AP - Employee Insurance Agency (UWV)
Authority: AP (The Netherlands)
Relevant Law: Article 32 GDPR
National Case Number/Name: Employee Insurance Agency (UWV)
European Case Law Identifier: n/a
Original Source: AP (in NL)
Initial Contributor: GDPR MASTer Project
The Dutch DPA (Autoriteit Persoonsgegevens, AP) imposed an order subject to a penalty on the Employee Insurance Agency (UWV), whose employer portal processes employee health data but allowed login with only an email address and password. If the portal does not require multi-factor authentication by 31 October 2019, the UWV forfeits €150,000 for each month of non-compliance, up to a maximum of €900,000.
English Summary
Facts
The UWV employer portal, in which employers report sick leave and pregnancy-related data about their employees, was investigated by the AP because access was granted by single-factor authentication only (an email address and a password).
Dispute
Is single-factor authentication an appropriate security measure under Article 32 GDPR, given the sensitive nature of the health data stored in the portal?
Holding
The AP holds that single-factor authentication is not an appropriate measure under Article 32(1) GDPR for a portal processing data concerning health (a special category of personal data under Article 9 GDPR): access via the internet must take place through at least multi-factor authentication. Annual penetration tests and logging and monitoring do not compensate for weak authentication. The AP orders the UWV to allow login only through an appropriate form of multi-factor authentication (for example eHerkenning) by 31 October 2019, after first re-determining the required assurance level by a risk analysis based on version 4 of the Standardisation Forum's guide 'Reliability levels for digital services'. On non-compliance the UWV forfeits a penalty of €150,000 per month, up to a maximum of €900,000.
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
Dutch Data Protection Authority
PO Box 93374, 2509 AJ The Hague
Bezuidenhoutseweg 30, 2594 AV The Hague
T 070 8888 500 - F 070 8888 501
autoriteitpersoonsgegevens.nl

Registered mail
UWV Board of Directors
P.O. Box 58285
1040 HG Amsterdam

Date: 31 July 2018
Our reference: z2018-02009
Contact: [CONFIDENTIAL], 070 8888 500
Subject: Order subject to a penalty

Summary

1. On 27 March 2017 the Dutch Data Protection Authority (hereinafter: the AP), pursuant to Article 60 of the Personal Data Protection Act (hereinafter: the Wbp), as it applied at the time, initiated an investigation into the use of multi-factor authentication in the employer portal of the Employee Insurance Agency (hereinafter: the UWV).

2. In the employer portal, the UWV processes, among other things, personal data concerning the health of employees. In view of this, access to the employer portal via the internet must take place through multi-factor authentication. The UWV currently applies one-factor authentication when granting access to the employer portal.

3. In the report of definitive findings (hereinafter: the investigation report), the AP established that the UWV is thereby acting in violation of Article 13 of the Wbp, as it applied at the time, under which, insofar as relevant here, a controller must take appropriate measures to protect personal data against loss or any form of unlawful processing.

4. The AP bases the order subject to a penalty on the investigation report, on the view given orally by the UWV on the AP's intention to impose an order subject to a penalty, and on the information subsequently provided by the UWV at the AP's request.

5. The General Data Protection Regulation (hereinafter: the GDPR) has applied since 25 May 2018. Article 32(1) GDPR imposes the same obligation as applied under Article 13 of the Wbp.

6. The UWV wishes to connect to the eHerkenning system in order to apply multi-factor authentication when granting access to the employer portal. The date on which the UWV expects that logging in to the employer portal will only be possible using eHerkenning has, since the AP's first request by letter of 25 November 2015, been moved to 1 November 2019.

7. In response, the AP has decided, on the basis of Article 16(1) of the GDPR Implementation Act (hereinafter: the UAVG) in conjunction with Section 5:32(1) of the General Administrative Law Act (hereinafter: the Awb), to impose an order subject to a penalty. With the order, the AP aims to ensure that the established violation is brought to an end.

