In May 2024, CBP BES announced it would start an investigation into a possible data breach at the Department of Civil Affairs of the Public Body Bonaire (OLB). This followed a report by a local deputy regarding the use of current personal data in a new digital application of the OLB. The full report has now been completed and published. The conclusions are concerning.

Illegal Use of Personal Data

CBP BES has determined that identifiable personal data from PIVA was transferred to the test environment without prior anonymization. There was no legal basis for this, no Data Protection Impact Assessment (DPIA) was conducted, and the necessary internal procedures and accountability lines were missing. This practice deviates from the legal frameworks and the usual responsibilities within the organization.

Digital Working Group Operating Outside the Rules

In 2021, the Executive Council of Bonaire established a separate Digitalization Working Group (WD). This working group operated outside the regular civil service organization, with its own budget and without clear safeguarding of responsibilities, such as the protection of personal data, within the OLB. Its task was to accelerate the digitization of the administration, including making current personal data from the PIVA system available.

Multiple Violations Identified

CBP BES concludes that both the Personal Data Protection Act BES and the Basic Registration of Personal Data Act BES have been violated. The approach is contrary to the principles of purpose limitation, necessity, and security. The lack of careful governance and control increased the risk of errors or misuse of personal data.

CBP BES Makes Recommendations

CBP BES requests that the OLB immediately stop using current personal data in the test environment and completely delete this data. The OLB must also ensure a clear legal basis for future processing of personal data. Only anonymized data may be used in test environments. Additionally, a DPIA must always be conducted for digital applications that process personal data. Finally, the OLB should strengthen its digital organization, for example by working according to the Baseline Information Security Government (BIO).

CBP BES will monitor the implementation of the recommendations. The protection of personal data is a shared responsibility and a legal obligation. Even with digital innovation, it is important that choices are made within the law. Citizens must be able to trust that their data is handled carefully and lawfully. CBP BES is committed to this.

The full research report can be found at www.cbpbes.com.