This short article was published by the EU Dashboard Digest of the International Association of Privacy Professionals.
Perhaps surprisingly, the Dutch are among the worst-performing European countries in the current COVID-19 pandemic. With its vaccination program struggling to gather speed, Minister of Health Hugo de Jonge is increasingly under fire. Since public trust is key to any successful governmental policy in battling a pandemic, a recent scandal over the online sale of personal data is most unwelcome.
On 25 January, the Dutch news station RTL News discovered a widespread trade in the personal data of COVID test subjects. The data, registered in the two main IT systems of the Municipal Health Services (GGD), had been maliciously downloaded by at least two employees. Apparently, over the course of the previous months the data had been offered for sale in various large chat groups on services such as Telegram, Snapchat and Wickr. Two GGD employees were arrested, though it is unclear whether they in fact managed to sell the data.
The illegality of the actions, as well as their highly detrimental effect on public trust in an already strained public health care system, is obvious. But beyond the concrete damage of the theft, the scandal also revealed a fundamental lack of respect for, and understanding of, privacy law in both public institutions and Dutch politics.
Firstly, the ease with which the employees were able to steal the data was staggering. An export function within one of the two programs allowed employees to download large data sets without their identity being logged. Besides the subject’s name, the exportable data included their address, social security number, test results, and possibly further medical details. Furthermore, the systems allowed many employees a virtually unrestricted search across the database, far beyond the data they required for the execution of their tasks. Although various employees had pointed out these problems over the past months, executives ignored them.
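The two weaknesses just described, a bulk export that records nothing about who performed it and a search that is not limited to an employee's own work, are illustrated in the added Python example below; it is not code from the article or from the GGD systems, and the registry records, employee names, regions and the permission model are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample registry (fictional subjects; BSN values are placeholders).
RECORDS = [
    {"id": 1, "region": "Noord", "name": "Jansen",   "bsn": "000000001", "result": "negative"},
    {"id": 2, "region": "Noord", "name": "De Vries", "bsn": "000000002", "result": "positive"},
    {"id": 3, "region": "Zuid",  "name": "Bakker",   "bsn": "000000003", "result": "negative"},
]

AUDIT_LOG = []  # in a real system: an append-only store the operator cannot edit

@dataclass(frozen=True)
class Employee:
    username: str
    regions: frozenset        # regions the employee actually works on (constructed scope model)
    may_export: bool = False  # bulk export is a separate, rarely granted right

def _audit(actor: Employee, action: str, detail: str, outcome: str) -> None:
    """Every access attempt, allowed or not, is tied to a named actor."""
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "actor": actor.username, "action": action,
        "detail": detail, "outcome": outcome,
    })

def search(actor: Employee, name_prefix: str) -> list:
    """Look up subjects by surname, only within the actor's own regions.
    A blank or very short prefix is a disguised full-table dump, so refuse it."""
    if len(name_prefix.strip()) < 3:
        _audit(actor, "search", name_prefix, "refused-too-broad")
        raise ValueError("search term too short")
    hits = [r for r in RECORDS
            if r["region"] in actor.regions
            and r["name"].lower().startswith(name_prefix.lower())]
    _audit(actor, "search", name_prefix, f"{len(hits)} hits")
    return hits

def export_region(actor: Employee, region: str) -> list:
    """Bulk export of one region. The attempt is logged with the actor's identity and
    the exact record ids, so an investigation can tell who took which subjects' data."""
    if not actor.may_export or region not in actor.regions:
        _audit(actor, "export", region, "denied")
        raise PermissionError(f"{actor.username} may not export {region}")
    rows = [r for r in RECORDS if r["region"] == region]
    _audit(actor, "export", region, f"allowed ids={[r['id'] for r in rows]}")
    return rows
```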
Understandably, the public outcry was large. While the large number of phone calls from worried citizens made the Dutch Data Protection Authority difficult to reach for a while, Minister of Health de Jonge was called to account in the Dutch parliament. The debate revealed a more fundamental problem with privacy legislation. De Jonge’s answers were a mix of truths, half-truths and falsehoods, downplaying the scope of the incident and the general vulnerabilities of the system. Just as disconcerting, however, was parliament’s failure to hold the minister accountable. Questions asked by Members of Parliament were in general non-specific, irrelevant or outright unrelated to the issue at hand. This was not due to a lack of importance attached to the issue, but to a clear lack of knowledge.
This needs to change soon. If anything, the shock of this incident, unprecedented both in scope and timing, should highlight the current general lack of compliance with data privacy laws throughout most organizations. It is naïve to scapegoat a small number of people at the institutions involved and then believe the problem to have been solved. Organizations, and especially those which process sensitive data, should be much more proactive in ensuring compliance with privacy legislation. Obviously, alarm signals from employees should never be ignored. Finally, politics should take a more active role in monitoring compliance with privacy standards, both by public institutions and by private organizations. In order to be able to do so, political parties should acknowledge the importance of the subject in the selection of their Members of Parliament. At the peak of a global pandemic the Dutch lesson is a costly one, so it should not go to waste.
Remko Mooi LLM MA
PhD Candidate at Tilburg Law School