The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) has found that municipalities have been collecting more personal data than is necessary for the performance of their tasks under the social support act (Wet maatschappelijke ondersteuning, Wmo) and the youth act (Jeugdwet). It concerns the method in which two municipalities (of Nijmegen and of Zaanstad) process the personal data in a so-called self-reliance matrix (zelfredzaamheidsmatrix, ZRM).
ZRM is an instrument used to measure how self-reliant people are. Municipalities use the content during conversations that they have with residents for the purpose of determining the support and care that the residents may need (keukentafelgesprekken). ZRM contains a broad scope of data, including sensitive data relating to the physical and mental health of the residents, data concerning their financial situation, and any criminal convictions and offences. The AP has found that collecting such (sensitive and) extensive data is not necessary in order for municipalities to determine what care residents may be in need of. ZRM therefore contains data that is disproportionate, unnecessary and ungrounded, which is in breach with the Dutch Data Protection Act (Wet bescherming persoonsgegevens, Wbp)
In addition, municipalities have a duty of care (Article 15, Wbp) to ensure that professionals are capable of determining the relevant categories of personal data that they require. This means that municipalities have the responsibility to implement appropriate measures to enable professionals to have this capability, by providing trainings and adequate guidelines for instance. The AP has found that the municipalities have not fulfilled this duty of care as their current measures in this respect are insufficiently specific and clear. The AP has therefore urged the municipalities to adjust their practices in accordance with the findings of the AP.