PONT Data&Privacy


UWV fined for poor security when sending group messages

The Autoriteit Persoonsgegevens (AP) is fining the Uitvoeringsinstituut Werknemersverzekeringen (UWV) €450,000. The UWV had not properly secured the sending of group messages via the so-called "My Work Folder" environment. That is a personal environment on the UWV website, where job seekers have contact with the UWV. As a result, there were several data breaches of personal data, including health data, of a total of more than 15,000 people.

7 July 2021

News press release

Katja Mur, AP board member: 'How the UWV handles the protection of personal data has the attention of the AP. There were earlier security problems with the employer portal, for example, and we had to enforce better security with a sanction. You should be able to expect from an organization like the UWV that your data is secure. If it is not, it affects the citizen's trust in the government.'

Wrong recipients

Between August 2016 and the end of 2018, the process for sending group messages through the My Work Folder environment was not properly secured. As a result, files containing a multitude of job seekers' personal data ended up with the wrong recipients, namely in the My Work Folder environment of other job seekers.

Leaked personal data

This included various personal data, such as address information, data on education, nationality, BSN, as well as information on physical limitations, mental and physical work capacity and whether people are too sick to work.

Data leaks occurred nine times during that period, with a total of more than 15,000 people's data reaching the wrong recipients.

Mur: 'Some of this is special personal data, which must be handled with extra care. It is embarrassing if this kind of data about yourself ends up in the wrong hands. Someone can also get hold of it, making you vulnerable to fraud, for example.'

'It is therefore worrying that the UWV did not immediately come up with appropriate action after the first data breach. At the time, 4.5 million Dutch people were registered with the UWV, including job seekers, the sick and the disabled. These people unnecessarily ran the risk of their personal data being leaked.'

Security measures

The AP launched this investigation after nine data breaches occurred at the UWV. The investigation revealed, among other things, that the UWV had not sufficiently mapped out in advance the risks of processing job seekers' personal data.

In addition, the UWV should have implemented technical measures earlier. Moreover, the UWV did not adequately monitor and evaluate its own security measures.

Only in late 2018 did the UWV take technical measures to prevent similar data breaches.

How to move forward?

The UWV can still appeal the AP's fine.

View the fine here
