Legislative proposal on mortgage data requires clearer delineation
The government wants to give De Nederlandsche Bank (DNB) the power to collect data of mortgage owners in the Netherlands. DNB needs these data for the performance of statutory tasks. The legislative proposal that pertains to this, however, has to be delineated more clearly. This is the conclusion of the Dutch Data Protection Authority (Dutch DPA) after a test.
Through the DNB Mortgage Market Reporting Act, the government wants to oblige mortgage lenders to share data about customers periodically with DNB. Mortgage lenders are, for example, banks, investment institutions, pension funds, and insurers. In terms of customer data this concerns, for example, the term of a mortgage, interest, energy label, and any failures to pay.
DNB needs mortgage data for the performance of its statutory tasks. These tasks are promoting the stability of the financial system and compiling statistics about the housing market in the Netherlands. The Dutch DPA now finds that the government has to adjust the legislative proposal on some points.
Personal information
‘Financial information is highly personal and tells a lot about someone's private life, so it has to be handled with as much care as possible’, Dutch DPA board member Katja Mur says. ‘The government has come up with a legislative proposal, partly on the insistence of the Dutch DPA, and it is a good thing that a proposal has been drafted. A number of points for attention now remain.’
Arranging pseudonymisation on a legal level
The legislative proposal pertains to detailed data of mortgage holders in the Netherlands. However, the draft legislative text does not state clearly that there is an obligation to pseudonymise the data provided. Pseudonymisation is a security measure that makes tracing back data to individuals more difficult, so the privacy of people remains protected. This is an essential safeguard. The requirement of pseudonymisation must therefore be included in the legislative text.
Use for a different purpose not allowed
Pursuant to the current legislative proposal, DNB can not only use the mortgage data for economic reports and statistics, but also pass on the data to DNB departments with other tasks, such as supervisory departments. These departments have a very different task.
In that case, data are therefore used for a purpose other than set out in the legislative proposal. Under the privacy legislation, this is not allowed because people must be able to know what their personal data are used for so they will know what to expect. The legislative proposal also requires adjustment on this point.
Retention period is too long
Finally, the period during which the data are retained by DNB seems somewhat long. This is 15 years, but there is no proper substantiation for this duration. The starting point must always be that personal data are retained for the shortest possible period.
