On Oct. 9, the Personal Data Authority (AP) published a the Government Sector Assessment. The report maps a number of developments and trends in the field of privacy. The report covers all governments: ministries, water boards, as well as a number of observations about Municipalities. In two blogs I will discuss the observations the AP makes about municipalities.
The AP notes in its report that governments, including municipalities, do not view the AVG as a given but only as part of a balancing act. It notes that other interests sometimes outweigh compliance with the AVG. Examples given are fighting undermining crime or welfare fraud. Because in government organizations the director is the data controller, she therefore notes that directors are sufficiently knowledgeable to make good decisions about (new) processing of personal data.
On the question of whether such a straightforward stance is justified, Christian Verhagen wrote an interesting blog for iBestuur. In it he notes that privacy is a fundamental right but so is, for example, subsistence security. According to him, this is no excuse for a government to break the law, but "it is a good thing to hold the law and its interpretation up to the light from time to time in order to come to one's own assessment."
The AP identifies an increasing need for municipalities to share and link data. This need is particularly evident in the following areas: social, healthcare and security. The need plays out within municipalities between different departments, but also outside the municipalities in partnerships.
The AP points out that a legal basis is also required for these processing operations. If there is no basis, organizations may not process personal data, regardless of any measures taken or guidance prepared.
The second comment the AP makes on this is that in collaborative ventures, it is not always clear who takes on what role and who exactly is responsible for what. The collaborating parties should make clear agreements about this before they start the collaboration.
And: also for experiments and pilots involving data processing the AVG applies in full.
Another development that the AP has observed specifically within the social domain is that a number of municipalities have used algorithms to profile citizens on social security benefits according to their risk of fraud. People with - according to the algorithm - a higher risk of fraud could count on more intensive monitoring by their municipality. In this regard, the AP notes that municipalities are not always clear on the requirements of the AVG regarding the automated processing of personal data.
For this reason, the AP is engaging with the VNG on the development and use of algorithms
On the privacy culture within municipalities, the AP makes a number of observations.
In particular, the AP expresses concern about the protection of personal data in the security domain: it believes that the AVG is regularly seen as an obstacle there. It also notes that in some municipalities, the AVG is being deliberately ignored when combating crime and maintaining public order.
Third, the AP notes that municipalities are often unwilling to invest in privacy safeguards, such as conducting DPIAs and involving the FG in a timely manner.
In the next section, I address, among other things, the AP's observations on camera transparency and the role of the FG.
