PONT Data&Privacy

GGD still doesn't have its privacy affairs in order

The GGD still does not have its privacy affairs in order. Employees who have been fired sometimes still have access, more than a month after their dismissal, to personal data of all Dutch citizens. Furthermore, confidential data is displayed when training new employees.

VPN Guide February 4, 2022

News press release

This is what De Gelderlander writes. The newspaper spoke with several current employees and former employees of the GGD.

Data breach at GGD

The GGD has long been under fire for a massive data leak. The leak surfaced in early 2021 after RTL News discovered that thousands of employees had access to personal and medical data of millions of Dutch people who had been tested for corona. Some copied this data and sold the data through channels such as Telegram, Snapchat and Wickr.

Then-Minister of Health, Welfare and Sports Hugo de Jonge was deeply apologetic. He apologized for the course of events in the Lower House and promised improvement. He took all kinds of additional security measures to prevent a recurrence. The GGD largely switched off the print and export functionality, limited the search options in the computer systems, had more internal checks and external audits performed to prevent abuse and had the VOG (Certificate of Good Conduct) administration put in order.

After the data breach came to light, the Autoriteit Persoonsgegevens launched an investigation into the matter. The regulator saw that the GGD had made all kinds of improvements, but still found them insufficient. According to the privacy watchdog, there was still too much uncertainty about authorization management and the checking of log files. Also lacking were clear agreements on security measures between umbrella organization GGD GHOR, the 25 GGD departments and collaboration partners. The Autoriteit Persoonsgegevens called these shortcomings "substantial risks."

GGD shows a woman's personal data during training session

De Gelderlander spoke with several (former) GGD employees to see if the GGD has its privacy affairs in order by now. This appears not to be the case. As an example, the newspaper mentions a training round in the Arnhem/Ede region. GGD Gelderland-Midden showed classrooms of trainees the personal data of a woman who was to be vaccinated. This included residential address, contact information, BSN number and medication use.

A spokesperson for GGD GHOR acknowledges that this situation occurred. "This happened once. This should not and is not our usual practice. Every training is given from a test environment with fictitious people and data," the spokesman told De Gelderlander. He said the error resulted from the rapid scaling up of GGD departments to administer booster shots.

Still possible to log in to GGD IT systems after dismissal

This is not the only incident where privacy was not ensured. A former employee says that a month and a half after he left employment he could still log in to the GGD's IT systems. This allowed him to view personal and other confidential data of millions of Dutch citizens. "Such as the BSN number and the e-mail address, and that's a dangerous combination if you mean any harm," he told the newspaper.

The GGD stresses that this is not the intention. If someone quits or is fired, the regional GGD department must terminate the account. However, sometimes it takes a while to arrange this, a spokesperson says.

Confidentiality statement and VOG

According to the GGD, it is impossible to arrange for temporary or agency employees to see less personal data than permanent employees. "The GGDs scaled up at a very high rate in order to administer vaccinations against the coronavirus in a timely manner to residents of the Netherlands who wanted them. The speed of the scaling-up operation did not make it possible to distinguish between permanent and temporary employees," the GGD said.

The spokesperson stressed that measures have been taken so that employees on temporary contracts only have access to the data necessary for their work. For example, medical history and medication use are visible only to permanent employees.

In other areas, the GGD does have its act together. All employees must sign a confidentiality agreement and provide a VOG. Furthermore, each employee is automatically checked by the system to make sure they are not requesting more data than necessary.

AP makes no comment on claims made by De Gelderlander

The Autoriteit Persoonsgegevens would not say anything to De Gelderlander about the newspaper's claims. The regulator will see in March what has come of its recommendations. Until then, the privacy watchdog makes no announcements.

Lower House member Attje Kuiken (PvdA) says she finds it "very damaging" that the GGD still has not put its house in order. "While it is about very personal data with which malicious people can do a lot of damage. So despite the cabinet's promises to the Lower House, it is still not in order."
