GGD surprised by reports of increased supervision from privacy authority
The Dutch data protection authority is placing health service GGD under "stricter supervision" after reports of large-scale data theft from the health service's coronavirus test systems, a spokesperson said to Nieuwsuur on Thursday evening. The GGD is surprised to hear about this, Andre Rouvoet of umbrella organization GGD GHOR Nederland said to NOS.
Earlier this week, two GGD call center employees were arrested for offering lists with data of people who had been tested for Covid-19 for sale on Telegram. NOS reported that employees were able to download and share such lists since April last year. RTL Nieuws reported that GGD employees raised privacy concerns with the organization for months, but the GGD management ignored these concerns.
A spokesperson for AP called these reports worrying. "In future, the GGD will have to demonstrate, among other things, what it has done with the critical questions of the AP and which adjustments they have made," the spokesperson said to Nieuwsuur.
GGD GHOR Nederland "knows nothing" about stricter supervision from the AP, Rouvoet said to NOS on Friday. "Neither the umbrella organization, nor the director of the 25 GGDs received a message about this," he said. "Stricter supervision is a legal term, of which you normally inform someone in advance.
Rouvoet said he had contact with the AP. "In those conversations it was confirmed to me that the AP does not have the legal instrument of stricter supervision. And I also said: if the AP needs a penetrating conversation: anyplace, anytime."
Parliamentarians are shocked by how little attention the GGD paid to protecting Dutch citizens' privacy, and by Health Minister Hugo de Jonge's "nonchalant" explanation that the GGD did everything that could be expected and that theft could not be prevented.
"This is unbelievable, isn't it?" PvdA parliamentarian Attje Kuiken said to RTL Nieuws. "The fact that criminals have access to the data of millions of Dutch people is already very bad, but that the GGD has been pushing signals about it under the carpet for months is downright scandalous." According to the party, De Jonge can no longer push this aside with an "explanation full of untruths". The PvdA wants a debate.
"Minister De Jonge has paid far too little attention to the data security of millions of Dutch people," D66 parliamentarian Kees Verhoeven said to the broadcaster. He accused De Jonge of "misplaced self-confidence" and "nonchalance".
The SP thinks De Jonge deliberately "downplayed" the privacy problems with the GGD's coronavirus databases. "There has been large-scale theft of personal data and that should and could have been prevented," parliamentarian Maarten Hijink said. "People must be able to be sure that your citizens registration number will not be sold when you come to the testing center.'
GroenLinks wants clarification quickly. "This is incomprehensible," MP Suzanne Kroger said to RTL. "We want to know from the Minister exactly how this could happen and what went wrong here."