AP (The Netherlands) - z2018-02009: Difference between revisions

From GDPRhub

Date: 31 July 2018
Our reference: z2018-02009
Annex(es): 2

1. On 27 March 2017, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, hereinafter: the AP) initiated, pursuant to Article 60 of the Personal Data Protection Act (hereinafter: the Wbp), as it applied at the time, an investigation into the use of multi-factor authentication in the employer portal of the Employee Insurance Agency (hereinafter: the UWV).

2. In the employer portal, the UWV processes, among other things, personal data relating to the health of employees. In view of this, access to the employer portal via the internet must take place through multi-factor authentication. The UWV currently applies one-factor authentication when granting access to the employer portal.

3. In the report of definitive findings (hereinafter: the investigation report), the AP established that the UWV is thereby acting in violation of Article 13 of the Wbp, as it applied at the time, under which, insofar as relevant here, a controller must take appropriate measures to protect personal data against loss or any form of unlawful processing.

4. The AP bases the order subject to a penalty on the investigation report, on the view expressed orally by the UWV on the AP's intention to impose an order subject to a penalty, and on the information subsequently provided by the UWV at the request of the AP.

5. The General Data Protection Regulation (hereinafter: the GDPR) has applied since 25 May 2018. Article 32(1) of the GDPR imposes the same obligation as applied under Article 13 of the Wbp. As the violation continues, the UWV is in violation of Article 32(1) of the GDPR.

6. The UWV wishes to connect to the eHerkenning system in order to apply multi-factor authentication when granting access to the employer portal. The date on which the UWV expects that logging in to the employer portal will only be possible using eHerkenning has, since the AP's first request by letter of 25 November 2015, been moved to 1 November 2019.

7. In response to the above, the AP has decided, on the basis of Article 16(1) of the General Data Protection Regulation Implementation Act (hereinafter: the UAVG) in conjunction with Section 5:32(1) of the General Administrative Law Act (hereinafter: the Awb), to impose an order subject to a penalty. With the order subject to a penalty, the AP aims to ensure that the established violation is brought to an end.

8. The order requires the UWV to provide access to the employer portal at an appropriate security level by 31 October 2019 at the latest, whereby logging in to the portal is only possible by means of an appropriate form of multi-factor authentication. Part of the order is that the UWV must determine the required assurance level anew by performing a risk analysis based on the most recent version of the Guide 'Reliability levels for digital services, a guideline for government organisations' (version 4).

9. In the event of non-compliance with the order after expiry of the compliance period, the UWV will forfeit a penalty of EUR 150,000 for each month that the order is not (fully) complied with, up to a maximum of EUR 900,000.
   
   
   
   
Course of procedure

10. On 29 August 2017, the AP adopted the investigation report and sent it to the UWV. The public version of the report was published on the AP's website on 14 November 2017.

11. By letter of 15 August 2017, the AP, following the investigation, put a number of further questions to the UWV about the size of the employer portal.

12. By letter of 30 August 2017, the UWV responded to the questions put by the AP in its letter of 15 August 2017.

13. By letter of 11 September 2017, the UWV responded to the investigation report. The UWV states, among other things, that it acknowledges that the security level does not meet the requirements of Article 13 of the Wbp and that it wishes to remedy this by implementing eHerkenning at level 'substantial'.

14. By letter of 9 November 2017, the UWV informed the AP about the progress of the implementation of eHerkenning.

15. By letter of 14 December 2017, the AP notified the UWV of its intention to impose an order subject to a penalty and gave the UWV the opportunity to express its view orally or in writing. The UWV was invited to a hearing.

16. The hearing took place on 6 February 2018. A report of the hearing was drawn up, which is attached to this decision as Annex 1.

17. In response to what was discussed during the hearing, the UWV provided additional information and further documents by letter of 28 February 2018, including the eHerkenning project plan.

18. In response to the information received by letter of 28 February 2018, the AP put questions to the UWV by letter of 15 March 2018.

19. By letter of 3 April 2018, the UWV responded to the AP's questions of 15 March 2018 and enclosed the 'risk analysis absenteeism report' (hereinafter: the risk analysis).

20. In response to the information received by letter of 3 April 2018, the AP put questions to the UWV by letter of 14 May 2018.

21. By letter of 25 May 2018, the UWV responded to the AP's questions of 14 May 2018.
   
   
Investigation report

22. In the investigation report, the AP found that the UWV processes personal data about health in the employer portal. Access to the employer portal is obtained by entering an email address and password. This is a form of one-factor authentication.

23. It follows from Article 13 of the Wbp, now Article 32(1) of the GDPR, that a controller must take appropriate measures to protect personal data against loss or any form of unlawful processing. The term 'appropriate' also indicates proportionality between the security measures and the nature of the data to be protected. Given the sensitivity of the personal data processed in the UWV employer portal, namely data about the health of employees, access to the portal via the internet should, given the state of the art, take place through at least multi-factor authentication.

24. The UWV has indicated that it has taken measures to prevent unauthorised access to the employer portal, such as annual penetration and security tests and continuous logging and monitoring of use. With regard to authentication these measures are not appropriate, because they cannot provide an adequate level of protection for gaining access to the application. Because the UWV applies no multi-factor authentication and has not taken appropriate measures in any other way with regard to access to the data in the employer portal, the UWV is acting in violation of Article 13 of the Wbp, as it applied at the time.
   
Legal framework

GDPR

26. In the investigation report, the AP established a violation of the standard of Article 13 of the Wbp. As of 25 May 2018, the GDPR and the UAVG apply and the Wbp has been repealed.

27. When assessing whether there is also a violation of the standard under the GDPR, it is relevant that the standard under the GDPR does not differ materially from the standard under the Wbp. The standard of Article 13 of the Wbp is now laid down in Article 32(1) and (2) of the GDPR. That article provides that the controller, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. This obligation is materially in line with the obligation under Article 13 of the Wbp.

28. This means that, given that the investigated facts and the relevant circumstances have not changed since the investigation report was drawn up, there has been, as of 25 May 2018, a violation of Article 32(1) of the GDPR.

Viewpoint

29. In response to the AP's intention to impose an order subject to a penalty, the UWV expressed its view orally during the hearing on 6 February 2018. In summary, the UWV's view comes down to the UWV acknowledging that the security of the employer portal does not meet the requirements arising from Article 13 of the Wbp, and now Article 32(1) of the GDPR, because the UWV does not apply multi-factor authentication when granting access to the portal.

30. In April 2017, the UWV decided to start implementing eHerkenning level 3 / Substantial, in which multi-factor authentication is applied, so that the violation of Article 13 of the Wbp, and now Article 32(1) of the GDPR, will be ended. In determining the assurance level, the UWV took into account the fact that the employer portal only processes health data relating to a sickness report or to the fact that someone is pregnant. The nature of the illness is not processed.

31. The UWV has put forward that it has investigated other solutions, but sees connecting to eHerkenning as the only real possibility to achieve multi-factor authentication. With the arrival of the Digital Government Act (hereinafter: the Wdo), it is the intention that all government parties make use of the means provided for in that Act.

