job applicants of other EPFL units only if this access is required for the unit’s activities, and only if the unit complies with all principles set forth in the data protection law (in particular, the principles of valid purpose, data minimization and security).

We advise against saving personal data exported from HR’s system on a local hard drive or on a unit’s shared drive, since these drives may not provide sufficient data protection and since the data could become obsolete. In addition, because storing these data would constitute a form of data processing under the law, you would have to keep a record of processing activities for these data and keep the record up to date. We therefore advise against exporting personal data from HR’s system unless absolutely necessary and, if you do export such data, deleting them as soon as you are done.

FAQ

In accordance with the principles of proportionality and valid purpose, interviewers can only ask questions that are relevant and necessary in view of the stated objective, which in this case is hiring an employee with the skills needed to perform the tasks outlined in the job description. Interviewers cannot ask questions about your personal life, such as whether you plan to have children.

The results of a Google search often include information that has nothing to do with the position being filled, and that isn’t relevant or necessary in the hiring process. Google search results would not be consistent with the principles of proportionality and valid purpose. What’s more, the search results could be incorrect or incomplete, or relate to someone else with the same name.

This relates to an individual’s right to access their personal data, and this right remains valid even after they have left EPFL. Any individual whose personal data are collected by EPFL – whether an employee, student, research-project participant or visitor to our website, for example – has a right of access. EPFL must reply to an individual’s request within 30 days. If you receive such a request, you should quickly contact EPFL’s DPO, who is the person authorized to fulfill the request.

Health data are sensitive personal data. Only those health data necessary to determine whether an individual is capable of performing a given job can be collected during the hiring process. As a rule, health data, and especially the results of any diagnoses, should only be viewed by people subject to medical confidentiality requirements.

No. But two employees who are married or living together, or who are close family members or in-laws, should be assigned jobs where they neither work together nor have a direct reporting line, as set forth in Article 53a of the Personnel Ordinance for the ETH Domain.

 Conduct a questionnaire survey

This section covers the good practices to adopt when launching surveys.

Before launching a questionnaire, please answer the following questions:

In the first case, the advantage is that the data protection law does not apply. People often confuse anonymous and pseudonymous data. Pay attention to this distinction, as it is a common mistake (see basic definition section).

There are many tools (e.g. REDCap) that allow you to process data anonymously. Note that despite the use of such tools, someone may be identified by their answers alone.
The disadvantage is that if someone shares the link to the questionnaire, anyone can answer. For example, if you target EPFL employees, anyone, including people outside EPFL, could answer.
Therefore, you do not have control over the audience.
On the other hand, complete anonymity may encourage people to respond more willingly.

In conclusion, whether to opt for complete anonymity depends on your needs.

If you need to process personal data, then the Federal Act on Data Protection (FADP) applies.

As a federal body, EPFL must have a legal basis to process personal data.

Usually, Art. 39 (revised) FADP (processing for research, planning and statistics) is used as the legal basis. It allows federal bodies such as EPFL to process personal data for purposes not related to specific persons, and in particular for research, planning and statistics, if:

  1. the data is rendered anonymous, as soon as the purpose of the processing permits
  2. the federal body communicates sensitive data to private persons only in a form that does not allow the persons concerned to be identified
  3. the recipient only discloses the data with the consent of the federal body 
  4. the results are published in such a manner that the data subjects may not be identified.

If you are running a research project, Art. 36c ETH Act is another applicable legal basis, with similar requirements. EPFL is required to inform the persons affected regarding the collection and processing of personal data in connection with a research project.

Are you lost? Please contact the DPO.

Before launching the survey, if you plan to delegate the data processing, you must determine if you keep the role of data controller or not. You need to enter into a data processing or data transfer agreement.

If you cannot answer, please contact the DPO.

Note that, in this case, you must ensure that consent is freely given and sufficient information has been provided.

If you process identifying or pseudonymous data, you must not only have a legal basis, but also respect the principle of proportionality, both in the choice of questions (only necessary data) and in the means of analysis used, ensure data security, not process data for other purposes, and act in good faith.

When you collect data, even for research purposes, you must inform the target audience about what data is collected and for which purpose, who the data controller is and with whom the data may be shared, how long it will be retained, and, if applicable, whether data is transferred outside Switzerland or the European Union (EU).

Survey’s Privacy Checklist

  • Determine if and what personal data you need to process
  • Only collect data that is strictly necessary for the purpose of your survey (data minimization)
  • Determine who needs to have access to the data (need-to-know principle)
  • Check whether it is possible to at least pseudonymize the data or, better, anonymize it
  • Ensure that you have a legal basis to process personal data
  • Check if you delegate some processing (e.g. for collecting or analyzing data). If the delegate is a data processor, sign a data processing agreement that includes the duty of confidentiality and compliance with the FADP. If it is an independent data controller, sign a data transfer agreement with adequate warranties.
  • Anonymize data as soon as the purpose permits it
  • Provide participants with clear and exhaustive information
  • Check if participants’ consent is needed and, if so, whether it has been freely given
  • Use a survey tool compliant with FADP 
  • Don’t forget to destroy the data collected when it is no longer needed
  • Publish data only in a manner that the data subjects may not be identified.

 Holding conferences and other events

If you decide to hold a conference or other type of event, you will most likely need to collect participants’ personal data (e.g., their first and last name, email address, phone number, job title, dietary restrictions and food allergies).

Because we do not have a formal legal basis for this data processing, you must ask for participants’ consent.

You must also tell them who the data controller is, whether their personal data could be transferred to a subcontractor (data processor), how long their personal data will be retained and other information. To help you, we have developed a privacy policy template (download).

Please note that EPFL is required to complete a record of processing activities for any processing of personal data. To make this task easier, Mediacom will take care of entering in EPFL’s official record the processing of personal data in association with a conference or other event.

All you will need to do is fill in this Google Form, which will be used in the event of a data breach or if someone wants to exercise their rights concerning their personal data.

Event’s Privacy Checklist

  • Determine what personal data you need to process for your event
  • Request only those data that are strictly necessary (data minimization).
  • Determine who needs to access the data (need-to-know principle).
  • Check if you will need to transfer personal data to a subcontractor (e.g., for meals or hotels). In this case, have the subcontractor sign an agreement containing clauses on data confidentiality and FADP compliance.
  • Download and fill out the privacy policy template, adapting it to your event as needed.
  • Create a registration form for participants. If you will collect non-sensitive personal data, you can use cloud-based programs like Google Forms; otherwise, you can use a WordPress form (where the data are stored and processed on EPFL servers). If you have any questions, contact your Head of IT or IT administrator.
  • Put a PDF of your data protection policy on your event website with a link to the registration form.
  • Don’t forget to destroy the personal data you collect as soon as they are no longer needed.
  • Fill in the Google Form for EPFL’s record of processing activities.

In Practice

The Guidelines for research involving personal data.