The Social Insurance Bank (SVB) has been fined 150,000 euros because its telephone helpdesk inadequately checked callers' identities over a long period. As a result, the privacy of callers was not sufficiently protected for years, the Dutch Data Protection Authority (AP) has determined. The AP also ruled that privacy risks were not properly identified.
In 2019, the regulator received a complaint from a woman after a family member had requested information about her benefit. That family member was not entitled to the information, but was given it anyway. Initially, the AP did nothing with the complaint, but after an objection from the woman, an investigation was started.
Control questions easy to figure out
As a result of that investigation, the Authority concludes that employees of the SVB helpdesk did not properly check the identity of callers. Control questions were often about a person’s first name, address or zip code. These are data that can easily be retrieved by outsiders.
There were also insufficient checks on whether the employees of the telephone helpdesk complied with the control policy. Employees were insufficiently informed of the importance of the secure management of personal data. The violations lasted from May 2018 to May 2022.
The SVB is pleased with the report. “It is true. It is a lesson that we have taken up and learned from,” says a spokesperson.
Initially, the fine amounted to 310,000 euros. Because the SVB took measures quickly, this was reduced to 150,000 euros. “We have tightened up the audit questions. We have also worked on awareness within the organization so that employees know what to look out for and understand the importance of privacy,” says the spokesperson.
A new, unambiguous work instruction has been created so that employees know how to check whether a caller is who they claim to be. The work instruction will be evaluated every two years.