The Dutch Data Protection Authority (“DPA”) conducted an investigation recently into the security of the absence management systems Humannet Starter and Humannet Absence (“the absence systems”), both are staff absence management software solutions of IT company Humannet B.V. (“Humannet”). Humannet’s customers (employers and those companies offering occupational health and safety services) use these software solutions for absence management of employees, including their re-integration following a sick leave period.
For the purpose of absence management, medical data of employees are processed via these absence systems, and it is important for these data to be well protected. During a broadcast of the Dutch television programme ZEMBLA in 2012, it was evident that there had been a data leak in Humannet’s absence systems. After the broadcast, the DPA made enquiries at Humannet promptly and then launched an investigation into the leak. The DPA concluded that Humannet’s absence systems did not have an appropriate level of data security in place.
According to Article 1 of the Dutch Data Protection Act, Humannet’s customers (i.e., the employers and those offering occupational health and safety services) can be qualified as data controllers for the processing of employee absence data. After all, Humannet’s customers determine the purposeof the processing (absence management) and the means (the use of the absence systems) to achieve this purpose. Humannet qualifies as a data processor because the absence systems run on its self-managed servers. Further, Humannet has access (and can give third parties access) to the medical data it holds, and it can alter or delete the data. An element of managing the absence systems is the security thereof. The DPA emphasized that Humannet, as a data processor, has an active role in data security especially since specialized expertise concerning the complex automation of data is necessary. The customers’ lack or absence of such expertise is the very reason why they hire specialized data processers. The DPA states: “This active role involves responsibilities that it [the data processor] needs to fulfil actively, for instance in respect of sufficiently securing the processing of data that it manages or performs for the data controller.”Therefore, Humannet, despite being a data processor, is required to contribute to providing adequate data security actively for the absence systems in which medical data are being processed, and it should do this according to the appropriate technical and organizational measures as laid down in Article 13 of the Dutch Data Protection Act.
In its report, the DPA set out which appropriate technical measures Humannet must adopt. Humannet was obligated to apply so-called “multiple factor authentication” to all its customers. Humannet’s systems were previously accessible by merely logging in with a user name and password (“one factor authentication”). Humannet had to add an extra factor, like a token, a smartcard (a personal access card), or a biometric characteristic to enable a person to prove his or her identity using another manner before gaining access to the absence system. Humannet must also continuously identify and list security risks. According to the DPA, Humannet must perform penetration tests and/or security scans several times a year. In doing so, vulnerabilities in the absence systems can be promptly identified and resolved. In response to the DPA’s report, Humannet decided to offer its customers “multiple factor authentication”, but it did not make this an element of its standard service. Furthermore, an audit was only performed once a year, and the results thereof were not properly addressed. The DPA therefore concluded that Humannet had violated Article 6 of the Dutch Data Protection Act, which states that personal data must be processed in a proper and careful manner and in accordance with the law, because Humannet did not take appropriate security measures, it failed to comply with Article 13 of the same Act, and therefore the processing of data was improper and careless.
For the definition of security measures, the DPA refers to the following as guidelines: its own Beveiliging van persoonsgegevens (Security of personal data, only available in Dutch), as well as the Code voor Informatiebeveilging (Code on Information Security (NEN-ISO / IEC 27002 2007 nl), the ICT-beveiligingsrichtlijnen voor webapplicaties (ICT security guidelines for web applications, only available in Dutch) issued by the National Cyber Security Centre, and the Betrouwbaarheidsniveaus voor authenticatie bij elektronische overheidsdiensten (Reliability levels for authentication at electronic government service departments, only available in Dutch) issued by the Forum Standardization.
Noteworthy is that the security guidelines from other industries and security guidelines whose accessibility is conditional on payment were referred to by the DPA in its interpretation of Article 13 of the Dutch Data Protection Act. Controllers and processors therefore need to be aware of security guidelines besides those that are relevant for their respective industry when considering security measures.
Meanwhile, Humannet has implemented the necessary adjustments, and the DPA has decided to not take enforcement action. The investigation gave the DPA cause to send letters to 53 administrators of absence systems, drawing attention to the appropriate interpretation of the security requirements under the Data Protection Act. The letter, in addition to the investigation, states explicitly that if an administrator wants to test or develop its system further, no medical data can be used for that, but only dummy or anonymized data. Furthermore, the risks of the open fields in the system must be addressed. In these open fields, an employer may specify information on the nature and cause of the employee’s illness. However, an employer is not allowed to process such data. To prevent such processing, the DPA has warned against building open fields into the systems. Moreover, it has to be guaranteed that the employer cannot access the data that are being processed by the company doctor. It is therefore crucial that the administrator of the absence system—and not the employer— provide the login codes. The DPA has indicated that it will not hesitate to take enforcement action if it suspects that absence administrators are not complying with the law.