Privacy Audit Proof certificates Statistics Netherlands

/ Author: Masja de Ree
PricewaterhouseCoopers (PwC) has recently carried out independent audits of fourteen statistical processes at Statistics Netherlands (CBS). CBS was found to comply with all the standards governing safe handling of data and privacy-sensitive information and will receive a Privacy Audit Proof certificate for these fourteen processes, thereby occupying a unique position among Dutch government institutions.

Meeting all standards

‘CBS handles huge quantities of data on individuals in order to produce statistics’, says Max Booleman, Data Protection Officer at CBS. ‘We must treat these with great care and we take many appropriate measures to that effect.’ Booleman is responsible for ensuring that the privacy of individuals remains guaranteed during the process of compiling statistics. ‘Having an external body look at our working methods gives us even more certainty.’ PwC conducted the audit based on the standards laid down by the Dutch Data Protection Authority and found CBS to comply with all of them.

Safe operation

Making personal data secure is not merely a question of having a secure IT infrastructure in place. It is also a matter of following correct operational procedures. How do staff handle data? How does CBS ensure that information cannot be traced back to individuals? Who have access to which information? How do you prevent unauthorised access to the building? All these issues were under investigation during the audit.

More and more data

In order to ensure safe handling of all data and privacy-sensitive information, CBS has adopted three points of departure. Booleman: ‘To begin with, we remove any directly identifiable personal data from databases as soon as we receive them, such as Burgerservicenummers (personal ID numbers). Second, we make sure that staff only have access to the files they need to work on. Finally, we never keep files which we are no longer using. For example, we receive information from the tax authorities; as soon as that has been processed, the source file will be destroyed. This prevents proliferation. We use the same three points of departure to handle the growing volume of big data at CBS.’

Awareness and transparency

For the departments concerned, the audit was an intensive procedure. Ms. Irene Salemink, director at the department maintaining business registers, explains: ‘We were very well-prepared. During the audit, staff were interviewed and the audit committee was checking whether we actually do as we say we do. It was an intensive and exciting process. Moreover, it has led to a great many new insights. The audit process has led to even higher awareness and further transparency within our department. We find this extremely important. Data volumes are forever increasing, and so is the complexity. This makes it particularly important to maintain a manageable overview and ensure permanent protection of company and personal privacy.’