Social Insurance Bank fined for inadequate identity checks

Themes:
Data breaches
Security of personal data
Benefits and social security

The Dutch Data Protection Authority (Dutch DPA) is imposing a fine of €150,000 on the Social Insurance Bank (SVB) for its failure to adequately confirm the identity of callers to its telephone helpdesk. The shortcoming potentially enabled unauthorised persons to obtain the personal details of old-age pension (AOW) recipients. The SVB has now taken measures to address the problem.

In 2019, an unauthorised individual obtained personal information about an SVB client. The client discovered that the SVB’s telephone helpdesk had disclosed information about their pension, and subsequently lodged a complaint with the Dutch DPA.

Privacy risks underestimated

Each week, the SVB answers an average of 20,000 questions about social security legislation such as the AOW pension scheme. All of its approximately 1,500 helpdesk staff have access to clients’ personal details.

It is therefore vitally important to have clear rules for providing information by telephone. However, the Dutch DPA's investigation revealed that the SVB did too little to identify the potential privacy risks associated with its telephone service.

In practice, its system for checking callers’ identities was inadequate. Callers were verified with knowledge-based questions only, and the answers to those questions, such as the client's given name, address and postcode, could be obtained with relative ease by people other than the client.

The SVB also failed to sufficiently monitor whether its helpdesk staff complied with identification policies and to ensure that staff were sufficiently aware of the importance of handling personal details securely. The infringements took place between May 2018 and May 2022.
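The two failures described above, a knowledge-only check whose answers are quasi-public and no monitoring of whether agents actually completed verification before disclosing data, can be made concrete in code. The example below is an added illustration, not the SVB's procedure or any code from the Dutch DPA's decision; the field names, the one-time-code step sent to a phone number on file, the audit-log format and the log lines themselves are all constructed for the demonstration.

```python
"""Caller verification and helpdesk audit checks (added illustration, not SVB code)."""
from dataclasses import dataclass, field
from typing import Optional
import hmac
import secrets

# Factor classes (assumed for this example). Given name, address and postcode
# are quasi-public: a neighbour, relative or scammer can learn them, so matching
# them must never by itself unlock account data. A one-time code sent to the
# phone number on file is a possession factor an impersonator does not have.
QUASI_PUBLIC = ("given_name", "address", "postcode")


@dataclass
class ClientRecord:
    client_id: str
    given_name: str
    address: str
    postcode: str
    registered_phone: str


@dataclass
class CallSession:
    """State an agent's screen would hold for one call."""
    client_id: str
    answers: dict = field(default_factory=dict)  # question -> caller's answer
    pending_otp: Optional[str] = None
    otp_verified: bool = False


def knowledge_check(rec: ClientRecord, sess: CallSession) -> bool:
    """The pattern the DPA found inadequate: only quasi-public questions."""
    return all(sess.answers.get(q) == getattr(rec, q) for q in QUASI_PUBLIC)


def issue_otp(sess: CallSession) -> str:
    """Generate a six-digit code. Production would send it out of band to
    rec.registered_phone and never read it back to the caller."""
    sess.pending_otp = f"{secrets.randbelow(10**6):06d}"
    return sess.pending_otp


def confirm_otp(sess: CallSession, code: str) -> bool:
    ok = sess.pending_otp is not None and hmac.compare_digest(sess.pending_otp, code)
    sess.pending_otp = None          # single use, whether or not it matched
    sess.otp_verified = ok
    return ok


def may_disclose(rec: ClientRecord, sess: CallSession) -> bool:
    """Hardened rule: knowledge answers select the record, possession unlocks it."""
    return knowledge_check(rec, sess) and sess.otp_verified


# ---- Compliance monitoring over a constructed helpdesk audit log -----------
SAMPLE_LOG = """\
2022-03-01T10:00:00 session=s1 agent=a17 client=C001 event=verified method=kba
2022-03-01T10:00:30 session=s1 agent=a17 client=C001 event=disclosed field=aow_amount
2022-03-01T11:00:00 session=s2 agent=a42 client=C002 event=verified method=kba
2022-03-01T11:00:10 session=s2 agent=a42 client=C002 event=verified method=otp
2022-03-01T11:00:40 session=s2 agent=a42 client=C002 event=disclosed field=aow_amount
2022-03-01T12:00:00 session=s3 agent=a17 client=C003 event=disclosed field=address
"""


def parse_log(text: str):
    """Yield one dict per 'timestamp key=value ...' line (assumed log format)."""
    for line in text.splitlines():
        ts, *pairs = line.split()
        ev = dict(p.split("=", 1) for p in pairs)
        ev["ts"] = ts
        yield ev


def unverified_disclosures(text: str, required_method: str = "otp"):
    """Disclosures not preceded, in the same session, by the required method.
    This is the check that would have surfaced agents skipping verification."""
    verified = set()
    findings = []
    for ev in parse_log(text):
        if ev["event"] == "verified" and ev["method"] == required_method:
            verified.add(ev["session"])
        elif ev["event"] == "disclosed" and ev["session"] not in verified:
            findings.append((ev["session"], ev["agent"], ev["client"], ev["field"]))
    return findings


def demo():
    """An impostor who knows the name, address and postcode passes the weak check
    but not the hardened one. Returns (weak_result, strong_result)."""
    rec = ClientRecord("C001", "Anna", "Kerkstraat 1", "1234 AB", "+31600000000")
    impostor = CallSession("C001", answers={"given_name": "Anna",
                                           "address": "Kerkstraat 1",
                                           "postcode": "1234 AB"})
    return knowledge_check(rec, impostor), may_disclose(rec, impostor)


if __name__ == "__main__":
    print("weak check passed, hardened check passed:", demo())
    for finding in unverified_disclosures(SAMPLE_LOG):
        print("disclosure without OTP verification:", finding)
```

Running the script shows the impostor clearing the knowledge-only check and failing the possession check, and the log scan flags sessions s1 (knowledge check only) and s3 (no verification at all), which is the kind of routine monitoring the text says was missing.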

Very personal information

‘The SVB administers benefits for over 5 million people. With so many people in the Netherlands depending on the SVB for their benefits, it is vital that privacy policies are watertight,’ says Dutch DPA board member Katja Mur.

‘Information about benefits is very personal information, since it reveals so much about people’s lives. This means that clients should be able to rely on the SVB to check callers’ identities very carefully to make sure they are who they say they are.’

When it received the Dutch DPA’s findings, the SVB took immediate action to improve its telephone service. New, unambiguous working instructions set out exactly how staff should check the identity of callers. The SVB will evaluate its new policy every two years.

Broader relevance

‘Organisations that provide services by phone can learn from this,’ says Ms Mur. ‘Privacy policy is not only about digital services, but also about services provided by phone. People may be doing more and more online, but they also still frequently use telephone helpdesks. This means it’s important to make sure that privacy is safeguarded equally well when services are provided by phone.’

""