AP (The Netherlands) - z2018-02009

From GDPRhub
AP - Employee Insurance Agency (UWV)
Authority: AP (The Netherlands)
Jurisdiction: Netherlands
Relevant Law: Article 32 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 31.07.2018
Published:
Fine: n/a
Parties: n/a
National Case Number/Name: Employee Insurance Agency (UWV)
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Dutch
Original Source: AP (in NL)
Initial Contributor: GDPR MASTer Project

The Dutch employer portal of the UWV, which handles employee health data, was investigated for its use of one-factor authentication (email address and password) to grant access to the portal. The Dutch Data Protection Authority considers this insufficient given the nature of the data (under Article 32 GDPR) and requires multi-factor authentication as a safer alternative.

English Summary

Facts

to be added

Dispute

Holding

to be added


English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

Authority Personal data
P.O. Box 93374, 2509 AJ The Hague
Bezuidenhoutseweg 30, 2594 AV The Hague
T 070 888 8500 - F 070 888 8501
authoritypersonal data.nl

Registered
UWV
Board of Directors
P.O. Box 58285
1040 HG Amsterdam

Date: July 31, 2018
Our reference: z2018-02009
Contact: [CONFIDENTIAL], 070 888 8500
Topic: Cease and desist
Attachment(s): 2

Summary


1. On 27 March 2017, the Dutch Data Protection Authority (hereinafter: the AP) instituted an investigation, on the basis of Article 60 of the Personal Data Protection Act (hereinafter: the Wbp) as it then read, into the use of multi-factor authentication in the employer portal of the Employee Insurance Agency (hereinafter: the UWV).

2. The UWV processes in the employer portal, among other things, personal data relating to the health of workers. Access to these data should take place through multi-factor authentication. At this moment, the UWV grants access to the employer portal by means of one-factor authentication.


3. The AP has noted in the report of definitive findings (hereinafter: the investigation report) that the UWV acts contrary to Article 13 of the Wbp, as it then read, on the basis of which, insofar as relevant here, a controller must take measures to protect personal data against loss or any form of unlawful processing.

4. The AP has based the order subject to a penalty on the investigation report, on the view given orally by the UWV on the AP's intention to impose an order subject to a penalty, and on the information provided by the UWV at the request of the AP.


5. On May 25, 2018, the General Data Protection Regulation (hereinafter: the GDPR) became applicable. The GDPR lays down in Article 32, first paragraph, the same obligation as applied on the basis of Article 13 of the Wbp. As this violation continues, the UWV violates Article 32, first paragraph, of the GDPR.

6. The UWV wishes to connect to the eRecognition system in order to apply multi-factor authentication in this way when granting access to the employer portal. The expected moment from which it will only be possible to log in to the employer portal using eRecognition has, since the first question by the AP by letter of 25 November 2015, meanwhile moved to November 1, 2019.

7. As a result of the above, the AP has decided to impose an order subject to a penalty on the basis of Article 16, first paragraph, of the Act implementing the GDPR (hereinafter: the UAVG) in conjunction with Article 5:32, first paragraph, of the General Administrative Law Act (hereinafter: the Awb). With the order subject to a penalty, the AP intends to ensure that the detected violation is brought to an end.


8. By 31 October 2019, access to the employer portal must be provided with an appropriate security level, where logging in to the portal is only possible through an appropriate form of multi-factor authentication. As part of this, the UWV must re-determine the required confidence level by performing a risk analysis using the most recent version of the Guide "Reliability levels for digital services, a guide for government organizations" (version 4).


9. In the event of non-compliance within the grace period, a penalty of EUR 150,000 is forfeited for each month that the order is not (fully) executed, up to a maximum of EUR 900,000.

Course of procedure

10. On August 29, 2017, the AP sent the investigation report to the UWV. The public version of the report was published on November 14, 2017 on the AP website.

11. By letter of August 15, 2017, the AP, in view of the investigation, asked the UWV questions about the size of the employer portal.

12. By letter of August 30, 2017, the UWV responded to the questions that the AP asked by letter of August 15, 2017.

13. By letter of 11 September 2017, the UWV gave its response to the investigation report. It indicates, among other things, that the security level does not meet the requirements of Article 13 of the Wbp and that it wants to clarify the implementation of eRecognition level substantial.



14. By letter of 9 November 2017, the UWV informed the AP about the progress of the implementation of eRecognition.

15. By letter of December 14, 2017, the AP notified the UWV of its intention to impose an order subject to a penalty and invited the UWV to give its views on this orally or in writing. The UWV was invited for a hearing.