8. By 31 October 2019 at the latest, the UWV must provide access to the employer portal with an appropriate level of security, whereby logging in to the portal is only possible by means of an appropriate form of multi-factor authentication. Part of the order is that the UWV determine the required assurance level by performing a risk analysis based on the most recent version of the guide 'Reliability levels for digital services, a guide for government organisations' (version 4).

9. If the order has not been complied with after the grace period expires, the UWV forfeits a penalty of EUR 150,000 for each month that the order is not (fully) executed, up to a maximum of EUR 900,000.

Course of the procedure

10. On 29 August 2017 the AP adopted the investigation report and sent it to the UWV. The public version of the report was published on the AP's website on 14 November 2017.

11. By letter of 15 August 2017 the AP, following the investigation at the UWV, asked a few further questions about the size of the employer portal.

12. By letter of 30 August 2017 the UWV answered the questions the AP had asked in its letter of 15 August 2017.

13. By letter of 11 September 2017 the UWV responded to the investigation report. The UWV states, among other things, that it acknowledges that the security level does not meet the requirements of Article 13 of the Wbp and that it wishes to remedy this by implementing eHerkenning at level 'substantial'.

14. By letter of 9 November 2017 the UWV informed the AP about the progress of the implementation of eHerkenning.

15. By letter of 14 December 2017 the AP informed the UWV of its intention to impose an order subject to a penalty and gave the UWV the opportunity to present its views orally or in writing. The UWV was invited to a hearing.

16. The hearing took place on 6 February 2018. A report was made of the hearing, which is attached to this decision as Annex 1.

17. Following what was discussed at the hearing, the UWV by letter of 28 February 2018 provided additional information and further documents, including the eHerkenning project plan.

18. In response to the information received by letter of 28 February 2018, the AP sent a letter to the UWV dated 15 March 2018.

19. By letter of 3 April 2018 the UWV answered the AP's questions of 15 March 2018 and enclosed the 'risk analysis absenteeism report' (hereinafter: the risk analysis).

20. In response to the information received by letter of 3 April 2018, the AP sent a letter to the UWV dated 14 May 2018.

21. By letter of 25 May 2018 the UWV answered the AP's questions of 14 May 2018.

Investigation report

22. In the investigation report, the AP found that the UWV processes personal data concerning health in the employer portal. Access to the employer portal is obtained by entering an email address and a password. This is a form of one-factor authentication.

23. It follows from Article 13 of the Wbp, now Article 32(1) GDPR, that a controller must take appropriate measures to protect personal data against loss or any form of unlawful processing. The term 'appropriate' also indicates proportionality between the security measures and the nature of the data to be protected. Given the sensitivity of the personal data processed in the UWV employer portal, namely data about the health of employees, access to the portal via the internet should, given the state of the art, take place through at least multi-factor authentication.

24. The UWV has indicated that it has taken measures to prevent unauthorised access to the employer portal, such as annual penetration and security tests and continuous logging and monitoring of use. With regard to authentication, these measures are not appropriate, because they cannot provide an adequate level of protection for gaining access to the application. Because the UWV does not apply multi-factor authentication and has not in any other way taken appropriate measures with regard to access to the data in the employer portal, the UWV is acting in violation of Article 13 of the Wbp, as it applied at the time.

Legal framework

25. The relevant legal framework is included as Annex 2 to this decision.

GDPR

26. In the investigation report, the AP found a violation of the standard in Article 13 of the Wbp. As of 25 May 2018 the GDPR and the UAVG apply and the Wbp has been repealed.

27. When assessing whether there is also a violation of the standard under the GDPR, it is relevant that the standard has not materially changed under the GDPR compared with the standard under the Wbp. The standard from Article 13 of the Wbp is now laid down in Article 32(1) and (2) GDPR. That article provides that the controller, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. This obligation is materially in line with the obligation from Article 13 of the Wbp.

28. This means that, since the facts under examination and the relevant circumstances have not changed since the investigation report was drawn up, there has been a violation of Article 32(1) GDPR as of 25 May 2018.

