Many boa employers last year failed to conduct a mandatory audit under the Police Data Act (Wpg audit) and submit a report of this to the Personal Data Authority (AP). Of a total of over 600 boa employers, about half ultimately sent an audit report. These were mainly small boa employers who did not submit anything.
The AP notes this in its report on the Wpg audit.
A boa (special investigating officer) can have a major impact on a person's privacy by recording personal data. For example, boas can make an official report. This has special probative value in criminal law. And it can be used for police duties, among other things.
In addition, a registration by a boa may have an impact on a person for many years. Registered data can be included in a personal file or used to assess an application for a Certificate of Good Conduct (VOG). The registration of incorrect information or careless handling of this information can, for example, result in a person being wrongly denied a VOG.
Employers of boas with investigative duties are required to conduct an annual internal audit to assess their handling of personal data. They must also conduct an external audit every 4 years. They must send a report of this external audit to the AP so that the AP can supervise it. This is stated in the Police Data Act (Wpg).
In addition to police and investigative agencies, they include boa employers such as municipalities, transportation companies and nature managers. Boa employers had until Dec. 31, 2022, to submit the results of the four-year external audit to the AP.
By the end of 2022, less than a third of the boa employers had sent a report. By early 2023, this number had risen to about half of employers.
Katja Mur, AP board member: "We are pleased that in the last period quite a few Wpg audit reports were still delivered to us. As a result, a significant proportion of employers have complied with this obligation. Still, less than half of the boa employers ultimately delivered a report."
"In addition, unfortunately, the results of external audits often turn out to be insufficient. We want boa employers to have their affairs in order so that citizens can be confident that their personal data is handled with care. A large proportion of boa employers are currently falling short in this regard."
The AP found in its report, based on a sample of the reports received, that overall, many boa employers' compliance with the Wpg is not yet in order. In only half of the reports reviewed are employers in compliance.
Organizations that do not sufficiently meet the set requirements must take improvement measures. They must have these items reassessed and send the report to the AP by Dec. 31, 2023.
The AP is engaging with the Department of Justice and Security about the low number of audits conducted, the insufficient results and possible follow-up steps.
A point of concern here is the degree of proportionality of the mandatory Wpg audit. About half of all boa employers are organizations that employ 5 or fewer boas. The AP has received signals from smaller boa employers who experience the Wpg audit as a heavy (financial) burden.
Want to know when boas must comply with the Wpg? Then register for the course Privacy legislation in detection via this link .
