Articles

Dutch Data Protection Authority imposes strict security requirements on absence management systems

Dutch Data Protection Authority imposes strict security requirements on absence management systems

Dutch Data Protection Authority imposes strict security requirements on absence management systems

07.01.2016

The Dutch Data Protection Authority (“DPA”) conducted an investigation recently into the security of the absence management systems Humannet Starter and Humannet Absence (“the absence systems”), both are staff absence management software solutions of IT company Humannet B.V. (“Humannet”). Humannet’s customers (employers and those companies offering occupational health and safety services) use these software solutions for absence management of employees, including their re-integration following a sick leave period.

 

For the purpose of absence management, medical data of employees are processed via these absence systems, and it is important for these data to be well protected. During a broadcast of the Dutch television programme ZEMBLA in 2012, it was evident that there had been a data leak in Humannet’s absence systems. After the broadcast, the DPA made enquiries at Humannet promptly and then launched an investigation into the leak. The DPA concluded that Humannet’s absence systems did not have an appropriate level of data security in place.

According to Article 1 of the Dutch Data Protection Act, Humannet’s customers (i.e., the employers and those offering occupational health and safety services) can be qualified as data controllers for the processing of employee absence data. After all, Humannet’s customers determine the purpose of the processing (absence management) and the means (the use of the absence systems) to achieve this purpose. Humannet qualifies as a data processor because the absence systems run on its self-managed servers. Further, Humannet has access (and can give third parties access) to the medical data it holds, and it can alter or delete the data. An element of managing the absence systems is the security thereof. The DPA emphasized that Humannet, as a data processor, has an active role in data security especially since specialized expertise concerning the complex automation of data is necessary. The customers’ lack or absence of such expertise is the very reason why they hire specialized data processers. The DPA states: “This active role involves responsibilities that it [the data processor] needs to fulfil actively, for instance in respect of sufficiently securing the processing of data that it manages or performs for the data controller.” Therefore, Humannet, despite being a data processor, is required to contribute to providing adequate data security actively for the absence systems in which medical data are being processed, and it should do this according to the appropriate technical and organizational measures as laid down in Article 13 of the Dutch Data Protection Act.

In its report, the DPA set out which appropriate technical measures Humannet must adopt. Humannet was obligated to apply so-called “multiple factor authentication” to all its customers. Humannet’s systems were previously accessible by merely logging in with a user name and password (“one factor authentication”). Humannet had to add an extra factor, like a token, a smartcard (a personal access card), or a biometric characteristic to enable a person to prove his or her identity using another manner before gaining access to the absence system. Humannet must also continuously identify and list security risks. According to the DPA, Humannet must perform penetration tests and/or security scans several times a year. In doing so, vulnerabilities in the absence systems can be promptly identified and resolved. In response to the DPA’s report, Humannet decided to offer its customers “multiple factor authentication”, but it did not make this an element of its standard service. Furthermore, an audit was only performed once a year, and the results thereof were not properly addressed. The DPA therefore concluded that Humannet had violated Article 6 of the Dutch Data Protection Act, which states that personal data must be processed in a proper and careful manner and in accordance with the law, because Humannet did not take appropriate security measures, it failed to comply with Article 13 of the same Act, and therefore the processing of data was improper and careless.

For the definition of security measures, the DPA refers to the following as guidelines: its own Beveiliging van persoonsgegevens (Security of personal data, only available in Dutch), as well as the Code voor Informatiebeveilging (Code on Information Security (NEN-ISO / IEC 27002 2007 nl), the ICT-beveiligingsrichtlijnen voor webapplicaties (ICT security guidelines for web applications, only available in Dutch) issued by the National Cyber Security Centre, and the Betrouwbaarheidsniveaus voor authenticatie bij elektronische overheidsdiensten (Reliability levels for authentication at electronic government service departments, only available in Dutch) issued by the Forum Standardization.

Noteworthy is that the security guidelines from other industries and security guidelines whose accessibility is conditional on payment were referred to by the DPA in its interpretation of Article 13 of the Dutch Data Protection Act. Controllers and processors therefore need to be aware of security guidelines besides those that are relevant for their respective industry when considering security measures.

Meanwhile, Humannet has implemented the necessary adjustments, and the DPA has decided to not take enforcement action. The investigation gave the DPA cause to send letters to 53 administrators of absence systems, drawing attention to the appropriate interpretation of the security requirements under the Data Protection Act. The letter, in addition to the investigation, states explicitly that if an administrator wants to test or develop its system further, no medical data can be used for that, but only dummy or anonymized data. Furthermore, the risks of the open fields in the system must be addressed. In these open fields, an employer may specify information on the nature and cause of the employee’s illness. However, an employer is not allowed to process such data. To prevent such processing, the DPA has warned against building open fields into the systems. Moreover, it has to be guaranteed that the employer cannot access the data that are being processed by the company doctor. It is therefore crucial that the administrator of the absence system—and not the employer— provide the login codes. The DPA has indicated that it will not hesitate to take enforcement action if it suspects that absence administrators are not complying with the law.  

 

Source: DPA June 2015, z2012-00288, click here.The letter to the administrators can be viewed here.

 

This article was co-written by Friederike van der Jagt.  

 

Click here for a PDF version of the 52nd edition of our ICT Law Newsletter

Related news

12.10.2018 BE law
Ignace Vernimme and Michiel Van Roey speak on IP rightsduring Agoria's Research & Standardization Event

Speaking slot - On Thursday 25 October, Agoria's Regulatory and Standardization Expertise Center organizes its 5th information day about regulations and standards for topics including international trade, privacy and contract law, transport, Internet of Things and blockchain, eHealth, ... at regional, national and European level.

Read more

11.10.2018 NL law
Stibbe hosts NGB Extra Seminar about product development and counsel’s role at the interface of new technology and law

Seminar - On 11 October 2018, Stibbe will host the NGB (Dutch Association of Corporate Lawyers) Extra Seminar.  IT/IP lawyers Judica Krikke, Jasper Klopper, Marc Spuijbroek and Frederiek Fernhout will discuss the practical aspects of the development of innovative new products. 

Read more

12.10.2018 NL law
Tim Berners-Lee's Solid proposal: the future of data traffic?

Short Reads - The General Data Protection Regulation (GDPR) aims to strengthen the rights of individuals in respect of their personal data. Although this aim has been achieved to a certain extent, the fundamental framework of the way personal data is processed remains unchanged. Companies are still able to use large amounts of user data, in many cases without even obtaining their consent. Tim Berners-Lee, the inventor of the World Wide Web, has announced his plans for a decentralised web, in which users remain in control of their personal data.

Read more

10.10.2018 NL law
Ongevraagd advies Raad van State: normering van geautomatiseerde overheidsbesluitvorming

Short Reads - Op 31 augustus 2018 heeft de Afdeling advisering van de Raad van State (hierna: "Afdeling advisering") een 'Ongevraagd advies over de effecten van de digitalisering voor de rechtsstatelijke verhoudingen' betreffende de positie en de bescherming van de burger tegen een "iOverheid" uitgebracht. Het gebeurt niet vaak dat de Afdeling advisering zo een ongevraagd advies uitbrengt. Dit onderstreept het belang van de voortdurend in ontwikkeling zijnde technologie en digitalisering in relatie tot de verhouding tussen de overheid en de maatschappij.

Read more

Our website uses cookies: third party analytics cookies to best adapt our website to your needs & cookies to enable social media functionalities. For more information on the use of cookies, please check our Privacy and Cookie Policy. Please note that you can change your cookie opt-ins at any time via your browser settings.

Privacy – en cookieverklaring