Views of the UWV

29. In response to the AP's intention to impose an order subject to a penalty, the UWV presented its views orally at the hearing on 6 February 2018. In summary, the UWV acknowledges that the security of the employer portal does not meet the requirements arising from Article 13 of the Wbp and now Article 32(1) GDPR, because the UWV does not apply multi-factor authentication when granting access to the portal.

30. In April 2017 the UWV decided to start implementing eHerkenning level 3 / Substantial, under which multi-factor authentication is applied and the violation of Article 13 of the Wbp, now Article 32(1) GDPR, will thus be ended. In determining the assurance level, the UWV took into account that the employer portal only processes health data relating to a sick report or the fact that someone is pregnant. The nature of the illness is not processed.

31. The UWV has put forward that it investigated other solutions, but sees connection to eHerkenning as the only real possibility of achieving multi-factor authentication. With the advent of the Digital Government Act (hereinafter: the Wdo), it is the intention that all government parties make use of the means provided for in that Act.

32. In implementing eHerkenning, the UWV is partly dependent on third parties and has run into a number of problems, which means the implementation is taking longer than the UWV had hoped.

Assessment

Assessment framework

33. In the investigation report, the AP established that the UWV processes personal data in the employer portal, including special categories of personal data. This includes NAW data (name, address, place of residence), the citizen service number (BSN), financial data and data on disability, dismissal and childbirth. Employers log in to the portal via the internet by entering an email address and a password. This is a form of one-factor authentication.[1] It emerged from the documents and from what was discussed at the hearing that this situation has not changed to date.

34. Article 32(1) GDPR stipulates that the controller must take appropriate technical and organisational measures to protect personal data against loss or unlawful processing. These measures must guarantee, taking into account the state of the art and the costs of implementation, an appropriate level of security given the risks posed by the processing and the nature of the data to be protected.

35. This means that the controller, in this case the UWV, must translate the risks for the data subjects whose personal data are processed into the reliability requirements that the service offered (the employer portal) must meet, and into what is regarded within the field of information security as the most recent and representative implementation thereof.

36. In determining the risk to the data subject, the nature of the personal data and the nature of the processing matter: these factors determine the potential harm to the individual data subject in the event of, for example, loss, alteration or unlawful processing of the data. In translating this into the reliability level of the employer portal, the UWV can use the guide 'Reliability levels for digital services, a guide for government organisations, version 4' of the Standardisation Forum (hereinafter: the Guide).

37. Although use of the Guide is not mandatory, it offers government organisations an assessment framework for determining reliability levels for digital services, which can be assumed to reflect the most recent insights and requirements in this respect. Once the applicable assurance level has been determined, security standards then provide guidance in taking appropriate measures.[2]

38. The AP has investigated whether the UWV has taken appropriate measures with regard to authentication when logging in to the employer portal. In its investigation, the AP focused only on the nature of the personal data to be protected, which translates into a minimum security level to be applied. The assessment in this decision is therefore based solely on the nature of the personal data to be protected. It is not excluded that factors other than the nature of the personal data require a higher level of security. However, the AP cannot, as set out below, assess all relevant factors included in version 4 of the Guide for or in place of the UWV. It is up to the UWV to include these factors in a risk analysis in order to determine the correct security level.[3]

Data concerning a person's health

39. Article 4(15) GDPR defines 'data concerning health' as personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status. The term 'health data', unchanged under the GDPR, should be interpreted broadly: it includes not only the data a doctor keeps in a medical examination or medical treatment, but all data concerning a person's mental or physical health. For example, the mere fact that someone has reported sick is data concerning health, even though it says nothing about the nature of the condition.[4] The following data are processed in the employer portal: the start date of sick leave, the end date of sick leave, sickness as a result of pregnancy, childbirth or organ donation, the date of childbirth and the start date of maternity leave.

40. In view of the nature of the personal data, the employer portal therefore contains data concerning a person's health, which is a special category of personal data as referred to in Article 9(1) GDPR.

