Co-author: Dennis Teuben (Ministry of Defence)
GGD data breach: a look through from theory
08 February 2021
Co-author: Dennis Teuben (Ministry of Defence)
We are writing February 2021. After nearly a year of Corona stress, society seems to be under high stress. Recent measures - a temporary curfew - led to riots in the country. People are tired of sitting at home and entrepreneurs are having a hard time. One of the important parties in the chain of organisations which is crucial in controlling the virus is the Municipal Health Service (GGD). It appears that the GGD is having a hard time with the national scaling up of their ICT systems for Covid. A list of headlines from the news characterizes the problem:
- On 29 January, the headline at NU.nl read: GGD wants to quickly switch to another software system because of data breach
- On 30 January, the headline at NOS.nl read:Slow vaccination, a GGD data leak: problems pile up for De Jonge
- On January 30, another headline at NOS.nl read: GGD switches off printing function after data breach
- On 1 February, the headline at The AD read: Chance of identity fraud after GGD data breach is small
- On 2 February, the headline at Parool read: Third suspect arrested for data theft GGD
A more nuanced picture
The seriousness of the situation calls for a more nuanced view. On February 3, a heated debate rages in the Dutch Lower House. Members of Parliament questioned Public Health Minister Hugo de Jonge about the privacy problems in the system which, with the best of intentions, the Municipal Health Service employees had started to work with. Given the required speed of action, it appears that the protection of privacy did not receive the necessary attention. Municipal Health Service employees had access to information that was in principle not needed and the Lower House wonders how supervision of this is arranged.
The Authority for the Protection of Personal Data (hereinafter referred to as: AP) is responsible for supervising privacy. They are responsible for dealing with reports and for obliging organizations to take corrective action if risks arise. However, the AP is structurally struggling with staff shortages. The AP's 2019 annual report states that only 0.3% of all reports were investigated. The AP has indicated that it needs more capacity for supervision.
Preventing privacy problems in advance is better than having to correct them afterwards. The term used for this is privacy by design. This means that when developing ICT systems, privacy considerations, as described in the AVG, must be taken into account from the very beginning. When developing and using the information system, avoid actions that are not permitted.
Thesis at the Hogeschool Utrecht
For the completion of his Master of Informatics, Dennis Teuben wrote a thesis under the supervision of Bas van Gils, which unexpectedly turns out to be topical. In his (ongoing) research Dennis observes that the AP does not appear to be in a position to adequately supervise the lawfulness - compliance - of the processing of personal data by a government organization. Not to mention that the AP can fulfill its advisory role or act as an advisory body for organizations.
The objective of the design-oriented research is to determine whether and how supervision by the AP could be more efficient and effective if the so-called horizontal supervision principle were applied. The research is based on an extensive literature study and validation with experts in the field. The research is currently in the completion phase in which the results will be further validated, after which the thesis can be written.
One of the results of the study is that (horizontal) supervision can be effective if organisations and supervisory authorities invest in three aspects: understanding, trust and transparency. This is a good result, but privacy by design as a philosophy still offers few concrete handles for organizations to get started themselves. Using the design science approach, the insights have been translated into a privacy control framework. This provides organizations with an instrument with which to safeguard their privacy interests and the supervision thereof.
It seems obvious that when developing information systems, including the GGD registration system, privacy by design should be taken into account. In this digital era, you can't do otherwise if you strive for sustainable solutions in which all the interests of stakeholders are properly safeguarded. This line can also be extended to the phase in which the system is actively used (the 'management phase'). In practice, this does not always happen.
Properly dealing with privacy interests requires periodic evaluations to determine whether the system is still adequate and compliant. Based on the aforementioned study, we conclude on the one hand that privacy by design is a somewhat vaguely formulated approach, and that a translation into a privacy control framework helps to give it concrete substance.
The first piece of advice is: make sure you don't go overboard with new measures! The pitfall is to regulate the system so tightly, for example by deactivating functions or allocating authorisations to a minimum, that this creates an inflexible work situation and considerable bureaucracy. The crux is to find a balance here, strict where necessary, flexible where possible.
A second recommendation is that, once the crisis has been averted, research should be carried out into how the AP's supervision can be made more effective and efficient. Horizontal supervision could be an interesting approach. This would require organizations and the supervisory authority to work on the criteria of understanding, trust and transparency. This will require an investment in the Office because it will have to work on fulfilling its advisory function and acting as an "authority" for organizations that have questions.
Our research can be a first step towards the practical application of privacy by design and the possible application of horizontal supervision. The perspective offered by this is firstly to prevent unlawful use of information systems, but also to relieve the supervisor in its heavy workload.