PONT Data&Privacy

Digital Government Act and protection of personal data

The purpose of the Digital Government Act (Wdo) is to regulate secure and reliable log-in systems for Dutch citizens and companies dealing with the (semi-)government. Administrative bodies must therefore make their services available digitally and be able to connect to approved means of identification. The Act also lays down tasks, responsibilities and powers regarding the digital facilities of administrative bodies. This blog discusses topics from the bill and the supplementary (draft) Digital Government Decree* (hereinafter "the Decree") that, in addition to the General Data Protection Regulation (AVG, the Dutch abbreviation for the GDPR), are important in the context of personal data protection.

November 17, 2020

Protection of personal data

The addressees mentioned in this bill (Ministers, administrative bodies and designated organizations, private parties) process personal data for the purposes of:

  • Providing good access to electronic services; and,

  • By extension, preventing abuse or improper use of access to electronic services.

Therefore, to protect privacy, the law also imposes requirements on the processing, security and reliability of personal data.

Basis for processing BSN

The processing of the Citizen Service Number (BSN) is only allowed if a specific legal basis is created for it, according to the AVG Implementation Act. Article 16 of the current bill contains such a legal basis for processing the BSN. However, this legal basis is limited to processing in the context of:

  • Authentication and the digital facilities involved in that context;

  • Accessing electronic services;

  • Preventing, recognizing and remediating abuse and improper use.

The provision of electronic services as such belongs to the policy domain and responsibility of the relevant administrative body or designated organization and falls outside the scope of this Act. An independent processing basis must therefore be present for the processing of the BSN and other personal data in the context of the electronic service in question.

Privacy by design

The "Privacy by Design" principle, as we know from Article 25 AVG, is considered specifically important by the legislator. This principle means that throughout the entire process - that is, from design to implementation - appropriate measures must be taken to ensure that data protection principles are effectively implemented and compliance is ensured.

The following factors are considered important under the Wdo in each case:

  • Data minimization: each party processes only those personal data necessary for the purpose of providing access;

  • Avoiding hotspots: avoiding large concentrations of personal data as much as possible;

  • The use of privacy enhancing technologies: the protection of personal data is systematically enforced whenever possible, through techniques such as automatic anonymization or automatic deletion of personal data at the time the retention period is reached;

  • Incident impact mitigation: measures that can directly reduce the impact of any security incident.

Related to Privacy by Design is the AVG principle of Privacy by Default. Privacy by Default means that appropriate measures must be taken to ensure that, by default, only those personal data are processed that are necessary for the purposes of the processing. This concerns the amount of personal data collected, the extent of further processing, the storage period and who has access to the personal data.

Security measures

Under the AVG, security measures must be taken that are appropriate in view of the potential security risks. Both technical and organizational measures are important. However, the AVG does not specify concrete measures - the measures deemed appropriate will have to be assessed on a case-by-case basis.

The Wdo and the Decree, on the other hand, do contain a number of concrete measures that must be taken in each case:

  • An information security policy should be established, which includes a security plan;

  • Also, operations should be reviewed annually and adjusted where necessary ("plan-do-check-act");

  • Staff must be able to implement security policies;

  • Log files should be used and checked regularly;

  • The security systems are checked annually through an audit.

Once the Act enters into force, these measures are not mere recommendations but legally binding obligations.

Data breach

Even before the AVG came into force, the data breach notification obligation existed in the Netherlands. Under the AVG, this still applies.

In addition, administrative bodies must report security incidents to the Minister without delay. Security incidents in this case are: a breach of the security or integrity of one's own electronic service or misuse or improper use of access to one's own electronic service. This includes both breaches of (technical) security (hacking, DDoS attacks) and deliberate breaches of the processes for service provision and systems of administrative bodies and designated organizations.

This reporting requirement was created so that the Minister can take enforcement action in unsafe or unreliable situations. The Minister can act preventively, but in the most far-reaching case the Minister can shut down a service completely.

*The bill has already been approved by the House of Representatives and, if passed by the Senate, will take effect in phases.

AKD

Share article

Comments

Leave a comment

You must be logged in to post a comment.