AP (The Netherlands) - z2018-02009: Difference between revisions

AP - Employee Insurance Agency (UWV)
Authority:	AP (The Netherlands)
Jurisdiction:	Netherlands
Relevant Law:	Article 32 GDPR
Type:	Investigation
Outcome:	Violation Found
Started:
Decided:	31.07.2018
Published:
Fine:	n/a
Parties:	n/a
National Case Number/Name:	Employee Insurance Agency (UWV)
European Case Law Identifier:	n/a
Appeal:	n/a
Original Language(s):	Dutch
Original Source:	AP (in NL)
Initial Contributor:	GDPR MASTer Project

The Dutch DPA fined €150,000/month (until requirements are met) the employer portal UWV, handling employee health data, due to insufficiently secure access control to its portal.

English Summary

Facts

The Dutch employer portal UWV, handling employee health data is investigated for use of single-factor authentication (email address and password) to grant access to the portal.

Dispute

Is single factor authentication sufficient given the sensitive nature of data stored on the portal?

Holding

The Dutch Data Protection Authority considers the single-factor authentication insufficient given the nature of data (under article 32) and proposes multi-factor authentication as a safer alternative. The portal is fined 150,000€/month up to 900,000€ until the portal implements sufficient access control.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

                                                            Dutch Data Protection Authority
                                                            PO Box 93374, 2509 AJ The Hague
                                                            Bezuidenhoutseweg 30, 2594 AV The Hague
                                                            T 070 8888 500 - F 070 8888 501
                                                            authoritypersonal data.nl

      Registered
      UWV
      Board of Directors
      P.O. Box 58285
      1040HGAmsterdam







      Date
      July 31, 2018                                             Our reference
                                                                z2018-02009


                                                                Contact
                                                                [CONFIDENTIAL]
                                                                0708888500
      Topic
      Order subject to a penalty



      Resume


1. The Dutch Data Protection Authority (hereinafter: the Dutch DPA) has on 27 March 2017 pursuant to Article 60 of the The Personal Data Protection Act (hereinafter: the Wbp), as it applied at the time, initiated an investigation to the use of multi-factor authentication in the employers' portal of the Implementation Institute Employers' insurance (hereinafter: the UWV).  
   
2. In the employer portal, the UWV processes, among other things, personal data relating to the
employee health. In view of this, access to the employer portal must take place via the internet
find through multi-factor authentication. The UWV currently applies one-factor authentication to the granting access to the employer portal.

3. In the final findings report (hereinafter: the investigation report), the AP has established that the In doing so, the UWV is acting in violation of Article 13 of the Wbp, as it applied at the time, on the basis of which, for insofar as relevant here, a controller must take appropriate measures to discard personal data protect against loss or any form of unlawful processing.

4. The AP bases the compulsory payment decision on the investigation report, given orally by the UWV view on the DPA's intention to impose an order subject to a penalty and the subsequent by the
UWV information provided at the request of the Dutch DPA

5. The General Data Protection Regulation (hereinafter: the GDPR) applies on 25 May 2018
become. The GDPR imposes the same obligation in Article 32, paragraph 1, as it applied under Article 13

6. The UWV wishes to connect to the eHerkenning system for multi-factor authentication in this way
when granting access to the employer portal. The date on which UWV
expects that you can only log in to the employer portal by using eHerkenning
since the first request by the AP by letter of25 November 2015 has been moved to
November 1, 2019

7. In response to the above, the DPA has decided on the basis of Article 16, first paragraph, of the General Data Protection Regulation Implementation Act (hereinafter: UAVG) viewed in conjunction with Section 5:32, subsection 1, of the General Administrative Law Act (hereinafter: the Awb) imposes an order subject to a penalty to lay. With the order subject to a penalty, the AP aims to ensure that the violation has been established is brought to an end.


8. By 31 October 2019 at the latest, grant access to the employer portal of an appropriate
security level, whereby logging into the portal is only possible by means of a
appropriate form of multi-factor authentication. Part of that burden is that the UWV required it
confidence level by performing a risk analysis based on the
most recent version of the Guide 'Reliability levels for digital services, one
guidelines for government organizations' (version 4).


