Dutch Tax Authority violating privacy law and struggling to fix it: report
The Tax Authority still does not comply with the most basic requirements of the privacy law, the General Data Protection Regulation (GDPR), more than five years after it took effect. And its current approach to fixing the privacy violations and complying with the law by 2027 won’t work, NRC reports, based on an evaluation by an internal research team of the Tax Authority.
The GDPR, in force since May 2018, requires organizations to be transparent about exactly what data they store and for what purpose. The data must be accurate and up to date; an organization may not keep more data than strictly necessary and must delete information as soon as it is no longer needed.
The evaluation, published in July after a team of Tax Authority employees researched the matter for six months, states that the Tax Authority still has far too little control over the citizens’ data in its possession. For most work processes, it is unclear which personal data are processed, there is no policy to recognize and correct errors in the personal data, and outdated data is often not archived or destroyed in time. The “basis for compliance” with the GDPR is missing, the evaluation states.
The Tax Authority also does not keep track of which employees have access to which data, violating the law’s “need to know” principle. It takes too little account of citizens’ privacy rights, including the right to inspect, correct, and delete data. And new applications are not built to comply with the privacy rules (privacy by design), the evaluation states.
The internal conclusions are all the more painful because, of all government services, the Tax Authority holds the most personal data on Dutch citizens. It registers financial data such as income, debt, and assets, but also information about family relationships, criminal records, health, religion, trade union membership, property, childcare, bankruptcies, severance payments, nationalities, and even usernames for online gambling sites.
Moreover, the evaluation raises major doubts about the Tax Authority’s current plan to fully comply with the GDPR from 2027. The plan is to test all 791 business processes before the end of 2024 and then remedy the privacy shortcomings process by process. But the evaluators think that approach won’t work. The checklists used to test the processes are incomplete, don’t address all aspects of the privacy law, and don’t identify the greatest risks. According to NRC, internal Tax Authority information also shows that, although the project has already been running for three years, only 40 of the 791 processes have been tested to date.
The Ministry of Finance told NRC that complying with the GDPR is “complex” and “consists of more than just testing business processes.” Employees are also receiving awareness courses about using personal data responsibly, for example. “It is true that GDPR compliance is an extensive process that takes time and capacity and, therefore, also demands a lot from the organization. The Tax Authority feels the urgency to get this in order as quickly as possible, in addition to carrying out all regular work.”