Information security and privacy are an ongoing priority for CBS
Strict requirements
CBS maintains very strict requirements in the field of information security and privacy, says Douwe Kuurstra, head of the CBS Audit Department. ‘And that’s why it’s so important to us to subject our policy to external evaluation on a regular basis. We are constantly looking for ways to improve. This is essential for any statistical office. The audit entails an in-depth investigation, in which employees are interviewed and auditors take a behind-the-scenes look at the organisation’s computer programs. With a successful audit behind us, we are once again officially certified for the coming year.’Access to data
One aspect assessed during the audit was whether CBS only collects the data it needs to fulfil its statutory duties. The auditors also checked whether access to certain data is restricted to those working with the data. Kuurstra explains, ‘Only those statisticians who work on a particular statistic have access to that data, which by that point has already been made unrecognisable. All other CBS employees are denied this access.’ Of course, the audit also evaluates whether the data is sufficiently protected from outside interference. That proves to be the case.Working method on website
This year, for the first time, the audit was carried out by the firm Duijnborgh Audit. ‘They were not yet familiar with CBS, so first you have to explain how the organisation works,’ Kuurstra says. ‘Based on the information we provided and the information on our website about our methodologies, Duijnborgh selected the employees they wanted to speak. Among them were statisticians, but also people who take care of our ICT security, for example. All interviews took place online due to coronavirus restrictions.’‘Audits aside, CBS also takes an ongoing critical look at its processes in all kinds of areas’
Monitoring processes
‘CBS is a complex organisation,’ Frank Kossen of Duijnborgh Audit observes. ‘That’s because it produces so many statistics and conducts so many different activities. We had to pull out all the stops to get to the bottom of the organisation. We succeeded, thanks to the cooperation we received from within CBS. I was impressed by the awareness among the professionals at CBS – from the lower levels right to the top – when it comes to the importance of privacy and information security. They were therefore open to our questions.’ His colleague Edin Golotic adds, ‘In preparation, we carried out a survey to map how the privacy and information security processes were organised. That gave us an accurate impression and a solid basis for further discussion. A comprehensive audit like this requires extensive planning. CBS was a great help in this regard: we were able to switch gears quickly when needed, so everything ran smoothly.’Areas for improvement
The audit also identified a number of areas for improvement, particularly in documentation management and ensuring the proper ownership of processes. As Frank Kossen notes, ‘The complexity of CBS makes it a challenge to keep all documentation on privacy and information security up to date throughout the organisation. That is one of the points on which we have made recommendations. When it comes to privacy, the general rule is that routine is good, but drudgery is not. This is another aspect we emphasised in our report. Because privacy is a recurring theme, it is important to maintain a conscious focus and that, for example, it is always clear who is responsible for what.’ Douwe Kuurstra adds, ‘CBS is now working on an action plan to improve on these points. This should be ready on 1 April, with results visible in the summer. Audits aside, CBS itself also takes an ongoing critical look at its processes in all kinds of areas.’Staying focused
Information security and privacy are not only vital to the work of CBS but are also the focus of public attention. It is an area in which a good result is not good enough for CBS: the organisation is committed to excellence. Kuurstra emphasises that audits are a very useful tool when it comes to staying focused: ‘Individuals and businesses in the Netherlands, as well as our own employees, can rest assured that the data they entrust to us are safe and well protected. It’s an achievement of which we are proud.’Related items
- Article - CBS: Inquiry into risks of data access
- Article - CBS is ready for the EU GDPR
- CBS privacy regulations - Privacy