PONT Data&Privacy

UWV violates law in absence management and access security employer portal

The Autoriteit Persoonsgegevens (AP) has found in investigations that the Uitvoeringsinstituut Werknemersverzekeringen (UWV) is in violation of the Personal Data Protection Act (Wbp) with regard to absence management and access security.

Autoriteit Persoonsgegevens November 14, 2017

Absenteeism management employees process health data of people covered by the Sickness Benefits Act without being authorized to do so. In addition, the security of the online employer portal is inadequate because multi-factor authentication is not used when granting access to this portal. UWV has indicated its intention to take measures to end the violations. The AP plans to proceed with enforcement if the violations continue.

The UWV processes a great deal of personal data including data about someone's health, such as sick leave. Extra strict rules apply to the processing of this sensitive data. UWV clients must have confidence that their data are well protected.

Absenteeism management UWV

Notifications of illness from people under the Sickness Benefits Act are handled at the UWV by absenteeism management employees. These staff members ask people who report sick for information about their health in order to assess the claim for benefits. This does not routinely involve a doctor.

AP findings absenteeism management

The AP notes that the UWV allows sensitive personal data to be processed by employees who are not authorized to do so. Processing data about someone's health to assess eligibility for sickness benefits is only allowed if it is done under the responsibility of a doctor, such as an insurance physician. This is not the case at the UWV.

UWV is going to change working method

As a result of the investigation, the UWV initiated a process to adjust its practices and end the violation. The UWV has promised the AP that absenteeism control employees will work under the supervision of an insurance physician so that the physician becomes responsible for the processing of health data.

Employer portal access security

Employers and occupational health and safety services can enter and view employee absence data via the UWV's online employer portal. Because this involves sensitive employee data, the UWV, as provider and administrator of this absence system, is obliged to adequately secure access to this portal by applying multi-factor authentication.

AP findings access security

The AP concludes that the security of the UWV's online employer portal is inadequate. The UWV does not apply multi-factor authentication when granting access to this portal, although this is required.

Multi-factor authentication is a form of (access) security that requires the user to authenticate in at least two ways to access a computer or application. For example, a password combined with a PIN.

The UWV has indicated security measures are in place.
