AP: Data breaches due to misuse of personal data at municipalities often remain undetected

This is stated in anexploratory study by the AP. The AP calls on municipalities to prevent, detect, and address data breaches caused by integrity violations, and provides various recommendations to this end. Every year, the AP receives reportsof data breachesfrom approximately 10 to 20 municipalities involving civil servants who have unlawfully accessed personal data. Examples include civil servants who:

• shares data with a criminal organization under pressure or in exchange for payment;
• searches for information about family members in municipal systems due to a family conflict;
• viewing the details of a celebrity out of curiosity.

Monique Verdier, vice-chair of the AP: 'Such privacy violations can have far-reaching consequences. It is important that municipalities improve their ability to prevent, detect, and address these types of data breaches. Municipalities use and store a lot of sensitive information about their residents. People must be able to trust that this information will remain confidential. If data is shared with criminals, it can even pose serious security risks to people. For example, Openbaar Ministerie year the Openbaar Ministerie linked dozens of explosions and at least two attempted murders and homicides to a corrupt civil servant from the municipality of Amsterdam.'

Reporting is important

The number of cases of misuse may be significantly higher than the number of reported data breaches. This could be because misuse went undetected or because municipalities often do not recognize integrity incidents as data breaches. There are also misconceptions about what constitutes a data breach and when reporting is mandatory. It is important that such incidents are also reported to the AP, so that the AP can take corrective action if insufficient security measures are taken or intervene if victims are not informed.

How to prevent, detect, and address it?

Municipalities can take measures to help prevent, detect, and address data breaches. Based on the practical situations it has encountered, the AP provides municipalities with a number of recommendations, such as:

• Determine what information employees can and cannot see, record employee actions in systems, and monitor them. This also protects employees from criminal influences.
• Establish rules for integrity and privacy and provide training;
• Record every data breach in a register and analyze incidents;
• Seek advice from the Federal Police if you suspect abuse and report any abuse;
• Share knowledge and experiences with other municipalities.

About the study

For this investigation, the AP questioned 29 internal privacy supervisors, data protection officers (DPOs), from municipalities about the misuse of data by civil servants. The AP also visited three municipalities and spoke with the National Criminal Investigation Department and the Association of Netherlands Municipalities (VNG). In addition, the AP compared a list of integrity violations at municipalities with its own overview of data breaches at municipalities.