The Netherlands’ data protection authority (Autoriteit Persoonsgegevens – AP) has ordered the Employee Insurance Agency (UWV) to pay €450,000 ($533,000) for not properly securing the sending of group messages via its My Work Folder system.
The platform is used by job seekers to contact the agency, an independent administrative authority commissioned by the ministry of social affairs and employment.
There were nine data breaches between August 2016 and the end of 2018 involving personal data, such as health, identity number, address and level of education, of more than 15,000 people.
AP board member Katja Mur said: “Some of this is special, personal data that must be handled with extra care. It is painful when this kind of data about yourself ends up in the wrong hands. Someone can run off with it, making you vulnerable to, for example, fraud.”
She also commented: “You must be able to expect from an organisation such as the UWV that your data is safe. If that is not the case, it will affect the public’s confidence in the government.”
At the time of the data breaches, 4.5m Dutch people were registered with UWV, including job seekers and ill and disabled people.
The AP’s investigation found the agency had insufficiently mapped out the risks in processing job seekers’ personal data, should have checked its own security better and should have implemented technical measures earlier than the end of 2018.
The UWV has the right to appeal against the fine.