Perhaps surprisingly, the Dutch are among the worst-performing European countries during the current COVID-19 pandemic. With its vaccination program struggling to gather speed, Minister of Health Hugo de Jonge is increasingly under fire. With public trust being key for any successful governmental policy in battling a pandemic, a recent scandal on the online sale of personal data is most unwelcome.

On Jan. 25, RTL News discovered widespread trade in the personal data of COVID-19 test subjects. With their personal data registered in the two main IT systems of the Municipal Health Services — known as the GGD — at least two employees maliciously downloaded the data. Apparently, over the course of the previous months, the data was offered for sale on various large chat groups on services such as Telegram, Snapchat and Wickr. Two GGD employees were arrested, though it is unclear whether they in fact managed to sell the data.

The illegality of the actions, as well as their highly detrimental effects on public trust in an already strained public health care system, are obvious. But next to the concrete damage of the theft, the scandal also revealed a fundamental lack of respect for and understanding of privacy law in both public institutions and Dutch politics.

First, the ease with which the employees were able to steal the data was staggering. An export function within one of the two programs allowed employees to download large data sets, while their identity wasn’t logged. Next to the subject’s name, the exportable data included address, social security number, test results, and possibly additional medical details. Furthermore, the systems allowed for a virtually unrestricted search across the database by many employees, greatly beyond the data they required for the execution of their tasks. Whereas over the course of the past months various employees had pointed out these problems, this was ignored by executives.

Understandably, the public outcry was palpable. While a large number of phone calls by worried citizens made the Dutch Data Protection Authority difficult to reach for a while, Minister of Health Hugo de Jonge gave an account in the Dutch parliament.

The debate revealed a more fundamental problem on privacy legislation: De Jonge’s answers were a mix of truths, half-truths and falsehoods, downplaying the scope of the incident and general vulnerabilities of the system. Just as disconcerting, however, was the lack of the parliament to hold the minister accountable. Questions asked by members of Parliament were in general non-specific, irrelevant or outright unrelated to the issue at hand. This was not due to a lack of importance attached to the issue, but a clear lack of knowledge.

This needs to change soon.

If anything, the shock of this incident, unprecedented both in scope and timing, should stress the current general lack of compliance with data privacy laws throughout most organizations. It is naïve to scapegoat a small number of people at the institutions involved and to then believe the problem has been solved.

Organizations, and especially those which process sensitive data, should be much more proactive in ensuring compliance with privacy legislation. Obviously, alarm signals from employees should never be ignored. Finally, politicians should take a more active role in monitoring progress and compliance with privacy standards, both by public institutions and private organizations. In order to be able to do so, political parties should acknowledge the importance of the subject in the selection of its members of Parliament.

At the peak of a global pandemic, the Dutch lesson is a costly one, so it should not go to waste.

Photo by Leif Niemczik on Unsplash