9. In case of non-compliance with the order after the expiry of the beneficiary term, UWV will be subject to a penalty of
EUR 150,000 payable for each month that the order is not (fully) executed, with a maximum
from EUR 900,000.


      Course of procedure

10. On August 29, 2017, the Dutch DPA adopted the investigation report and sent it to the UWV.
The public version of the report was published on the AP's website on November 14, 2017.

11. In a letter of 15 August 2017, the AP has a few more as a result of the investigation at the UWV questions about the size of the employer portal.

12. In a letter of August 30, 2017, the UWV responded to the questions asked by the AP in a letter of August 15 2017 has stated.

13. In a letter dated 11 September 2017, the UWV responded to the investigation report. The UWV
states that it acknowledges, among other things, that the security level does not meet the requirements of Article 13 of the Wbp and wanting to remedy this by implementing eHerkenning level
substantial.


14. In a letter of9 November 2017, the UWV informed the AP about the progress of the implementation
of eRecognition.

15. In a letter dated 14 December 2017, the Dutch DPA informed the UWV of its intention to file an order subject to a penalty and the UWV given the opportunity orally or in writing point of view. The UWV was invited to a hearing.

16. The hearing took place on 6 February 2018. A report was made of the hearing, which if
Annex I is attached to this Decree.

17. In response to what was discussed during the hearing, the UWV submitted a letter of28 February
2018 provided additional information and further documents, including the project plan
eRecognition.

18. In response to the information received in a letter of28 February 2018, the AP has submitted to the UWV letter dated March 15, 2018.

19. In a letter of April 3, 2018, the UWV responded to the questions of the AP of March 15, 2018 and hereby the 'risk analysis absenteeism report' (hereinafter: the risk analysis).

20. In response to the information received in a letter of3 April 2018, the AP has sent a letter to the UWV of 14 May 2018.

21. By letter of May 25, 2018, theUWV has responded to the questions of the AP of May 14, 2018.

      Research report

22. In the investigation report, the AP found that the UWV in the employer portal
processes personal data about health. Access to the employer portal is obtained by
entering an email address and password. This is a form of one-factor authentication.

23. It follows from Article 13 of the Wbp - now Article 32, first paragraph, of the GDPR - that a
responsible must take appropriate measures to protect personal data against loss or
any form of unlawful processing. The term 'appropriate' also indicates proportionality
between security measures and the nature of the data to be protected. Given the sensitivity of
the personal data processed in the UWV employer portal, namely data about
health workers, should gain access to the portal via the Internet, given the
state of the art, to take place through at least multi-factor authentication.

24. The UWV has indicated that it has taken measures to prevent unauthorized access to the
employer portal, such as annual penetration and security tests and the
continuous logging and monitoring of usage. These measures are regarding authentication
not appropriate because they cannot provide an adequate level of protection for gaining access to the application. Because the UWV does not apply multi-factor authentication, nor in any other way
has taken appropriate measures with regard to accessing the data in the
employer portal, the UWV is acting in violation of article 13 of the Wbp, as it applied at the time.

      Legal framework

25. The relevant legal framework is included as Annex 2 to this Decision.


      GDPR

26. In the investigation report, the AP has violated the standard from Article 13 of the Wbp
noted. As of25 May 2018, the AVG and UAVG apply and the Wbp has been withdrawn.

27. When assessing whether there is also a violation of the standard from the GDPR, it is important that the standard does not materially change materially under the GDPR compared to the standard under the Wbp. The standard from Article 13 of the Wbp is currently laid down in Article 32, first and second paragraphs, of the GDPR. The latter article states that the controller, taking into account the state of the technique, the implementation costs, as well as the nature, scope, context and processing purposes and the risks to the rights and freedoms of individuals varying in likelihood and severity, take appropriate technical and organizational measures to ensure a risk-based approach level of security. This obligation is materially in line with the obligation from
article 13 of the Wbp.

28. This means that, given that the facts under examination and the relevant circumstances after the emergence
of the investigation report have not been changed to date, as of25 May 2018
violation of Article 32, paragraph 1, of the GDPR.


