AP (The Netherlands) - z2018-02009: Difference between revisions

From GDPRhub

The UWV's employer portal, which handles employee health data, was investigated by the Dutch DPA for using single-factor authentication (email address and password) to grant access to the portal. The Dutch DPA considers this insufficient given the nature of the data (Article 32 GDPR) and proposes multi-factor authentication as a safer alternative. It imposed an order subject to a penalty of €150,000 per month (until the requirements are met) on the UWV due to insufficiently secure access control to its portal.


==English Summary==

===Facts===
The UWV's employer portal, which handles employee health data, was investigated for using single-factor authentication (email address and password) to grant access to the portal.

===Dispute===
Is single-factor authentication sufficient given the sensitive nature of the data stored on the portal?

===Holding===
The Dutch Data Protection Authority considers single-factor authentication insufficient given the nature of the data (Article 32 GDPR) and proposes multi-factor authentication as a safer alternative. The UWV is subject to a penalty of €150,000 per month, up to a maximum of €900,000, until the portal implements sufficient access control.

==Comment==

==English Machine Translation of the Decision==
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

<pre>
Dutch Data Protection Authority
Bezuidenhoutseweg 30, 2594 AV The Hague
P.O. Box 93374, 2509 AJ The Hague
T 070 8888 500 - F 070 8888 501
autoriteitpersoonsgegevens.nl

Registered
UWV
Board of Directors
P.O. Box 58285
1040 HG Amsterdam

Date: July 31, 2018
Our reference: z2018-02009
Contact: [CONFIDENTIAL], 070 8888 500
Subject: Order subject to a penalty

Summary

 
1. The Dutch Data Protection Authority (hereinafter: the AP) initiated on 27 March 2017, pursuant to Article 60 of the Personal Data Protection Act (hereinafter: the Wbp), as it applied at the time, an investigation into the use of multi-factor authentication in the employer portal of the Employee Insurance Agency (hereinafter: the UWV).

2. In the employer portal, the UWV processes, among other things, personal data relating to the health of employees. In view of this, access to the employer portal via the internet must take place through multi-factor authentication. The UWV currently applies one-factor authentication when granting access to the employer portal.

3. In the report of definitive findings (hereinafter: the investigation report), the AP has established that the UWV is thereby acting in violation of Article 13 of the Wbp, as it applied at the time, on the basis of which, insofar as relevant here, a controller must take appropriate measures to protect personal data against loss or any form of unlawful processing.

4. The AP bases the decision imposing the order subject to a penalty on the investigation report, the view given orally by the UWV on the AP's intention to impose an order subject to a penalty, and the information subsequently provided by the UWV at the request of the AP.

5. On 25 May 2018 the General Data Protection Regulation (hereinafter: the GDPR) became applicable. The GDPR lays down in Article 32, first paragraph, the same obligation as applied under Article 13 of the Wbp. As the violation continues, the UWV is in breach of Article 32, first paragraph, of the GDPR.

6. The UWV wishes to connect to the eHerkenning system in order to apply multi-factor authentication in this way when granting access to the employer portal. The date on which the UWV expects that logging in to the employer portal will only be possible by using eHerkenning has, since the first request by the AP by letter of 25 November 2015, meanwhile been moved to 1 November 2019.

7. In response to the above, the AP has decided, on the basis of Article 16, first paragraph, of the General Data Protection Regulation Implementation Act (hereinafter: the UAVG) in conjunction with Article 5:32, first paragraph, of the General Administrative Law Act (hereinafter: the Awb), to impose an order subject to a penalty. With the order subject to a penalty, the AP aims to ensure that the established violation is brought to an end.

8. By 31 October 2019 at the latest, access to the employer portal must be granted at an appropriate security level, whereby logging in to the portal is only possible by means of an appropriate form of multi-factor authentication. Part of that order is that the UWV must re-determine the required confidence level by performing a risk analysis based on the most recent version of the Guide 'Reliability levels for digital services, a guide for government organizations' (version 4).

9. In case of non-compliance with the order after expiry of the grace period, the UWV will forfeit a penalty of EUR 150,000 for each month that the order is not (fully) executed, up to a maximum of EUR 900,000.

Course of procedure

10. On 29 August 2017, the AP adopted the investigation report and sent it to the UWV. The public version of the report was published on the AP's website on 14 November 2017.

11. By letter of 15 August 2017, the AP asked the UWV some further questions arising from the investigation about the size of the employer portal.

12. By letter of 30 August 2017, the UWV responded to the questions the AP had put in its letter of 15 August 2017.

13. By letter of 11 September 2017, the UWV responded to the investigation report. The UWV states, among other things, that it acknowledges that the security level does not meet the requirements of Article 13 of the Wbp and that it wants to remedy this by implementing eHerkenning at level substantial.

14. By letter of 9 November 2017, the UWV informed the AP about the progress of the implementation of eHerkenning.

15. By letter of 14 December 2017, the AP informed the UWV of its intention to impose an order subject to a penalty and gave the UWV the opportunity to present its views orally or in writing. The UWV was invited to a hearing.

16. The hearing took place on 6 February 2018. A report was made of the hearing, which is attached to this decision as Annex 1.

17. Following what was discussed during the hearing, the UWV provided additional information and further documents by letter of 28 February 2018, including the project plan for eHerkenning.

18. Following the information received by letter of 28 February 2018, the AP put questions to the UWV by letter of 15 March 2018.

19. By letter of 3 April 2018, the UWV responded to the questions of the AP of 15 March 2018 and submitted the 'risk analysis absenteeism report' (hereinafter: the risk analysis).

20. Following the information received by letter of 3 April 2018, the AP put questions to the UWV by letter of 14 May 2018.

21. By letter of 25 May 2018, the UWV responded to the questions of the AP of 14 May 2018.

Investigation report

22. In the investigation report, the AP found that the UWV processes personal data about health in the employer portal. Access to the employer portal is obtained by entering an email address and password. This is a form of one-factor authentication.

23. It follows from Article 13 of the Wbp - now Article 32, first paragraph, of the GDPR - that a controller must take appropriate measures to protect personal data against loss or any form of unlawful processing. The term 'appropriate' also indicates proportionality between the security measures and the nature of the data to be protected. Given the sensitivity of the personal data processed in the UWV employer portal, namely data about the health of employees, access to the portal via the internet should, given the state of the art, take place through at least multi-factor authentication.

24. The UWV has indicated that it has taken measures to prevent unauthorized access to the employer portal, such as annual penetration and security tests and continuous logging and monitoring of usage. With regard to authentication, these measures are not appropriate because they cannot provide an adequate level of protection for gaining access to the application. Because the UWV does not apply multi-factor authentication, nor has it taken appropriate measures in any other way with regard to access to the data in the employer portal, the UWV is acting in violation of Article 13 of the Wbp, as it applied at the time.

Legal framework

25. The relevant legal framework is included as Annex 2 to this decision.

GDPR

26. In the investigation report, the AP found a violation of the standard of Article 13 of the Wbp. As of 25 May 2018, the GDPR and the UAVG apply and the Wbp has been repealed.

27. When assessing whether there is also a violation of the standard under the GDPR, it is relevant that the standard does not materially change under the GDPR compared to the standard under the Wbp. The standard of Article 13 of the Wbp is now laid down in Article 32, first and second paragraphs, of the GDPR. The latter article states that the controller, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, must implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. This obligation is materially in line with the obligation under Article 13 of the Wbp.

28. This means that, given that the facts under investigation and the relevant circumstances have not changed since the investigation report was drawn up, there has been a violation of Article 32, first paragraph, of the GDPR as of 25 May 2018.

Viewpoint

29. In response to the AP's intention to impose an order subject to a penalty, the UWV expressed its view orally during the hearing on 6 February 2018. In summary, that view comes down to the UWV acknowledging that the security of the employer portal does not meet the requirements arising from Article 13 of the Wbp and currently Article 32, first paragraph, of the GDPR, because the UWV does not apply multi-factor authentication when granting access to the portal.

