The Dutch data protection authority (AP) has sent a letter to GGD GHOR Nederland, the central office of public clinics, ordering additional measures to better protect personal data processed in relation to the COVID-19 pandemic. Following a data breach in January 2021, in which personal data processed in relation to the pandemic was stolen, the AP announced that it would intensify its surveillance of GGDs that process personal data on large numbers of individuals for testing, vaccination, and source and contact research.
As a result of its investigation, the AP found, among other things, that allowing employees to use personal work equipment, combined with the ability to log into the administrator’s IT systems outside a secure work environment, creates data security risks. The AP also pointed out that failing to update or revoke authorisations to access personal data when they are no longer necessary to perform work tasks increases the risk of breaches.
The AP recommended, among other things:
- recording contracts with entities responsible for IT security and personal data protection issues,
- defining roles and responsibilities with regard to granting authorisations to access personal data,
- continuous assessment of authorisations,
- regular inspection of IT system log files.