CBP BES: Violations in the digitalisation of personal data at the OLB
In May 2024, CBP BES announced it would launch an investigation into a possible data breach at the Civil Affairs department of the Public Entity Bonaire (OLB). This followed a report by a commissioner regarding the use of current personal data in a new digital application of the OLB. The full report has now been completed and published. The conclusions are concerning.

Unlawful use of personal data
CBP BES found that identifiable personal data from PIVA were transferred to the DDS test environment without prior anonymisation. There was no legal basis for this, no Data Protection Impact Assessment (DPIA) was carried out, and the necessary internal procedures and accountability structures were lacking. This approach deviates from the legal frameworks and usual responsibilities within the organisation.

Digital taskforce operating outside established rules
In 2021, the Executive Council of Bonaire set up a separate Digitalisation Taskforce (WD). This taskforce operated outside the regular civil service organisation, with its own budget and without clear safeguarding of responsibilities, such as the protection of personal data within the OLB. Its mandate was to accelerate the digitalisation of administration, including making current personal data from the PIVA system available.

Multiple violations identified
CBP BES concludes that both the BES Personal Data Protection Act and the BES Basic Administration of Personal Data Act have been violated. The approach breached the principles of purpose limitation, necessity, and security. The absence of sound governance and control increased the risk of errors or misuse of personal data.

CBP BES issues recommendations
CBP BES requests that the OLB immediately stop using current personal data in the test environment and completely delete this data. The OLB must also ensure a clear legal basis for future processing of personal data. In test environments, only anonymised data may be used. In addition, a DPIA must always be conducted for digital applications involving personal data. Finally, the OLB should strengthen its digital organisation, for example by implementing the Government Information Security Baseline (BIO).
CBP BES will continue to monitor the follow-up of these recommendations. The protection of personal data is both a shared responsibility and a legal obligation. Even in digital innovation, it is essential that decisions are made within the law. Citizens must be able to trust that their data are handled carefully and lawfully. CBP BES remains committed to this.
The full investigation report can be found at www.cbpbes.com.