The Dutch Data Protection Authority has imposed a fine of €150,000 on the Social Insurance Bank (SVB) for inadequate identity checks at its telephone helpdesk, which enabled a data breach of privacy-sensitive information.
In 2019, a complaint was filed with the privacy supervisor after it was discovered that privacy-sensitive information about SVB clients could be obtained via the telephone helpdesk without a proper identity check.
The regulator found that the SVB had not established clear rules for the provision of information due to the high volume of customer interactions – an average of 20,000 per week. Furthermore, the system for verifying callers’ identity was inadequate, and the SVB had not sufficiently monitored whether service employees adhered to the inspection policy. The violations lasted from May 2018 to May 2022.
The SVB has now taken measures to address the issue. A new, unambiguous work instruction has been implemented to ensure that service employees check the identity of callers correctly. The new policy is evaluated every two years. The amount of the fine has been reduced from €310,000 to €150,000.