30. In April 2017, the UWV decided to start implementing eHerkenning at level 3 / Substantial, where multi-factor authentication is applied and the violation of Article 13 of the Wbp, now Article 32, first paragraph, of the GDPR, will thus be ended. In determining the confidence level, the UWV has taken into account the fact that the employer portal only processes health data relating to reporting sick or the fact that someone is pregnant. The nature of the sick report is not processed.

31. The UWV has put forward that it has investigated other solutions, but sees connecting to eHerkenning as the only real possibility to achieve multi-factor authentication. With the advent of the Digital Government Act (hereinafter: the Wdo), it is the intention that all government parties make use of the means provided for in this Act.

32. In the implementation of eHerkenning, the UWV is partly dependent on third parties, and the UWV runs into a number of problems, which means that implementation is taking longer than the UWV had hoped.

Assessment

Assessment framework

33. In the investigation report, the AP established that the UWV processes personal data, including special personal data, in the employer portal. This includes NAW data (name, address and place of residence), citizen service number, financial data and data on disability, dismissal and childbirth. Employers can log in to the portal via the internet by entering an email address and password. This is a form of one-factor authentication. [1] From the documents and what was discussed at the hearing, it appears that this situation has not changed to date.

34. Article 32, first paragraph, of the GDPR stipulates that the controller must take appropriate technical and organizational measures to protect personal data against loss or unlawful processing. These measures guarantee, taking into account the state of the art and the costs of implementation, an appropriate level of security given the risks posed by the processing and the nature of the data to be protected.

35. This means that the controller, in this case the UWV, must translate the risks for the data subjects whose personal data are processed into the reliability requirements that the service offered (the employer portal) must meet, and into what is seen within the field of information security as the most recent and representative implementation thereof.

36. In determining the risk to the data subject, the nature of the personal data and the nature of the processing are relevant, among other things: these factors determine the potential harm to the individual data subject in the event of, for example, loss, modification or unlawful processing of the data. In making the translation into the reliability level of the employer portal, the UWV can make use of the Guide 'Reliability levels for digital services, a guide for government organizations, version 4' of the Standardisation Forum (hereinafter: the Guide).

37. Although the use of this Guide is not mandatory, it offers government organizations an assessment framework for determining reliability levels for digital services, which can be assumed to reflect the most recent insights and requirements in this respect. Security standards then, once the applicable confidence level has been determined, provide guidance in taking appropriate measures. [2]

38. The AP has investigated whether the UWV has taken appropriate measures with regard to authentication when logging in to the employer portal. In its investigation, the AP has focused only on the nature of the personal data to be protected, which translates into a minimum security level to be applied. The assessment in this decision is therefore based solely on the nature of the personal data to be protected. It is not excluded that factors other than the nature of the personal data require a higher level of security. However, the AP cannot, as set out below, assess all relevant factors included in version 4 of the Guide before or in place of the UWV. It is up to the UWV to include these factors in a risk analysis in order to determine the correct security level. [3]

Information about a person's health

39. Article 4(15) of the GDPR gives the following definition: 'health data are personal data related to the physical or mental state of a natural person, including data about health care services provided, which reveal information about his health status'. The term 'health data', which remains unchanged under the GDPR, should be interpreted broadly: it does not only include the data that a doctor records in a medical examination or medical treatment, but all data concerning a person's mental or physical health. For example, the mere fact that someone has reported sick is data about health, even though it says nothing about the nature of the condition. [4] The following data are processed in the employer portal: the date of commencement of sick leave, the date of termination of sick leave, sickness as a result of pregnancy, childbirth or organ donation, the date of childbirth and the date of commencement of maternity leave.

40. In view of the nature of the personal data, the employer portal therefore contains data concerning a person's health, which is considered a special category of personal data as referred to in Article 9, first paragraph, of the GDPR.

Increased risk

41. The AP has elaborated the requirements regarding security in the Guidelines for the Security of Personal Data. The AP indicates that for certain categories of personal data the consequences of loss or unlawful processing can be serious. These are data with an increased or high risk. These categories in any case include special personal data.

42. In addition, the AP uses version 4 of the Guide. [5] This Guide gives substance to the assurance levels based on the eIDAS Regulation on electronic identification and trust services [6], which came into effect on 1 July 2016 (hereinafter: the eIDAS Regulation). The eIDAS Regulation distinguishes three assurance levels for authentication means: low, substantial and high. The Guide offers a classification model with which a simplified risk analysis of the digital service can be made. The main criterion here is the nature of the personal data to be protected. Four classes of personal data are distinguished: class 0, I (basic), II (increased risk) and III (high risk), where data with an increased risk also require a higher security level.

43. The AP has established that the data processed in the employer portal are, according to the Guide, so-called class II personal data because they concern special personal data. Class II data carries an increased risk. [7] A high risk, as with so-called class III data, is out of the question given the nature of the data processed in the portal.

Multi-factor authentication

44. According to the Guide, a minimum reliability level of 'substantial' applies to the processing of class II data. [8] The Guide also offers a framework when answering the question which measures, with regard to this reliability level, are appropriate as referred to in Article 32, first paragraph, of the GDPR: for both reliability level 'substantial' and reliability level 'high', multi-factor authentication is required as the type of authenticator. [9]

45. The requirement of multi-factor authentication when granting access to a system in which health data are processed is additionally endorsed by security standards such as NEN 7510, which provides instructions for the application of the ISO/IEC 27002 code of practice for information security in health care: 'Health information systems that process personal health information shall authenticate the identity of users, and this should be done through authentication involving at least two factors.' [10]

46. As an appropriate measure as referred to in Article 32, first paragraph, of the GDPR, multi-factor authentication must therefore be used when granting access to the employer portal. Now that access to the portal takes place through a form of one-factor authentication, the UWV is acting in violation of Article 32, first paragraph, of the GDPR. The UWV has also acknowledged this.

Offender

47. The UWV can be regarded as the offender, because it is the controller within the meaning of the GDPR. The UWV determines the purpose of and the means for the processing of personal data: the employer portal is a service of the UWV and is made available by the UWV to employers, whereby the purposes of the data processing are determined by the UWV. The UWV also has the power to end the violation.

Footnotes

1 Authentication is the process of verifying whether a user who wants to log in to an application/system is actually who he/she claims to be.
2 See also CBP Guidelines, Security of personal data, February 2013.
3 See, with regard to the risk analysis of the UWV, margin number 54 et seq. of this decision.
4 Parliamentary Papers II 1997/98, 25892, No. 3, p. 102.
5 A guide for government organizations: Reliability levels for digital services, version 4, Standardisation Forum.
6 Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market.
7 A guide for government organizations, version 4, Standardisation Forum, p. 33.
8 A guide for government organizations, version 4, Standardisation Forum, p. 29. based on all the criteria mentioned in version 4 of the Guide, results in a confidence level 'high' instead of 'substantial'. The UWV will have to make this assessment itself, see also margin number 54 et seq.
9 A guide for government organizations, version 4, Standardisation Forum, p. 24-25. Implementing Regulation (EU) 2015/1502 of the European Commission laying down minimum technical specifications and procedures for assurance levels for electronic identification means pursuant to Article 8(3) of Regulation (EU) No 910/2014, on which the Guide is based.
 
37. The use of this Guide is not mandatory, but provides an assessment framework for
      The solution from the UWV: eRecognition
      government organizations for determining reliability levels for digital services
 
48. Already by letter of 25 January 2016, the UWV has declared the violation of Article 32, first paragraph, of the
      1
Wbp recognized. The UWV indicated its intention to use the employer portal
      Authenticate the process of verifying that a user who will log into an application / system is actually who
create eHerkenning, which provides for the use of multi-factor authentication in the
      he / she claims to be.
granting access to the employer portal.
 
 
49. EHerkenning is a system that offers companies electronic access to government and
 
government services. Entrepreneurs or employees of an organization can join one
                                                                                                    5/12 Date Our reference
identification oflogin means safely and easily at various organizations. Government organizations need do not develop their own authentication system themselves, but can connect to the system. The
 
development of eHerkenning is a public-private partnership directed by the
      July 31, 2018 z2018-02009
Ministries of Economic Affairs and Climate Policy and the Interior and Kingdom Relations.
 
