L AST U PDATE

After the review of the different stakeholders, namely the specialised colleges and the vari-ous departments involved, the document has been finalised on the 18^th December 2020 and finally approved in January 2021. The table in the appendix provides an overview of the document’s content of the June version. Below are presented the main differences with the final draft delivered in June 2020, at the end of my internship:

The target audience has been added at the beginning of the document: The document ap-plies to the personnel of the cantonal administration of Geneva and has been distributed to the HR specialised college, OCSIN, the HR departmental direction and the State per-sonnel office.

There have been several adaptations because the information was incorrect or ambiguous.

For instance, responsibilities for the end or modification of a contract have been better defined and specified. Some paragraphs have been cut and others condensed in order to gain efficiency.

In some instances, formulations have been softened to enable compliance with require-ments in a reasonable time and at the State-level. They have also been adapted according to the capacity of IT and HR. Thus, the data protection controller requires that all personnel files be reviewed every two years to delete all data and documents no longer required or necessary, which is unmanageable with the computer tools available. For example, the per-sonnel files would have to be printed again, the non-necessary parts removed, and then the rest of the file would be scanned again, thereby constituting a heavy and inefficient work-load. Moreover, the objective of sorting the personnel files every two years seems excessive for an institution with a low turnover rate, 5% for the State of Geneva and 10% for the university hospital of Geneva.

Figure 5, the life cycle of HR data, has been removed from the final version document as it has been considered excessively simplistic, thereby resulting in irrelevant by the stake-holders. Several corrections have been brought, such as in chapter 4. Sécurité liée à l’exploita-tion: Journalisation et suveillance: the process has been placed in the specific context of the State (taken from ISO, the information written in the final draft were too general). Responsibili-ties and activiResponsibili-ties have been specified, issued from the good practices and adapted to the data protection law. Chapter 5.2, entitled Sécurité dans les accords avec les fournisseurs has been simplified and shorten: the part explaining the elements that could be included in the con-tracts has been removed. Furthermore, chapter 3.1.2 Accès et services relatifs au réseau has been deleted since the process is entirely managed by the OCSIN. Concerning chapter 7.1 of information transfer, the information communication has been detailed and explained, based on annexe 8.6. In summary, those improvements and adaptations have been released according to the demand of the different stakeholders.

document will be reviewed every year by the governance tools service of the State personnel office.

The specialised colleges of internal control, which also approved the brochure, is consti-tuted by the persons in charge of risks management and internal control of every State department. They integrated the controls mentioned in the brochure in their control plan according to the severity evaluated in risks assessments. However, the infrastructures de-partment, which hosts the State information and digital systems (OCSIN), will have to do more controls than other departments. This also concerns the departments where the com-pliance issues with the LIPAD have been found and for which recommendations have been released from the Internal Auditing Service. The implementation will be verified by the IAS within the follow-up of the recommendation and ordinary functions.

5. D

Through the document entitled the HR life cycle information, we could address the recom-mendations made by the internal auditing service. It constitutes the main guideline for data treatment within the HR departments, including the regulations and laws related to data protection. The life cycle information has been clarified, and measures have been explicitly included in the guideline in order to provide better guidance in terms of HR data protection.

The principles of the GDPR, which are also followed by the LIPAD, lead implicitly to data quality as it requires collecting the minimum amount of data necessary for a defined pur-pose and the data accuracy, therefore acting as a filter for data collection and treatment. In addition, data quality allows to reduce administrative mistakes and adopt appropriate measures for public employees and the cantonal administration. With accurate data, statis-tics and survey also become more reliable, thereby reflecting better the reality.

We provided a comprehensive discussion about the definition of personal data and the applicability of proposals found in the literature. The definition of personal data provided by the data protection commissioner of Geneva is aligned with the one provided by the GDPR. Therefore, personal data are clearly defined and practical-oriented, hence limiting the possibility of interpretations by the different stakeholders. On the other hand, the clas-sification of personal data by degrees of identifiability, as mentioned in the literature review (Purtova, 2018), would be highly complex to apply in public administration and would lead to frequent mistakes and defiance. For this reason, we did not include it in the framework.

When basing a guideline on an international standard such as the ISO/IEC 27002, consid-ering the local context and the current process of the public administration is fundamental for adopting adequate practices related to data protection. As compliance with the rules included in this type of document should be feasible in the relatively short term, the balance between the legal requirements and the technical capacity of the administration should be considered. When objectives are technically impossible to reach, a lack of compliance with the norms would persist, thereby reducing the pertinence of the guideline, which should be accompanied by other measures to ensure the implementation of the HR guideline for data protection.

Firstly, defining the responsibilities and defining internal controls, as it is the case of the cantonal administration. Then, the training through e-learnings, an approach already ap-plied in the State administration, constitutes an individualistic method, which consequently aims at encouraging the individual itself. As Switzerland might be a mixed society, further initiatives would be adopting collectivistic methods, namely by organising regular meetings where information is exchanged, and valuable insights are provided to increase compliance with the norm. As referred in the literature (Topa & Karyda, 2019), the managers should demonstrate to their team that they adopt appropriate measures in order to encourage

em-aspects imply investing in additional resources, which might be challenging considering the financial limitations. Finally, the HR information life cycle guideline constitutes itself a start-ing point for compliance with the LIPAD.