AP (The Netherlands) - 19.01.2023

From GDPRhub
AP - AP (The Netherlands) - Boete Sociale Verzekeringsbank
LogoNL.png
Authority: AP (The Netherlands)
Jurisdiction: Netherlands
Relevant Law: Article 32(1) GDPR
Article 32(2) GDPR
Type: Complaint
Outcome: Upheld
Started: 01.11.2019
Decided: 19.01.2023
Published: 13.04.2023
Fine: 150,000 EUR
Parties: Sociale verzekeringsbank
National Case Number/Name: AP (The Netherlands) - Boete Sociale Verzekeringsbank
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Dutch
Original Source: AP (in NL)
Initial Contributor: kv33

The SVB, a Dutch institution responsible for different forms of benefits, was fined €150,000 by the Dutch DPA for not ensuring a sufficient identity verification procedure, resulting in the unauthorised disclosure of personal data.

English Summary[edit | edit source]

Facts[edit | edit source]

The controller in this decision was The ‘Nederlandse Sociale Verzekeringsbank’ (SVB), a Dutch government institution responsible for different forms of social security and benefits. The citizens can reach out to the controller through a telephone helpdesk to ask questions about social security insurances. According to the controller, its 1500 employees receive around 20,000 telephone calls a week in that regard.

On 1 November 2019, the Dutch DPA received a complaint from a data subject, who claimed that a family member, in a phone call, had been able to receive personal data concerning them from the controller, without the data subject’s consent. The controller had acknowledged this incident and had reported it as a data breach on an unspecified date.

On 15 November 2019, the Dutch DPA decided that it would not continue to investigate the complaint. The reason for this decision was not clear. The data subject appealed this decision, after which the DPA decided to start an investigation after all.

The investigation service of the DPA found that a lot of (categories) of personal data were saved in the systems of the controller, such as name, address, mail address, nationality and marital status, but also criminal personal data, which indicated which data subjects were convicted of a crime or were suspected of fraud. The investigation service found that all 1500 employees of the controller had access to the files and personal data of data subjects who received AOW, the basic government pension.

At the request of the DPA, which wanted to know how the current policy regarding identity verification questions came to be, the controller provided the DPA with documents from 2006 and 2007 showing that it acknowledged the risk that a third party could request personal data of a data subject. After this, the controller decided to introduce verification questions to confirm the identity of the caller. It appears from another document that concerns were raised in 2007 about the verification questions. The investigation service found that no policy changes had been introduced since 2006 and that no further evaluations had been conducted.

The investigation service also found that the controller had two different internal policies in place for its employees in order to identify data subjects on the phone. However, these policies contained some differences concerning the manner in which data subject should be identified, which caused confusion among employees. In short, it was not clear which questions - and how many questions, should be asked on the phone to verify the identity of the data subject. It was also not clear which further questions needed to be asked when there were doubt about the identity of the data subject.

The investigation service concluded that the controller had no way of guaranteeing that the identity verification policies were sufficient to actually verify the identity of the data subject. It also found that employees did not always act according to the policies, and that the identity verification was often left to the own assessment and interpretation of the employee in question.

After the investigation report, in June 2022, SVB drew up an action plan and specified measures to improve the identity checks. For example it updated its mandatory telephone training.

Holding[edit | edit source]

After confirming that the GDPR applied to the facts of this case and that SVB was the controller, the DPA assessed if it ensured an appropriate level of security under Articles 32(1) and 32(2) GDPR.

The DPA held that the controller did not make a proper risk assessment of its processing operations, considering the fact that the documents from 2006 and 2007 were already 14 years old at the time the investigation was concluded. Also, the controller did not re-assess the risks of the processing once in these 14 years and did not properly identified the risks at stake. For example, the DPA notes that no attention was paid to the fact that all 1,500 employees had access to all personal data and that such large-scale access constituted a risk.

The DPA determined that the risk of providing personal data over the phone was high, in view of the scale of the processing, the nature of the personal data in question, the amount of employees that could access the data and the frequency at which data subjects would contact the controller.

The DPA also concluded that the measures of the controller were insufficient to mitigate this high risk. Two aspects were singled out as insufficient: the identity verification over the phone and the lack of awareness regarding the security responsabilities in the controllers' organization.

In conclusion, the DPA considered SVB's security measures as not appropriate in relation to the security risks, in violation of Articles 32(1) and 32(2) GDPR. Taking into account that SVB introduced improvement measures after the investigation, the DPA considered that the violation lasted until June 2022. Regarding the fine, the basic amount was set to €310,000 but considering the presence of mitigating circumstances, for example the fact that only ten data breaches were detected between 2018 and 2021, the DPA reduced the fine to €150,000.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

Fine for SVB after faulty identity check
Press release/April 13, 2023
The Dutch Data Protection Authority (AP) has imposed a fine of 150,000 euros on the Social Insurance Bank (SVB) for inadequate identity checks by the telephone helpdesk. As a result, clients with a state pension benefit ran the risk that sensitive information would end up with persons who are not entitled to it. The SVB has now taken measures.

In 2019, data from an SVB client came into the hands of someone who should not have received that data. The client discovered that someone had managed to request benefit information via the telephone helpdesk of the SVB. The client then filed a complaint with the AP.

Privacy risks insufficiently weighed
In an average week, the SVB answers up to 20,000 people who have questions about social security laws, including the state pension. In addition, the approximately 1,500 SVB service employees all have access to client data.
In such a situation it is very important that the rules for the provision of information by telephone are clear. However, research by the AP shows that the SVB did too little to map out the privacy risks of telephone services.
In practice, the system for verifying the identity of callers was inadequate. Control questions were often about things that are fairly easy to find out for outsiders (such as someone's first name, address and zip code).
The SVB also insufficiently checked whether service employees actually adhered to the inspection policy. The SVB did not make employees sufficiently aware of the importance of the secure management of personal data. These violations lasted from May 2018 to May 2022.

Very personal information
The SVB pays benefits to more than 5 million people. With so many Dutch people relying on the SVB for benefits, it is very important that the privacy policy is in order,' says AP director Katja Mur.
'Information about benefits is very personal, such information tells a lot about someone's life. Callers must therefore be able to assume that the SVB checks whether they have the right person on the line.'
Immediately after the AP's findings, the SVB improved its telephone services. A new, unambiguous work instruction prescribes exactly how service employees must check the identity of callers. The SVB will evaluate the new policy every two years.

Broader interest
"Agencies with telephone helplines can learn from this," says Mur. “Privacy policy is not only about digital services, but also about telephone services. People do more and more via the internet, of course, but telephone helpdesks are also widely used. So make sure that you also arrange privacy protection for telephone services.