EHerkenning has five different confidence levels. At these confidence levels
 
sought alignment with the three assurance levels distinguished by the eIDAS regulation and the
 
requirements imposed on the resources in that Regulation. The government organization itself determines it
      of which it can be accepted that it reflects in so far as most recent insights and demands.
confidence level that is applied.
      Provide security standards then, after determining the application
                                                                              2
50. The UWV has indicated that the implementation of eHerkenning by the UWV should be considered in the
      confidence level, guidance in taking appropriate measures.
light of the Wdo currently in preparation. The Wdo aims to be safe and reliable
 
can log in for Dutch citizens and companies with the (semi-) government. Deploys
38. The AP has investigated whether the UWV has taken the appropriate measures regarding authentication.
The Netherlands, the EU directive on accessibility of government websites and apps. 11 Ahead of the
      when logging into the employer's portal.
Wdo has been developed by the government eHerkenning. In time, the UWV will be obliged to connect to
 
eRecognition.
      theprotectingpersonal data, which translates to a minimum to handle
      The assessment in this decision, then, is based only on the nature of the issue
51. The UWV has indicated that it sees the implementation of eHerkenning as the only realistic solution. The UWV
 
has investigated possible workarounds, in which multi-factor authentication with SMS is the second factor
      protect personal data. Not excluded that other factors and nature of the
was the most viable and safe alternative option. However, the technical implementation of this would be just
      personal data require a higher level of security. However, the AP cannot, as in the present case
take as long as the implementation of eRecognition and would furthermore take the implementation of
 
Delay eRecognition because it must be performed by the same team. Besides, it wouldn't
      order will come, for or in the place of theUWVall –inHandReachVersion4included-relevant
be efficient and proportional to go through two far-reaching implementation processes in quick succession:
      assessing factors. It is up to the UWV to include these factors in a risk analysis and thus
this leads to additional administrative burdens for employers and the ineffective use of public resources.
      Determine the correct security level. 3
 
      Time course / planning
 
      Person's health data
52. The UWV has indicated that it had already been working on connecting to eHerkenning in 2015. In front of
 
the UWV, however, are the availability of the RSIN (Legal entities and Partnerships
39. In Article 4, section 15, of the GDPR, the following definition is given: "Health information.
Information number) and the BSN for sole proprietorships in the eHerkenning system necessary, because
 
without these numbers, the UWV cannot link eHerkenning to its systems. The UWV is for this
      hispersonal data related to the physical or mental state of a natural
extension of the system dependent on third parties and has made this extension a condition for the
      person, including data about health services provided with which information is about
switch to eHerkenning. In April 2017, the UWV decided to discontinue the implementation of eHerkenning
 
because at that moment there is prospect of linking the RSIN to eHerkenning (87.7% of the
      health status is given. Under AV, remain unchanged that concept
users of the employer portal are identified with RSIN). In its opinion of June 21, 2017
      "Health data" should be understood: it does not include only the data that a doctor
the UWV has indicated that the connection to eHerkenning is expected to be realized in May 2018
      medical research or medical treatment, but all data that the spiritual or
to have. The UWV will complete the preliminary investigation in November 2017. In February 2018, the UWV has it
 
eRecognition employer portal project plan adopted and forwarded to the AP at the request of the AP.
      physical health of a person.
      reported a given about the health, even though it does not say anything about the nature of the condition. 4
53. According to this project plan, the UWV is heading for the implementation date on November 1, 2018, followed by a
 
one year rollout period during which the users of the portal can switch. At the hearing
      In the employer portal, the following data are processed: the date entry
the UWV has indicated that it now expects implementation in the fourth quarter of 2018. To
      sick leave, the date of termination sick leave, illness due to pregnancy, childbirth or
The BSN is also expected to be added to the system in the second half of 2018. For this group
 
the same implementation date with rollout period applies. There is also a group of users (0.7%) who do not have
      organ donation, date of births and date of maternity leave.
can use eHerkenning and for which no solution is available yet. The UWV has
 
indicated that if no solution is found, this group will no longer be able to use it on I November 2019
40. In view of the nature of the personal data, the employer's portal entails half data
making the employer portal.
 
      concerning a person's health, which is considered a special category of personal data as
      Confidence level; application Guide version 4
      referred to in Article 9, first paragraph, of the AVG is noted.
 
54. In 2015, on the basis of the then available Guide to the Standardization Forum, the UWV
      Increased risk
version 3 12 perfonncd a risk analysis. This version of the guide is based on the European STOR Framework. This risk analysis showed that level STORK 3 is appropriate.
 
The UWV sent this risk analysis to the AP on request by letter dated 3 April 2018.
 
41. In the Guidelines for the security of personal data, the AP has elaborated the requirements regarding security.
                                                                                               
      The AP indicates that in certain categories of personal data, the consequences of loss or
55. Version 4 of the Guide was published in November 2016. This version no longer relies on it
 
STORK framework but, as shown earlier, on the eIDAS regulation. The UWV has this
      illegal processing can be serious.this are data with a higher or high risk.
however, saw no reason to reconsider the 2015 risk analysis
      In any case, these categories cover special personal data.
of the latest version of the Guide. In its letter of25 May 2018, the UWV states that in the
 
risk analysis of2015 UWV has included the eIDAS system as proposed legislation.
 
The new version of the Guide has therefore not given rise to a new one
      2 See also CBP Guidelines, Security of personal data, February 2013
carry out a risk analysis'.
      3 See with regard to the risk analysis of UWCrandnummer54andfurther of this decision.
      4 Chamber documents II1997 / 98, 25892, No. 3, p. 102
56. According to the eHerkenning employer portal project plan, the UWV has opted to connect to
 
eRecognition level 3. This corresponds substantially to eIDAS level.
 
 
57. The AP has established that the UWV's 2015 risk analysis is based on version 3 of the Guide.
 
The standard from Article 32, first paragraph, of the GDPR, and previously Article 13 of the Wbp, prescribes that the
                                                                                                      6/12 Date Our reference
(controller) responsible for taking appropriate technical and organizational measures
      July 31, 2018 z2018-02009
in order to ensure an appropriate level of security, taking into account, inter alia, the state of the Technic. This implies, among other things, that a risk assessment that has already been carried out from time to time must be updated according to the standards in force at that time. It had then
 
located on the way of the UWV to re-perform the risk analysis already carried out in 2015 to
 
based on the most recent version of the Guide. Failure to do so creates a risk
 
the end of the implementation period of, in this case, eHerkenning, may no longer be
                                                          5
an appropriate security level.
42. In addition, the AP uses the Guide version4.
      confidence levels based on the IDAS regulation for digital identifiers
58. Although the reliability level of Stork 3 from version 3 of the Guide appears to correspond with eIDAS
                            6
assurance level substantial from version 4 of the Guide, both versions of the
      trust services, which are in force from 1 July 2016 (hereinafter: the eIDAS regulation).
Guide to various assessment frameworks. Testing against version 4 of the Guide therefore leads to this
      The eIDAS regulation distinguishes three levels of trustworthiness of authentication tools: low,
possibly until the outcome that a higher assurance level must be assumed than the UWV
 
has done so far on the basis of version 3 of the Guide. Ultimately, this determines the
      substanceandhigh.The Guideprovidesaclassificationmodelwithinhasimplified
choice of the measures to be taken to ensure an appropriate level of security
      risk analysis of the digital service can be made.
guarantees. The AP cannot provide all relevant guidelines for or in place of the UWV
 
assess factors.
      theprotectpersonaldata.In thisfourclassespersonaldata are distinguished: class
      0, I (basic), II (increased risk) and III (high risk), where data with increased risk also has a
       Order subj ect to penalty and term of grace
 
      higher security level requirements.
59. From Article 16, first paragraph, of the UAVG, viewed in conjunction with Article 5:32, first paragraph, of the Awb, it follows
 
that the AP is authorized to impose an order subject to a penalty in the event of a violation of Article 32, first paragraph of
 
