Data leak at Covid testing call center under investigation

The Dutch data protection authority AP is investigating whether health service GGD is complying with privacy rules with its coronavirus test line, the call center where Netherlands residents can book a Covid-19 test and which calls with their results. This follows stories of former employees still having access to personal data, even after they left the call center, Trouw reports.

The GGD coronavirus test line is outsourced to Teleperformance, an international call center company based in France. According to the newspaper, call center employees still had access to CoronaIT, the GGD's digital registration system for coronavirus data, even after they stopped working for the call center. AP now wants to know what happened.

The GGD told Trouw that all call center employees sign a contract stating that they are only allowed to view data that is necessary for their work, for example when making a test appointment or providing test results. If they access data when not necessary for their work, they are in violation of the privacy act and may be reported to the authorities.

The health service also said that it had little choice but to outsource the test line. "Since 1 June, everyone can have themselves tested for the coronavirus. That meant thousands of phone calls a day. We do not have the right infrastructure and systems for this, so we outsourced this work to Teleperformance. They are one of the largest and fastest call centers in the Netherlands," a spokesperson said to the newspaper.

According to trade union FNV, the GGD spends far too little time training employees on how to handle privacy-sensitive data. "The training courses are brief," spokesperson Elly Heemskerk said to Trouw. "Employees often don't know how to act and therefore ask each other via a WhatsApp group with 250 members."