Zuid-Holland closes data leak after nearly two years

The province of Zuid-Holland has all but resolved a data leak that has caused problems for nearly two years. The issue involved an internal system containing around 50 million documents, many of which included sensitive personal information. In September 2023, the province was alerted that employees had access to data they should not have been able to view, such as personal details, salary specifications, and criminal records.

Since then, Zuid-Holland has been under increased supervision by the Dutch Data Protection Authority (AP). As part of this oversight, the province is required to provide quarterly updates on its progress in improving data security.

At the end of last year, the AP threatened sanctions, criticizing the province for not acting quickly enough to resolve the issue. “The longer the data leak continues, the greater the risk that personal information ends up in the wrong hands,” the authority said at the time.

The province has now adjusted access permissions for “the vast majority” of the documents, ensuring that only staff with a relevant need can view them. “A small number of final, limited issues remain in the cleanup, which will be addressed in the coming weeks,” the Provincial Executive said.

Zuid-Holland has said that there are no indications that "anyone other than its own employees" was able to access the documents. The Provincial Executive previously stated it expects the data leak to have "little to no impact" on residents and businesses.

Zuid-Holland also faced a data breach in 2019. The provincial government decided to allocate 23 million euros for an “information transition” as a result of this, but implementation has only just begun. Among other things, Zuid-Holland aims to replace the outdated information system, where the breach occurred, with a modern one.

The AP has also instructed Zuid-Holland to improve its so-called privacy maturity level, which measures how an organization handles personal data and privacy. On a scale from 1 to 5, the province currently scores between 1 and 1.5, while it should be at least a 3.

As a result, all civil servants are now required to complete an e-learning course. However, about 25 percent of the 2,500 employees have not yet taken the course. The official overseeing compliance with privacy laws has advised the province to impose consequences in cases of "persistent refusal."