the GDPR. Pursuant to Article 5: 2, first paragraph, under b, of the Awb, the order may be aimed at terminating
43. The AP ascertains that the data processed in the employer's portal, according to the Guide
the violation found and the prevention of recurrence.
      so-called class II personal data is because it concerns special personal data
                                                    7
60. The AP orders the Employee Insurance Agency (UWV) to declare the violation of Article 32,
      class II data is an increased risk. Of a high risk, as in the so-called class III-
first paragraph of the GDPR. This means that the UWV is within the beneficiary period
      data, see the nature of the data that are processed in the portal.
must take measures to ensure an appropriate level of security with regard to the provision
 
of access to the employer portal, where logging in is only possible through an appropriate form of
 
multi-factor authentication (for example by using eHerkenning). Because the UWV in determining
      Multi-factor authentication
has made use of the confidence level for the employer portal
 
outdated version of the Guide, the UWV must revise the assurance level
44. Processing of Class II data is according to the Guide to Minimum Confidence Level
by performing a risk analysis on the basis of version 4 of the Guide.
                                    8
      "Substantial" of application. Also when answering the question about this
61. Article 5: 32a, second paragraph, of the Awb stipulates that a grace period is set 'during
      confidence levels appropriate measures are as referred to in Article 32, first paragraph, of the GDPR
which the offender can execute the order without a penalty being forfeited '. The term
 
during which an order can be executed without a penalty being forfeited should be so short
      The Guide offers a framework: both for reliability level "substantial" and
as possible. The term must be long enough to be able to carry out the burden.
      confidence level "high", if type authenticator, multi-factor authentication is required. 9
 
62. In view of the foregoing, the DPA decides that the UWV must be notified by 31 October 2019 at the latest
 
meet. The AP has taken the planning into account when determining the grace period
45. The requirement of multi-factor authentication when granting access to a system in which
of the UWV with regard to the implementation of eHerkenning and the rollout period mentioned therein
      health data is processed, in addition, it is not complied with by security standards such as
one year after implementation on November I , 2018.
 
      NEN-7510, which indicates the application of the Code for information security ISO / IEC
63. Article 5: 32b, third paragraph, of the Awb prescribes that the penalty amounts are in reasonable proportion. to the gravity of the infringed interest and to the intended effect of the penalty. The latter is
      27002 in health care:
It is important that a penalty payment must provide such an incentive that the order is complied with.
 
 
64. If the UWV does not end the established violation within the beneficiary period, it forfeits it
 
a penalty. The AP has set the amount of this penalty at € 150,000 for each month that the
 
load has not been carried out (in full) up to a maximum of€ 900,000. In the opinion of the AP, the
 
the amount of these amounts in reasonable proportion to the gravity of the violation
 
importance - the protection of special personal data and of the privacy of
 
those involved - and are they sufficiently high to induce UWV to terminate the violation. The AP takes into account the costs associated with the implementation of eHerkenning, as well as the
 
structural additional costs per year.
 
      5
      6 A guide for government organizations: Reliability levels for digital services, version 4, Forum Standardization
65. The Dutch DPA requests the UWV in good time before 1 October 2018 for a new risk analysis in which the UWV
        Regulation (EU) No 910/2014 of the European Parliamentary Council of 23 July 2014 on electronic identification and
assigns a confidence level to the employer portal. This remains unaffected
      trust services for electronic transactions in the internal market
that the AP is authorized to initiate an investigation, including an on-site investigation, if it does so
      7 A guide for government organizations, version 4, Forum for Standardization, p. 33
useful.
      8 A guide for government organizations, version 4, Forum for Standardization, p. 29.
      based on all the criteria mentioned in the Guide version 4, results in a confidence level "high" instead of "substantial".
Operative part
      You will have to make this assessment yourself, see also margin number 54 and further.
      9
The AP submits an order to the UWV for a violation of Article 32, first paragraph, of the GDPR
        A guide for government organizations, version 4, Forum for Standardization, p. 24-25.
penalty with the following content:
      Implementing Regulation 2015/1502 of the European Commission to adopt minimum technical specifications and procedures
- The UWV must grant access to the employer portal of a
      on the confidence level for electronic identifiers in accordance with Article 8 (3) of the Regulation
provide an appropriate security level, whereby logging in is only possible from that moment on via a
      (EU) No. 910/2014, on which the Guide is based.
appropriate form of multi-factor authentication. Prior to this, the UWV serves the requirement
 
confidence level by performing a risk analysis based on version 4
 
of the Guide.
 
-The UWV forfeits a penalty of € 150,000 at the end of this period (in words:
                                                                                                              7/12 Date Our reference
      July 31, 2018 z2018-02009
one hundred and fifty thousand euros) for each month that the burden has not been (fully) carried out u p t o a maximum
 
of € 900,000 (in words: nine hundred thousand euros).
 
The Dutch Data Protection Authority,
 
On their behalf,
      Health information systems that process personal health information, belonging to user identities
signed
 
      determine this should be done by means of authentication in which at least the two factors are involved
      be. "0
 
46. As appropriate the measure referred to in Article 32, first paragraph, of the AVG must be
Mr. A. Wolfsen
 
Chairman
      access to the employer's portal to use multi-factor authentication.
      Access to the portal takes place through a form of one-factor authentication, trading theUWVin
 
      contrary to Article 32, first member, of the AVG.UWV has also recognized this.
 
      Offender
 
47. Notice theUWVis as an offender, because it is the controller in the sense of the AVG.
 
      The UWV establishes the purpose of the means for the processing of personal data: the
      The employer portal is a service of the UWV and is made available by the UWV
      employers, for which purposes of data processing are determined by the UWV.
If you do not agree with this decision, you can send it within six weeks
 
a decision to submit an objection to the Personal Data Authority, PO Box 93374, 2509AJDenHaag,
      The UWV also has it in its power to end the violation.
stating “Awb objection” on the envelope.
 
      The solution from the UWV: eRecognition
 
48. By letter of January 25, 2016, the UWV has already addressed the violation of Article 32, first member, of the
 
      Wbp recognized. TheUWV indicated that they intend to be used for the employer's portal
      Make of Recognition, which feature provides for the use of multi-factor authentication in the
 
      providing access to the employer portal.
 
                                                                                      12/12
49. ERecognition is a system that companies provide electronic access to the government
      government facilities. Entrepreneurs or employees of an organization can go together
 
      login and easy identification at different organizations. Government organizations need
      do not develop their own authentication system, but can connect to the system
 
      The development of Recognition is a public-private partnership that is directed under the direction of the
      Ministries of Economic Affairs and Climate and Domestic Affairs and Kingdom Relations.
      ERecognition recognizes five different confidence levels. At these reliability levels is
 
      A connection sought to the three reliability levels that distinguish each IDAS regulation
      requirements that are imposed on the means by the regulation. The government organization determines it itself
 
      confidence level that is applied.
 
50. TheUWVhas indicated thattheintroductionofRecognitionbytheUWVshould be viewed in the
      light of the Wd is currently in preparation.
 
      can log in for Dutch citizens and companies with (semi-) government
      The Netherlands the EU directive on accessibility of government websites and apps. 1 Ahead of the
 
 
      10
      11 NEN-7510 (2017), p. 57
        https://www.digitaleoverheid.nl/ilisi/identification-en-authenticatie/eid/wet-gdi/.
 
 
 
                                                                                                    8/12 Date Our reference
      July 31, 2018 z2018-02009
 
 
 
      Wdo has been developed by the government.
      eRecognition.
 
51. TheUWV has indicated the implementation of the Recognition to see any real solution.
 
      has explored possible between solutions, where multi-factor authentication with smsalst second factor
      The most feasible and safe alternative option was.
 
      as long as the implementation of the Recognitions is in addition the implementation of
      Delay recognition, because this must be done by the same team.
      be effective and proportionate in short on the map two drastic implementation pathways go through:
 
      This leads to textbook administration tasks for employers and ineffective use of public resources.
 
