AP (The Netherlands) - 19.01.2023

From GDPRhub
AP - AP (The Netherlands) - Boete Sociale Verzekeringsbank
Authority: AP (The Netherlands)
Jurisdiction: Netherlands
Relevant Law: Article 32(1) GDPR, Article 32(2) GDPR
Type: Complaint
Outcome: Upheld
Started: 01.11.2019
Decided: 19.01.2023
Published: 13.04.2023
Fine: 150,000 EUR
Parties: Sociale verzekeringsbank
National Case Number/Name: AP (The Netherlands) - Boete Sociale Verzekeringsbank
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Dutch
Original Source: AP (in NL)
Initial Contributor: kv33

TO BE UPDATED

The SVB, a Dutch institution responsible for different forms of benefits, was fined €150,000 by the Dutch DPA for violations of Articles 32(1) and 32(2) GDPR. The SVB did not have a sufficient identity verification procedure, resulting in the unauthorised disclosure of personal data.

English Summary

Facts

TO BE UPDATED

The controller in this decision is the ‘Nederlandse Sociale Verzekeringsbank’ (SVB), a Dutch government institution responsible for different forms of social security and benefits. According to the controller, it received around 20,000 telephone calls a week and had around 1,500 employees. (7 – 9)

On 1 November 2019, the Dutch DPA received a complaint from a data subject, who claimed that a family member had been able to receive personal data of the data subject from an employee of the controller over the phone, without the data subject’s consent (1). The controller had acknowledged this incident and had also reported it as a data breach. DATE? (1)

On 15 November 2019, the Dutch DPA decided that it would not continue to investigate the complaint. The reason for this was not clear. The data subject objected to this, after which the DPA decided to start an investigation after all. (2)

At the request of the DPA, the controller provided the DPA with two documents from 2006 and 2007. These documents contained standard working procedures. These documents also contained a risk assessment of the controller's processing, specifically regarding identity verification over the phone. (55)

The investigation service of the DPA determined violations of Articles 32(1) and 32(2) GDPR because of a lack of technical and organisational measures. (3) The controller's systems stored many categories of personal data, such as name and address data, e-mail addresses, and data about nationality and marital status, but also criminal personal data indicating which data subjects had been convicted of a crime or were suspected of fraud. The investigation service found that all 1,500 employees of the controller had access to the files and personal data of data subjects who received AOW, the basic government pension. (17)

The controller had two internal policies in place for its employees in order to identify data subjects on the phone. (21) However, the investigation service concluded that these policies differed from each other concerning the manner in which data subjects should be identified, which caused confusion among employees. Also, many of the identity verification questions in both policies concerned personal information that was relatively easy to uncover in practice. In one of the policies, employees were even discouraged from asking for really specific information regarding the identity of the data subject on the phone. In short, it was not clear which questions, and how many, should be asked on the phone to verify the identity of the data subject. (24)

The investigation service also concluded that the controller did not have a sufficient policy to ensure that employees actually verified the identity of data subjects on the phone. (25) It also found that employees did not always follow the policies that were in place, and that identity verification was in practice often left to the individual assessment and interpretation of the employee answering the phone. (26)

Holding

TO BE UPDATED

The DPA determined that the controller had violated Articles 32(1) and 32(2) GDPR. (…) The DPA held that the controller had not made a proper risk assessment of its processing operations, considering that the documents from 2006 and 2007 were already 14 years old at the time the investigation was concluded, and that the controller had not re-assessed the risks of the processing even once in those 14 years. (55-57) Furthermore, according to the DPA the controller did not properly assess the risks for data subjects and did not identify all the risks that were present. (58)

The DPA determined that the risk of providing personal data over the phone was high, given the scale of the processing, the nature of the personal data in question, the number of employees who could access the data and the frequency at which data subjects contacted the controller. (59)

The DPA also concluded that the controller's measures were insufficient to mitigate this high risk. The DPA singled out two aspects that were insufficient: the identity verification over the phone (66 – 72) and the lack of awareness in the controller's organisation (73-76). (Conclusion, all measures in 77-79.)

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

Fine for SVB after faulty identity check
Press release/April 13, 2023
The Dutch Data Protection Authority (AP) has imposed a fine of 150,000 euros on the Social Insurance Bank (SVB) for inadequate identity checks by the telephone helpdesk. As a result, clients with a state pension benefit ran the risk that sensitive information would end up with persons who are not entitled to it. The SVB has now taken measures.

In 2019, data from an SVB client came into the hands of someone who should not have received that data. The client discovered that someone had managed to request benefit information via the telephone helpdesk of the SVB. The client then filed a complaint with the AP.

Privacy risks insufficiently weighed
In an average week, the SVB answers up to 20,000 people who have questions about social security laws, including the state pension. In addition, the approximately 1,500 SVB service employees all have access to client data.
In such a situation it is very important that the rules for the provision of information by telephone are clear. However, research by the AP shows that the SVB did too little to map out the privacy risks of telephone services.
In practice, the system for verifying the identity of callers was inadequate. Control questions were often about things that are fairly easy to find out for outsiders (such as someone's first name, address and zip code).
The SVB also insufficiently checked whether service employees actually adhered to the inspection policy. The SVB did not make employees sufficiently aware of the importance of the secure management of personal data. These violations lasted from May 2018 to May 2022.

Very personal information
'The SVB pays benefits to more than 5 million people. With so many Dutch people relying on the SVB for benefits, it is very important that the privacy policy is in order,' says AP director Katja Mur.
'Information about benefits is very personal; such information tells a lot about someone's life. Callers must therefore be able to assume that the SVB checks whether they have the right person on the line.'
Immediately after the AP's findings, the SVB improved its telephone services. A new, unambiguous work instruction prescribes exactly how service employees must check the identity of callers. The SVB will evaluate the new policy every two years.

Broader interest
'Agencies with telephone helplines can learn from this,' says Mur. 'Privacy policy is not only about digital services, but also about telephone services. People do more and more via the internet, of course, but telephone helpdesks are also widely used. So make sure that you also arrange privacy protection for telephone services.'