32. In implementing eHerkenning, the UWV is partly dependent on third parties, and the UWV has run into a number of problems, as a result of which implementation is taking longer than the UWV had hoped.

Assessment

Assessment framework
   
   
33. In the investigation report, the AP established that the UWV processes personal data, including special personal data, in the employer portal. This includes name and address data, citizen service number, financial data and data about disability, dismissal and childbirth. Employers can log in to the portal via the internet by entering an email address and password. This is a form of one-factor authentication. [1] It emerged from the documents and from what was discussed at the hearing that this situation has not changed at present.

34. Article 32(1) of the GDPR provides that the controller must take appropriate technical and organisational measures to protect personal data against loss or unlawful processing. Taking into account the state of the art and the costs of implementation, these measures must guarantee an appropriate level of security given the risks posed by the processing and the nature of the data to be protected.

35. This means that the controller, in this case the UWV, must translate the risks for the data subjects whose personal data are processed into the assurance requirements that the service offered (the employer portal) must meet, and which are regarded within the field of information security as the most recent and representative interpretation of those risks.

36. In determining the risk to the data subject, the nature of the personal data and the nature of the processing are relevant, among other things: these factors determine the potential harm to the individual data subject in the event of, for example, loss, modification or unlawful processing of the data. In translating this into the assurance level of the employer portal, the UWV can make use of the Guide 'Reliability levels for digital services, a guideline for government organisations, version 4' of the Standardisation Forum (hereinafter: the Guide).

37. Although use of the Guide is not mandatory, it offers government organisations an assessment framework for determining assurance levels for digital services, which can be assumed to reflect the most recent insights and requirements in this respect. Once the applicable assurance level has been determined, security standards then provide guidance in taking appropriate measures. [2]

38. The AP has investigated whether the UWV has taken appropriate measures with regard to authentication when logging in to the employer portal. In its investigation, the AP has focused solely on the nature of the personal data to be protected, which translates into a minimum security level to be applied. The assessment in this decision is therefore based solely on the nature of the personal data to be protected. It is not excluded that factors other than the nature of the personal data require a higher security level. However, the AP cannot, as will also be discussed below, assess for or in place of the UWV all relevant factors included in version 4 of the Guide. It is up to the UWV to include these factors in a risk analysis and thereby determine the correct security level. [3]

Data concerning a person's health

39. Article 4(15) of the GDPR gives the following definition: 'data concerning health means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status'. Under the GDPR it remains the case that the concept of 'health data' is to be interpreted broadly: it includes not only the data that a doctor records in a medical examination or medical treatment, but all data relating to a person's mental or physical health. For example, the mere fact that someone has reported sick is data about health, even though it says nothing about the nature of the condition. [4] The following data are processed in the employer portal: the date of commencement of sick leave, the date of termination of sick leave, sickness as a result of pregnancy, childbirth or organ donation, the date of childbirth and the date of commencement of maternity leave.

40. In view of the nature of the personal data, the employer portal therefore contains data concerning a person's health, which is regarded as a special category of personal data as referred to in Article 9(1) of the GDPR.

[1] Authentication is the process of verifying whether a user who wants to log in to an application/system is actually who he/she claims to be.
   
   
Increased risk

41. The AP has elaborated the requirements regarding security in the Guidelines for the Security of Personal Data. In those Guidelines the AP indicates that for certain categories of personal data the consequences of loss or unlawful processing can be serious. These are data with an increased or high risk. These categories in any case include special personal data.

[3] See, with regard to the risk analysis of the UWV, paragraph 54 onward of this decision.
[4] Parliamentary Papers II 1997/98, 25 892, no. 3, p. 102.

42. In addition, the AP uses version 4 of the Guide. [5] This Guide gives substance to the assurance levels on the basis of the eIDAS Regulation on electronic identification and trust services [6], which has applied since 1 July 2016 (hereinafter: the eIDAS Regulation). The eIDAS Regulation distinguishes three assurance levels for authentication means: low, substantial and high. The Guide offers a classification model with which a simplified risk analysis of the digital service can be made. The main criterion here is the nature of the personal data to be protected. Four classes of personal data are distinguished: class 0, I (basic), II (increased risk) and III (high risk), where data with an increased risk also require a higher security level.

43. The AP has established that the data processed in the employer portal constitute so-called class II personal data under the Guide, because they concern special personal data. Class II data carry an increased risk. [7] A high risk, as with so-called class III data, is not at issue given the nature of the data processed in the portal.

Multi-factor authentication

44. According to the Guide, the minimum assurance level 'substantial' applies to the processing of class II data. [8] The Guide also offers a framework for answering the question of which measures are appropriate, as referred to in Article 32(1) of the GDPR, at this assurance level: for both assurance level 'substantial' and assurance level 'high', multi-factor authentication is required as the type of authenticator. [9]

45. The requirement of multi-factor authentication when granting access to a system in which health data are processed is moreover endorsed by security standards such as NEN 7510, which provides guidance for the application of the ISO/IEC 27002 code of practice for information security in health care:
        27002 in health care:
   
   
         5 A guide for government organizations: Reliability levels for digital services, version 4, Forum Standardization
        6 Regulation (EU) No 910/2014 of the European Parliamentary Council of 23 July 2014 on electronic identification and
         5
        6 A guide for government organizations: Reliability levels for digital services, version 4, Forum Standardization
        Regulation (EU) No 910/2014 of the European Parliamentary Council of 23 July 2014 on electronic identification and
         trust services for electronic transactions in the internal market
         trust services for electronic transactions in the internal market
         7 A guide for government organizations, version 4, Forum for Standardization, p. 33
         7 A guide for government organizations, version 4, Forum for Standardization, p. 33
Line 510: Line 353:
         (EU) No. 910/2014, on which the Guide is based.
         (EU) No. 910/2014, on which the Guide is based.
   
   
Health information systems that process personal health information include the identity of users
and this should be done through authentication involving at least two factors
to become. ' 10
   
   
   
   
                                                                                                              7/12 Date Our reference
  46. As an appropriate measure as referred to in Article 32 (1) of the GDPR, when providing
      July 31, 2018 z2018-02009
  access to the employer portal, thus using multi-factor authentication.
Now that access to the portal takes place through a form of one-factor authentication, the UWV is taking action violation of Article 32 (1) of the GDPR. UWV has also recognized this.
      Health information systems that process personal health information, belonging to user identities
      determine this should be done by means of authentication in which at least the two factors are involved
      be. "0
  46. As appropriate the measure referred to in Article 32, first paragraph, of the AVG must be
   
      access to the employer's portal to use multi-factor authentication.
      Access to the portal takes place through a form of one-factor authentication, trading theUWVin
      contrary to Article 32, first member, of the AVG.UWV has also recognized this.
   
   
       Offender
       Offender
   
   
  47. Notice theUWVis as an offender, because it is the controller in the sense of the AVG.
  47. The UWV can be regarded as an offender, because it is the controller within the meaning of the AVG. The UWV determines the purpose of and the means for the processing of personal data: the
employers' portal is a service of the UWV and is made available by the UWV to
      The UWV establishes the purpose of the means for the processing of personal data: the
employers, whereby the purposes of the data processing are determined by the UWV.
      The employer portal is a service of the UWV and is made available by the UWV
  The UWV also has the power to end the violation.
      employers, for which purposes of data processing are determined by the UWV.
   