16. The hearing took place on February 6, 2018 (see Annex 1 to this decision).

17. On the basis of what was discussed during the hearing, the UWV provided additional information and additional documents by letter of 28 February 2018, including the project plan for eRecognition.


18. As a result of the information received by the letter of 28 February 2018, the AP asked the UWV questions by letter of 15 March 2018.

19. By letter of April 3, 2018, the UWV responded to the questions of the AP of March 15, 2018 and provided the "Risk analysis absenteeism report" (hereinafter: the risk analysis).

20. Based on the information received by the letter of April 3, 2018, the AP asked the UWV questions by letter of May 14, 2018.

21. By letter of May 25, 2018, the UWV responded to the questions of the AP of May 14, 2018.

Investigation report

22. In the investigation report, the AP found that the UWV processes personal data about health in the employer portal. Access to the employer portal is obtained by entering an email address and password. This is a form of one-factor authentication.

23. From Article 13 of the Wbp, now Article 32, first paragraph, of the GDPR, it follows that a controller must apply appropriate measures to protect personal data against loss or any form of unlawful processing. The term "appropriate" also implies a proportionality between the security measures and the nature of the data to be protected. Given the personal data that are processed in the employer portal of the UWV, namely data about the health of employees, access to the portal via the internet should, given the state of the art, take place through at least multi-factor authentication.

24. The UWV has taken certain measures to prevent unauthorized access to the employer portal, such as conducting annual penetration and security tests and continuous logging and monitoring of use. These measures are, however, not appropriate as regards authentication, because they cannot provide an appropriate level of protection for gaining access to the application. Because the UWV does not apply multi-factor authentication, nor has it taken other appropriate measures to prevent unauthorized persons from obtaining access to the data contained in the employer portal, the UWV acts in conflict with Article 13 of the Wbp, as it then read.

Legal framework

25. The relevant legal framework is included as Annex 2 to this decision.

GDPR

26. In the investigation report, the AP found a violation of the standard from Article 13 of the Wbp. As of May 25, 2018, the GDPR and the UAVG apply and the Wbp has been withdrawn.

27. When assessing whether there is also a violation of the GDPR standard, it is important that the standard under the GDPR does not differ materially from the standard under the Wbp. The norm from Article 13 of the Wbp is now laid down in Article 32, first and second paragraph, of the GDPR. The latter article states that the controller, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing, as well as the likelihood and severity of the risks to the rights and freedoms of natural persons, must take appropriate technical and organizational measures to ensure a level of security appropriate to the risk. This obligation is materially consistent with the obligation under Article 13 of the Wbp.

28. This means that, since the investigated facts and the relevant circumstances have not changed from the time of the investigation report until now, there is, as of May 25, 2018, a violation of Article 32, first paragraph, of the GDPR.

Viewpoint of the UWV

29. In response to the AP's intention to impose an order subject to a penalty, the UWV gave its view orally during the hearing of February 6, 2018. The UWV noted that it acknowledges that the security of the employer portal does not meet the requirements arising from Article 13 of the Wbp and now Article 32, first paragraph, of the GDPR, because the UWV does not apply multi-factor authentication when granting access to the portal.


30. The UWV decided in April 2017 to start the implementation of eRecognition level 3 / Substantial, in which multi-factor authentication is applied, so that the violation of Article 13 of the Wbp and now Article 32, first paragraph, of the GDPR is removed. Relevant to the confidence level is the fact that in the employer portal only health data are displayed that show the sick report or the fact that someone is pregnant. The nature of the sickness is not processed.



31. The UWV has examined other solutions but considers connecting to eRecognition the only real possibility to achieve multi-factor authentication. With the arrival of the Digital Government Act (hereinafter: Wdo), it is moreover the intention that all government parties make use of the means provided for in this law.


32. In the implementation of eRecognition, the UWV is partly dependent on others, and the UWV has encountered a number of problems, causing the implementation to take longer than the UWV had hoped.

Assessment

Assessment framework

33. In the investigation report, the AP found that the UWV processes personal data in the employer portal, including special personal data: name and address data, citizen service number, financial data and data about disability, dismissal and childbirth. Employers can log in to the portal via the internet by means of an e-mail address and password. This is a form of one-factor authentication.[1] It is known that this situation has not changed.

34. Article 32, first paragraph, of the GDPR stipulates that the controller must apply appropriate technical and organizational measures to protect personal data against loss or unlawful processing. These measures guarantee, taking into account the state of the art and the costs of implementation, an appropriate security level in view of the risks that the processing and the nature of the data to be protected entail.

35. This means that the controller, in this case the UWV, must translate the risks for the data subjects whose personal data are processed into the reliability requirements that the service offered (the employer portal) must satisfy, as seen in the most recent and representative interpretation thereof within the field of information security.


