Dutch Data Protection Office fines the Dutch Ministry 565,000 Euros for data protection breaches.
May 3, 2022
The difference between Australian privacy regulation and the European regime under the General Data Protection Regulation is well known. The protections are greater under the GDPR than under Australia’s Privacy Act 1988, and the fines are much larger. That is made clear by the Dutch Data Protection Authority imposing a fine of 565,000 Euros on the Ministry of Foreign Affairs for violations of Articles 13(1)(e) and 32(1) of the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’).
The media release provides:
The Dutch Data Protection Authority (DPA) fined the Dutch Ministry of Foreign Affairs €565,000 for long-term, large-scale, serious infringements of the General Data Protection Regulation (GDPR) in its visa-issuing process.
NVIS, the digital system used by the Ministry of Foreign Affairs for the Schengen visa process, is inadequately secured. As a result, there is a risk that unauthorised persons could access and change files. Furthermore, the Ministry of Foreign Affairs failed to provide visa applicants with sufficient information about the sharing of their personal data with third parties.
In addition to imposing a fine, the DPA ordered the ministry to ensure an appropriate level of security (subject to a penalty of €50,000 per two weeks) and provide applicants with adequate information (subject to a penalty of €10,000 per week).
Inadequate security
The Ministry of Foreign Affairs has processed an average of 530,000 visa applications per year for the past three years. The personal data in all these applications is not sufficiently protected.
The personal data involved includes sensitive information, such as an applicant’s finger prints, name, address, country of birth, purpose of travel, nationality and photograph. Anyone applying for a visa is required to submit this data to the Ministry of Foreign Affairs.
In the words of DPA deputy chair Monique Verdier, ‘When physical and digital data security is insufficient, there is an increased risk of unauthorised staff being able to access and alter personal data and of other errors or abuses remaining undetected for too long. That can have a major impact on individuals.’
‘For example, a visa application could be wrongly refused as a result. And that could lead to a serious infringement of a person’s freedom of movement. To obtain visas, people are dependent on the Ministry of Foreign Affairs. Because of that dependence, the lack of data security is a very serious issue.’
The ministry has been aware of the security risks in its visa system for some time, but the DPA believes that it has not acted swiftly enough and has done too little.
Serious negligence
According to Ms Verdier, ‘Given that visa applicants are required to submit personal data, the Ministry of Foreign Affairs should have immediately taken the measures necessary to protect their data properly. Because the security of the system has been insufficient for so many years now, in our view the Ministry of Foreign Affairs has been – and remains – seriously negligent.’
Order subject to penalty for inadequate security
The DPA has instructed the ministry to ensure appropriate security is in place by, for example, introducing information-security policy for NVIS and conducting regular checks of user rights and data logging (registration of users and events in the system). The DPA has imposed an order subject to a penalty of €50,000 for every two weeks that the infringement continues (up to a maximum of €500,000).
Insufficient information
The DPA has also determined that the Ministry of Foreign Affairs failed to adequately inform visa applicants about the sharing of their personal data with other parties. The ministry is required by law to ensure transparency so that people know with whom the ministry is sharing their personal data.
This infringement, too, concerns sensitive data contained in hundreds of thousands of applications per year. As a consequence, the DPA has instructed the Ministry of Foreign Affairs to inform people properly and transparently about the processing of their personal data and specifically about which parties their data is being shared with.
The DPA imposed an order subject to a penalty of €10,000 for every week the infringement continues (up to a maximum of €300,000).
In the meantime, the ministry has adapted the information it provides to visa applicants, and in doing so has complied with this order within the time limit.
Open to objection
The fine and the orders subject to penalty were imposed on the Minister of Foreign Affairs because he is responsible for the ministry’s processing of personal data. The minister may lodge an objection to the DPA’s decisions.
The Authority found:
- a security plan: the Ministry did not have a security plan, so it was in violation of Articles 24 and 32(1) of the GDPR;
- physical security:
  - by not explicitly determining which parts of the IT infrastructure should be regarded as the critical infrastructure of the visa process, the Ministry acted in violation of Article 32(1) of the GDPR from at least 1 September 2018 until at least the spring of 2020;
  - failure to draw up emergency plans and to protect equipment against disruption of utilities from at least 1 September 2018, which is a violation of Article 32(1) of the GDPR;
  - the physical security of the areas in London where the visa process is worked on did not comply with Article 32(1) of the GDPR from 1 September 2018 to April 2020;
  - there were insufficient guarantees for the physical security of work in the NVIS in public spaces, and the Ministry has also not checked the effectiveness of its policy in this regard from at least 1 September 2018 to date, thus acting in violation of Article 32(1) of the GDPR;
- access rights:
  - no formal registration and deregistration procedures were in place from at least 1 September 2018 to 1 January 2022 regarding access rights to the NVIS, therefore violating Article 32(1) of the GDPR;
  - breaches of Article 32(1) of the GDPR regarding control of access rights to, and control of, the NVIS environment from at least 1 September 2018;
  - breaches of Article 32(1) of the GDPR through deficiencies in log files and a failure to regularly assess them and to have procedures in place;
- inadequate organisational measures to prevent unlawful data processing and deficiencies in procedures for reporting security incidents from at least 1 September 2018 to 13 October 2021; and
- an inadequate privacy statement regarding the sharing of personal data with third parties from at least 1 September 2018, which is a violation of Article 13(1)(e) of the GDPR.
A vulnerability analysis of the system had not been updated since 2015. In this day and age that is an eternity ago. The procedures for logging checks were wholly inadequate with logs that were created being incomplete and not identifying which employees accessed data.
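Two of the controls the DPA ordered, regular checks of user rights and of logging that identifies who accessed data, can be mechanised. The following is an added example, not code from the DPA decision or the Ministry; the log fields, account identifiers and file layout are assumptions, and the sample records are constructed.

```python
"""Audit of a visa-system access log and account register against two of the
Article 32(1) findings above: log records must identify the acting employee,
and deregistered staff must no longer hold access rights. Sample data is
constructed; field names (timestamp, user_id, action, record_id) are assumed."""
import csv
import io
from dataclasses import dataclass
from typing import List, Set

# Constructed sample access log. The second record has no actor recorded,
# which is the kind of incomplete logging the DPA criticised.
SAMPLE_LOG = """\
timestamp,user_id,action,record_id
2022-01-10T09:01:00Z,emp042,view,APP-1001
2022-01-10T09:02:30Z,,view,APP-1002
2022-01-10T09:05:12Z,emp017,update,APP-1003
2022-01-11T14:20:00Z,emp099,view,APP-1004
"""

# Constructed account register and HR deregistration list (assumed sources).
ACTIVE_ACCOUNTS: Set[str] = {"emp042", "emp017", "emp099"}
DEREGISTERED: Set[str] = {"emp099"}  # has left, so access should have been removed


@dataclass(frozen=True)
class Finding:
    control: str  # "logging" or "access-rights"
    detail: str


def audit_log_completeness(log_text: str) -> List[Finding]:
    """Flag every log record that does not say which employee acted."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if not row["user_id"].strip():
            findings.append(Finding("logging", f"no actor recorded for {row['action']} "
                                               f"on {row['record_id']} at {row['timestamp']}"))
    return findings


def audit_access_rights(active: Set[str], deregistered: Set[str], log_text: str) -> List[Finding]:
    """Flag accounts still active after deregistration, and any use of them in the log."""
    findings = [Finding("access-rights", f"{uid} deregistered but still holds access")
                for uid in sorted(active & deregistered)]
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["user_id"] in deregistered:
            findings.append(Finding("access-rights", f"{row['user_id']} used the system after "
                                                     f"deregistration ({row['action']} on {row['record_id']})"))
    return findings


def run_audit() -> List[Finding]:
    return audit_log_completeness(SAMPLE_LOG) + audit_access_rights(ACTIVE_ACCOUNTS, DEREGISTERED, SAMPLE_LOG)


if __name__ == "__main__":
    for f in run_audit():
        print(f"[{f.control}] {f.detail}")
```

Run on the real export in place of SAMPLE_LOG and the register, the same two checks give a repeatable record that the ordered periodic review was actually performed.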
Protocols that contain only general advice, without procedures specifically designed for particular systems, are inadequate.
The Authority was rightly concerned that visa applicants were insufficiently informed about how their data would be processed and who it would be shared with.
Under the GDPR the transparency principle is important, particularly full transparency when sharing personal data with third parties.