Increased risk

41. The AP has elaborated the security requirements in its Guidelines for the Security of Personal Data. The AP indicates that for certain categories of personal data the consequences of loss or unlawful processing can be serious. These are data with an increased or high risk. These categories in any case include special categories of personal data.

42. In addition, the AP uses version 4 of the Guide.[5] This Guide gives substance to the assurance levels for electronic identification means and trust services based on the eIDAS Regulation[6], which came into effect on 1 July 2016 (hereinafter: the eIDAS Regulation). The eIDAS Regulation distinguishes three assurance levels for authentication means: low, substantial and high. The Guide offers a classification model with which a simplified risk analysis of the digital service can be made. The main criterion is the nature of the personal data to be protected. Four classes of personal data are distinguished: class 0, I (basic), II (increased risk) and III (high risk), where data with an increased risk also require a higher security level.

43. The AP has established that the data processed in the employer portal are, according to the Guide, so-called class II personal data, because they concern special categories of personal data. Class II data carry an increased risk.[7] A high risk, as with so-called class III data, is not at issue given the nature of the data processed in the portal.

Multi-factor authentication

44. According to the Guide, a minimum reliability level of 'substantial' applies to the processing of class II data.[8] The Guide also offers a framework for answering which measures are appropriate, as referred to in Article 32(1) GDPR, for this reliability level: for both reliability level 'substantial' and reliability level 'high', multi-factor authentication is required as the type of authenticator.[9]

45. The requirement of multi-factor authentication when granting access to a system in which health data are processed is additionally endorsed by security standards such as NEN 7510, which provides guidance for applying the ISO/IEC 27002 information security code of practice in health care: 'Health information systems that process personal health information shall authenticate the identity of users, and this should be done by means of authentication involving at least two factors.'[10]

46. As an appropriate measure as referred to in Article 32(1) GDPR, multi-factor authentication must therefore be used when granting access to the employer portal. Now that access to the portal takes place through a form of one-factor authentication, the UWV is acting in violation of Article 32(1) GDPR. The UWV has also acknowledged this.

Offender

47. The UWV can be regarded as the offender, because it is the controller within the meaning of the GDPR. The UWV determines the purpose of and the means for the processing of personal data: the employer portal is a service of the UWV and is made available by the UWV to employers, whereby the purposes of the data processing are determined by the UWV. The UWV also has it in its power to end the violation.

The UWV's solution: eHerkenning

48. Already by letter of 25 January 2016 the UWV acknowledged the violation of the security obligation (then Article 13 of the Wbp, now Article 32(1) GDPR). The UWV indicated its intention to connect the employer portal to eHerkenning, which provides for the use of multi-factor authentication when granting access to the employer portal.

49. eHerkenning is a system that offers companies electronic access to government services. Entrepreneurs or employees of an organisation can log in safely and easily at various organisations with one login means. Government organisations do not need to develop their own authentication system, but can connect to the system. The development of eHerkenning is a public-private partnership directed by the Ministries of Economic Affairs and Climate Policy and of the Interior and Kingdom Relations. eHerkenning has five different assurance levels. These have been aligned with the three assurance levels distinguished in the eIDAS Regulation and with the requirements that Regulation imposes on the means. The government organisation itself determines the assurance level that is applied.

50. The UWV has indicated that its implementation of eHerkenning should be seen in the light of the Wdo currently in preparation. The Wdo aims to enable Dutch citizens and companies to log in safely and reliably with the (semi-)government. It also implements the EU directive on the accessibility of government websites and apps.[11] eHerkenning was developed by the government ahead of the Wdo. In time, the UWV will be obliged to connect to eHerkenning.

51. The UWV has indicated that it sees the implementation of eHerkenning as the only realistic solution. The UWV investigated possible workarounds, of which multi-factor authentication with SMS as the second factor was the most viable and secure alternative. However, its technical implementation would take just as long as the implementation of eHerkenning and would moreover delay the implementation of eHerkenning, because it would have to be performed by the same team. Besides, it would not be efficient and proportionate to go through two far-reaching implementation processes in quick succession: this leads to additional administrative burdens for employers and to ineffective use of public resources.