36. In determining the risk for the data subject, the nature of the personal data and the nature of the processing, among other things, are important: these factors determine the potential damage for individuals in the event of, for example, loss, alteration or unlawful processing of the data. For the translation into the confidence level of the employer portal, the UWV can make use of the Guide "Reliability levels for digital services, a guide for government organizations", version 4, of the Forum Standardization (hereinafter: the Guide).


37. The use of this Guide is not mandatory, but it provides an assessment framework for government organizations for determining reliability levels for digital services, of which it can be accepted that it reflects the most recent insights and requirements. Security standards then provide, after determining the applicable confidence level, guidance in taking appropriate measures.[2]

[1] Authentication is the process of verifying that a user who logs into an application or system is actually who he or she claims to be.

38. The AP has investigated whether the UWV has taken appropriate measures regarding authentication when logging into the employer portal. The assessment in this decision is therefore based only on the nature of the personal data to be protected, which translates into a minimum level to be applied. It is not excluded that other factors, in addition to the nature of the personal data, require a higher level of security. However, the AP cannot, as will be discussed below in the present case, assess all relevant factors included in the Guide version 4 for or in the place of the UWV. It is up to the UWV to include these factors in a risk analysis and thus determine the correct security level.[3]


Data concerning a person's health

39. In Article 4, point 15, of the GDPR, the following definition is given: "data concerning health" means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status. Under the GDPR, the concept of "health data" remains unchanged: it includes not only the data that a doctor obtains through medical examination or medical treatment, but all data concerning the mental or physical health of a person. A sick report is therefore a datum about health, even though it does not say anything about the nature of the condition.[4] In the employer portal, the following data are processed: the date of entry of sick leave, the date of termination of sick leave, illness due to pregnancy, childbirth or organ donation, date of birth and date of maternity leave.

40. In view of the nature of the personal data, the employer portal contains data concerning a person's health, which is considered a special category of personal data as referred to in Article 9, first paragraph, of the GDPR.

Increased risk

41. In the Guidelines for the security of personal data, the AP has elaborated the requirements regarding security. The AP indicates that for certain categories of personal data, the consequences of loss or unlawful processing can be serious; these are data with an increased or high risk. In any case, these categories include special personal data.

[2] See also CBP Guidelines, Security of personal data, February 2013.
[3] See, with regard to the risk analysis of the UWV, margin number 54 and further of this decision.
[4] Chamber documents II 1997/98, 25892, No. 3, p. 102.



42. In addition, the AP uses the Guide version 4.[5] The Guide bases its confidence levels on the eIDAS regulation for electronic identification and trust services, which is in force from 1 July 2016 (hereinafter: the eIDAS regulation).[6] The eIDAS regulation distinguishes three levels of assurance for authentication means: low, substantial and high. The Guide provides a classification model with which a simplified risk analysis of the digital service can be made, based on the nature of the personal data to be protected. In this model four classes of personal data are distinguished: class 0, I (basic), II (increased risk) and III (high risk), where data with a higher risk also carry higher security level requirements.


43. The AP finds that the data processed in the employer portal are, according to the Guide, so-called class II personal data, because they concern special personal data. Class II data carry an increased risk.[7] There is no question of a high risk, as with so-called class III data, given the nature of the data that are processed in the portal.


Multi-factor authentication

44. For the processing of class II data, according to the Guide, the minimum confidence level "substantial" applies.[8] Also in answering the question which measures at this confidence level are appropriate as referred to in Article 32, first paragraph, of the GDPR, the Guide offers a framework: for both confidence level "substantial" and confidence level "high", multi-factor authentication is required as the type of authenticator.[9]


45. The requirement of multi-factor authentication when granting access to a system in which health data is processed is, moreover, also endorsed by security standards such as NEN 7510, which describes the application of the Code for information security ISO/IEC 27002 in health care: "Health information systems that process personal health information should determine user identities by means of authentication in which at least two factors are involved."[10]

[5] A guide for government organizations: Reliability levels for digital services, version 4, Forum Standardization.
[6] Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market.
[7] A guide for government organizations, version 4, Forum Standardization, p. 33.
[8] A guide for government organizations, version 4, Forum Standardization, p. 29. It is not excluded that an assessment based on all the criteria mentioned in the Guide version 4 results in a confidence level "high" instead of "substantial". The UWV will have to make this assessment itself; see also margin number 54 and further.
[9] A guide for government organizations, version 4, Forum Standardization, p. 24-25. See also Implementing Regulation (EU) 2015/1502 of the European Commission, setting out minimum technical specifications and procedures for assurance levels for electronic identification means pursuant to Article 8(3) of Regulation (EU) No 910/2014, on which the Guide is based.