Viewpoint

29. In response to the intention of the DPA to impose an order subject to a penalty, the UWV has
expressed an opinion orally during the hearing on 6 February 2018. In summary, it comes
view boils down to the UWV recognizing that the security of the employer portal does not comply with the
requirements arising from Article 13 of the Wbp and currently Article 32, first paragraph, of the GDPR because the UWV
does not apply multi-factor authentication to granting access to the portal.

30. In April 2017, the UWV decided to start with the implementation of eRecognition level
3 I Substantial, where multi-factor authentication is applied and thus the violation of Article 13
of the Wbp and now Article 32, first, of the GDPR will be repealed. The UWV has in determining
the confidence level the fact that the employer portal only contains health data
processes related to reporting sick or the fact that someone is pregnant.
The nature of the sick report is not processed.

31. The UWV has put forward that it has investigated other solutions, but the connection to
To see eRecognition as the only real possibility to achieve multi-factor authentication. With the
The advent of the Digital Government Act (hereinafter: W do), it is the intention that all government parties make use of the resources provided for in this Act.

32. In the implementation of eHerkenning, the UWV i s partly dependent on third parties and the UWV runs into difficulties
a number of problems, which means that implementation is taking longer than the UWV had
hoped.

      Review

      Assessment framework

33. In the investigation report, the AP established that the UWV in the employer portal
processes personal data, including special personal data. This includes NAWdata,
citizen service number, financial data and data on disability, dismissal and childbirth.
Employers can log in to the portal via the internet by entering an email address and password
feed. This is a form of one-factor authentication 1 • Off the papers and it is traded at a hearing
showed that this situation has not changed at present.

34. Article 32, first paragraph, of the GDPR stipulates that the controller will have appropriate technical and
must take organizational measures to protect personal data against loss or
unlawful processing. Guarantee these measures, taking into account the state of the art
and the costs of implementation, an appropriate level of security given the risks posed by the
processing and the nature of the data to be protected.

35. This means that the controller, in this case the UWV, must translate the risks
for the data subject whose personal data are processed according to the reliability requirements
the service that is offered (the employer portal) must comply and that within the field
information security is seen as the most recent and representative implementation thereof.

36. In determining the risk to the data subject include the nature of the personal data and the
nature of processing matters: these factors determine the potential harm to the individual
data subject in the event of, for example, loss, modification or unlawful processing of the data. When making
The UWV can use the translation to the reliability level of the employer portal
making the Guide 'Reliability levels for digital services, a guide for
government organizations, version 4 'of the Standardization Forum (hereinafter: the Guide).

37. Although the use of this Guide is not mandatory, it offers an assessment framework for it
government organizations for determining reliability levels for digital services
1 Authentication is the process of verifying whether a user who wants to log in to an application/ system is actually who he / she claims to be. which can be assumed to reflect the most recent insights and requirements to this extent.
Security standards then specify, after determining the applicable
confidence level, guidance in taking appropriate measures. 2

38. The AP has investigated whether the UWV has taken appropriate measures with regard to authentication when logging into the employer portal. In its investigation, the AP has only focused on the nature of
the personal data to be protected, which translates into a minimal handling
security level. The assessment in this decision is therefore based solely on the nature of the te
protect personal data. It is not excluded that factors other than the nature of the
personal data require a higher level of security. However, the AP cannot, as hereafter with the
before or in place of the UWV, all relevant ones included in the Guide version 4
assess factors. It is up to the UWV to include these factors in a risk analysis in order to do so
determine the correct security level. 3


      Information about a person's health

39. Article 4 (15) of the GDPR gives the following definition: 'health data
are personal data related to the physical or mental state of a natural
person, including data about health services provided with which information about his
health status is given '. The term remains unchanged under the GDPR
'health data' should be interpreted broadly: it does not just include the data that a doctor keeps in a
medical examination or medical treatment, but all data that the mental or
affect a person's physical health. For example, it is only a given that someone has become ill
reported a data about health, even though that says nothing about the nature of the condition. 4
The following data is processed in the employer portal: the date of commencement
sick leave, the date of termination of sick leave, sick as a result of pregnancy, childbirth or
organ donation, the date of childbirth and the date of commencement of maternity leave.

40. In view of the nature of the personal data, data is therefore included in the employer portal
concerning a person's health, which is considered a special category of personal data as
referred to in Article 9, fust paragraph, of the GDPR.

