Handling personal data with care
In the Netherlands, the existing Data Protection Act (in Dutch: Wbp) will be replaced by the European GDPR (in Dutch: AVG). ‘Businesses have been given time since May 2016 to set up their operational processes in such a way as to comply with the new legislation as of 25 May 2018. This means there is no transition period and the regulation will enter into force with immediate effect. We started preparations on time and have just made the last few adjustments,’ says Max Booleman, Data Protection Officer at CBS. He monitors whether CBS handles personal data with care and keeps a register of all data processing that takes place within CBS: the ‘privacy accounts’. ‘It only took minor adjustments to our existing register in order to achieve full compliance with GDPR requirements.’
In order to fulfil its legitimate task, CBS collects and processes data for the production of official statistics. As soon as data are received, CBS removes all direct personal identifiers. CBS conducts statistical research using these so-called pseudonymised data. Eric Schulte Nordholt, statistical researcher and closely involved with privacy protection at CBS: ‘We only publish statistical information if it cannot be traced back to individuals and if the information satisfies the toughest requirements regarding data protection. This is reviewed annually by an external organisation and results in a privacy-proof statement.’ Even after the GDPR is enforced, CBS will have an external audit carried out to assess whether it meets all the requirements of the new regulation.
Not much will change for CBS with the introduction of the new European privacy legislation, according to Booleman: ‘We have had to revise some phrasing on the CBS website. Furthermore, the GDPR places more emphasis on transparency. For CBS this means being very clear about its working methods, which data are available to CBS and why.’ An important difference between the old and the new legislation is that the GDPR is applied more strictly to a number of registrars in the process of personal data collection. ‘Over the past few months, we have often received quite appropriate questions from registrars, for example whether they are allowed to provide certain data and how CBS deals with them.’ In this context, the CBS website now includes a more general explanation which also refers to the privacy audit proof certification and the ISO 27001 certification. Vice versa, CBS also pays particular attention to the datasets it receives by verifying whether the supplying party is allowed to possess such data.
Well before the implementation of the GDPR, CBS received all sorts of enquiries from Dutch ministries, government agencies and other European statistical offices. Schulte Nordholt advises national and international (governmental) organisations on such matters, mainly in the area of methodology. ‘A country like Germany was quick to pick up on the new privacy legislation, but a small country like Lithuania found it to be a challenge as the statistical authority has relatively few staff. If public authorities in the Netherlands do not fully comply with the new regulation, the Dutch DPA (Data Protection Authority) may impose high penalties: up to 4 percent of annual turnover’.
CBS complies with the strictest privacy requirements
CBS has complied with the strictest privacy requirements for many years. For example, it adheres to the privacy-related stipulations in the Statistics Netherlands Act and the European Statistics Code of Practice. In addition, CBS has been ISO 27001 certified in the context of information security requirements and certified privacy proof in the context of privacy requirements. As of last week, CBS is the first statistical office in Europe which demonstrably complies with the European security framework.