Timeline / planning

52. The UWV has indicated that it was already working on connecting to eHerkenning in 2015. For the UWV, however, the availability of the RSIN (Legal Entities and Partnerships Identification Number) and of the BSN for sole proprietorships in the eHerkenning system is necessary, because without these numbers the UWV cannot link eHerkenning to its systems. For this extension of the system the UWV is dependent on third parties, and it has made this extension a condition for the switch to eHerkenning. In April 2017 the UWV decided to proceed with the implementation of eHerkenning, because at that moment there was a prospect of linking the RSIN to eHerkenning (87.7% of the users of the employer portal are identified by RSIN). In its view of 21 June 2017 the UWV indicated that it expected to have realised the connection to eHerkenning in May 2018. The UWV completed the preliminary investigation in November 2017. In February 2018 the UWV adopted the eHerkenning employer portal project plan and forwarded it to the AP at the AP's request.

53. According to this project plan, the UWV is heading for an implementation date of 1 November 2018, followed by a one-year rollout period during which the users of the portal can switch. At the hearing the UWV indicated that it now expects implementation in the fourth quarter of 2018. The BSN is also expected to be added to the system in the second half of 2018; the same implementation date with rollout period applies to this group. There is also a group of users (0.7%) who cannot use eHerkenning and for whom no solution is yet available. The UWV has indicated that if no solution is found, this group will no longer be able to use the employer portal from 1 November 2019.

Assurance level; application of version 4 of the Guide

54. In 2015 the UWV performed a risk analysis on the basis of the then available version 3 of the Standardisation Forum's Guide.[12] This version of the Guide is based on the European STORK framework. This risk analysis showed that level STORK 3 is appropriate. The UWV sent this risk analysis to the AP on request by letter of 3 April 2018.

55. Version 4 of the Guide was published in November 2016. This version is no longer based on the STORK framework but, as shown earlier, on the eIDAS Regulation. The UWV, however, saw no reason to reconsider the 2015 risk analysis in the light of the latest version of the Guide. In its letter of 25 May 2018 the UWV states that in the 2015 risk analysis it 'included the eIDAS system as proposed legislation. The new version of the Guide has therefore not given rise to carrying out a new risk analysis.'

56. According to the eHerkenning employer portal project plan, the UWV has opted to connect to eHerkenning level 3. This corresponds to eIDAS level substantial.

57. The AP has established that the UWV's 2015 risk analysis is based on version 3 of the Guide. The standard from Article 32(1) GDPR, and previously Article 13 of the Wbp, prescribes that the controller take appropriate technical and organisational measures to ensure an appropriate level of security, taking into account, among other things, the state of the art. This implies, among other things, that a risk assessment already carried out must be updated from time to time according to the standards in force at that time. It was therefore up to the UWV to re-perform the risk analysis carried out in 2015 on the basis of the most recent version of the Guide. Failure to do so creates the risk that, at the end of the implementation period of, in this case, eHerkenning, the security level may no longer be appropriate.

58. Although reliability level STORK 3 from version 3 of the Guide appears to correspond to eIDAS assurance level substantial from version 4 of the Guide, the two versions of the Guide use different assessment frameworks. Testing against version 4 of the Guide may therefore lead to the outcome that a higher assurance level must be assumed than the UWV has assumed so far on the basis of version 3. Ultimately, this determines the choice of measures to be taken to ensure an appropriate level of security. The AP cannot assess all relevant factors from the Guide for or in place of the UWV.

Order subject to a penalty and grace period

59. From Article 16(1) UAVG in conjunction with Section 5:32(1) Awb, it follows that the AP is authorised to impose an order subject to a penalty in the event of a violation of Article 32(1) GDPR. Pursuant to Section 5:2(1)(b) Awb, the order may be aimed at ending the violation found and preventing its recurrence.

