PONT Data&Privacy


Autoriteit Persoonsgegevens investigates privacy protection by UWV

The Uitvoeringsinstituut Werknemersverzekeringen (UWV) will again have to deal with the Autoriteit Persoonsgegevens. The regulator is starting a new investigation into the benefits agency because of large-scale privacy violations by the IT system SONAR. The UWV says it is happy to enter into discussions with the privacy watchdog. So writes Trouw, which spoke to spokespeople for both the Autoriteit Persoonsgegevens and the UWV.

VPN Guide January 6, 2021

KPMG finds widespread privacy violations in IT system SONAR

It's all about SONAR. SONAR is an IT system that is replete with personal details and other personal data of job seekers. These include first and last names, residential addresses, dates of birth, nationality, phone numbers, e-mail addresses, citizen service numbers (BSN), and medical data and related background history that explain why someone is applying for benefits. The system is also linked to various decentralized systems that help job seekers find new jobs, such as werk.nl and a variety of chain partners.

KPMG conducted research last year to see how SONAR deals with various privacy issues arising from the General Data Protection Regulation (GDPR; AVG in Dutch). The main conclusion is not mild: according to the researchers, the IT system does not comply with the principles of the AVG in terms of lawfulness, minimal data processing, purpose limitation, storage limitation and ensuring data integrity and confidentiality.

To begin with, a group of some 15,000 officials has access to the data in the SONAR information system, for both active and inactive profiles. This access is not necessary for the performance of their work, which is an indication that the authorization model is flawed. It also appears that the UWV hardly cleans up the database, even when the legal retention period has expired. KPMG recommended that measures be implemented as soon as possible to end the privacy violations.

AP: 'UWV has too little regard for privacy'

"The UWV should have the security of personal data better in mind," a spokesman for the Autoriteit Persoonsgegevens told Trouw. "It often also involves health data of many people. This organization is required by law to do this properly. For that reason, the UWV employs a privacy expert to take care of this: the data protection officer (FG)."

On several occasions in the past, the FG has indicated internally that the storage of citizens' data was not properly regulated. The UWV then ordered a follow-up investigation, or minor adjustments. Neither has led to large-scale improvements. For that, we have to wait until 2025. That year, Social Affairs Minister Wouter Koolmees expects to replace SONAR with a new IT system.

UWV views survey conclusions with confidence

In addition to the regulator, Trouw also spoke to a spokesman for the UWV. He said the benefits agency was informed about the investigation into SONAR several months ago. "We find it important to be transparent and therefore share with the AP our plans for the adjustments, as well as the replacement of the system in the longer term," he said. "The UWV is therefore happy to engage in further discussions with the AP."

The spokesperson for the Autoriteit Persoonsgegevens reveals that the investigation into SONAR is not the only investigation the regulator is currently conducting at the UWV. "What the content is of the investigations that are currently ongoing, I cannot explain at this time in the interest of these investigations," the spokesperson told Trouw.

UWV evades penalty by implementing eHerkenning

This is not the first time the UWV has run afoul of the Autoriteit Persoonsgegevens. Last year, the benefits agency managed to avoid a large fine by improving the security of the employer portal. In November 2017, the regulator found that employees in the absence management department were processing the health data of people eligible for benefits while they were not authorized to do so. Also, the security of the online employer portal was not up to par because two-step verification was not used.

A year after the finding, the regulator imposed a penalty payment on the UWV to put its house in order. This amounted to 150,000 euros per month, with a maximum of 900,000 euros. Both parties agreed that the problems had to be resolved by March 1, 2020. By only allowing login to the employer portal with eHerkenning, the security and authorization problems were solved.