      The UWV also has it in its power to end the violation.
   
   
       The solution from the UWV: eRecognition
       The solution from the UWV: eRecognition
   
   
  48. By letter of January 25, 2016, the UWV has already addressed the violation of Article 32, first member, of the
  48. Already by letter of 25 January 2016, the UWV has declared the violation of Article 32, first paragraph, of the
   
  Wbp recognized. The UWV indicated its intention to use the employer portal
      Wbp recognized. TheUWV indicated that they intend to be used for the employer's portal
create eHerkenning, which provides for the use of multi-factor authentication in the
      Make of Recognition, which feature provides for the use of multi-factor authentication in the
  granting access to the employer portal.
   
      providing access to the employer portal.
49. ERecognition is a system that companies provide electronic access to the government
      government facilities. Entrepreneurs or employees of an organization can go together
      login and easy identification at different organizations. Government organizations need
      do not develop their own authentication system, but can connect to the system
      The development of Recognition is a public-private partnership that is directed under the direction of the
      Ministries of Economic Affairs and Climate and Domestic Affairs and Kingdom Relations.
      ERecognition recognizes five different confidence levels. At these reliability levels is
      A connection sought to the three reliability levels that distinguish each IDAS regulation
      requirements that are imposed on the means by the regulation. The government organization determines it itself
      confidence level that is applied.
   
   
  50. TheUWVhas indicated thattheintroductionofRecognitionbytheUWVshould be viewed in the
  49. EHerkenning is a system that offers companies electronic access to government and
      light of the Wd is currently in preparation.
government services. Entrepreneurs or employees of an organization can join one
identification oflogin means safely and easily at various organizations. Government organizations need do not develop their own authentication system themselves, but can connect to the system. The
development of eHerkenning is a public-private partnership directed by the
Ministries of Economic Affairs and Climate Policy and the Interior and Kingdom Relations.
EHerkenning has five different confidence levels. At these confidence levels
sought alignment with the three assurance levels distinguished by the eIDAS regulation and the
requirements imposed on the resources in that Regulation. The government organization itself determines it
confidence level that is applied.
   
   
      can log in for Dutch citizens and companies with (semi-) government
50. The UWV has indicated that the implementation of eHerkenning by the UWV should be considered in the
      The Netherlands the EU directive on accessibility of government websites and apps. 1 Ahead of the
light of the Wdo currently in preparation. The Wdo aims to be safe and reliable
can log in for Dutch citizens and companies with the (semi-) government. Deploys
The Netherlands, the EU directive on accessibility of government websites and apps. 11 Ahead of the
Wdo has been developed by the government eHerkenning. In time, the UWV will be obliged to connect to
eRecognition.
   
   
  51. The UWV has indicated that it sees the implementation of eHerkenning as the only realistic solution. The UWV
      10
  has investigated possible workarounds, in which multi-factor authentication with SMS is the second factor
      11 NEN-7510 (2017), p. 57
was the most viable and safe alternative option. However, the technical implementation of this would be just
        <nowiki>https://www.digitaleoverheid.nl/ilisi/identification-en-authenticatie/eid/wet-gdi/</nowiki>.
  take as long as the implementation of eRecognition and would furthermore take the implementation of
Delay eRecognition because it must be performed by the same team. Besides, it wouldn't
be efficient and proportional to go through two far-reaching implementation processes in quick succession:
  this leads to additional administrative burdens for employers and the ineffective use of public resources.
                                                                                                      8/12 Date Our reference
      July 31, 2018 z2018-02009
      Wdo has been developed by the government.
      eRecognition.
  51. TheUWV has indicated the implementation of the Recognition to see any real solution.
   
      has explored possible between solutions, where multi-factor authentication with smsalst second factor
      The most feasible and safe alternative option was.
   
      as long as the implementation of the Recognitions is in addition the implementation of
      Delay recognition, because this must be done by the same team.
      be effective and proportionate in short on the map two drastic implementation pathways go through:
   
      This leads to textbook administration tasks for employers and ineffective use of public resources.
   
   
       Time course / planning
       Time course / planning
   
   
  52. TheUWV has indicated that it was already in use in 2015 to connect to Recognition.
  52. The UWV has indicated that it had already been working on connecting to eHerkenning in 2015. In front of
   
  the UWV, however, are the availability of the RSIN (Legal entities and Partnerships
      However, the UWV is the availability of the RSIN (Legal Entities and Partnerships
Information number) and the BSN for sole proprietorships in the eHerkenning system necessary, because
      Information number) and the BSN for sole proprietorships in the system of Recognition necessary, because
without these numbers, the UWV cannot link eHerkenning to its systems. The UWV is for this
      withoutthese numberstheUWVeRecognitioncan'tlinktohersystems.
  extension of the system dependent on third parties and has made this extension a condition for the
   
switch to eHerkenning. In April 2017, the UWV decided to discontinue the implementation of eHerkenning
      Expansion of the systemdepending on third parties and has set this expansion as a condition for the
because at that moment there is prospect of linking the RSIN to eHerkenning (87.7% of the
      In April 2017, the UWV has concluded the implementation of Recognition.
  users of the employer portal are identified with RSIN). In its opinion of June 21, 2017
      because of the moment view is linked from the RSIN to the Recognition (87.7% of the
  the UWV has indicated that the connection to eHerkenning is expected to be realized in May 2018
   
  to have. The UWV will complete the preliminary investigation in November 2017. In February 2018, the UWV has it
      Users of the Employer Portal is identified by RSIN).
eRecognition employer portal project plan adopted and forwarded to the AP at the request of the AP.
      has theUWVindicatedconnection toRecognitiontoexpectationrealized inMay2018
      In November 2017, around theUWV, the preliminary research.In February 2018, theUWV has
      projectplane Recognition Employer Portal determined upon request from the AP the AP do.
   
53. According to this project plan, the UWV will take place on November 1, 2018 as the implementation date, followed by a
      rollout period of one year that users can switch from the portal.
      has indicated the UWV now assumes implementation in the fourth quarter of 2018.
      The BSN is also expected to be added to the system in the second half of 2018.
   
      The same implementation date applies with rollout period. There is also no group of users (0.7%) who are not
      Can make use of Recognitions for which no solution is available yet. TheUWV has
      indicated that if no solution is available, this group cannot use any more by 1 November 2019
   
   
      makingthe employer portal.
53. According to this project plan, the UWV is heading for the implementation date on November 1, 2018, followed by a
one year rollout period during which the users of the portal can switch. At the hearing
the UWV has indicated that it now expects implementation in the fourth quarter of 2018. To
The BSN is also expected to be added to the system in the second half of 2018. For this group
the same implementation date with rollout period applies. There is also a group of users (0.7%) who do not have
can use eHerkenning and for which no solution is available yet. The UWV has
indicated that if no solution is found, this group will no longer be able to use it on I November 2019
making the employer portal.
   