60. The AP orders the UWV to end the violation of Article 32(1) GDPR. This means that within the grace period the UWV must take measures to ensure an appropriate level of security with regard to granting access to the employer portal, whereby logging in is only possible through an appropriate form of multi-factor authentication (for example by using eHerkenning). Because the UWV used an outdated version of the Guide in determining the assurance level for the employer portal, the UWV must reassess the assurance level by performing a risk analysis on the basis of version 4 of the Guide.

61. Section 5:32a(2) Awb stipulates that a grace period is set 'during which the offender can execute the order without a penalty being forfeited'. The period during which an order can be executed without a penalty being forfeited should be as short as possible, but long enough to be able to carry out the order.

62. In view of the foregoing, the AP decides that the UWV must comply by 31 October 2019 at the latest. In determining the grace period, the AP took into account the UWV's planning for the implementation of eHerkenning and the rollout period mentioned therein of one year after implementation on 1 November 2018.

63. Section 5:32b(3) Awb prescribes that the penalty amounts be in reasonable proportion to the gravity of the interest infringed and to the intended effect of the penalty. For the latter, it is important that the penalty provide such an incentive that the order is complied with.

64. If the UWV does not end the established violation within the grace period, it forfeits a penalty. The AP has set the amount of this penalty at EUR 150,000 for each month that the order has not been (fully) executed, up to a maximum of EUR 900,000. In the AP's opinion, these amounts are in reasonable proportion to the gravity of the interest infringed, namely the protection of special categories of personal data and of the privacy of the data subjects, and are sufficiently high to induce the UWV to end the violation. The AP has taken into account the costs associated with the implementation of eHerkenning, as well as the structural additional costs per year.

65. The AP requests the UWV to submit, in good time before 1 October 2018, a new risk analysis in which the UWV assigns an assurance level to the employer portal. This is without prejudice to the AP's authority to initiate an investigation, including an on-site investigation, if it considers this useful.

Operative part

The AP imposes on the UWV, for violation of Article 32(1) GDPR, an order subject to a penalty with the following content:

- The UWV must provide access to the employer portal with an appropriate level of security, whereby logging in is from that moment on only possible via an appropriate form of multi-factor authentication. Prior to this, the UWV must determine the required assurance level by performing a risk analysis based on version 4 of the Guide.
- After the end of this period, the UWV forfeits a penalty of EUR 150,000 (in words: one hundred and fifty thousand euros) for each month that the order has not been (fully) executed, up to a maximum of EUR 900,000 (in words: nine hundred thousand euros).

The Dutch Data Protection Authority,
on its behalf,
signed
Mr. A. Wolfsen, Chairman

If you do not agree with this decision, you can submit an objection within six weeks of the decision to the Autoriteit Persoonsgegevens, PO Box 93374, 2509 AJ Den Haag, stating "Awb objection" on the envelope.

Footnotes

[1] Authentication is the process of verifying whether a user who wants to log in to an application or system is actually who he or she claims to be.
[2] See also CBP Guidelines, Security of personal data, February 2013.
[3] See, with regard to the UWV's risk analysis, margin number 54 and further of this decision.
[4] Parliamentary Papers II 1997/98, 25892, no. 3, p. 102.
[5] A guide for government organisations: Reliability levels for digital services, version 4, Standardisation Forum.
[6] Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market.
[7] A guide for government organisations, version 4, Standardisation Forum, p. 33.
[8] A guide for government organisations, version 4, Standardisation Forum, p. 29. The remainder of this note is only partly preserved in the source: "... based on all the criteria mentioned in version 4 of the Guide, results in assurance level 'high' instead of 'substantial'. You will have to make this assessment yourself; see also margin number 54 and further."
[9] A guide for government organisations, version 4, Standardisation Forum, p. 24-25; Commission Implementing Regulation (EU) 2015/1502 on setting out minimum technical specifications and procedures for assurance levels for electronic identification means pursuant to Article 8(3) of Regulation (EU) No 910/2014, on which the Guide is based.