      Time course / planning
 
52. TheUWV has indicated that it was already in use in 2015 to connect to Recognition.
 
      However, the UWV is the availability of the RSIN (Legal Entities and Partnerships
      Information number) and the BSN for sole proprietorships in the system of Recognition necessary, because
      withoutthese numberstheUWVeRecognitioncan'tlinktohersystems.
 
      Expansion of the systemdepending on third parties and has set this expansion as a condition for the
      In April 2017, the UWV has concluded the implementation of Recognition.
      because of the moment view is linked from the RSIN to the Recognition (87.7% of the
 
      Users of the Employer Portal is identified by RSIN).
      has theUWVindicatedconnection toRecognitiontoexpectationrealized inMay2018
 
      In November 2017, around theUWV, the preliminary research.In February 2018, theUWV has
      projectplane Recognition Employer Portal determined upon request from the AP the AP do.
 
53. According to this project plan, the UWV will take place on November 1, 2018 as the implementation date, followed by a
 
      rollout period of one year that users can switch from the portal.
      has indicated the UWV now assumes implementation in the fourth quarter of 2018.
       The BSN is also expected to be added to the system in the second half of 2018.
 
      The same implementation date applies with rollout period. There is also no group of users (0.7%) who are not
      Can make use of Recognitions for which no solution is available yet. TheUWV has
      indicated that if no solution is available, this group cannot use any more by 1 November 2019
 
      makingthe employer portal.
 
      Confidence level; application Guide version 4
 
54. In 2015, the US has made the hand of the available Guide of Forum standardization,
            12
      version 3 performed a risk analysis. This version of the guide is based on European
 
 
      12A guide for government organizations: assurance levels for authentication at
 
      electronic government services, version 3, Forum Standardization
 
 
 
                                                                                                9/12 Date Our reference
      July 31, 2018 z2018-02009
 
 
      STORFramework.This risk analysis showed that levelSTORK3 is appropriate.
 
      The UWV has carried out the AP for this risk analysis upon request by letter of 3 April 2018.
 
55. In November 2016, version 4 of the Guide appeared. This version is no longer based on the
      STORK framework but, as previously shown, on the IDAS regulation.
 
      However, there is no reason to keep the risk analysis of 2015 against the light again
      The newest version of the Guide.
      Risk analysis of 2015 UWV's hot IDAS system has taken into account as proposed legislation.
 
      Therefore, the new version of the Guide has not given any reason for a new one
      perform risk analysis ".
 
56. According to the project plane Recognition Employers Portal, the UWV has chosen to connect
 
      eRecognition level3 This corresponds to the IDAS level substantial.
 
57. The AP establishes that the risk analysis of the UWV from 2015 is based on version 3 of the Guide.
      The norm from article 32, first paragraph, of the AVG, and previously article 13 of the Wbp, write before the
      (processing) responsible for taking appropriate technical and organizational measures
 
      in order to ensure appropriate security level, including taking into account the situation
      It is decided, among other things, that a risk assessment has already been carried out from time to time again.
      must be updated using the currently valid standards.
 
      on the way of the UWV, because the risk analysis is carried out again in 2015
      The most recent version of the Guide.
      at the end of the implementation period of, in this case, eRecognition, it is possible that there is no
 
      appropriate security level.
 
58. Although the reliability level of Stork3 corresponds to version3 of the Guide.
      IDAS Confidence Levels Substantial version 4 of the Guide, how to use both versions of the
 
      Guide to various assessment frameworks.
      possible until the outcome that a higher confidence level should be assumed from the UWV
      up to now based on version 3 of the Guide.
 
      choice of measures to be taken according to the appropriate security level
      guarantees. The APcannotfororintoplaceoftheUWValloutHandoverVersion4relevant
      factors.
 
 
      Constrained and favored term
 
59. From article 16, first member, of the UAVG, in conjunction with article 5:32, first member, of the AWB follows
      that the AP is authorized to impose a charge under a penalty if in violation of Article 32, first paragraph
      the AVG. Pursuant to Article 5: 2, first paragraph, bottom b, of the AWB, the cabinet is aimed at the end of
 
      the violations detected the occurrence of recurrence.
 
 
 
 
 
                                                                                            10/12 Date Our reference
      July 31, 2018 z2018-02009
 
 
 
60. The AP orders the US within the time limit for favoring the decision to take the violation of Article 32,
      first member, of the AVG.
      measures must be taken to ensure an appropriate security level with regard to the relationship
 
      of access to the employer's portal, where logging in is only possible by means of a suitable form of
      multi-factor authentication (for example, by using Recognition).
      of the confidence level for the employer portal has used a meanwhile
 
      outdated version of the Guide, the UWV should update the confidence level
      determine by performing a risk analysis using version 4 of the Guide.
 
61. Section 5: 32a, subsection 2, of the AWB provides that a grace period is to be set during
 
      which the offender can execute without forfeiture of a penalty. "Term
      During which a charge can be carried out without forfeiture of a penalty, it must be short
      The time limit should be long enough to be able to carry out the load.
 
 
62. Having regard to the foregoing decision, the AP that the YOUR V must appear at the end of October 31, 2019.
      The AP has taken into account the planning when determining the term of favor
      of the UWV regarding the implementation of the Recognitions of the said roll-out period
 
      one year after implementation on November 1, 2018.
 
63. Article 5: 32b, third paragraph, of theAwb prescribes that the penalty amounts are in reasonable proportion.
      to the severity of the violated interest to the intended effect of the penalty.
 
      It is important that a compulsion must execute such an incentive that the burden is met.
 
64. If the UWV does not end the detected violation within the beneficiary period, it forfeits the
      The AP fixes the amount of this penalty sum at € 150,000 for each month that the
 
      load has not been (fully) carried out up to a maximum of € 900,000.
      height of these amounts in reasonable proportion to the gravity of the violation by the violation
      importance - the protection of special personal data and of the personal sphere of life
 
      those involved –and they are also sufficiently high to end your moving violation.
      This includes the AP cost that is associated with the implementation of Recognition, as well as the
      structurally additional costs per year.
 
 
65. The APRequestheUWSimplybefore1October2018the re-performed risk analysisin whichtheUWV
      to the employer portal, to send a reliability level award.
      that the AP is authorized to conduct a study, including an on-site study, if it does
 
      useful.
 
 
 
 
 
 
 
 
 
 
                                                                                              11/12 Date Our reference
 
July 31, 2018 z2018-02009
 
 
Operative part
 
 
TheA imposes a charge on the UWV, for violation of Article 32, first paragraph, of the GDPR.
penalty with the following content:
 
- The UWV must, by 31 October 2019 at the latest, provide access to the employer portal at an
appropriate security level, whereby logging in from that moment on is only possible by means of an
appropriate form of multi-factor authentication. Prior to this, the UWV must redetermine the required
confidence level by performing a risk analysis using version 4
of the Guide.
 
 
- The UWV forfeits a penalty of € 150,000 (in words: one hundred and fifty thousand euros) after expiry of this term
for each month that the order is not (fully) carried out, up to a maximum
of € 900,000 (in words: nine hundred thousand euros).
 
 
 
 
The Dutch Data Protection Authority,
On its behalf,
 
 
Signed
 
 
 
 
Mr. A. Wolfsen
Chairman
 
 
 
 
 
 
 
 
 
 
 
If you do not agree with this decision, you can submit a notice of objection within six weeks
of the date on which this decision was sent to the Dutch Data Protection Authority, PO Box 93374, 2509 AJ Den Haag,
stating "Awb objection" on the envelope.
 
 
 
 
 
 
 
 
 
</pre>

Latest revision as of 17:10, 12 December 2023

AP - Employee Insurance Agency (UWV)
Authority: AP (The Netherlands)
Jurisdiction: Netherlands
Relevant Law: Article 32 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 31.07.2018
Published:
Fine: n/a
Parties: n/a
National Case Number/Name: Employee Insurance Agency (UWV)
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Dutch
Original Source: AP (in NL)
Initial Contributor: GDPR MASTer Project

The Dutch DPA fined €150,000/month (until requirements are met) the employer portal UWV, handling employee health data, due to insufficiently secure access control to its portal.