   
       Confidence level; application Guide version 4
       Confidence level; application Guide version 4
   
   
  54. In 2015, the US has made the hand of the available Guide of Forum standardization,
  54. In 2015, on the basis of the then available Guide to the Standardization Forum, the UWV
              12
version 3 12 perfonncd a risk analysis. This version of the guide is based on the European STOR Framework. This risk analysis showed that level STORK 3 is appropriate.
      version 3 performed a risk analysis. This version of the guide is based on European
  The UWV sent this risk analysis to the AP on request by letter dated 3 April 2018.
      12A guide for government organizations: assurance levels for authentication at
      electronic government services, version 3, Forum Standardization
                                                                                                  9/12 Date Our reference
      July 31, 2018 z2018-02009
      STORFramework.This risk analysis showed that levelSTORK3 is appropriate.
   
      The UWV has carried out the AP for this risk analysis upon request by letter of 3 April 2018.
55. In November 2016, version 4 of the Guide appeared. This version is no longer based on the
      STORK framework but, as previously shown, on the IDAS regulation.
      However, there is no reason to keep the risk analysis of 2015 against the light again
      The newest version of the Guide.
      Risk analysis of 2015 UWV's hot IDAS system has taken into account as proposed legislation.
   
   
      Therefore, the new version of the Guide has not given any reason for a new one
                                                                                               
      perform risk analysis ".
55. Version 4 of the Guide was published in November 2016. This version no longer relies on it
STORK framework but, as shown earlier, on the eIDAS regulation. The UWV has this
however, saw no reason to reconsider the 2015 risk analysis
of the latest version of the Guide. In its letter of25 May 2018, the UWV states that in the
risk analysis of2015 UWV has included the eIDAS system as proposed legislation.
The new version of the Guide has therefore not given rise to a new one
carry out a risk analysis'.
   
   
  56. According to the project plane Recognition Employers Portal, the UWV has chosen to connect
  56. According to the eHerkenning employer portal project plan, the UWV has opted to connect to
eRecognition level 3. This corresponds substantially to eIDAS level.
   
   
      eRecognition level3 This corresponds to the IDAS level substantial.
57. The AP has established that the UWV's 2015 risk analysis is based on version 3 of the Guide.
The standard from Article 32, first paragraph, of the GDPR, and previously Article 13 of the Wbp, prescribes that the
(controller) responsible for taking appropriate technical and organizational measures
in order to ensure an appropriate level of security, taking into account, inter alia, the state of the Technic. This implies, among other things, that a risk assessment that has already been carried out from time to time must be updated according to the standards in force at that time. It had then
located on the way of the UWV to re-perform the risk analysis already carried out in 2015 to
based on the most recent version of the Guide. Failure to do so creates a risk
the end of the implementation period of, in this case, eHerkenning, may no longer be
an appropriate security level.
   
   
  57. The AP establishes that the risk analysis of the UWV from 2015 is based on version 3 of the Guide.
  58. Although the reliability level of Stork 3 from version 3 of the Guide appears to correspond with eIDAS
      The norm from article 32, first paragraph, of the AVG, and previously article 13 of the Wbp, write before the
assurance level substantial from version 4 of the Guide, both versions of the
      (processing) responsible for taking appropriate technical and organizational measures
Guide to various assessment frameworks. Testing against version 4 of the Guide therefore leads to this
possibly until the outcome that a higher assurance level must be assumed than the UWV
has done so far on the basis of version 3 of the Guide. Ultimately, this determines the
choice of the measures to be taken to ensure an appropriate level of security
guarantees. The AP cannot provide all relevant guidelines for or in place of the UWV
assess factors.
   
   
      in order to ensure appropriate security level, including taking into account the situation
      Order subj ect to penalty and term of grace
      It is decided, among other things, that a risk assessment has already been carried out from time to time again.
      must be updated using the currently valid standards.
   
   
      on the way of the UWV, because the risk analysis is carried out again in 2015
59. From Article 16, first paragraph, of the UAVG, viewed in conjunction with Article 5:32, first paragraph, of the Awb, it follows
      The most recent version of the Guide.
that the AP is authorized to impose an order subject to a penalty in the event of a violation of Article 32, first paragraph of
      at the end of the implementation period of, in this case, eRecognition, it is possible that there is no
the GDPR. Pursuant to Article 5: 2, first paragraph, under b, of the Awb, the order may be aimed at terminating
the violation found and the prevention of recurrence.
   
   
      appropriate security level.
60. The AP orders the Employee Insurance Agency (UWV) to declare the violation of Article 32,
first paragraph of the GDPR. This means that the UWV is within the beneficiary period
must take measures to ensure an appropriate level of security with regard to the provision
of access to the employer portal, where logging in is only possible through an appropriate form of
multi-factor authentication (for example by using eHerkenning). Because the UWV in determining
has made use of the confidence level for the employer portal
outdated version of the Guide, the UWV must revise the assurance level
by performing a risk analysis on the basis of version 4 of the Guide.
   
   
  58. Although the reliability level of Stork3 corresponds to version3 of the Guide.
  61. Article 5: 32a, second paragraph, of the Awb stipulates that a grace period is set 'during
      IDAS Confidence Levels Substantial version 4 of the Guide, how to use both versions of the
which the offender can execute the order without a penalty being forfeited '. The term
during which an order can be executed without a penalty being forfeited should be so short
as possible. The term must be long enough to be able to carry out the burden.
   
   
      Guide to various assessment frameworks.
62. In view of the foregoing, the DPA decides that the UWV must be notified by 31 October 2019 at the latest
      possible until the outcome that a higher confidence level should be assumed from the UWV
meet. The AP has taken the planning into account when determining the grace period
      up to now based on version 3 of the Guide.
of the UWV with regard to the implementation of eHerkenning and the rollout period mentioned therein
one year after implementation on November I , 2018.
   
   
      choice of measures to be taken according to the appropriate security level
63. Article 5: 32b, third paragraph, of the Awb prescribes that the penalty amounts are in reasonable proportion. to the gravity of the infringed interest and to the intended effect of the penalty. The latter is
      guarantees. The APcannotfororintoplaceoftheUWValloutHandoverVersion4relevant
It is important that a penalty payment must provide such an incentive that the order is complied with.
      factors.
   
   
64. If the UWV does not end the established violation within the beneficiary period, it forfeits it
a penalty. The AP has set the amount of this penalty at € 150,000 for each month that the
load has not been carried out (in full) up to a maximum of€ 900,000. In the opinion of the AP, the
the amount of these amounts in reasonable proportion to the gravity of the violation
importance - the protection of special personal data and of the privacy of
those involved - and are they sufficiently high to induce UWV to terminate the violation. The AP takes into account the costs associated with the implementation of eHerkenning, as well as the
structural additional costs per year.
   
