Municipality of Eindhoven is not adequately protecting residents’ privacy
The Dutch Data Protection Authority has announced its intention to place the municipality of Eindhoven under increased supervision because its policy on the protection of personal data is inadequate. For example, privacy scans are carried out either too late or not at all, and data breaches are not reported to the Dutch DPA on time. In the summer of 2022, the municipality already received a warning, after which it presented an improvement plan. However, this plan has now also proved inadequate.
“The Dutch Data Protection Authority (Dutch DPA) has serious concerns about compliance - across the board - with the General Data Protection Regulation (GDPR) within your municipality”, reads the letter sent to the Board of Mayor and Aldermen. “Moreover, the Dutch DPA seriously doubts whether the Board feels sufficiently compelled to adequately invest in the development of a sound privacy organization and privacy culture.”
The municipality of Eindhoven has some 238,000 residents and they have no choice when it comes to handing over their data: after all, it is mandatory to register with the municipality where your main address is located. This is precisely why municipalities have an increased responsibility to handle these data with great care. Many of TU/e’s students and staff members also live in Eindhoven. Just recently, they were affected by the leak at ID-Ware, the company that makes TU/e’s access cards, in which all kinds of personal data were leaked. Afterwards, it turned out that no DPIA had been carried out there either, and that too much data had been stored. The amount of data leaked there poses a genuine risk of identity fraud. Likewise, the amount and type of data that municipalities store on residents could also potentially lead to identity fraud in the event of a leak.
Citizens left high and dry
Projects that involve the storage or processing of personal data usually require a PIA or DPIA to be carried out in order to identify what data are being processed, what risks are involved and what protective measures will be taken. “The municipality allegedly introduced, among other things, an environmental card and a pressure meter without conducting that risk analysis, as well as a trial project with an app that uses an algorithm to connect job seekers to vacancies”. These are a few examples of the municipality’s violations given by the Dutch DPA. “Citizens should be able to trust that their municipality handles their personal data with care”, says Monique Verdier, deputy chair of the Dutch DPA. “As a citizen, you have no choice: the municipality where you live collects and uses your personal data. What’s more, municipalities manage a lot of sensitive data on their residents. The fact that one of the largest municipalities, the 'Brainport' of the Netherlands of all places, doesn’t seem to have this in order is very serious.”
Verdier: “The municipality's improvement plan is substandard. For example, it seems that the municipality doesn’t observe retention periods for personal data and the policy for carrying out DPIAs is also not up to scratch. There are also concerns about the handling of data breaches and questions about whether the municipality is duly adhering to the advice of the Data Protection Officer. All in all, the municipality doesn’t seem to be fully aware of the seriousness and urgency of the concerns. This requires extra attention from the Dutch DPA”, explains Verdier with regard to the increased supervision by the Dutch Data Protection Authority.
Questions to the Board
Political party Volt has drafted a number of questions to the Board of Mayor and Aldermen. One of the questions concerns the matter of which parties will be involved in a new improvement plan. Is it perhaps possible for other municipalities that do have their affairs in order to be of help to Eindhoven? Are there any external experts who can be brought in? The party also wants to know whether the Board is aware that these are not ‘merely’ procedural errors, but also a threat to people's right to privacy and to the careful processing of their data. Volt's written questions to the Board should, in principle, be answered within four weeks. GroenLinks is also going to ask questions during the municipal council meeting next Tuesday.
Further upscaling still an option
The first step of this increased supervision is that the Dutch DPA has ordered the municipality to send a report with more information and documents on data breaches, DPIAs, retention periods, the position of the Data Protection Officer and several other points from the improvement plan within two months. Based on that information, the Dutch DPA will determine what further steps are needed. “We will keep the option of scaling up our intervention explicitly open”, says Verdier.
Update: the questions have been answered.