AP (The Netherlands) - 19.01.2023

From GDPRhub
Revision as of 12:41, 14 April 2023 by Kv33
AP - AP (The Netherlands) - Boete Sociale Verzekeringsbank
Authority: AP (The Netherlands)
Jurisdiction: Netherlands
Relevant Law: Article 32(1) GDPR
Article 32(2) GDPR
Type: Complaint
Outcome: Upheld
Started: 01.11.2019
Decided: 19.01.2023
Published: 13.04.2023
Fine: 150,000 EUR
Parties: Sociale verzekeringsbank
National Case Number/Name: AP (The Netherlands) - Boete Sociale Verzekeringsbank
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Dutch
Original Source: AP (in NL)
Initial Contributor: kv33

TO BE UPDATED

The SVB, a Dutch institution which handles different forms of social security, was fined €150,000 by the Dutch DPA for violations of Articles 32(1) and 32(2) GDPR. The SVB did not sufficiently verify the identity of callers in phone conversations.

English Summary

Facts

TO BE UPDATED

The controller in this decision is the ‘Nederlandse Sociale Verzekeringsbank’ (SVB), a Dutch government institution which handles different forms of social security. The institution is responsible for informing data subjects about the different forms of social security, including on request. According to the controller, it receives around 20,000 calls a week requesting information. The controller has around 1,500 employees. (7 – 9)

On 1 November 2019, the Dutch DPA received a complaint from a data subject, who claimed that a family member had been able to obtain her personal data from an employee of the controller over the phone without her consent (1). The controller had acknowledged this and had also reported the incident as a data breach (1).

On 15 November 2019, the Dutch DPA decided not to investigate her complaint further. The reason for this is not specified in the decision. The data subject objected, after which the DPA decided to start an investigation after all. (2)

At the request of the DPA, the controller provided two documents from 2006 and 2007 which outlined its policy and contained a risk assessment (55).

The investigation service of the DPA found violations of Articles 32(1) and 32(2) GDPR because of a lack of technical and organisational measures. (3) In its report, the investigation service described (…) the different systems and applications used by the controller:

System 1 (confidential) – ‘Uitvoeringen van sociale regelingen’ (implementation of social schemes) – used for the distribution and administration of social services; the controller receives personal data for this system from another institution, the BRP (11)

System 2 – Document management system – holds all documents containing personal data, such as sent and received letters, notes of phone conversations and internal notes (12)

System 3 – Application which allowed employees of the controller to search the files of elderly data subjects receiving the state pension, called AOW (13 – 14)

These systems stored many categories of personal data, such as NAW data (name, address, place of residence), mail address, and data about nationality and marital status. They also contained criminal personal data, from which it was clear which data subjects had been convicted of a crime or were suspected of fraud.

The investigation service also found that all 1500 employees of the controller had access to the files of data subjects who received AOW. (17) When these employees were on the phone with data subjects, they had access to all personal data concerning data subjects in the controller’s internal systems. (19)

The controller had two internal policies in place for its employees in order to identify data subjects on the phone. (21) However, the investigation service concluded that these policies differed on how data subjects should be identified on the phone, which caused confusion for the employees. Also, many of the questions in both policies concerned personal information which was relatively easy to find out. In one of the policies, employees were even discouraged from asking for very specific information regarding the identity of the data subject on the phone. In short, it was not clear which questions, and how many, should be asked on the phone to verify the identity of the data subject. (24)

The investigation service also concluded that the controller did not have a sufficient policy to ensure that employees actually verified the identity of data subjects on the phone. (25) It also concluded that employees did not always follow the policies which were in place, and that in practice identity verification was often left to the assessment and interpretation of the individual employee answering the phone. (26)
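The two gaps the investigation service describes above, control questions that rely on easily discoverable data and no check that employees actually applied the policy, can both be made auditable from call records. The Python below is an added example and is not part of the GDPRhub summary or of any SVB or AP material; the classification of questions as weak or strong, the threshold of two correctly answered strong questions before disclosure, the JSON call-log format and the sample records are all constructed assumptions for illustration.

```python
"""Audit of telephone identity checks against a written verification policy.

Hypothetical example: the question classes, the threshold, the log format and
the sample records are assumptions for illustration, not the SVB's or AP's rules.
"""
import json
from dataclasses import dataclass

# Questions whose answers an outsider can find out fairly easily (the decision
# names first name, address and postcode) count for nothing on their own.
WEAK_QUESTIONS = {"first_name", "address", "postcode"}
# Assumed "strong" questions: information that should only be known from
# correspondence between the institution and the data subject.
STRONG_QUESTIONS = {"customer_number", "last_payment_amount", "letter_reference"}
# Assumed policy: at least this many strong questions answered correctly
# before any personal data is read out over the phone.
MIN_STRONG_CORRECT = 2

# Constructed call-log records (one JSON object per line).
SAMPLE_LOG = """
{"call_id": "c1", "agent": "a17", "questions": {"first_name": true, "postcode": true}, "disclosed": true}
{"call_id": "c2", "agent": "a03", "questions": {"customer_number": true, "last_payment_amount": true}, "disclosed": true}
{"call_id": "c3", "agent": "a17", "questions": {"customer_number": true, "last_payment_amount": false}, "disclosed": true}
{"call_id": "c4", "agent": "a09", "questions": {"first_name": true}, "disclosed": false}
{"call_id": "c5", "agent": "a22", "questions": {"customer_number": true, "unknown_q": true}, "disclosed": true}
"""


@dataclass
class Finding:
    call_id: str
    agent: str
    reasons: list


def evaluate_call(record):
    """Return a Finding if the call deviates from the policy, else None."""
    answers = record.get("questions", {})
    reasons = []
    # A question the policy does not know about means the agent improvised;
    # the decision found exactly this kind of ambiguity in the two policies.
    unknown = sorted(q for q in answers if q not in WEAK_QUESTIONS | STRONG_QUESTIONS)
    if unknown:
        reasons.append("question(s) not covered by policy: " + ", ".join(unknown))
    strong_correct = sum(1 for q, ok in answers.items() if q in STRONG_QUESTIONS and ok)
    failed = sorted(q for q, ok in answers.items() if not ok)
    if record.get("disclosed"):
        if failed:
            reasons.append("data disclosed after incorrect answer(s): " + ", ".join(failed))
        if strong_correct < MIN_STRONG_CORRECT:
            reasons.append(
                f"data disclosed with {strong_correct} strong answer(s), "
                f"policy requires {MIN_STRONG_CORRECT}"
            )
    if not reasons:
        return None
    return Finding(record["call_id"], record["agent"], reasons)


def _records(log_text):
    for line in log_text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def audit(log_text):
    """All policy deviations in a call log, in log order."""
    return [f for f in (evaluate_call(r) for r in _records(log_text)) if f is not None]


def agent_summary(log_text):
    """Per agent: (flagged calls, total calls). Shows whether deviations cluster
    on individual employees, i.e. whether the policy is actually being followed."""
    totals, flagged = {}, {}
    for rec in _records(log_text):
        agent = rec["agent"]
        totals[agent] = totals.get(agent, 0) + 1
        if evaluate_call(rec) is not None:
            flagged[agent] = flagged.get(agent, 0) + 1
    return {a: (flagged.get(a, 0), n) for a, n in totals.items()}


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding.call_id, finding.agent, "; ".join(finding.reasons))
    print(agent_summary(SAMPLE_LOG))
```

Running the block over the constructed log flags calls c1, c3 and c5 and leaves c2 (two strong answers) and c4 (nothing disclosed) alone; the per-agent summary is the kind of periodic check the decision says was missing, since an agent with a high flagged share is the one whose calls need review and retraining.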

Holding

TO BE UPDATED

Confirmation by the DPA of the existence of criminal data and personal data

The DPA determined that the controller had violated Articles 32(1) and 32(2) GDPR. (…) The DPA held that the controller had not made a proper risk assessment of its operations, considering that the documents provided from 2006 and 2007 were already 14 years old at the time the investigation was concluded. Nor had the controller re-assessed the risks in the meantime. (55-57) The documents were also lacking as risk assessments on their contents: according to the DPA, the controller did not properly assess the risks for data subjects and did not identify all the risks that were present. (58)

The DPA determined that the risk of providing personal data over the phone was high, given the scale of the processing, the nature of the personal data in question, the number of employees that could access the data and the frequency with which data subjects contacted the controller. (59)

The DPA also concluded that the controller's measures were insufficient to mitigate this high risk. The DPA singled out two aspects as insufficient: the identity verification over the phone (66 – 72) and the lack of awareness in the controller's organisation (73-76). (conclusion, all measures in 77-79)

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

Fine for SVB after faulty identity check
Press release/April 13, 2023
The Dutch Data Protection Authority (AP) has imposed a fine of 150,000 euros on the Social Insurance Bank (SVB) for inadequate identity checks by the telephone helpdesk. As a result, clients with a state pension benefit ran the risk that sensitive information would end up with persons who are not entitled to it. The SVB has now taken measures.

In 2019, data from an SVB client came into the hands of someone who should not have received that data. The client discovered that someone had managed to request benefit information via the telephone helpdesk of the SVB. The client then filed a complaint with the AP.

Privacy risks insufficiently weighed
In an average week, the SVB answers up to 20,000 people who have questions about social security laws, including the state pension. In addition, the approximately 1,500 SVB service employees all have access to client data.
In such a situation it is very important that the rules for the provision of information by telephone are clear. However, research by the AP shows that the SVB did too little to map out the privacy risks of telephone services.
In practice, the system for verifying the identity of callers was inadequate. Control questions were often about things that are fairly easy to find out for outsiders (such as someone's first name, address and zip code).
The SVB also insufficiently checked whether service employees actually adhered to the inspection policy. The SVB did not make employees sufficiently aware of the importance of the secure management of personal data. These violations lasted from May 2018 to May 2022.

Very personal information
The SVB pays benefits to more than 5 million people. 'With so many Dutch people relying on the SVB for benefits, it is very important that the privacy policy is in order,' says AP director Katja Mur.
'Information about benefits is very personal, such information tells a lot about someone's life. Callers must therefore be able to assume that the SVB checks whether they have the right person on the line.'
Immediately after the AP's findings, the SVB improved its telephone services. A new, unambiguous work instruction prescribes exactly how service employees must check the identity of callers. The SVB will evaluate the new policy every two years.

Broader interest
'Agencies with telephone helplines can learn from this,' says Mur. 'Privacy policy is not only about digital services, but also about telephone services. People do more and more via the internet, of course, but telephone helpdesks are also widely used. So make sure that you also arrange privacy protection for telephone services.'