      Increased risk


41. The AP has elaborated the requirements regarding security in the Guidelines for the Security of Personal Data.
The AP indicates that for certain categories of personal data the consequences ofloss or
unlawful processing can be serious. These are the data with a higher or high risk.
These categories in any case include special personal data.


      2 See also CBP Guidelines, Security of personal data, February 2013
      3 See with regard to the risk analysis of UWCrandnummer54andfurther of this decision.
      4 Chamber documents II1997 / 98, 25892, No. 3, p. 102

                                                          5
42. In addition, the AP uses the Guide version 4 s . This Guide gives substance to the
assurance levels based on the eIDAS regulation for digital identifiers
trust services 6, which came into effect on I July 2016 (hereinafter: the eIDAS regulation).
The eIDAS regulation distinguishes three assurance levels of authentication means: low,
substantial and high. The Guide offers a classification model with which a simplified
risk analysis of the digital service can be made. The main criterion here is the nature of
the personal data to be protected. Four classes of personal data are distinguished here: class
0, I (basic), II (increased risk) and III (high risk), where data with an increased risk also includes a
require higher security level.

43. The AP has established that the data processed in the employer portal is in accordance with the Guide
so-called class II personal data because it concerns special personal data. In front of
Class II data carries an increased risk. 1 Of a high risk, such as with the so-called class III
data, given the nature of the data processed in the portal is out of the question.
Multi-factor authentication

44. According to the Guide, there is a minimum reliability level for processing class II data
'substantially' applies. s Also when answering the question what with regard to this
reliability level are appropriate measures as referred to in Article 32, first paragraph, of the GDPR
the Guide offers a framework: both for reliability level 'substantial' and
confidence level 'high', as type of authenticator, multi-factor authentication is required. 9

45. The requirement of multi-factor authentication when granting access to a system in which
health data is additionally endorsed by security standards such as
NEN-7510, which provides instructions for the application of the ISO/ IEC Information Security Code
27002 in health care:


       5 A guide for government organizations: Reliability levels for digital services, version 4, Forum Standardization
       6 Regulation (EU) No 910/2014 of the European Parliamentary Council of 23 July 2014 on electronic identification and
       trust services for electronic transactions in the internal market
       7 A guide for government organizations, version 4, Forum for Standardization, p. 33
       8 A guide for government organizations, version 4, Forum for Standardization, p. 29.
       based on all the criteria mentioned in the Guide version 4, results in a confidence level "high" instead of "substantial".
       You will have to make this assessment yourself, see also margin number 54 and further.
       9
        A guide for government organizations, version 4, Forum for Standardization, p. 24-25.
       Implementing Regulation 2015/1502 of the European Commission to adopt minimum technical specifications and procedures
       on the confidence level for electronic identifiers in accordance with Article 8 (3) of the Regulation
       (EU) No. 910/2014, on which the Guide is based.

Health information systems that process personal health information include the identity of users
and this should be done through authentication involving at least two factors
to become. ' 10


46. As an appropriate measure as referred to in Article 32 (1) of the GDPR, when providing
access to the employer portal, thus using multi-factor authentication.
Now that access to the portal takes place through a form of one-factor authentication, the UWV is taking action violation of Article 32 (1) of the GDPR. UWV has also recognized this.

      Offender

47. The UWV can be regarded as an offender, because it is the controller within the meaning of the AVG. The UWV determines the purpose of and the means for the processing of personal data: the
employers' portal is a service of the UWV and is made available by the UWV to
employers, whereby the purposes of the data processing are determined by the UWV.
The UWV also has the power to end the violation.

      The solution from the UWV: eRecognition

48. Already by letter of 25 January 2016, the UWV has declared the violation of Article 32, first paragraph, of the
Wbp recognized. The UWV indicated its intention to use the employer portal
create eHerkenning, which provides for the use of multi-factor authentication in the
granting access to the employer portal.

49. EHerkenning is a system that offers companies electronic access to government and
government services. Entrepreneurs or employees of an organization can join one
identification oflogin means safely and easily at various organizations. Government organizations need do not develop their own authentication system themselves, but can connect to the system. The
development of eHerkenning is a public-private partnership directed by the
Ministries of Economic Affairs and Climate Policy and the Interior and Kingdom Relations.
EHerkenning has five different confidence levels. At these confidence levels
sought alignment with the three assurance levels distinguished by the eIDAS regulation and the
requirements imposed on the resources in that Regulation. The government organization itself determines it
confidence level that is applied.

