Compliance with the Police Data Act (Wpg) has improved in several areas since 2015. This is evident from recent internal and independent external audits. However, there is still a battle to be made from policy to practice.
Compared to the previous audit in 2015, recent audits show that compliance with the Wpg has improved. Among other things, they show improvement when it comes to the rights of individuals recorded in police systems and authorizing police officers to work with privacy-sensitive information. However, in other areas there is still a battle to be made from the right policy to actual application in practice.
To this end, the police are taking a new approach in which senior managers such as police chiefs/portfolio holders and heads of operations within police units are given responsibility for specific topics in the Wpg. This incorporates privacy into the regular cycle of planning and control. When police officers do not comply, they will be held accountable. In addition, the police will prepare a legally required improvement report.
An improvement plan was also drawn up by the police as a result of the 2015 audit. It prioritized the authorization process, data subjects' rights and information security. During the course of this improvement plan, new rules were added as a result of the European Directive on Data Protection Investigation and Prosecution. Two of those topics are privacy by design (including data protection directly in the development of applications) and the appointment of a data protection officer.
Compared to 2015, the following improvements were made:
Privacy desks have been set up where requests are processed according to a uniform policy. Data subjects can ask to see their data here and possibly request their correction or destruction.
A national authorization model has been implemented. An application allows managers to provide employees with the appropriate authorizations in the most commonly used police systems. As a result, the privacy of people who appear in these systems is safeguarded as much as possible. It should be noted, however, that the revocation of authorizations granted before the introduction of this national authorization model is still a vulnerable point that requires attention.
A data protection officer has been appointed. This officer monitors compliance with the Wpg and AVG, informs and advises the chief of police, and cooperates with the Autoriteit Persoonsgegevens.
Personal data protection will be included in all newly developed applications. Mechanisms for the protection of personal data will thus be built in from now on during the development of information services.
These improvements do not mean that the police have already achieved full compliance with the Wpg. Continued effort for this is necessary. The fact that the police have difficulty complying with the Wpg is partly because the law does not fit well with implementation practice. For that reason, the Wpg is being revised. A start has been made by the legislature on preparing this revision.
Download the reports of the recent internal and external independent audits here:
See also: parliamentary letter Audit Police Data Act
