The Commission Supervision Personal Data Protection BES (CBP BES) investigated how the Immigration and Naturalisation Service Caribbean Netherlands (IND-CN) uses citizens’ personal data and how it uses its privacy statement in practice. CBP BES checked whether IND-CN follows the Personal Data Protection Law BES (Wbp BES). The Commission looked at transparency, whether the use of data is lawful, data security and whether citizens can use their privacy rights.
The investigation shows that IND-CN knows its legal task and understands the importance of handling personal data with care. The privacy statement also gives citizens the main information they need.
At the same time, the investigation shows important shortcomings and risks. These mainly concern the security, storage and access to personal data. This includes data in the Foreign Management System (FMS), the system IND-CN uses for its work.
According to CBP BES, IND-CN does not have enough insight into the security and management of this system. External parties largely manage the system. Personal data is also sometimes stored outside the system, for example on internal network drives. This creates a risk that people who do not need the information may still be able to access it.
CBP BES is especially concerned about how IND-CN handles criminal record files and judicial data. These are sensitive personal data. Clear agreements are needed on who may access these data, where they are stored, how long they are kept and when they are deleted.
Information for citizens must also be improved. At the moment, the privacy statement is only available in Dutch. It may also be too difficult for many people to understand. CBP BES therefore advises IND-CN to make the privacy statement available in the official languages of the Caribbean Netherlands and to rewrite it at B1 language level.
According to CBP BES, IND-CN must urgently act on the recommendations in the report. IND-CN must give priority to the needed improvements in security, management, storage, access, how long data is kept and the deletion of personal data.
If IND-CN does not take proper measures, the risks for citizens and for the organisation may remain or increase. IND-CN may also be unable to show clearly enough that personal data is used lawfully, carefully and securely.
CBP BES expects IND-CN to make a clear plan to carry out the recommendations and to complete the improvements within set timeframes. The Commission will actively monitor progress at agreed reporting moments.
Although IND-CN has already taken some steps, more measures are urgently needed to better protect citizens’ personal data.
The full investigation report can be found at www.cbpbes.com.