CBS tightens criteria for remote access to CBS databases

/ Author: Miriam van der Sangen
Woman behind computer
Statistics Netherlands (CBS) asked a committee of independent scientific experts to investigate external researchers’ use of remote access to consult CBS’ databases. The committee’s study showed that, although CBS’ remote access provision satisfies current security and privacy standards, security and privacy must continue to be prioritised in order to safeguard that situation for the future. In view of those findings, CBS will bring in a stricter policy as of 1 August 2021.

Unique authorisation regulated by law

CBS collects government administrative data on Dutch citizens and enterprises for the mandatory production of official statistics. To this end, CBS has been given a unique mandate under Dutch law. CBS removes all individual identity description elements from the data as soon as possible and stores them in a highly secure manner. ‘CBS uses these data, known as microdata, to produce public statistics,’ says Ruben Dood, Director of Policy-related Statistics and Microdata Services at CBS, ‘but – under strict conditions – scientific researchers at Dutch universities and knowledge institutions can also gain access to these privacy-sensitive microdata in a secure environment, using remote access. Almost 200 organisations are currently accessing these data for their research.’

The value of CBS data to society

Under the Dutch Statistics Netherlands Act, CBS can grant access to microdata for statistical or scientific research purposes, with the aim of optimising the social value of CBS data as much as possible. Access is structured in such a way that authorised external researchers can only consult the microdata within CBS’ secure online environment, using a remote access facility. This means that CBS can maintain maximum control over the intended uses, privacy and information security. ‘The number of users of these microdata has increased significantly in recent years,’ says Ruben Dood. ‘What’s more, technological ways to circumvent security measures are becoming ever more sophisticated. The General Data Protection Regulation (GDPR) also sets requirements for the protection of personal data. Those are the reasons why CBS asked an independent research committee to provide clarity about potential risks.’

‘The number of users of microdata has increased significantly in recent years’

Final report

In 2020, the research committee, which is chaired by Bibi van den Berg, professor in Cyber Security Governance at Leiden University, delivered its final report on the findings relating to remote access to CBS databases. ‘There were two key conclusions,’ Ruben Dood explains. ‘First, microdata services are now an integral part of day-to-day practice in the scientific world. Secondly, the committee concluded that CBS’ current IT processes and privacy protection are sufficient. However, the committee made some recommendations for the future, which we used to start an internal discussion at CBS about how we weigh up the types of risks that may be associated with remote access in terms of users, processes, procedures, data and IT.’ According to Erik Bruinsma, Director of Strategy and Management Advice at CBS, ‘The change is based on the principle that statistical and scientific research should be top priorities and that institutions should therefore comply with scientific standards, one of the most important of which is publishing research findings.’

European privacy legislation

The discussion of remote access at CBS was not only founded on the research committee’s recommendations. ‘We also looked at the Statistics Netherlands Act and the European privacy legislation (GDPR) and decided to bring our policy more into line with those laws,’ Bruinsma explains. ‘That led us to make certain adjustments to the policy. The conditions for organisations that gain access to microdata have been made more explicit and transparent, to emphasise the importance of citizens’ and businesses’ privacy. This means that, from now on, our databases will only be accessible to universities, knowledge institutions and organisations from countries with a similar level of privacy protection to the GDPR. Organisations from countries that do not have that level of privacy protection will retain access until their current authorisation expires, but will no longer be eligible for a new authorisation.’ Bruinsma stresses how important it is to find the right balance between privacy and information security on the one hand and social and scientific value on the other. ‘CBS will continue to bear that in mind.’

New policy

The microdata user council was also consulted on the policy updates intended to make sure that remote access to microdata is secure in the future. ‘The user council in particular had some concerns,’ says Ruben Dood. ‘They felt that applying for remote access to microdata was already a bureaucratic process, and that it could become even more so under the new policy. In this instance, CBS decided to prioritise security over ease of use.’ CBS’ Advisory Board recognises the importance of reviewing the policy on access to microdata. The new policy will enter into force on 1 August 2021 and will be widely publicised, for instance in the Dutch Government Gazette. CBS will also write to all the institutes that currently have remote access to the microdata to inform them about the new policy.

Doing research using CBS microdata
Microdata are traceable data about individuals, businesses and addresses that universities, scientific organisations, public policy institutes, research institutes and statistical bodies in the Netherlands and the European Union can use – under strict conditions – to do their own statistical research. Safeguarding privacy and preventing the exposure of people and business are the key principles in granting access, and applicants must take certain steps in order to gain that access. To find out more about the application process, please click here.