Netherlands: Sharing of travel data violated students’ privacy
It was all over the news on 22 August 2017: Translink, the company responsible for the Dutch public transport card “OV-chipkaart” had been passing student travel data to the Education Executive Agency responsible for student finance in the Netherlands (DUO). DUO uses this data to figure out whether students who claim to live on their own – and therefore receive a supplementary grant – actually still live with their parents. A court ruled that this was violating students’ privacy. The same day, Dutch EDRi member Bits of Freedom called upon students to issue a right of access request to DUO and Translink. The students were encouraged to ask the following questions:
- Which data does DUO have on me and if I didn’t supply this data myself, how did DUO obtain it?
- Which data does Translink have on me and with whom has this data been shared?
Where and when we travel, whom we call, what we buy: sometimes it seems records are kept of every single thing we do. We are becoming more and more transparent and easier to influence for companies and governments. Based on the data that is gathered about us, conclusions are drawn with tangible, sometimes far-reaching consequences. Therefore it is important that we gain insight into who knows what about us. And of course, what is being done with that information.
Imagine: you live in a dorm room when one of your parents becomes seriously ill. You are at your parents’ home for weeks or even months on end. You don’t actually live there, but you do sleep over. Is it really possible for a DUO employee to make that distinction based on your public transport data? We don’t think so. You can interpret data in multiple ways and often it does not tell the whole story. Conclusions that someone else reaches by looking at your data are not always correct. But still, you are the one who has to deal with the consequences.
It is indeed important that fraud is addressed. However, it is also important that the tools used to do so are proportionate to the offence. In this case, the Dutch court ruled that DUO cannot request this kind of privacy-sensitive information just like that. And even Translink really does know better: in its terms and conditions, Translink states that it will only hand over data as part of a criminal investigation and therefore only to the police and judiciary. By deviating from its own commitment, the company undermines trust in its service.
The Dutch constitution states that everyone is entitled to respect of their personal environment. The Dutch Data Protection Act (Wbp) is the most important law regarding the collection and sharing of personal data. This law also gives citizens the right to gain insight into their own data and the right to correct it. By executing these rights, you can verify whether the processing of your personal data is correct, complete, relevant and lawful. Bits of Freedom’s Privacy Review Machine can help you with this.
DUO and the OV-chipkaart: Ask for clarification about your data! (only in Dutch, 22.08.2017)
Privacy Review Machine (only in Dutch)
(Contribution by Evelyn Austin, EDRi member Bits of Freedom, the Netherlands; Translation: Philip Westbroek)