Being flagged as high fraud risk while never having broken a law is possible with SyRI. The System Risk Indication (SyRI) generates fraud risk profiles of citizens using an unknown algorithm. SyRI does this based on linked databases of personal data. Municipalities use the system to detect fraud with public funds (such as benefits, allowances and taxes), among other things.
Eindhoven, Capelle aan den IJssel, Haarlem and Rotterdam have already unleashed SyRI on residents of their poorer neighborhoods. The system links data on work, income, housing, detention, integration, education, pension, reintegration, debts, benefits, permits and insurance. In short, this is the bulk of the available data on a Dutch citizen. An as yet unknown calculation is applied to these data. Using a risk model, this calculation assigns values to the (combined) data. Thus, for example, someone who is young, has no job, but does have a lot of assets is assigned a high value. The same applies to someone who has been in detention several times for committing fiscal offenses. As a result, SyRI shows the addresses of residents who, according to the calculation, pose a high risk of fraud.
In 2014, the legal basis for commissioning the system was included in the SUWI (Structuur Uitvoeringsorganisaties Werk en Inkomen) law. This proceeded without much political discussion, despite a critical opinion from the Council of State, the advisory body on legislative proposals. Its criticism focused on the list of types of (special) personal data (such as criminal and medical data) included in the SUWI Decree, on which SyRI bases its judgment. The Council of State noted that this list was not meant to be restrictive - as the legislator claimed - but to leave as much leeway as possible. These data can deeply invade a person's privacy.
Research conducted by the Volkskrant shows that SyRI has not yet succeeded in detecting a single case of fraud. In addition, Parliamentary questions have been raised in response to the article "High risk citizens", which shows that 62 of the 113 high risk reports in Capelle aan den IJssel should never have appeared in the report overview (so-called false positives). According to the article - which obtained its information from the Ministry of Social Affairs and Employment - these "high-risk" citizens had never committed a violation of any law. State Secretary Van Ark denies these conclusions, but does not provide any results to the contrary.
A motion to implement an audit on SyRI and disclose the results, as well as a request for reconsideration, was ignored by Van Ark. The audit was to examine SyRI for discrimination and/or conflict with laws and regulations. According to Van Ark, the implementation of an audit and disclosure of the results would be undesirable because (potential) violators could align their behavior with SyRI. In addition, disclosure would be undesirable because a lawsuit regarding SyRI has been initiated and disclosure could influence those proceedings.
This lawsuit was filed in March 2018 by an alliance of SyRI opponents against the State for its deployment of SyRI. The plaintiffs include the Civil Rights Protection Platform, the Dutch Lawyers Committee for Human Rights and the National Clients Council. The first hearing on the merits in these proceedings will take place this coming October 29 in the District Court of The Hague.
Due to the secrecy surrounding SyRI, it is not possible for us to make a legal analysis of the (un)lawfulness of SyRI. In any case, we will keep you informed about the ongoing legal procedure.