Official Secrecy

In the area of data protection, EPFL is subject to other highly restrictive legal requirements, especially with regard to official secrecy. These requirements are designed to protect information that has been entrusted to a person by virtue of his or her function. They apply to all individuals working in the public sector, including EPFL employees. Official secrecy differs from banking secrecy, which is not subject to the same laws.

Information covered by official secrecy requirements (within the meaning of Article 320 of the Swiss Criminal Code) must meet the following four conditions:

  1. The information must be a fact and not an opinion.
  2. The information must be known by a limited number of people, must not have been made public, and must not be disclosed pursuant to the Transparency Act.
  3. There is an intention of the authority (i.e., EPFL) to keep the information confidential.
  4. There is a legitimate interest in keeping the information confidential. This interest can be that of the public authority concerned but also, and exclusively, that of the private individuals involved.

Breach of official secrecy

Article 320 of the Swiss Criminal Code

1.  Any person who discloses secret information that has been confided to him in his capacity as a member of an authority or as a public official or which has come to his knowledge in the execution of his official duties or as an auxiliary to a public official or an authority shall be liable to a custodial sentence not exceeding three years or to a monetary penalty.

A breach of official secrecy remains an offence following termination of employment as a member of an authority or as a public official or of the auxiliary activity.

2.  The offender is not liable to any penalty if he has disclosed the secret information with the written consent of his superior authority.

Cloud solutions

A direct consequence of Switzerland’s official secrecy requirements relates to the use of certain (public) cloud storage systems. Before selecting a cloud service provider, you should consider:

  1. What kind of data will be processed – personal, sensitive and/or subject to official secrecy?
  2. Who will be doing the processing (which supplier)?
  3. Where will the data be stored?
  4. Where will the data be processed more generally? (Here, “processed” means not only hosting, but also support or maintenance services, for example.)

For administrative projects, please contact the IT Support Service Desk.

If you have any questions about a research project, please contact the Legal Affairs department.