English Summary

Facts

The Dutch employer portal of the UWV, which handles employee health data, is investigated for its use of single-factor authentication (email address and password) to grant access to the portal.

Dispute

Is single-factor authentication sufficient given the sensitive nature of the data stored on the portal?

Holding

The Dutch Data Protection Authority considers the single-factor authentication insufficient given the nature of data (under article 32) and proposes multi-factor authentication as a safer alternative. The portal is fined 150,000€/month up to 900,000€ until the portal implements sufficient access control.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

                                                            Dutch Data Protection Authority
                                                            PO Box 93374, 2509 AJ The Hague
                                                            Bezuidenhoutseweg 30, 2594 AV The Hague
                                                            T 070 8888 500 - F 070 8888 501
                                                            autoriteitpersoonsgegevens.nl

      Registered
      UWV
      Board of Directors
      P.O. Box 58285
      1040 HG Amsterdam







      Date
      July 31, 2018                                             Our reference
                                                                z2018-02009


                                                                Contact
                                                                [CONFIDENTIAL]
                                                                0708888500
      Topic
      Order subject to a penalty



      Summary


1. On 27 March 2017, the Dutch Data Protection Authority (hereinafter: the Dutch DPA or the AP), pursuant to Article 60 of the Personal Data Protection Act (hereinafter: the Wbp), as it applied at the time, initiated an investigation into the use of multi-factor authentication in the employer portal of the Employee Insurance Agency (hereinafter: the UWV).
   
2. In the employer portal, the UWV processes, among other things, personal data relating to
employee health. In view of this, access to the employer portal via the internet must take
place through multi-factor authentication. The UWV currently applies one-factor authentication when granting access to the employer portal.

3. In the final findings report (hereinafter: the investigation report), the AP has established that the UWV is thereby acting in violation of Article 13 of the Wbp, as it applied at the time, on the basis of which, insofar as relevant here, a controller must take appropriate measures to protect personal data against loss or any form of unlawful processing.

4. The AP bases the order subject to a penalty on the investigation report, on the view given orally by the UWV on the DPA's intention to impose an order subject to a penalty, and on the information subsequently provided by the
UWV at the request of the Dutch DPA.

5. The General Data Protection Regulation (hereinafter: the GDPR) has applied since 25 May 2018.
The GDPR imposes in Article 32, paragraph 1, the same obligation as applied under Article 13 of the Wbp.

6. The UWV wishes to connect to the eHerkenning system in order to apply multi-factor authentication in this way
when granting access to the employer portal. The date on which the UWV
expects that logging in to the employer portal will only be possible by using eHerkenning
has, since the first request by the AP by letter of 25 November 2015, been moved to
November 1, 2019.

7. In response to the above, the DPA has decided, on the basis of Article 16, first paragraph, of the General Data Protection Regulation Implementation Act (hereinafter: UAVG) viewed in conjunction with Section 5:32, subsection 1, of the General Administrative Law Act (hereinafter: the Awb), to impose an order subject to a penalty. With the order subject to a penalty, the AP aims to ensure that the established violation is brought to an end.


8. By 31 October 2019 at the latest, the UWV must grant access to the employer portal at an appropriate
security level, whereby logging into the portal is only possible by means of an
appropriate form of multi-factor authentication. Part of that order is that the UWV redetermines the required
confidence level by performing a risk analysis based on the
most recent version of the Guide 'Reliability levels for digital services, a
guide for government organizations' (version 4).


9. In case of non-compliance with the order after expiry of the grace period, the UWV will forfeit a penalty of
EUR 150,000 for each month that the order is not (fully) executed, up to a maximum
of EUR 900,000.


      Course of procedure

10. On August 29, 2017, the Dutch DPA adopted the investigation report and sent it to the UWV.
The public version of the report was published on the AP's website on November 14, 2017.

11. In a letter of 15 August 2017, the AP, as a result of the investigation, put a few more questions to the UWV about the size of the employer portal.

12. In a letter of August 30, 2017, the UWV responded to the questions asked by the AP in its letter of August 15, 2017.

13. In a letter dated 11 September 2017, the UWV responded to the investigation report. The UWV
states, among other things, that it acknowledges that the security level does not meet the requirements of Article 13 of the Wbp and that it wants to remedy this by implementing eHerkenning level
substantial.


14. In a letter of 9 November 2017, the UWV informed the AP about the progress of the implementation
of eHerkenning.

15. In a letter dated 14 December 2017, the Dutch DPA informed the UWV of its intention to impose an order subject to a penalty and gave the UWV the opportunity to express its point of view orally or in writing. The UWV was invited to a hearing.

16. The hearing took place on 6 February 2018. A report was made of the hearing, which is
attached to this Decision as Annex 1.

17. In response to what was discussed during the hearing, the UWV provided, by letter of 28 February
2018, additional information and further documents, including the eHerkenning
project plan.

18. In response to the information received by letter of 28 February 2018, the AP sent the UWV a letter dated March 15, 2018.

19. In a letter of April 3, 2018, the UWV responded to the AP's questions of March 15, 2018 and thereby submitted the 'risk analysis absenteeism report' (hereinafter: the risk analysis).

20. In response to the information received by letter of 3 April 2018, the AP sent a letter to the UWV on 14 May 2018.

21. By letter of May 25, 2018, the UWV responded to the AP's questions of May 14, 2018.

      Investigation report

22. In the investigation report, the AP found that the UWV processes personal data about health
in the employer portal. Access to the employer portal is obtained by
entering an email address and password. This is a form of one-factor authentication.

23. It follows from Article 13 of the Wbp - now Article 32, first paragraph, of the GDPR - that a
controller must take appropriate measures to protect personal data against loss or
any form of unlawful processing. The term 'appropriate' also indicates proportionality
between security measures and the nature of the data to be protected. Given the sensitivity of
the personal data processed in the UWV employer portal, namely data about
the health of employees, access to the portal via the internet should, given the
state of the art, take place through at least multi-factor authentication.

24. The UWV has indicated that it has taken measures to prevent unauthorized access to the
employer portal, such as annual penetration and security tests and the
continuous logging and monitoring of usage. With regard to authentication, these measures are
not appropriate because they cannot provide an adequate level of protection for gaining access to the application. Because the UWV does not apply multi-factor authentication, nor
has it taken appropriate measures in any other way with regard to access to the data in the
employer portal, the UWV is acting in violation of article 13 of the Wbp, as it applied at the time.

      Legal framework

25. The relevant legal framework is included as Annex 2 to this Decision.


      GDPR

26. In the investigation report, the AP found a violation of the standard from Article 13 of the Wbp.
As of 25 May 2018, the GDPR and the UAVG apply and the Wbp has been withdrawn.

27. When assessing whether there is also a violation of the standard from the GDPR, it is important that the standard has not materially changed under the GDPR compared to the standard under the Wbp. The standard from Article 13 of the Wbp is currently laid down in Article 32, first and second paragraphs, of the GDPR. The latter article states that the controller, taking into account the state of the art, the implementation costs, as well as the nature, scope, context and purposes of processing and the risks to the rights and freedoms of individuals, varying in likelihood and severity, must take appropriate technical and organizational measures to ensure a level of security appropriate to the risk. This obligation is materially in line with the obligation from
article 13 of the Wbp.

28. This means that, given that the facts under examination and the relevant circumstances have not
changed to date since the investigation report was drawn up, there has been a
violation of Article 32, paragraph 1, of the GDPR as of 25 May 2018.


Viewpoint

29. In response to the intention of the DPA to impose an order subject to a penalty, the UWV
expressed its view orally during the hearing on 6 February 2018. In summary, its
view boils down to the UWV recognizing that the security of the employer portal does not comply with the
requirements arising from Article 13 of the Wbp and currently Article 32, first paragraph, of the GDPR, because the UWV
does not apply multi-factor authentication when granting access to the portal.

