Minister De Jonge (Housing and Spatial Planning) reports to the House of Representatives the status of a data breach at the Land Registry in the period September 18-October 11, 2022. As a result, secret residential addresses were temporarily visible. The minister also reports how data subjects, whose data was leaked, will be informed. This letter fulfills a request from the Standing Parliamentary Committee on Digital Affairs.
Date March 13, 2023
Subject Parliamentary letter on state of data breach Kadaster
Processing and protection of personal data
No. 263 Letter from the Minister of Housing and Planning
To the Speaker of the House of Representatives of the States General
The Hague, March 13, 2023
A data leak occurred at the Land Registry in the period from September 18 to October 11, 2022, as a result of which secret residential addresses were temporarily visible. By letter dated November 8, 2022 (1), I informed the House of Representatives about this. In response to this letter, your Committee asked me to provide you with further information about the state of affairs, as well as the manner in which those whose data has been leaked will be informed. I am enclosing this additional information herewith.
Citizens can have their residential address blocked in the Basic Registration of Persons (BRP) through their municipality, so that these secret residential addresses can no longer be viewed by unauthorized persons at the Land Registry either. Only authorized authorities (including notaries) will then have access to this data to carry out their legal duties. This form of shielding is an option available to every citizen in the Netherlands. More than 100,000 people in the Netherlands currently use this option.
An incident occurred at the Land Registry during the period from September 18 to October 11, 2022, as a result of which the link with the BRP that enables foreclosure was temporarily not correctly established. As a result, secret residential addresses were, in the event of any consultation by professional users of the Land Registry Base Registry via Kadaster Online (KOL) or Ketenintegratie Inschrijving Kadaster (KIK), still temporarily visible. Persons protected by the Land Registry under the Surveillance and Protection System could not be found.
Involved
Approximately 3,700 individuals were identified by the Land Registry whose undisclosed address was temporarily visible in information products for professional users. On October 20, 2022, the Land Registry informed these affected persons in writing of that fact, along with an explanation of the incident. Among other things, this letter alerted affected persons to a specific web page with the most important questions and answers, as well as a separate telephone number at the Kadaster Customer Contact Center for questions and personal contact. A permanent group of employees was available during this period to answer questions from those affected. Nearly 800 stakeholders contacted the Land Registry by phone for additional information through this route. Over 175 unique visitors have visited the special web page on Kadaster.nl. This service and in particular the transparency was appreciated.
KOL & KIK users
Professional users who obtained personal data (inadvertently) (approximately 2,700) through KOL and KIK inspection received an email on Oct. 25, 2022, explaining the incident and requesting that they delete this data, if still available. A reminder on this mail was sent on Nov. 10, 2022. Professional users were also asked to fill out an online form confirming they had removed the info. The final score for this (as of Dec. 22, 2022) was an 81.6% response rate.
Complaints 7 claims
Data subjects and users were also given the opportunity to file a complaint about the incident. This opportunity was used by 34 data subjects and 5 KOL users. The Kadaster has indicated to me that it takes these complaints seriously and is looking at the situation on a person-by-person basis in order to apply customization. A total of two claims have been filed holding the Land Registry liable for the alleged consequences of information leaks. No amounts or description of damages suffered have been mentioned. Autoriteit Persoonsgegevens notification.
The preliminary notification to the Autoriteit Persoonsgegevens has been converted to a final notification.
Policies to prevent recurrence
The Land Registry pays close attention to information security and has itself audited and certified externally every year. By continuously checking systems for any risks, the Land Registry safeguards citizens' privacy. Nevertheless, something can always go wrong where technological developments do not stand still. That's why the Land Registry has conducted a self-critical evaluation of the incident to minimize the chance of recurrence as much as possible. The starting point here is to subject all forms of personal data in all Kadaster applications to additional testing. The Land Registry intends to do this by means of a Privacy Impact Assessment (PIA), which will be carried out on all information systems that process BRP data. In addition, all software development will be verified that the (regression) tests also cover the intended processing of personal data. Finally, the Cadastre intends to investigate the possibilities of an automated daily test on the filtering of secret addresses.
The Land Registry reports annually on information security policies in its annual report, which is also sent to the Chamber.
The Minister for Housing and Physical Planning,
H.M. de Jonge
Parliamentary paper 32 761, no. 247
Decision note accompanying Parliament letter on state of data breach Kadaster