   
      Constrained and favored term
59. From article 16, first member, of the UAVG, in conjunction with article 5:32, first member, of the AWB follows
      that the AP is authorized to impose a charge under a penalty if in violation of Article 32, first paragraph
      the AVG. Pursuant to Article 5: 2, first paragraph, bottom b, of the AWB, the cabinet is aimed at the end of
      the violations detected the occurrence of recurrence.
                                                                                              10/12 Date Our reference
      July 31, 2018 z2018-02009
60. The AP orders the US within the time limit for favoring the decision to take the violation of Article 32,
      first member, of the AVG.
      measures must be taken to ensure an appropriate security level with regard to the relationship
      of access to the employer's portal, where logging in is only possible by means of a suitable form of
      multi-factor authentication (for example, by using Recognition).
      of the confidence level for the employer portal has used a meanwhile
      outdated version of the Guide, the UWV should update the confidence level
      determine by performing a risk analysis using version 4 of the Guide.
61. Section 5: 32a, subsection 2, of the AWB provides that a grace period is to be set during
      which the offender can execute without forfeiture of a penalty. "Term
      During which a charge can be carried out without forfeiture of a penalty, it must be short
      The time limit should be long enough to be able to carry out the load.
62. Having regard to the foregoing decision, the AP that the YOUR V must appear at the end of October 31, 2019.
      The AP has taken into account the planning when determining the term of favor
      of the UWV regarding the implementation of the Recognitions of the said roll-out period
      one year after implementation on November 1, 2018.
63. Article 5: 32b, third paragraph, of theAwb prescribes that the penalty amounts are in reasonable proportion.
      to the severity of the violated interest to the intended effect of the penalty.
      It is important that a compulsion must execute such an incentive that the burden is met.
64. If the UWV does not end the detected violation within the beneficiary period, it forfeits the
      The AP fixes the amount of this penalty sum at € 150,000 for each month that the
      load has not been (fully) carried out up to a maximum of € 900,000.
      height of these amounts in reasonable proportion to the gravity of the violation by the violation
      importance - the protection of special personal data and of the personal sphere of life
      those involved –and they are also sufficiently high to end your moving violation.
      This includes the AP cost that is associated with the implementation of Recognition, as well as the
      structurally additional costs per year.
65. The APRequestheUWSimplybefore1October2018the re-performed risk analysisin whichtheUWV
      to the employer portal, to send a reliability level award.
      that the AP is authorized to conduct a study, including an on-site study, if it does
      useful.
                                                                                              11/12 Date Our reference
July 31, 2018 z2018-02009
   
   
65. The Dutch DPA requests the UWV in good time before 1 October 2018 for a new risk analysis in which the UWV
assigns a confidence level to the employer portal. This remains unaffected
that the AP is authorized to initiate an investigation, including an on-site investigation, if it does so
useful.
   
   
  Operative part
  Operative part
   
   
   
  The AP submits an order to the UWV for a violation of Article 32, first paragraph, of the GDPR
TheA imposes a charge on the UWV, for violation of Article 32, first paragraph, of the GDPR.
  penalty with the following content:
  penalty with the following content:
  - The UWV must grant access to the employer portal of a
  -TheUWVshould provide access to the employer's portal by 31 October 2019 at the latest.
  provide an appropriate security level, whereby logging in is only possible from that moment on via a
  Appropriate security level provided, whereby logging in from that moment is only possible by means of a
  appropriate form of multi-factor authentication. Prior to this, the UWV serves the requirement
  confidence level by performing a risk analysis based on version 4
  appropriate form of multi-factor authentication.
  confidence level to redetermine by performing a risk analysis using version 4
  of the Guide.
  of the Guide.
-The UWV forfeits a penalty of € 150,000 at the end of this period (in words:
   
   
  one hundred and fifty thousand euros) for each month that the burden has not been (fully) carried out u p t o a maximum
-The UWV forfeits a penalty of € 150,000 after expiry of this term (in words:
  one hundred and fifty thousand euros) for each month that the load is not (fully) carried out to a maximum
  of € 900,000 (in words: nine hundred thousand euros).
  of € 900,000 (in words: nine hundred thousand euros).
  The Dutch Data Protection Authority,
  The Authority Personal data,
  On their behalf,
  On their behalf,
   
  signed
Signed
   
   
   
   

Revision as of 10:19, 3 April 2021

AP - Employee Insurance Agency (UWV)
Authority: AP (The Netherlands)
Jurisdiction: Netherlands
Relevant Law: Article 32 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 31.07.2018
Published:
Fine: n/a
Parties: n/a
National Case Number/Name: Employee Insurance Agency (UWV)
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Dutch
Original Source: AP (in NL)
Initial Contributor: GDPR MASTer Project

The Dutch employer portal UWV, handling employee health data, is fined 150,000€/month (until requirements are met) due to insufficiently secure access control to its portal.

English Summary

Facts

The Dutch employer portal UWV, handling employee health data, is investigated for its use of single-factor authentication (email address and password) to grant access to the portal.

Dispute

Is single factor authentication sufficient given the sensitive nature of data stored on the portal?

Holding

The Dutch Data Protection Authority considers the single-factor authentication insufficient given the nature of data (under article 32) and proposes multi-factor authentication as a safer alternative. The portal is fined 150,000€/month up to 900,000€ until the portal implements sufficient access control.


English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

                                                            Dutch Data Protection Authority
                                                            PO Box 93374, 2509 AJ The Hague
                                                            Bezuidenhoutseweg 30, 2594 AV The Hague
                                                            T 070 8888 500 - F 070 8888 501
                                                            autoriteitpersoonsgegevens.nl

      Registered
      UWV
      Board of Directors
      P.O. Box 58285
      1040 HG Amsterdam

      Date: July 31, 2018
      Our reference: z2018-02009
      Contact: [CONFIDENTIAL], 070 8888 500
      Topic: Order subject to a penalty



      Resume


1. On 27 March 2017, the Dutch Data Protection Authority (hereinafter: the AP), pursuant to Article 60 of the
Personal Data Protection Act (hereinafter: the Wbp), as it applied at the time, initiated an investigation into
the use of multi-factor authentication in the employer portal of the Employee Insurance Agency
(hereinafter: the UWV).

2. In the employer portal, the UWV processes, among other things, personal data relating to the health of
employees. In view of this, access to the employer portal via the internet must take place through
multi-factor authentication. The UWV currently applies one-factor authentication when granting access to
the employer portal.

3. In the report of definitive findings (hereinafter: the investigation report), the AP has established that
the UWV is thereby acting in violation of Article 13 of the Wbp, as it applied at the time, on the basis of
which, insofar as relevant here, a controller must take appropriate measures to protect personal data
against loss or any form of unlawful processing.

4. The AP bases the order subject to a penalty on the investigation report, on the viewpoint given orally by
the UWV on the AP's intention to impose an order subject to a penalty, and on the information subsequently
provided by the UWV at the request of the AP.

5. The General Data Protection Regulation (hereinafter: the GDPR) has applied since 25 May 2018. The GDPR
imposes the same obligation in Article 32(1) as applied under Article 13 of the Wbp.

6. The UWV wishes to connect to the eHerkenning system in order to apply multi-factor authentication when
granting access to the employer portal. The date on which the UWV expects that logging in to the employer
portal will only be possible by using eHerkenning has, since the first request by the AP by letter of
25 November 2015, been moved to 1 November 2019.