30. In April 2017, the UWV decided to start with the implementation of eHerkenning level
3 (substantial), where multi-factor authentication is applied and thus the violation of Article 13
of the Wbp, and now Article 32, first paragraph, of the GDPR, will be ended. In determining
the confidence level, the UWV has taken into account the fact that the employer portal only
processes health data related to reporting sick or the fact that someone is pregnant.
The nature of the sick report is not processed.

31. The UWV has put forward that it has investigated other solutions, but sees the connection to
eHerkenning as the only real possibility to achieve multi-factor authentication. With the
advent of the Digital Government Act (hereinafter: Wdo), it is the intention that all government parties make use of the means provided for in this Act.

32. In the implementation of eHerkenning, the UWV is partly dependent on third parties, and the UWV has run into
a number of problems, which means that implementation is taking longer than the UWV had
hoped.

      Assessment

      Assessment framework

33. In the investigation report, the AP established that the UWV processes personal data in the employer portal,
including special personal data. This includes NAW data (name, address and place of residence),
citizen service number, financial data and data on disability, dismissal and childbirth.
Employers can log in to the portal via the internet by entering an email address and
password. This is a form of one-factor authentication. 1 From the documents and from what was discussed at the hearing
it appeared that this situation has not changed at present.

34. Article 32, first paragraph, of the GDPR stipulates that the controller must take appropriate technical and
organizational measures to protect personal data against loss or
unlawful processing. These measures guarantee, taking into account the state of the art
and the costs of implementation, an appropriate level of security given the risks posed by the
processing and the nature of the data to be protected.

35. This means that the controller, in this case the UWV, must translate the risks
for the data subjects whose personal data are processed into the reliability requirements
with which the service offered (the employer portal) must comply, and into that which within the field of
information security is seen as the most recent and representative implementation thereof.

36. In determining the risk to the data subject, the nature of the personal data and the
nature of the processing matter: these factors determine the potential harm to the individual
data subject in the event of, for example, loss, modification or unlawful processing of the data. When making
the translation to the reliability level of the employer portal, the UWV can make use of
the Guide 'Reliability levels for digital services, a guide for
government organizations, version 4' of the Standardization Forum (hereinafter: the Guide).

37. Although the use of this Guide is not mandatory, it offers government organizations an assessment framework
for determining reliability levels for digital services,
which can be assumed to reflect the most recent insights and requirements in this respect.
Security standards then provide, after determining the applicable
confidence level, guidance in taking appropriate measures. 2

      1 Authentication is the process of verifying whether a user who wants to log in to an application/system is actually who he/she claims to be.

38. The AP has investigated whether the UWV has taken appropriate measures with regard to authentication when logging into the employer portal. In its investigation, the AP has focused only on the nature of
the personal data to be protected, which translates into a minimum security level to be
applied. The assessment in this decision is therefore based solely on the nature of the
personal data to be protected. It is not excluded that factors other than the nature of the
personal data require a higher level of security. However, the AP cannot, as set out hereafter,
assess all relevant factors included in the Guide version 4 for or in place of the UWV.
It is up to the UWV to include these factors in a risk analysis in order to
determine the correct security level. 3


      Information about a person's health

39. Article 4 (15) of the GDPR gives the following definition: 'health data
are personal data related to the physical or mental health of a natural
person, including data about health services provided which reveal information about his
health status'. The term 'health data', which is unchanged under the GDPR,
should be interpreted broadly: it does not just include the data that a doctor keeps in a
medical examination or medical treatment, but all data that concern a person's mental or
physical health. For example, the mere fact that someone has reported sick is already
data about health, even though it says nothing about the nature of the condition. 4
The following data is processed in the employer portal: the date of commencement of
sick leave, the date of termination of sick leave, sickness as a result of pregnancy, childbirth or
organ donation, the date of childbirth and the date of commencement of maternity leave.

40. In view of the nature of the personal data, the employer portal therefore contains data
concerning a person's health, which is considered a special category of personal data as
referred to in Article 9, first paragraph, of the GDPR.

      Increased risk


41. The AP has elaborated the requirements regarding security in the Guidelines for the Security of Personal Data.
The AP indicates that for certain categories of personal data the consequences of loss or
unlawful processing can be serious. These are the data with an increased or high risk.
These categories in any case include special personal data.


      2 See also CBP Guidelines, Security of personal data, February 2013
      3 See with regard to the risk analysis of the UWV margin number 54 and further of this decision.
      4 Parliamentary Papers II 1997/98, 25892, No. 3, p. 102

42. In addition, the AP uses the Guide version 4. 5 This Guide gives substance to the
assurance levels based on the eIDAS regulation for electronic identification and
trust services 6, which came into effect on 1 July 2016 (hereinafter: the eIDAS regulation).
The eIDAS regulation distinguishes three assurance levels for authentication means: low,
substantial and high. The Guide offers a classification model with which a simplified
risk analysis of the digital service can be made. The main criterion here is the nature of
the personal data to be protected. Four classes of personal data are distinguished here: class
0, I (basic), II (increased risk) and III (high risk), where data with an increased risk also
require a higher security level.

43. The AP has established that the data processed in the employer portal are, according to the Guide,
so-called class II personal data because they concern special personal data.
Class II data carry an increased risk. 7 A high risk, as with the so-called class III
data, is out of the question given the nature of the data processed in the portal.

      Multi-factor authentication

44. According to the Guide, a minimum reliability level of 'substantial' applies to the processing of class II
data. 8 Also when answering the question which measures, with regard to this
reliability level, are appropriate measures as referred to in Article 32, first paragraph, of the GDPR,
the Guide offers a framework: both for reliability level 'substantial' and for
confidence level 'high', multi-factor authentication is required as the type of authenticator. 9

45. The requirement of multi-factor authentication when granting access to a system in which
health data is processed is additionally endorsed by security standards such as
NEN 7510, which provides instructions for the application of the ISO/IEC 27002 Code of practice for
information security in health care:


       5 A guide for government organizations: Reliability levels for digital services, version 4, Forum for Standardization
       6 Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and
       trust services for electronic transactions in the internal market
       7 A guide for government organizations, version 4, Forum for Standardization, p. 33
       8 A guide for government organizations, version 4, Forum for Standardization, p. 29.
       [...] based on all the criteria mentioned in the Guide version 4, results in a confidence level "high" instead of "substantial".
       You will have to make this assessment yourself, see also margin number 54 and further.
       9 A guide for government organizations, version 4, Forum for Standardization, p. 24-25.
       Implementing Regulation (EU) 2015/1502 of the European Commission setting out minimum technical specifications and procedures
       for assurance levels for electronic identification means pursuant to Article 8 (3) of Regulation
       (EU) No 910/2014, on which the Guide is based.

'Health information systems that process personal health information should identify users,
and this should be done through authentication involving at least two
factors.' 10


46. An appropriate measure as referred to in Article 32 (1) of the GDPR when providing
access to the employer portal is therefore the use of multi-factor authentication.
Now that access to the portal takes place through a form of one-factor authentication, the UWV is acting in violation of Article 32 (1) of the GDPR. The UWV has also recognized this.

      Offender

47. The UWV can be regarded as an offender, because it is the controller within the meaning of the GDPR. The UWV determines the purpose of and the means for the processing of personal data: the
employer portal is a service of the UWV and is made available by the UWV to
employers, whereby the purposes of the data processing are determined by the UWV.
The UWV also has the power to end the violation.

      The solution from the UWV: eRecognition

48. Already by letter of 25 January 2016, the UWV recognized the violation of Article 32, first paragraph, of the
Wbp. The UWV indicated its intention to make the employer portal accessible via
eHerkenning, which provides for the use of multi-factor authentication when
granting access to the employer portal.

49. eHerkenning is a system that offers companies electronic access to government and
(semi-)government services. Entrepreneurs or employees of an organization can identify themselves
safely and easily at various organizations with one login means. Government organizations do not need to develop their own authentication system, but can connect to the system. The
development of eHerkenning is a public-private partnership directed by the
Ministries of Economic Affairs and Climate Policy and of the Interior and Kingdom Relations.
eHerkenning has five different confidence levels. These confidence levels
seek alignment with the three assurance levels distinguished by the eIDAS regulation and the
requirements imposed on the means in that Regulation. The government organization itself determines the
confidence level that is applied.