46. As an appropriate measure as referred to in Article 32, first paragraph, of the GDPR, multi-factor authentication must be used for access to the employer portal. Since access to the portal takes place through a form of one-factor authentication, the UWV acts contrary to Article 32, first paragraph, of the GDPR. The UWV has also recognized this.

Offender

47. The AP regards the UWV as the offender, because it is the controller in the sense of the GDPR. The UWV determines the purpose and means of the processing of personal data: the employer portal is a service of the UWV and is made available by the UWV to employers, and the purposes of the data processing are determined by the UWV. The UWV also has it in its power to end the violation.

The solution of the UWV: eRecognition

48. By letter of January 25, 2016, the UWV already recognized the violation (of Article 13 of the Wbp, now Article 32, first paragraph, of the GDPR). The UWV indicated that it intends to make use of eRecognition for the employer portal, which provides for the use of multi-factor authentication when granting access to the employer portal.

49. eRecognition is a system that provides companies with electronic access to government services. Entrepreneurs or employees of an organization can use it to log in and identify themselves easily at different organizations. Government organizations need not develop their own authentication system, but can connect to the system. The development of eRecognition is a public-private partnership under the direction of the Ministries of Economic Affairs and Climate and of the Interior and Kingdom Relations. eRecognition recognizes five different confidence levels. For these reliability levels a connection is sought to the three reliability levels that the eIDAS regulation distinguishes and to the requirements that the regulation imposes on the means. The government organization itself determines the confidence level that is applied.

50. The UWV has indicated that the introduction of eRecognition by the UWV should be viewed in the light of the Wdo, which is currently in preparation. The Wdo regulates how Dutch citizens and companies can log in with (semi-)government and implements in the Netherlands the EU directive on the accessibility of government websites and apps.[11] Ahead of the Wdo, eRecognition has been developed by the government.

[10] NEN 7510 (2017), p. 57.
[11] https://www.digitaleoverheid.nl/ilisi/identification-en-authenticatie/eid/wet-gdi/

51. The UWV has indicated that it sees the implementation of eRecognition as the only real solution. The UWV has explored possible interim solutions, of which multi-factor authentication with SMS as second factor was the most feasible and safe alternative option. Implementing an interim solution while the implementation of eRecognition is ongoing would, in addition, delay the implementation of eRecognition, because this must be done by the same team. It would not be effective and proportionate to have employers go through two drastic implementation pathways in a short time: this leads to extra administrative burden for employers and ineffective use of public resources.

Time course / planning

52. The UWV has indicated that it already intended in 2015 to connect to eRecognition. However, the UWV considered the availability of the RSIN (Legal Entities and Partnerships Information Number) and of the BSN for sole proprietorships in the eRecognition system necessary, because without these numbers the UWV cannot link eRecognition to its systems. The expansion of the system depended on third parties, and the UWV set this expansion as a condition for connecting. In April 2017, the UWV decided to proceed with the implementation of eRecognition, because from that moment the RSIN was linked to eRecognition (87.7% of the users of the employer portal are identified by RSIN). At that time the UWV indicated that it expected the connection to eRecognition to be realized in May 2018. In November 2017, the UWV completed the preliminary research. In February 2018, the UWV adopted the project plan eRecognition Employer Portal and provided it to the AP upon request.

53. According to this project plan, the implementation will take place on November 1, 2018, followed by a rollout period of one year in which users of the portal can switch. The UWV has indicated that it now assumes implementation in the fourth quarter of 2018. The BSN is also expected to be added to the system in the second half of 2018; the same implementation date with rollout period applies. There is also a group of users (0.7%) who cannot make use of eRecognition and for whom no solution is yet available. The UWV has indicated that if no solution is available, this group cannot use the employer portal any more by 1 November 2019.

Confidence level; application of the Guide version 4

54. In 2015, the UWV performed a risk analysis with the aid of the then available Guide of the Forum Standardization, version 3.[12] This version of the Guide is based on the European STORK framework. This risk analysis showed that level STORK 3 is appropriate. The UWV provided this risk analysis to the AP upon request by letter of 3 April 2018.

[12] A guide for government organizations: assurance levels for authentication at electronic government services, version 3, Forum Standardization.

55. In November 2016, version 4 of the Guide appeared. This version is no longer based on the STORK framework but, as previously shown, on the eIDAS regulation. The UWV saw no reason to reassess the 2015 risk analysis against the newest version of the Guide. According to the UWV, the 2015 risk analysis already took the eIDAS system into account as proposed legislation: "Therefore, the new version of the Guide has not given any reason to perform a new risk analysis."

