The Court of Auditors considered three questions: How is the privacy of residents of Amersfoort protected? How is the privacy of residents protected by third parties to whom the municipality has contracted out the implementation of the policy, or with whom personal data is otherwise shared? Is GDPR being used properly?
The audit office held discussions with aldermen, civil servants and organizations representing residents (for example the Conseil des Clients Travail et Revenu), as well as with partners such as the probation service. In addition, workshops were organized with officials and a session was held with the council.
CULTURE Much attention has been paid to the influence of the organization's culture on the processing of personal data. According to the audit office, the municipality actively works towards a pleasant working climate in which employees dare to admit possible errors. In addition, key people have been designated so that every department has someone who is easy to find and to whom questions about confidentiality can be put. There are also professionals in the organization who can answer difficult technical or legal questions.
AGREEMENTS The Court concludes that coherent arrangements are made with partners in the form of agreements or pacts. Third parties with whom data is shared are subject to the same confidentiality and information security requirements that the municipality itself adheres to. Steps can still be taken to monitor the agreements reached. The first steps, in the form of a new system, have already been taken for this purpose. The Court of Auditors recommends setting up annual monitoring of the agreements concluded with third parties on the protection of personal data, and including the results in the annual report of the data protection officer.
GDPR According to the Court of Auditors, the municipality generally does not perceive the GDPR as restrictive or obstructive. This is related to its constructive attitude towards privacy. No indication was found from which it could be concluded that the GDPR has been violated. However, there are sometimes difficult situations in which it is not entirely clear how the GDPR interacts with other legislation. The GDPR also requires a new way of working, which means existing IT systems need to be adapted or implemented differently. The organization is working on the latter and hopes to take more steps in the future with privacy and security by design. The Court of Auditors recommends that the protection of personal data and privacy be an integral part of the purchase and design of new systems and work processes.
RESIDENTS' PERSPECTIVE The municipality has a limited view of residents' attitudes towards privacy. The municipality communicates about privacy to residents via the website and at the counter. It is difficult for residents to assess when their rights are threatened. Although communication with residents is sufficient for the time being, the municipality could play a more proactive role in this regard. The Court of Auditors recommends an inventory of how residents perceive the collection and use of personal data and its protection by the municipality. This can be used, for example, to check whether the current way of communicating on this subject can be improved.
REPORT In addition to the investigation report, the Court of Auditors also drew up a summary of the results of the investigation. These documents can be found at www.amersfoort.nl/rekenkamer. The city council will discuss the investigation report on June 29, 2021 and then vote on the recommendations.