50. The UWV has indicated that its implementation of eHerkenning should be considered in the
light of the Wdo currently in preparation. The Wdo aims to enable Dutch citizens and companies
to log in safely and reliably with the (semi-)government. With it,
the Netherlands implements the EU directive on accessibility of government websites and apps. 11 Ahead of the
Wdo, eHerkenning has been developed by the government. In time, the UWV will be obliged to connect to
eHerkenning.

51. The UWV has indicated that it sees the implementation of eHerkenning as the only realistic solution. The UWV
has investigated possible workarounds, of which multi-factor authentication with SMS as the second factor
was the most viable and safe alternative option. However, the technical implementation of this would
take just as long as the implementation of eHerkenning and would furthermore delay the implementation of
eHerkenning because it must be performed by the same team. Besides, it would not
be efficient and proportional to go through two far-reaching implementation processes in quick succession:
this leads to additional administrative burdens for employers and the ineffective use of public resources.

      Time course / planning

52. The UWV has indicated that it had already been working on connecting to eHerkenning in 2015. For
the UWV, however, the availability of the RSIN (Legal Entities and Partnerships
Information Number) and the BSN for sole proprietorships in the eHerkenning system is necessary, because
without these numbers the UWV cannot link eHerkenning to its systems. The UWV is
dependent on third parties for this extension of the system and has made this extension a condition for the
switch to eHerkenning. In April 2017, the UWV decided to start the implementation of eHerkenning
because at that moment there was a prospect of linking the RSIN to eHerkenning (87.7% of the
users of the employer portal are identified with RSIN). In its opinion of June 21, 2017,
the UWV indicated that it expected to have realized the connection to eHerkenning in May 2018.
The UWV completed the preliminary investigation in November 2017. In February 2018, the UWV adopted the
eHerkenning employer portal project plan and forwarded it to the AP at the AP's request.

53. According to this project plan, the UWV is heading for an implementation date of November 1, 2018, followed by a
one-year rollout period during which the users of the portal can switch. At the hearing,
the UWV indicated that it now expects implementation in the fourth quarter of 2018.
The BSN is also expected to be added to the system in the second half of 2018. For this group
the same implementation date with rollout period applies. There is also a group of users (0.7%) who cannot
use eHerkenning and for which no solution is available yet. The UWV has
indicated that if no solution is found, this group will no longer be able to use
the employer portal from 1 November 2019.

      Confidence level; application Guide version 4

54. In 2015, on the basis of the then available Guide of the Standardization Forum,
version 3, 12 the UWV performed a risk analysis. This version of the Guide is based on the European STORK framework. This risk analysis showed that STORK level 3 is appropriate.
The UWV sent this risk analysis to the AP on request by letter dated 3 April 2018.

                                                                                               
55. Version 4 of the Guide was published in November 2016. This version no longer relies on the
STORK framework but, as shown earlier, on the eIDAS regulation. The UWV,
however, saw no reason in the publication of the latest version of the Guide to reconsider the 2015 risk analysis.
In its letter of 25 May 2018, the UWV states that in the
2015 risk analysis the UWV 'has included the eIDAS system as proposed legislation.
The new version of the Guide has therefore not given rise to carrying out a new
risk analysis'.

56. According to the eHerkenning employer portal project plan, the UWV has opted to connect to
eHerkenning level 3. This corresponds to eIDAS level substantial.

57. The AP has established that the UWV's 2015 risk analysis is based on version 3 of the Guide.
The standard from Article 32, first paragraph, of the GDPR, and previously Article 13 of the Wbp, prescribes that the
controller must take appropriate technical and organizational measures
in order to ensure an appropriate level of security, taking into account, inter alia, the state of the art. This implies, among other things, that a risk assessment that has already been carried out must be updated from time to time according to the standards in force at that time. It was therefore
up to the UWV to re-perform the risk analysis already carried out in 2015
on the basis of the most recent version of the Guide. Failure to do so creates the risk that at
the end of the implementation period of, in this case, eHerkenning, there may no longer be
an appropriate security level.

58. Although the reliability level STORK 3 from version 3 of the Guide appears to correspond with eIDAS
assurance level substantial from version 4 of the Guide, the two versions of the
Guide use different assessment frameworks. Testing against version 4 of the Guide may therefore
lead to the outcome that a higher assurance level must be assumed than the UWV
has done so far on the basis of version 3 of the Guide. Ultimately, this determines the
choice of the measures to be taken to ensure an appropriate level of
security. The AP cannot assess all relevant factors from the Guide for or in place of the UWV.

     Order subject to penalty and grace period

59. From Article 16, first paragraph, of the UAVG, viewed in conjunction with Article 5:32, first paragraph, of the Awb, it follows
that the AP is authorized to impose an order subject to a penalty in the event of a violation of Article 32, first paragraph, of
the GDPR. Pursuant to Article 5:2, first paragraph, under b, of the Awb, the order may be aimed at terminating
the violation found and preventing its recurrence.

60. The AP orders the Employee Insurance Agency (UWV) to end the violation of Article 32,
first paragraph, of the GDPR. This means that the UWV must take measures within the grace period
to ensure an appropriate level of security with regard to the provision
of access to the employer portal, where logging in is only possible through an appropriate form of
multi-factor authentication (for example by using eHerkenning). Because the UWV has made use of an
outdated version of the Guide in determining the confidence level for the employer portal,
the UWV must redetermine the assurance level
by performing a risk analysis on the basis of version 4 of the Guide.

61. Article 5:32a, second paragraph, of the Awb stipulates that a grace period is set 'during
which the offender can execute the order without a penalty being forfeited'. The term
during which an order can be executed without a penalty being forfeited should be as short
as possible. The term must be long enough to be able to carry out the order.

62. In view of the foregoing, the DPA decides that the UWV must comply with the order by 31 October 2019 at the latest.
The AP has taken into account, when determining the grace period, the planning
of the UWV with regard to the implementation of eHerkenning and the rollout period mentioned therein of
one year after implementation on November 1, 2018.

63. Article 5:32b, third paragraph, of the Awb prescribes that the penalty amounts must be in reasonable proportion to the gravity of the infringed interest and to the intended effect of the penalty. As to the latter,
it is important that a penalty payment must provide such an incentive that the order is complied with.

64. If the UWV does not end the established violation within the grace period, it forfeits
a penalty. The AP has set the amount of this penalty at € 150,000 for each month that the
order has not been carried out (in full), up to a maximum of € 900,000. In the opinion of the AP, the
amount of these sums is in reasonable proportion to the gravity of the infringed
interest - the protection of special personal data and of the privacy of
those involved - and they are sufficiently high to induce the UWV to terminate the violation. The AP takes into account the costs associated with the implementation of eHerkenning, as well as the
structural additional costs per year.


65. The Dutch DPA requests the UWV to submit, in good time before 1 October 2018, the new risk analysis in which the UWV
assigns a confidence level to the employer portal. This does not alter the fact
that the AP is authorized to initiate an investigation, including an on-site investigation, if it deems this
useful.

Operative part

The AP imposes an order subject to a penalty on the UWV for a violation of Article 32, first paragraph, of the GDPR,
with the following content:
- The UWV must, by 31 October 2019 at the latest, provide access to the employer portal at an
appropriate security level, whereby logging in from that moment on is only possible via an
appropriate form of multi-factor authentication. Prior to this, the UWV must redetermine the required
confidence level by performing a risk analysis based on version 4
of the Guide.
- The UWV forfeits a penalty of € 150,000 (in words: one hundred and fifty thousand euros) after expiry of this term
for each month that the order has not been (fully) carried out, up to a maximum
of € 900,000 (in words: nine hundred thousand euros).

The Dutch Data Protection Authority,
On its behalf,
signed




Mr. A. Wolfsen
Chairman











If you do not agree with this decision, you can submit a notice of objection within six weeks
of the date on which this decision was sent to the Dutch Data Protection Authority, PO Box 93374, 2509 AJ Den Haag,
stating "Awb objection" on the envelope.