56. According to the project plan eRecognition Employer Portal, the UWV has chosen to connect at eRecognition level 3. This corresponds to the eIDAS level substantial.

57. The AP establishes that the risk analysis of the UWV from 2015 is based on version 3 of the Guide. The norm from Article 32, first paragraph, of the GDPR, and previously Article 13 of the Wbp, requires the controller to take appropriate technical and organizational measures in order to ensure an appropriate security level, taking into account, among other things, the state of the art. This entails, among other things, that a risk analysis that has already been carried out must be updated from time to time using the currently valid standards. This applies all the more to the UWV, because the risk analysis carried out in 2015 is not based on the most recent version of the Guide. Otherwise, at the end of the implementation period of, in this case, eRecognition, it is possible that there is no appropriate security level.

58. Although the reliability level STORK 3 of version 3 of the Guide corresponds to the eIDAS confidence level substantial of version 4 of the Guide, the two versions of the Guide use different assessment frameworks. It is therefore possible that the outcome is that the UWV should assume a higher confidence level than it has assumed until now based on version 3 of the Guide. This is relevant to the choice of the measures to be taken that guarantee the appropriate security level. The AP cannot assess all relevant factors in the Guide version 4 for or in the place of the UWV.


Order and grace period

59. From Article 16, first paragraph, of the UAVG, in conjunction with Article 5:32, first paragraph, of the Awb, it follows that the AP is authorized to impose an order subject to a penalty in the event of a violation of Article 32, first paragraph, of the GDPR. Pursuant to Article 5:2, first paragraph, under b, of the Awb, the order is aimed at ending the violations detected and preventing recurrence.








60. The AP orders the UWV to end the violation of Article 32, first paragraph, of the GDPR within the grace period. Measures must be taken to ensure an appropriate security level with regard to access to the employer portal, where logging in is only possible by means of a suitable form of multi-factor authentication (for example, by using eRecognition). Since the UWV, in determining the confidence level for the employer portal, has used a meanwhile outdated version of the Guide, the UWV must re-determine the confidence level by performing a risk analysis using version 4 of the Guide.

61. Article 5:32a, second paragraph, of the Awb provides that a grace period is to be set during which the offender can execute the order without forfeiting a penalty. The period during which the order can be carried out without forfeiture of a penalty must be short, but long enough to be able to carry out the order.


62. Having regard to the foregoing, the AP decides that the UWV must end the violation by October 31, 2019. When determining the grace period, the AP has taken into account the planning of the UWV regarding the implementation of eRecognition, with the said roll-out period of one year after implementation on November 1, 2018.

63. Article 5:32b, third paragraph, of the Awb prescribes that the penalty amounts must be in reasonable proportion to the severity of the violated interest and to the intended effect of the penalty. It is important that the penalty provides such an incentive that the order is complied with.

64. If the UWV does not end the detected violation within the grace period, it forfeits a penalty. The AP fixes the amount of this penalty at € 150,000 for each month that the order has not been (fully) carried out, up to a maximum of € 900,000. The AP considers the height of these amounts to be in reasonable proportion to the gravity of the violated interest (the protection of special personal data and of the personal sphere of life of those involved), and they are also sufficiently high to end the violation. In this, the AP has included the costs associated with the implementation of eRecognition, as well as the structural additional costs per year.


65. The AP requests the UWV to send the re-performed risk analysis, in which the UWV assigns a reliability level to the employer portal, to the AP before 1 October 2018. The AP notes that it is authorized to conduct an investigation, including an on-site investigation, if it considers this useful.












Operative part

The AP imposes on the UWV, for violation of Article 32, first paragraph, of the GDPR, an order subject to a penalty with the following content:

- The UWV must, by 31 October 2019 at the latest, provide access to the employer portal with an appropriate security level, whereby logging in from that moment is only possible by means of an appropriate form of multi-factor authentication. The UWV must re-determine the confidence level by performing a risk analysis using version 4 of the Guide.

- After expiry of this term, the UWV forfeits a penalty of € 150,000 (in words: one hundred and fifty thousand euros) for each month that the order is not (fully) carried out, up to a maximum of € 900,000 (in words: nine hundred thousand euros).




The Authority Personal data,
On their behalf,


Signed




Mr. A. Wolfsen
Chairman











If you do not agree with this decision, you can submit an objection within six weeks after the decision has been sent to the Personal Data Authority, P.O. Box 93374, 2509 AJ The Hague, stating "Awb objection" on the envelope.