7. In response to the above, the AP has decided, on the basis of Article 16(1) of the GDPR Implementation
Act (hereinafter: the UAVG) in conjunction with Article 5:32(1) of the General Administrative Law Act
(hereinafter: the Awb), to impose an order subject to a penalty. With the order subject to a penalty, the AP
aims to ensure that the established violation is brought to an end.


8. The order is that, by 31 October 2019 at the latest, the UWV must provide the granting of access to the
employer portal with an appropriate security level, whereby logging in to the portal is only possible by means
of an appropriate form of multi-factor authentication. Part of that order is that the UWV determines the
required confidence level by performing a risk analysis based on the most recent version of the Guide
'Reliability levels for digital services, a guide for government organizations' (version 4).

9. In case of non-compliance with the order after expiry of the grace period, the UWV will forfeit a penalty
of EUR 150,000 for each month that the order is not (fully) executed, up to a maximum of EUR 900,000.


      Course of procedure

10. On 29 August 2017, the AP adopted the investigation report and sent it to the UWV. The public version of
the report was published on the AP's website on 14 November 2017.

11. By letter of 15 August 2017, the AP, following the investigation at the UWV, asked a few further questions
about the size of the employer portal.

12. By letter of 30 August 2017, the UWV responded to the questions asked by the AP by letter of 15 August 2017.

13. By letter dated 11 September 2017, the UWV responded to the investigation report. The UWV states, among
other things, that it acknowledges that the security level does not meet the requirements of Article 13 of
the Wbp and that it wants to remedy this by implementing eHerkenning level substantial.

14. By letter of 9 November 2017, the UWV informed the AP about the progress of the implementation of
eHerkenning.

15. By letter dated 14 December 2017, the AP informed the UWV of its intention to impose an order subject to a
penalty and gave the UWV the opportunity to present its viewpoint orally or in writing. The UWV was invited
to a hearing.

16. The hearing took place on 6 February 2018. A report was made of the hearing, which is attached to this
Decision as Annex 1.

17. Following what was discussed during the hearing, the UWV by letter of 28 February 2018 provided additional
information and further documents, including the eHerkenning project plan.

18. In response to the information received by letter of 28 February 2018, the AP sent the UWV a letter dated
15 March 2018.

19. By letter of 3 April 2018, the UWV responded to the AP's questions of 15 March 2018 and thereby submitted
the 'risk analysis absenteeism report' (hereinafter: the risk analysis).

20. In response to the information received by letter of 3 April 2018, the AP sent the UWV a letter dated
14 May 2018.

21. By letter of 25 May 2018, the UWV responded to the AP's questions of 14 May 2018.

      Investigation report

22. In the investigation report, the AP found that the UWV processes personal data concerning health in the
employer portal. Access to the employer portal is obtained by entering an email address and password. This
is a form of one-factor authentication.

23. It follows from Article 13 of the Wbp, now Article 32(1) of the GDPR, that a controller must take
appropriate measures to protect personal data against loss or any form of unlawful processing. The term
'appropriate' also indicates proportionality between the security measures and the nature of the data to be
protected. Given the sensitivity of the personal data processed in the UWV employer portal, namely data
about the health of employees, access to the portal via the internet should, given the state of the art,
take place through at least multi-factor authentication.

24. The UWV has indicated that it has taken measures to prevent unauthorized access to the employer portal,
such as annual penetration and security tests and continuous logging and monitoring of usage. With regard to
authentication, these measures are not appropriate, because they cannot provide an adequate level of
protection for gaining access to the application. Because the UWV does not apply multi-factor
authentication, nor has it taken appropriate measures in any other way with regard to access to the data in
the employer portal, the UWV is acting in violation of Article 13 of the Wbp, as it applied at the time.

      Legal framework

25. The relevant legal framework is included as Annex 2 to this Decision.


      GDPR

26. In the investigation report, the AP found a violation of the standard in Article 13 of the Wbp. As of
25 May 2018, the GDPR and the UAVG apply and the Wbp has been repealed.

27. In assessing whether there is also a violation of the standard under the GDPR, it is important that the
standard does not materially change under the GDPR compared to the standard under the Wbp. The standard
from Article 13 of the Wbp is now laid down in Article 32(1) and (2) of the GDPR. The latter article states
that the controller, taking into account the state of the art, the costs of implementation and the nature,
scope, context and purposes of the processing, as well as the risks of varying likelihood and severity for
the rights and freedoms of natural persons, must take appropriate technical and organizational measures to
ensure a level of security appropriate to the risk. This obligation is materially in line with the
obligation under Article 13 of the Wbp.

28. This means that, given that the facts examined and the relevant circumstances have not changed since the
investigation report was drawn up, there has been a violation of Article 32(1) of the GDPR as of
25 May 2018.


      Viewpoint

29. In response to the AP's intention to impose an order subject to a penalty, the UWV expressed its viewpoint
orally during the hearing on 6 February 2018. In summary, the UWV's viewpoint boils down to the UWV
acknowledging that the security of the employer portal does not comply with the requirements arising from
Article 13 of the Wbp and currently Article 32(1) of the GDPR, because the UWV does not apply multi-factor
authentication when granting access to the portal.

30. In April 2017, the UWV decided to start the implementation of eHerkenning level 3, Substantial, in which
multi-factor authentication is applied and with which the violation of Article 13 of the Wbp, and now
Article 32(1) of the GDPR, will be ended. In determining the confidence level, the UWV has taken into
account the fact that the employer portal only processes health data related to reporting sick or to the
fact that someone is pregnant. The nature of the illness is not processed.

31. The UWV has put forward that it has investigated other solutions, but sees the connection to eHerkenning
as the only real possibility to achieve multi-factor authentication. With the advent of the Digital
Government Act (hereinafter: the Wdo), it is the intention that all government parties make use of the means
provided for in this Act.

32. In implementing eHerkenning, the UWV is partly dependent on third parties and is running into a number of
problems, which means that the implementation is taking longer than the UWV had hoped.

      Review

      Assessment framework

33. In the investigation report, the AP established that the UWV processes personal data in the employer
portal, including special personal data. This includes name and address data (NAW data), citizen service
number, financial data and data on disability, dismissal and childbirth. Employers can log in to the portal
via the internet by entering an email address and password. This is a form of one-factor authentication.¹
From the documents and from what was discussed at the hearing, it appeared that this situation has not
changed at present.

34. Article 32(1) of the GDPR stipulates that the controller must take appropriate technical and
organizational measures to protect personal data against loss or unlawful processing. Taking into account
the state of the art and the costs of implementation, these measures must guarantee an appropriate level of
security given the risks posed by the processing and the nature of the data to be protected.

35. This means that the controller, in this case the UWV, must translate the risks for the data subjects whose
personal data are processed into the reliability requirements that the service offered (the employer portal)
must comply with, and into what is regarded within the field of information security as the most recent and
representative implementation thereof.

36. In determining the risk to the data subject, the nature of the personal data and the nature of the
processing matter: these factors determine the potential harm to the individual data subject in the event
of, for example, loss, modification or unlawful processing of the data. In making the translation to the
reliability level of the employer portal, the UWV can use the Guide 'Reliability levels for digital
services, a guide for government organizations, version 4' of the Standardization Forum (hereinafter: the
Guide).

