UWV fined for poor security when sending group messages
The Dutch Data Protection Authority (DPA) has imposed a €450,000 fine on the Employee Insurance Agency (UWV). This is due to poor security when sending group messages via the ‘Mijn Werkmap’ section of its website, a personal environment in which jobseekers can interact with the UWV. As a result, multiple data breaches occurred, involving the personal data (including health data) of over 15,000 people.
Katja Mur, a DPA board member, explains: ‘The DPA has been paying attention to how the UWV handles the protection of personal data. In the past, there were security problems with the employers portal, and we had to impose a sanction to force improvements to be made. People expect organisations like the UWV to protect their data. Failure to do so undermines public trust in the government.’
From August 2016 until the end of 2018, the procedure for sending group messages via the ‘Mijn Werkmap’ environment was not properly secured. This resulted in documents containing a wide range of jobseekers’ personal data ending up with the wrong recipients, namely in the ‘Mijn Werkmap’ environment of other jobseekers.
Personal data breaches
The personal data included address data, education and training details, nationality and citizen service numbers (BSNs), as well as information about physical disabilities, physical and psychological work capacity and whether people are too ill to work.
There were nine data breaches during the period in question, resulting in the data of over 15,000 people ending up with the wrong recipients.
‘This included some sensitive personal data, which must always be handled with the utmost care,’ says Ms Mur. ‘It can be very distressing if this sort of information gets into the wrong hands. It could also be misused, for example to commit fraud.’
‘So it’s very concerning that the UWV did not respond to the initial data breaches by immediately taking appropriate action. At the time, 4.5 million people in the Netherlands were registered with the UWV, including jobseekers, sick people and people unfit for work. They all faced the unnecessary risk of their personal data being leaked.’
The DPA launched this investigation after nine data breaches had occurred at the UWV. One of its findings was that the UWV had not adequately identified in advance the risks associated with processing jobseekers’ personal data.
In addition, the UWV should have taken technical measures sooner. It also failed to adequately monitor and evaluate its own security measures.
Not until the end of 2018 did it take technical measures to prevent similar data breaches.
What happens next?
The UWV can lodge an objection to the fine imposed by the DPA.