Dutch Data Protection Authority imposes strict security requirements on absence management systems

07.01.2016

The Dutch Data Protection Authority (“DPA”) recently investigated the security of the absence management systems Humannet Starter and Humannet Absence (“the absence systems”), both staff absence management software solutions of the IT company Humannet B.V. (“Humannet”). Humannet’s customers (employers and companies offering occupational health and safety services) use these software solutions for the absence management of employees, including their re-integration following a period of sick leave.

For the purpose of absence management, medical data of employees are processed via these absence systems, so it is important that these data are well protected. A 2012 broadcast of the Dutch television programme ZEMBLA revealed that there had been a data leak in Humannet’s absence systems. After the broadcast, the DPA promptly made enquiries with Humannet and then launched an investigation into the leak. The DPA concluded that Humannet’s absence systems did not have an appropriate level of data security in place.

Under Article 1 of the Dutch Data Protection Act, Humannet’s customers (i.e., the employers and the occupational health and safety service providers) qualify as data controllers for the processing of employee absence data: they determine the purpose of the processing (absence management) and the means (the use of the absence systems) to achieve it. Humannet qualifies as a data processor because the absence systems run on servers it manages itself. Further, Humannet has access (and can give third parties access) to the medical data it holds, and it can alter or delete those data. Securing the absence systems is part of managing them. The DPA emphasized that Humannet, as a data processor, has an active role in data security, especially since specialized expertise in the complex automated processing of data is required. The customers’ lack of such expertise is the very reason they hire specialized data processors. The DPA states: “This active role involves responsibilities that it [the data processor] needs to fulfil actively, for instance in respect of sufficiently securing the processing of data that it manages or performs for the data controller.” Therefore, Humannet, despite being a data processor, must actively contribute to adequate data security for the absence systems in which medical data are processed, by means of the appropriate technical and organizational measures laid down in Article 13 of the Dutch Data Protection Act.

In its report, the DPA set out which appropriate technical measures Humannet must adopt. Humannet was obligated to apply so-called “multiple factor authentication” for all its customers. Humannet’s systems were previously accessible merely by logging in with a user name and password (“one factor authentication”). Humannet had to add an extra factor, such as a token, a smartcard (a personal access card), or a biometric characteristic, so that a person must prove his or her identity in a second manner before gaining access to the absence system. Humannet must also continuously identify and list security risks. According to the DPA, Humannet must perform penetration tests and/or security scans several times a year, so that vulnerabilities in the absence systems can be promptly identified and resolved. In response to the DPA’s report, Humannet decided to offer its customers “multiple factor authentication”, but did not make it part of its standard service. Furthermore, an audit was performed only once a year, and its results were not properly followed up. The DPA therefore concluded that Humannet had violated Article 6 of the Dutch Data Protection Act, which requires that personal data be processed in a proper and careful manner and in accordance with the law: because Humannet did not take appropriate security measures, it failed to comply with Article 13 of the same Act, and the processing of data was therefore improper and careless.

For the definition of security measures, the DPA refers to the following guidelines: its own Beveiliging van persoonsgegevens (Security of personal data, only available in Dutch); the Code voor Informatiebeveiliging (Code on Information Security, NEN-ISO/IEC 27002:2007 nl); the ICT-beveiligingsrichtlijnen voor webapplicaties (ICT security guidelines for web applications, only available in Dutch) issued by the National Cyber Security Centre; and the Betrouwbaarheidsniveaus voor authenticatie bij elektronische overheidsdiensten (Reliability levels for authentication for electronic government services, only available in Dutch) issued by the Forum Standardization.

Notably, in its interpretation of Article 13 of the Dutch Data Protection Act, the DPA referred to security guidelines from other industries and to guidelines that are only available against payment. When considering security measures, controllers and processors therefore need to be aware of security guidelines beyond those specific to their own industry.

Meanwhile, Humannet has implemented the necessary adjustments, and the DPA has decided not to take enforcement action. The investigation gave the DPA cause to send letters to 53 administrators of absence systems, drawing their attention to the appropriate interpretation of the security requirements under the Data Protection Act. The letter, in addition to the investigation, states explicitly that if an administrator wants to test or further develop its system, no medical data may be used for that purpose, only dummy or anonymized data. Furthermore, the risks of the open fields in the system must be addressed. In these open fields, an employer may enter information on the nature and cause of the employee’s illness. However, an employer is not allowed to process such data. To prevent such processing, the DPA has warned against building open fields into the systems. Moreover, it must be guaranteed that the employer cannot access the data being processed by the company doctor. It is therefore crucial that the administrator of the absence system, and not the employer, provides the login codes. The DPA has indicated that it will not hesitate to take enforcement action if it suspects that absence administrators are not complying with the law.

Source: DPA, June 2015, z2012-00288. The letter to the administrators can be viewed here.

This article was co-written by Friederike van der Jagt.  
