Netherlands Court of Audit: public services benefit from earlier and clearer GDPR decisions

Provision of public services is often below standard because implementing organisations look upon privacy rules (as laid down in the General Data Protection Regulation, GDPR) as a hindrance. This can have serious consequences for citizens. Elderly people living below subsistence level, for instance, are not informed that they are entitled to a supplementary benefit, and fraudsters in the care sector can remain under the radar more easily. The Netherlands Court of Audit comes to these conclusions from several of its audits.

The Court of Audit has sounded the alarm in a letter to the House of Representatives, stating that problems in the provision of public services can be largely prevented if politicians make clearer and earlier decisions on the balance between privacy and public service. The GDPR, however, is part of the solution. Inspectorates, benefit agencies and other implementing organisations must improve their understanding of privacy rules. They often ask whether data processing is permitted, when they should be asking: how can we use and share personal data in a reasonable manner that respects the public’s right to privacy?

Legal provisions on how public organisations share personal data among themselves are often inadequate. When drafting new legislation, parliament and government should give more thought to the kind of personal data that organisations need to do their work properly. Such decisions are often taken too late, when problems have already arisen in the provision of services. As a result, implementing organisations can face prolonged problems, as drafting new rules can take several years. Parliament and government should therefore weigh up the benefits of data processing against the impact on public privacy at an early stage in the legislative process.

Correct application of the GDPR also requires implementing organisations to have applicable knowledge of privacy protection. The Court of Audit concludes from several audits that appropriate data processing is possible under the current rules. It may simply be necessary to modify the data in order to protect privacy, for instance by anonymising it. The Court also suspects from several audits that organisations act more cautiously than necessary out of fear of the GDPR. The Court cannot rule out that the GDPR is sometimes used as an excuse to avoid having to share data with other public organisations.

Further to the Court’s recommendations, the Social Insurance Bank and the Employee Benefits Agency have launched a pilot to identify and contact potential entitled persons. To tackle fraud in the case sector, regulations will be drawn up to facilitate the exchange of information. In light of the COVID-19 pandemic, the Ministry of Agriculture, Nature and Food Quality and the Ministry of Health, Welfare and Sport have prepared a zoonosis action plan that provides for data sharing.

The letter is only available in Dutch