The Cabinet believes that the government has an exemplary role in the data protection of citizens. Therefore, State Secretary for Digitalization Alexandra van Huffelen expects a concrete plan from municipalities and the Association of Dutch Municipalities (VNG): compliance with the General Data Protection Regulation (Avg).
In addition to that requirement, the cabinet is also engaging with municipalities and the VNG to see how it can help put privacy compliance and information management in order, Van Huffelen writes in a letter to the House of Representatives
The state secretary says that municipalities work with many information systems to carry out their tasks. In practice, it turns out to be quite difficult to work in compliance with European privacy legislation. But that should not stand in the way of the most seamless compliance with the Avg, she believes. "Nevertheless, society should expect the government to have its housekeeping in order and the government itself to meet the standards of data protection law," Van Huffelen wrote.
Her answers to questions by GroenLinks MP Kauthar Bouchallikht have a history. Research by Bits of Freedom among the ten largest municipalities in the Netherlands earlier this year showed that municipalities are insufficiently complying with the AVG. According to the digital civil rights organization, the basis in many municipalities is not in order, while everywhere experiments with data-driven work are taking place. Data management often falters and citizens have to wait too long if they have requested access to information.
Moreover, there is also a capacity problem: municipalities simply lack clout to comply with the AVG. There is also a problem with the processing registers, according to Bits of Freedom. These are not complete and up-to-date. As a result, municipalities are insufficiently informed about what data they process, for what purpose, whether that processing is lawful and secure, and with whom. As a result, municipalities cannot clearly assess the risks to citizens.
To Data&Privacyweb privacy experts then announced that they did not necessarily think the criticism was justified. Some leniency is in order. Menno Weij, privacy expert at accountancy firm BDO, said that municipalities are increasingly aware that they must comply with privacy standards. At the same time, they now lack clout and capacity, Weij said. "I believe the intention of municipalities is good. But sometimes things go wrong. You then also talk about an insane amount of data that has to be processed."
Take the example of the processing register, which includes personal data. Setting up such a register helps organizations keep track of processed data and is mandatory under the AVG in many cases. Weij calls it bureaucratic quibbling: "It goes wrong if you process data without a proper basis. But is it so bad if your processing register is not completely in order because you have not included some data, but you are using that good basis. It may be that you do take good care of your data. At most, you are a little sloppy."
So the cabinet is somewhat less lenient on municipalities in its letter to the House of Representatives. In it, Van Huffelen reveals a number of other policy plans. For example, the cabinet is working on proposals to strengthen privacy within government organizations, among other things. The role of the Data Protection Officer is being re-examined and his position within the privacy domain may be strengthened. Finally, the Cabinet is working on the creation of algorithm registers, which should provide transparency about the operation and application of algorithms.
