Van der Klaauw's interest for privacy in the field of IT started in 2012 when he, as the system and network manager at CWI, experienced a hack. During the investigation, it became clear that a security service was behind the hack. Next, his system at home was attacked. ‘In a private capacity, I also managed the equipment for the Open Document Society. All things being considered, it was an interesting experience. Since then, I have delved into the ethical aspects of the digital society'.
Privacy by design
In 2017, NSCR approached Van der Klaauw with the request to search for breaches in the institute's IT system. He subsequently made the switch from CWI to NSCR. He looks back: 'In the run-up to the General Data Protection Regulation (GDPR) in May 2018, we rebuilt the systems of NSCR. The GDPR refers to that as "privacy and security by design". In the new environment, this means that researchers on their PCs that are connected to the Internet work with data that cannot be traced back to people. We also built a Secure Analytics Lab, with several systems that are not linked to the Internet. In this lab, researchers can work with sensitive data. Van der Klaauw explains that the sharing of data, in collaboration with Youth Care and the police or government ministries and Slachtofferhulp Nederland [Victim Support in the Netherlands] is heavily regulated. Nothing leaves NSCR before the director and he have assessed it. Furthermore, each research plan is assessed beforehand by an ethics committee with respect to what participation means for the respondent.
GDPR is not the multi-headed beast that many citizens think it is. Van der Klaauw dryly remarks that for unique personal data, you do not need to do much to be GDPR compliant: ‘If it’s not necessary, it’s forbidden Therefore you may not store any personal data if this is not described in the GDPR. One such example is the Citizen Service Number. The Dutch Tax and Customs Authority states that an employer of employees who leave service, must keep the Citizen Service Numbers of these employees for several years but after that, these may no longer be kept, according to the GDPR. We need to integrate that. Also for the GDPR, you need to describe what you do. An important aspect is that you inform those concerned properly in advance and ask consent for how you process their personal data. Everybody has more rights than was previously the case'.
Van der Klaauw refers to working with GDPR as 'bookkeeping with personal data'. There are different categories of personal data with various binding conditions attached to these. By ticking off checklists, you can determine whether these conditions have been satisfied. After doing a round of all institutes and the office of NWO-I, his impression is that employees do their absolute best, and that every institute is busy cleaning up the last bits of archive. Van der Klaauw: ‘The Dutch Data Protection Authority, which supervises compliance with the GDPR, prescribes that for a large organisation like NWO-I – 2000 employees – matters are administrated centrally. That is easier if the administration is completely digital, as is already the case at ARCNL and AMOLF. My task is to ensure that we grow towards communal processes. However, that is a process that will take several years. I believe awareness is something that must gradually seep into your operational DNA. That NWO-I has given me, risk manager Peter van den Brakel and auditor Francis Bouwman the space to do our work, is part of that awareness'.
Van der Klaauw is keen to give the example of how you may be assertive as an employee: ‘In principle, nobody gains permission to place a photo of me on the Internet. Therefore there is no photo with this interview. NWO-I has no visible data on the new access pass. That is also privacy by design. I am proud of that. In my private life I am also cautious. I quite happily use the Internet without WhatsApp, Facebook and Twitter. If a product is free of charge, then you pay for it with your privacy'.
Van der Klaauw also has a privacy tip for his NWO-I colleagues. ‘Be careful with your passwords and do not reuse them. Remember your passwords or store them safely, for example in a password safe. A central password policy is still on my list of things to do. Organise everything so that the human aspect – such as a mistake - is considered to be normal'.
About Aad van der Klaauw
Aad van der Klaauw has worked since 2017 as the data protection officer at Netherlands Institute for the Study of Crime and Law Enforcement (NSCR), and since May 2019 he is also the privacy officer of NWO-I. Van der Klaauw started his career in the 1980s at the Centrum voor Wiskunde en Informatica (CWI), where besides his position as system and network manager he was also the security officer and data protection officer during his last years there.
In his spare time, Van der Klaauw studies blockchain technology, which for him is the breakthrough in the area of technology for constructing honest systems. ‘We are moving towards an entirely new network. In the Netherlands, there are groups of people who are interested in how you can use this technology to bring society to a higher plan. I regularly ride on my motorbike to meetings in a cafe or on a terrace to exchange ideas about this'.
Newsletter Inside NWO-I, October 2019