AP (The Netherlands) - 19.01.2023
| AP - AP (The Netherlands) - Boete Sociale Verzekeringsbank | |
|---|---|
| Authority: | AP (The Netherlands) |
| Jurisdiction: | Netherlands |
| Relevant Law: | Article 32(1) GDPR; Article 32(2) GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | 01.11.2019 |
| Decided: | 19.01.2023 |
| Published: | 13.04.2023 |
| Fine: | 150,000 EUR |
| Parties: | Sociale verzekeringsbank |
| National Case Number/Name: | AP (The Netherlands) - Boete Sociale Verzekeringsbank |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Dutch |
| Original Source: | AP (in NL) |
| Initial Contributor: | kv33 |
The SVB, a Dutch institution responsible for different forms of benefits, was fined €150,000 by the Dutch DPA for violations of Articles 32(1) and 32(2) GDPR. The SVB did not have a sufficient identity verification procedure, resulting in the unauthorised disclosure of personal data.
English Summary
Facts
The controller in this decision is the ‘Nederlandse Sociale Verzekeringsbank’ (SVB), a Dutch government institution responsible for different forms of social security and benefits. The controller is also responsible for providing information. According to the controller, its 1500 employees received around 20,000 telephone calls a week (7 – 9).
On 1 November 2019, the Dutch DPA received a complaint from a data subject, who claimed that, in a phone call, a family member had been able to obtain the data subject’s personal data from an employee of the controller without the data subject’s consent (1). The controller had acknowledged this incident and had also reported it as a data breach on an unspecified date (1).
On 15 November 2019, the Dutch DPA decided that it would not continue to investigate the complaint. The reason for this decision was not clear. The data subject appealed this decision, after which the DPA decided to start an investigation after all. (2)
The investigation service of the DPA found that many categories of personal data were stored in the systems of the controller, such as name and address data, mail address, nationality and marital status, but also criminal personal data, which indicated which data subjects had been convicted of a crime or were suspected of fraud. The investigation service found that all 1500 employees of the controller had access to the files and personal data of data subjects who received AOW, the basic government pension (17).
At the request of the DPA, which wanted to know how the current policy on identity verification questions came to be, the controller provided the DPA with two documents from 2006 and 2007. In the document from 2006, the controller acknowledged the risk that a third party could request personal data of a data subject. After this, the controller decided to introduce verification questions to confirm the identity of the caller. The second document, from 2007, was an internal policy note of the controller in which concerns were raised about the verification questions. The investigation service found that no policy changes had been introduced since 2006 and that no further evaluations had been conducted since 2007 (27 - 28).
The investigation service also found that the controller had two internal policies in place for its employees for identifying data subjects on the phone. However, the investigation service concluded that these policies differed from each other in how data subjects should be identified, which caused confusion among employees. Also, many of the identity verification questions in both policies concerned personal information that was relatively easy to uncover in practice. In one of the policies, employees were even discouraged from asking for really specific information regarding the identity of the data subject. In short, it was not clear which questions, and how many questions, should be asked on the phone to verify the identity of the data subject (24). It was also not clear which further questions needed to be asked when there was doubt about the identity of the data subject. The investigation service also concluded that the controller had no way of guaranteeing that the identity verification policies were sufficient to actually verify the identity of the data subject (25). It also found that employees did not always act according to the policies, and that the identity verification was often left to the own assessment and interpretation of the employee in question (26).
Holding
The DPA determined that the controller had violated Articles 32(1) and 32(2) GDPR. The DPA held that the controller had not made a proper risk assessment of its processing operations, considering that the documents from 2006 and 2007 were already 14 years old at the time the investigation was concluded, and that the controller had not re-assessed the risks of the processing once in those 14 years (55-57). The controller also did not properly assess the risks for data subjects and, according to the DPA, did not identify all the risks that were present (58).
The DPA determined that the risk of providing personal data over the phone was high, looking at the scale of the processing, the nature of the personal data in question, the number of employees that could access the data and the frequency with which data subjects would contact the controller (59).
The DPA also concluded that the measures of the controller were insufficient to mitigate this high risk. The DPA singled out two aspects that were insufficient: the identity verification over the phone (66 – 72) and the lack of awareness in the controller's organisation (73-76). (Conclusion, all measures in 77-79).
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
Fine for SVB after faulty identity check

Press release / April 13, 2023

The Dutch Data Protection Authority (AP) has imposed a fine of 150,000 euros on the Social Insurance Bank (SVB) for inadequate identity checks by the telephone helpdesk. As a result, clients with a state pension benefit ran the risk that sensitive information would end up with persons who are not entitled to it. The SVB has now taken measures.

In 2019, data from an SVB client came into the hands of someone who should not have received that data. The client discovered that someone had managed to request benefit information via the telephone helpdesk of the SVB. The client then filed a complaint with the AP.

Privacy risks insufficiently weighed

In an average week, the SVB answers up to 20,000 people who have questions about social security laws, including the state pension. In addition, the approximately 1,500 SVB service employees all have access to client data. In such a situation it is very important that the rules for the provision of information by telephone are clear. However, research by the AP shows that the SVB did too little to map out the privacy risks of telephone services. In practice, the system for verifying the identity of callers was inadequate. Control questions were often about things that are fairly easy to find out for outsiders (such as someone's first name, address and zip code). The SVB also insufficiently checked whether service employees actually adhered to the inspection policy. The SVB did not make employees sufficiently aware of the importance of the secure management of personal data. These violations lasted from May 2018 to May 2022.

Very personal information

The SVB pays benefits to more than 5 million people. 'With so many Dutch people relying on the SVB for benefits, it is very important that the privacy policy is in order,' says AP director Katja Mur. 'Information about benefits is very personal, such information tells a lot about someone's life. Callers must therefore be able to assume that the SVB checks whether they have the right person on the line.'

Immediately after the AP's findings, the SVB improved its telephone services. A new, unambiguous work instruction prescribes exactly how service employees must check the identity of callers. The SVB will evaluate the new policy every two years.

Broader interest

'Agencies with telephone helplines can learn from this,' says Mur. 'Privacy policy is not only about digital services, but also about telephone services. People do more and more via the internet, of course, but telephone helpdesks are also widely used. So make sure that you also arrange privacy protection for telephone services.'