50. The UWV has indicated that the implementation of eHerkenning by the UWV should be considered in the
light of the Wdo currently in preparation. The Wdo aims to be safe and reliable
can log in for Dutch citizens and companies with the (semi-) government. Deploys
The Netherlands, the EU directive on accessibility of government websites and apps. 11 Ahead of the
Wdo has been developed by the government eHerkenning. In time, the UWV will be obliged to connect to
eRecognition.

51. The UWV has indicated that it sees the implementation of eHerkenning as the only realistic solution. The UWV
has investigated possible workarounds, in which multi-factor authentication with SMS is the second factor
was the most viable and safe alternative option. However, the technical implementation of this would be just
take as long as the implementation of eRecognition and would furthermore take the implementation of
Delay eRecognition because it must be performed by the same team. Besides, it wouldn't
be efficient and proportional to go through two far-reaching implementation processes in quick succession:
this leads to additional administrative burdens for employers and the ineffective use of public resources.

      Time course / planning

52. The UWV has indicated that it had already been working on connecting to eHerkenning in 2015. In front of
the UWV, however, are the availability of the RSIN (Legal entities and Partnerships
Information number) and the BSN for sole proprietorships in the eHerkenning system necessary, because
without these numbers, the UWV cannot link eHerkenning to its systems. The UWV is for this
extension of the system dependent on third parties and has made this extension a condition for the
switch to eHerkenning. In April 2017, the UWV decided to discontinue the implementation of eHerkenning
because at that moment there is prospect of linking the RSIN to eHerkenning (87.7% of the
users of the employer portal are identified with RSIN). In its opinion of June 21, 2017
the UWV has indicated that the connection to eHerkenning is expected to be realized in May 2018
to have. The UWV will complete the preliminary investigation in November 2017. In February 2018, the UWV has it
eRecognition employer portal project plan adopted and forwarded to the AP at the request of the AP.

53. According to this project plan, the UWV is heading for the implementation date on November 1, 2018, followed by a
one year rollout period during which the users of the portal can switch. At the hearing
the UWV has indicated that it now expects implementation in the fourth quarter of 2018. To
The BSN is also expected to be added to the system in the second half of 2018. For this group
the same implementation date with rollout period applies. There is also a group of users (0.7%) who do not have
can use eHerkenning and for which no solution is available yet. The UWV has
indicated that if no solution is found, this group will no longer be able to use it on I November 2019
making the employer portal.

      Confidence level; application Guide version 4

54. In 2015, on the basis of the then available Guide to the Standardization Forum, the UWV
version 3 12 perfonncd a risk analysis. This version of the guide is based on the European STOR Framework. This risk analysis showed that level STORK 3 is appropriate.
The UWV sent this risk analysis to the AP on request by letter dated 3 April 2018.

                                                                                               
55. Version 4 of the Guide was published in November 2016. This version no longer relies on it
STORK framework but, as shown earlier, on the eIDAS regulation. The UWV has this
however, saw no reason to reconsider the 2015 risk analysis
of the latest version of the Guide. In its letter of25 May 2018, the UWV states that in the
risk analysis of2015 UWV has included the eIDAS system as proposed legislation.
The new version of the Guide has therefore not given rise to a new one
carry out a risk analysis'.

56. According to the eHerkenning employer portal project plan, the UWV has opted to connect to
eRecognition level 3. This corresponds substantially to eIDAS level.

57. The AP has established that the UWV's 2015 risk analysis is based on version 3 of the Guide.
The standard from Article 32, first paragraph, of the GDPR, and previously Article 13 of the Wbp, prescribes that the
(controller) responsible for taking appropriate technical and organizational measures
in order to ensure an appropriate level of security, taking into account, inter alia, the state of the Technic. This implies, among other things, that a risk assessment that has already been carried out from time to time must be updated according to the standards in force at that time. It had then
located on the way of the UWV to re-perform the risk analysis already carried out in 2015 to
based on the most recent version of the Guide. Failure to do so creates a risk
the end of the implementation period of, in this case, eHerkenning, may no longer be
an appropriate security level.