37. Although the use of this Guide is not mandatory, it offers government organizations an assessment
framework for determining reliability levels for digital services, which can be assumed to reflect the most
recent insights and requirements in this respect. Once the applicable confidence level has been determined,
security standards then provide guidance in taking appropriate measures.²

38. The AP has investigated whether the UWV has taken appropriate measures with regard to authentication when
logging in to the employer portal. In its investigation, the AP has focused solely on the nature of the
personal data to be protected, which translates into a minimum security level. The assessment in this
decision is therefore based solely on the nature of the personal data to be protected. It is not excluded
that factors other than the nature of the personal data require a higher level of security. However, as set
out hereafter, the AP cannot assess all relevant factors included in version 4 of the Guide for or in place
of the UWV. It is up to the UWV to include these factors in a risk analysis in order to determine the
correct security level.³

       1 Authentication is the process of verifying whether a user who wants to log in to an application or system
       is actually who he or she claims to be.


      Information about a person's health

39. Article 4(15) of the GDPR gives the following definition: 'data concerning health means personal data
related to the physical or mental health of a natural person, including the provision of health care
services, which reveal information about his or her health status'. Under the GDPR, too, the term 'health
data' is to be interpreted broadly: it does not just include the data that a doctor records during a medical
examination or medical treatment, but all data that concern a person's mental or physical health. For
example, the mere fact that someone has reported sick is a datum about health, even though it says nothing
about the nature of the condition.⁴ The following data are processed in the employer portal: the date of
commencement of sick leave, the date of termination of sick leave, sickness as a result of pregnancy,
childbirth or organ donation, the date of childbirth and the date of commencement of maternity leave.

40. In view of the nature of the personal data, the employer portal therefore contains data concerning a
person's health, which are considered a special category of personal data as referred to in Article 9(1) of
the GDPR.

      Increased risk


41. The AP has elaborated the requirements regarding security in the Guidelines for the Security of Personal
Data. The AP indicates that for certain categories of personal data the consequences of loss or unlawful
processing can be serious. These are data with an increased or high risk. These categories in any case
include special personal data.


       2 See also CBP Guidelines, Security of personal data, February 2013.
       3 See, with regard to the UWV's risk analysis, margin number 54 and further of this decision.
       4 Parliamentary Papers II 1997/98, 25892, no. 3, p. 102.

42. In addition, the AP uses version 4 of the Guide.⁵ This Guide gives substance to the assurance levels based
on the eIDAS regulation on electronic identification and trust services,⁶ which came into effect on
1 July 2016 (hereinafter: the eIDAS regulation). The eIDAS regulation distinguishes three assurance levels
for authentication means: low, substantial and high. The Guide offers a classification model with which a
simplified risk analysis of the digital service can be made. The main criterion here is the nature of the
personal data to be protected. Four classes of personal data are distinguished: class 0, I (basic), II
(increased risk) and III (high risk), where data with an increased risk also require a higher security level.

43. The AP has established that the data processed in the employer portal are so-called class II personal data
in accordance with the Guide, because they concern special personal data. Class II data carry an increased
risk.⁷ A high risk, as with so-called class III data, is out of the question given the nature of the data
processed in the portal.

      Multi-factor authentication

44. According to the Guide, a minimum reliability level of 'substantial' applies to the processing of class II
data.⁸ The Guide also offers a framework for answering the question which measures are appropriate measures
as referred to in Article 32(1) of the GDPR at this reliability level: for both reliability level
'substantial' and reliability level 'high', multi-factor authentication is required as the type of
authenticator.⁹

45. The requirement of multi-factor authentication when granting access to a system in which health data are
processed is additionally endorsed by security standards such as NEN 7510, which provides guidance for the
application of the ISO/IEC 27002 information security code in healthcare: 'Health information systems that
process personal health information must establish the identity of users, and this should be done by means
of authentication involving at least two factors.'¹⁰

       5 A guide for government organizations: Reliability levels for digital services, version 4, Forum for
       Standardization.
       6 Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic
       identification and trust services for electronic transactions in the internal market.
       7 A guide for government organizations, version 4, Forum for Standardization, p. 33.
       8 A guide for government organizations, version 4, Forum for Standardization, p. 29.
       based on all the criteria mentioned in version 4 of the Guide, results in a confidence level 'high' instead of
       'substantial'. The UWV will have to make this assessment itself; see also margin number 54 and further.
       9 A guide for government organizations, version 4, Forum for Standardization, p. 24-25.
       Implementing Regulation (EU) 2015/1502 of the European Commission setting out minimum technical
       specifications and procedures for assurance levels for electronic identification means pursuant to
       Article 8(3) of Regulation (EU) No 910/2014, on which the Guide is based.


46. An appropriate measure as referred to in Article 32(1) of the GDPR when granting access to the employer
portal is therefore the use of multi-factor authentication. Now that access to the portal takes place through
a form of one-factor authentication, the UWV is acting in violation of Article 32(1) of the GDPR. The UWV has
also acknowledged this.

      Offender

47. The UWV can be regarded as the offender, because it is the controller within the meaning of the GDPR. The
UWV determines the purposes of and the means for the processing of personal data: the employer portal is a
service of the UWV and is made available by the UWV to employers, whereby the purposes of the data
processing are determined by the UWV. The UWV also has the power to end the violation.

      The solution from the UWV: eRecognition

48. Already by letter of 25 January 2016, the UWV acknowledged the violation of Article 32, first paragraph, of
the Wbp. The UWV indicated its intention to connect the employer portal to eHerkenning, which provides for
the use of multi-factor authentication when granting access to the employer portal.

49. eHerkenning is a system that offers companies electronic access to government services. Entrepreneurs or
employees of an organization can log in safely and easily at various organizations with one login means.
Government organizations do not need to develop their own authentication system, but can connect to the
system. The development of eHerkenning is a public-private partnership directed by the Ministries of
Economic Affairs and Climate Policy and of the Interior and Kingdom Relations. eHerkenning has five
different confidence levels. These confidence levels are aligned with the three assurance levels
distinguished by the eIDAS regulation and with the requirements that Regulation imposes on the means. The
government organization itself determines the confidence level that is applied.

50. The UWV has indicated that its implementation of eHerkenning should be considered in the light of the Wdo,
which is currently in preparation. The Wdo aims to enable Dutch citizens and companies to log in safely and
reliably with the (semi-)government. The Netherlands thereby implements the EU directive on the
accessibility of government websites and apps.¹¹ In anticipation of the Wdo, the government has developed
eHerkenning. In time, the UWV will be obliged to connect to eHerkenning.

51. The UWV has indicated that it sees the implementation of eHerkenning as the only realistic solution. The
UWV has investigated possible workarounds, of which multi-factor authentication with SMS as the second
factor was the most viable and safe alternative. However, the technical implementation of this would take
just as long as the implementation of eHerkenning and would furthermore delay the implementation of
eHerkenning, because it would have to be performed by the same team. Besides, it would not be efficient and
proportionate to go through two far-reaching implementation processes in quick succession: this leads to
additional administrative burdens for employers and to inefficient use of public resources.

