Duty to report the loss of personal data

In future, providers of information services will be obliged by law to report the theft, loss or abuse of personal data. This is evident from a letter of State Secretary of Security and Justice Teeven and Minister of the Interior and Kingdom Relations Donner disclosing their privacy policy plans, as announced, for instance, in the coalition agreement. The Council of Ministers has agreed to sending the letter to the Lower House.

The regulation concerns an adjustment of the Personal Data Protection Act and will apply for instance to the Social Insurance Bank, the Tax and Customs Administration, the Employee Insurance Agency (UWV), banks and insurance companies. This therefore includes more service providers than just the providers of electronic communication networks and services for which a duty to report is currently being prepared through a change in the Telecommunications Act to improve the protection of personal data of subscribers or users.

In future, the Personal Data Protection Act (Wbp) will include a duty to report data leaks. Due to a security leak large quantities of personal data may wind up on the streets. In that case, the persons to whom the data pertain must be informed quickly, because their privacy is at risk. The incident will also be reported to the supervisory authority, the Data Protection Authority (Cbp).

The Cabinet will also make it possible to use personal data in life-threatening situations, if necessary overruling the duty of secrecy. This may concern very distressing cases of child abuse, for instance.

To strengthen the enforcement of the Personal Data Protection Act, the Data Protection Authority will have more powers to impose administrative fines, for instance for non-compliance with the duty to report data leaks. Such fines and the final report of findings of the Data Protection Authority will be open to objection and appeal.

The Cabinet wants to improve the protection of personal data. To achieve this the government will monitor the effectiveness of all new regulations applicable to the large-scale storage, linking and processing of personal data more closely.

The processing of personal data may enhance and improve the safety of citizens, for instance in the case of camera surveillance. To stimulate the use of camera monitoring, citizens and companies may keep the camera footage recorded for their own safety for four weeks instead of the current 24 hours, without prior notice to the Data Protection Authority. This gives them more time to report any criminal offences recorded or to take measures to improve their safety.

If it appears that existing regulations offer insufficient scope for structural and non-informal information exchange within network alliances, the Cabinet will propose new initiatives. In the Safety House, for example, partners from various disciplines (care providers, aid workers, local authorities, judicial authorities) work together and jointly determine, taking the severity of the abuse and the underlying problems into account, how the nuisance causing or criminal behaviour can best be tackled or prevented. This is only possible if the participating partners exchange relevant information at a local and national level. There will also be a privacy helpdesk for security and youth care professionals.