58. Although the reliability level of Stork 3 from version 3 of the Guide appears to correspond with eIDAS
assurance level substantial from version 4 of the Guide, both versions of the
Guide to various assessment frameworks. Testing against version 4 of the Guide therefore leads to this
possibly until the outcome that a higher assurance level must be assumed than the UWV
has done so far on the basis of version 3 of the Guide. Ultimately, this determines the
choice of the measures to be taken to ensure an appropriate level of security
guarantees. The AP cannot provide all relevant guidelines for or in place of the UWV
assess factors.

     Order subj ect to penalty and term of grace

59. From Article 16, first paragraph, of the UAVG, viewed in conjunction with Article 5:32, first paragraph, of the Awb, it follows
that the AP is authorized to impose an order subject to a penalty in the event of a violation of Article 32, first paragraph of
the GDPR. Pursuant to Article 5: 2, first paragraph, under b, of the Awb, the order may be aimed at terminating
the violation found and the prevention of recurrence.

60. The AP orders the Employee Insurance Agency (UWV) to declare the violation of Article 32,
first paragraph of the GDPR. This means that the UWV is within the beneficiary period
must take measures to ensure an appropriate level of security with regard to the provision
of access to the employer portal, where logging in is only possible through an appropriate form of
multi-factor authentication (for example by using eHerkenning). Because the UWV in determining
has made use of the confidence level for the employer portal
outdated version of the Guide, the UWV must revise the assurance level
by performing a risk analysis on the basis of version 4 of the Guide.

61. Article 5: 32a, second paragraph, of the Awb stipulates that a grace period is set 'during
which the offender can execute the order without a penalty being forfeited '. The term
during which an order can be executed without a penalty being forfeited should be so short
as possible. The term must be long enough to be able to carry out the burden.

62. In view of the foregoing, the DPA decides that the UWV must be notified by 31 October 2019 at the latest
meet. The AP has taken the planning into account when determining the grace period
of the UWV with regard to the implementation of eHerkenning and the rollout period mentioned therein
one year after implementation on November I , 2018.

63. Article 5: 32b, third paragraph, of the Awb prescribes that the penalty amounts are in reasonable proportion. to the gravity of the infringed interest and to the intended effect of the penalty. The latter is
It is important that a penalty payment must provide such an incentive that the order is complied with.

64. If the UWV does not end the established violation within the beneficiary period, it forfeits it
a penalty. The AP has set the amount of this penalty at € 150,000 for each month that the
load has not been carried out (in full) up to a maximum of€ 900,000. In the opinion of the AP, the
the amount of these amounts in reasonable proportion to the gravity of the violation
importance - the protection of special personal data and of the privacy of
those involved - and are they sufficiently high to induce UWV to terminate the violation. The AP takes into account the costs associated with the implementation of eHerkenning, as well as the
structural additional costs per year.


65. The Dutch DPA requests the UWV in good time before 1 October 2018 for a new risk analysis in which the UWV
assigns a confidence level to the employer portal. This remains unaffected
that the AP is authorized to initiate an investigation, including an on-site investigation, if it does so
useful.

Operative part

The AP submits an order to the UWV for a violation of Article 32, first paragraph, of the GDPR
penalty with the following content:
- The UWV must grant access to the employer portal of a
provide an appropriate security level, whereby logging in is only possible from that moment on via a
appropriate form of multi-factor authentication. Prior to this, the UWV serves the requirement
confidence level by performing a risk analysis based on version 4
of the Guide.
-The UWV forfeits a penalty of € 150,000 at the end of this period (in words:

one hundred and fifty thousand euros) for each month that the burden has not been (fully) carried out u p t o a maximum
of € 900,000 (in words: nine hundred thousand euros).
The Dutch Data Protection Authority,
On their behalf,
signed




Mr. A. Wolfsen
Chairman











If you do not agree with this decision, you can send it within six weeks
a decision to submit an objection to the Personal Data Authority, PO Box 93374, 2509AJDenHaag,
stating “Awb objection” on the envelope.









                                                                                     12/12