
Dutch Data Protection Authority imposes strict security requirements on absence management systems

07.01.2016

The Dutch Data Protection Authority (“DPA”) recently conducted an investigation into the security of the absence management systems Humannet Starter and Humannet Absence (“the absence systems”), both staff absence management software solutions of the IT company Humannet B.V. (“Humannet”). Humannet’s customers (employers and companies offering occupational health and safety services) use these software solutions for the absence management of employees, including their re-integration following a period of sick leave.

For the purpose of absence management, medical data of employees are processed via these absence systems, and it is important for these data to be well protected. During a broadcast of the Dutch television programme ZEMBLA in 2012, it became evident that there had been a data leak in Humannet’s absence systems. After the broadcast, the DPA promptly made enquiries at Humannet and then launched an investigation into the leak. The DPA concluded that Humannet’s absence systems did not have an appropriate level of data security in place.

According to Article 1 of the Dutch Data Protection Act, Humannet’s customers (i.e., the employers and those offering occupational health and safety services) qualify as data controllers for the processing of employee absence data. After all, Humannet’s customers determine the purpose of the processing (absence management) and the means (the use of the absence systems) to achieve this purpose. Humannet qualifies as a data processor because the absence systems run on its self-managed servers. Further, Humannet has access (and can give third parties access) to the medical data it holds, and it can alter or delete the data. Securing the absence systems is an element of managing them. The DPA emphasized that Humannet, as a data processor, has an active role in data security, especially since specialized expertise concerning the complex automation of data is necessary. The customers’ lack of such expertise is the very reason why they hire specialized data processors. The DPA states: “This active role involves responsibilities that it [the data processor] needs to fulfil actively, for instance in respect of sufficiently securing the processing of data that it manages or performs for the data controller.” Therefore, Humannet, despite being a data processor, is required to contribute actively to adequate data security for the absence systems in which medical data are processed, and it must do so by means of the appropriate technical and organizational measures laid down in Article 13 of the Dutch Data Protection Act.

In its report, the DPA set out which appropriate technical measures Humannet must adopt. Humannet was obligated to apply so-called “multiple factor authentication” for all its customers. Humannet’s systems were previously accessible by merely logging in with a user name and password (“one factor authentication”). Humannet had to add an extra factor, such as a token, a smartcard (a personal access card), or a biometric characteristic, so that a person proves his or her identity in a second manner before gaining access to the absence system. Humannet must also continuously identify and list security risks. According to the DPA, Humannet must perform penetration tests and/or security scans several times a year, so that vulnerabilities in the absence systems can be promptly identified and resolved. In response to the DPA’s report, Humannet decided to offer its customers “multiple factor authentication”, but it did not make this an element of its standard service. Furthermore, an audit was only performed once a year, and its results were not properly addressed. The DPA therefore concluded that Humannet had violated Article 6 of the Dutch Data Protection Act, which states that personal data must be processed in a proper and careful manner and in accordance with the law: because Humannet did not take appropriate security measures, it failed to comply with Article 13 of the same Act, and the processing of data was therefore improper and careless.

For the definition of security measures, the DPA refers to the following as guidelines: its own Beveiliging van persoonsgegevens (Security of personal data, only available in Dutch), as well as the Code voor Informatiebeveiliging (Code on Information Security, NEN-ISO/IEC 27002:2007 nl), the ICT-beveiligingsrichtlijnen voor webapplicaties (ICT security guidelines for web applications, only available in Dutch) issued by the National Cyber Security Centre, and the Betrouwbaarheidsniveaus voor authenticatie bij elektronische overheidsdiensten (Reliability levels for authentication at electronic government services, only available in Dutch) issued by the Forum Standardization.

It is noteworthy that, in interpreting Article 13 of the Dutch Data Protection Act, the DPA referred to security guidelines from other industries and to security guidelines that are only accessible against payment. When considering security measures, controllers and processors therefore need to be aware of security guidelines beyond those relevant to their own industry.

Meanwhile, Humannet has implemented the necessary adjustments, and the DPA has decided not to take enforcement action. The investigation gave the DPA cause to send letters to 53 administrators of absence systems, drawing attention to the appropriate interpretation of the security requirements under the Data Protection Act. The letter, in addition to the investigation, states explicitly that if an administrator wants to test or further develop its system, no medical data may be used for that purpose, only dummy or anonymized data. Furthermore, the risks of open fields in the system must be addressed. In these open fields, an employer may enter information on the nature and cause of the employee’s illness. However, an employer is not allowed to process such data. To prevent such processing, the DPA has warned against building open fields into the systems. Moreover, it must be guaranteed that the employer cannot access the data that are processed by the company doctor. It is therefore crucial that the administrator of the absence system—and not the employer—provides the login codes. The DPA has indicated that it will not hesitate to take enforcement action if it suspects that absence administrators are not complying with the law.

Source: DPA, June 2015, z2012-00288 (investigation report and the letter to the administrators).

This article was co-written by Friederike van der Jagt.

A PDF version of the 52nd edition of our ICT Law Newsletter, in which this article appeared, is available.