      Time course / planning

52. The UWV has indicated that it had already been working on connecting to eHerkenning in 2015. For the UWV,
however, the availability of the RSIN (Legal Entities and Partnerships Information Number) and of the BSN
for sole proprietorships in the eHerkenning system is necessary, because without these numbers the UWV
cannot link eHerkenning to its systems. For this extension of the system the UWV is dependent on third
parties, and it has made this extension a condition for the switch to eHerkenning. In April 2017, the UWV
decided to proceed with the implementation of eHerkenning, because at that moment there was a prospect of
linking the RSIN to eHerkenning (87.7% of the users of the employer portal are identified with an RSIN).
In its viewpoint of 21 June 2017, the UWV indicated that it expected to have realized the connection to
eHerkenning in May 2018. The UWV would complete the preliminary investigation in November 2017. In
February 2018, the UWV adopted the eHerkenning employer portal project plan and forwarded it to the AP at
the AP's request.

53. According to this project plan, the UWV is heading for an implementation date of 1 November 2018, followed
by a one-year rollout period during which the users of the portal can switch. At the hearing the UWV
indicated that it now expects implementation in the fourth quarter of 2018. The BSN is also expected to be
added to the system in the second half of 2018. For this group the same implementation date with rollout
period applies. There is also a group of users (0.7%) who cannot use eHerkenning and for whom no solution is
available yet. The UWV has indicated that if no solution is found, this group will no longer be able to use
the employer portal as of 1 November 2019.

      Confidence level; application Guide version 4

54. In 2015, on the basis of the then available version 3 of the Guide of the Standardization Forum,¹² the UWV
performed a risk analysis. This version of the Guide is based on the European STORK framework. This risk
analysis showed that level STORK 3 is appropriate. The UWV sent this risk analysis to the AP on request by
letter dated 3 April 2018.

55. Version 4 of the Guide was published in November 2016. This version is no longer based on the STORK
framework but, as shown earlier, on the eIDAS regulation. However, the UWV saw no reason in this to
reconsider the 2015 risk analysis on the basis of the latest version of the Guide. In its letter of
25 May 2018, the UWV states that in the 2015 risk analysis the UWV 'has included the eIDAS system as proposed
legislation. The new version of the Guide has therefore not given rise to carrying out a new risk analysis'.

56. According to the eHerkenning employer portal project plan, the UWV has opted to connect to eHerkenning
level 3. This corresponds to eIDAS level substantial.

57. The AP has established that the UWV's 2015 risk analysis is based on version 3 of the Guide. The standard
in Article 32(1) of the GDPR, and previously Article 13 of the Wbp, prescribes that the controller must take
appropriate technical and organizational measures in order to ensure an appropriate level of security,
taking into account, inter alia, the state of the art. This implies, among other things, that a risk
assessment that has already been carried out must be updated from time to time according to the standards
in force at that time. It would therefore have been up to the UWV to re-perform the risk analysis already
carried out in 2015 on the basis of the most recent version of the Guide. Failure to do so creates the risk
that, at the end of the implementation period of, in this case, eHerkenning, there may no longer be an
appropriate security level.

58. Although reliability level STORK 3 from version 3 of the Guide appears to correspond with eIDAS assurance
level substantial from version 4 of the Guide, the two versions of the Guide use different assessment
frameworks. Testing against version 4 of the Guide may therefore lead to the outcome that a higher assurance
level must be assumed than the UWV has done so far on the basis of version 3 of the Guide. Ultimately, this
determines the choice of the measures to be taken to guarantee an appropriate level of security. The AP
cannot assess all relevant factors from the Guide for or in place of the UWV.

     Order subject to penalty and grace period

59. It follows from Article 16(1) of the UAVG, in conjunction with Article 5:32(1) of the Awb, that the AP is
authorized to impose an order subject to a penalty in the event of a violation of Article 32(1) of the GDPR.
Pursuant to Article 5:2(1)(b) of the Awb, the order may be aimed at ending the violation found and at
preventing its recurrence.

60. The AP orders the Employee Insurance Agency (UWV) to end the violation of Article 32(1) of the GDPR. This
means that within the grace period the UWV must take measures to ensure an appropriate level of security
with regard to the granting of access to the employer portal, where logging in is only possible through an
appropriate form of multi-factor authentication (for example by using eHerkenning). Because the UWV used an
outdated version of the Guide in determining the confidence level for the employer portal, the UWV must
reassess the assurance level by performing a risk analysis on the basis of version 4 of the Guide.

61. Article 5:32a(2) of the Awb stipulates that a grace period is set 'during which the offender can execute
the order without a penalty being forfeited'. The period during which an order can be executed without a
penalty being forfeited should be as short as possible. The period must be long enough to be able to carry
out the order.

62. In view of the foregoing, the AP decides that the UWV must comply by 31 October 2019 at the latest. In
determining the grace period, the AP has taken into account the UWV's planning with regard to the
implementation of eHerkenning and the rollout period mentioned therein of one year after implementation on
1 November 2018.

63. Article 5:32b(3) of the Awb prescribes that the penalty amounts must be in reasonable proportion to the
gravity of the interest violated and to the intended effect of the penalty. The latter means that a penalty
payment must provide such an incentive that the order is complied with.

64. If the UWV does not end the established violation within the grace period, it forfeits a penalty. The AP
has set the amount of this penalty at € 150,000 for each month that the order has not been carried out (in
full), up to a maximum of € 900,000. In the opinion of the AP, these amounts are in reasonable proportion to
the gravity of the interest violated - the protection of special personal data and of the privacy of the
data subjects - and are sufficiently high to induce the UWV to end the violation. The AP takes into account
the costs associated with the implementation of eHerkenning, as well as the structural additional costs per
year.

65. The AP requests the UWV to submit, in good time before 1 October 2018, a new risk analysis in which the UWV
assigns a confidence level to the employer portal. This does not affect the AP's authority to initiate an
investigation, including an on-site investigation, if it considers this useful.

      Operative part

The AP imposes on the UWV, for a violation of Article 32(1) of the GDPR, an order subject to a penalty with
the following content:
- The UWV must, by 31 October 2019 at the latest, provide the granting of access to the employer portal with
  an appropriate security level, whereby logging in is only possible from that moment on via an appropriate
  form of multi-factor authentication. Prior to this, the UWV must determine the required confidence level by
  performing a risk analysis based on version 4 of the Guide.
- At the end of this period, the UWV forfeits a penalty of € 150,000 (in words: one hundred and fifty thousand
  euros) for each month that the order has not been (fully) carried out, up to a maximum of € 900,000 (in
  words: nine hundred thousand euros).

The Dutch Data Protection Authority,
on its behalf,
signed

Mr. A. Wolfsen
Chairman

If you do not agree with this decision, you can submit an objection within six weeks after the decision was
sent to the Autoriteit Persoonsgegevens, PO Box 93374, 2509 AJ Den Haag, stating 'Awb objection' on the
envelope.