The Dutch Data Protection Authority (AP) has imposed a fine of 450,000 euros on the UWV benefits agency for insufficiently securing group messages sent via the so-called ‘My Workmap’ environment. As a result, personal information ended up with the wrong recipients. Job seekers have contact with the UWV through their surroundings.
In total, data from more than 15,000 job seekers ended up with other job seekers. This happened between August 2016 and the end of 2018, there were a total of nine data breaches.
According to the privacy watchdog, this concerns several personal data such as address, education, nationality and BSN. It also included medical information, including on physical limitations and psychological work ability.
‘Does citizens’ trust in government affect’
“You should be able to expect from an organization such as the UWV that your data is safe,” says AP board member Katja Mur. “If not, it will affect the public’s trust in the government.” The board member also calls it worrying that the UWV did not take action immediately after the first data breaches.
The supervisor notes that the risks have not been sufficiently identified in advance by the implementing body. It should have “implemented technical measures earlier” and did not sufficiently check and evaluate its own security measures.
In a response to the fine, the UWV says that in 2018, before the investigation started, the agency took a technical measure to prevent this situation. The UWV also endorses the opinion that it should have acted differently.