Test line staff may access personal data, even if they are not allowed to do so

The personal data of anyone who has a coronation test carried out can be accessed by hundreds of employees of the coronation line who would not be allowed to do so for their work. This is evident from a tour of New Hour among (former) employees of the corona-virus testing line.

The tasks of the employees consist of scheduling appointments and calling in negative test results. But with a date of birth and surname, a street name and postcode or a BSN number, all employees with access to the CoronIT IT system can use CoronIT for all test appointments, results, medical notes and telephone numbers. Also from people they do not need to call.

For example, employees can look up positive and negative test results, or the test data of Dutch celebrities, colleagues or neighbours. Data such as 06 numbers and test results are sometimes shared in Whatsapp groups in which employees ask each other for help, according to research by Nieuwsuur.

Not allowed according to privacy law

The 2100 test line employees of Teleperformance, the call centre hired by the GGD, should not be able to search in data they do not need for their work, several privacy experts say. But they can.

According to the AVG Privacy Act, you have to ensure that only people who need it can access the data. A staff member may only see the data that is necessary for the task of the day, says Sarah Eskens, a lawyer at the University of Amsterdam.

Employees claim to have had little or no training on privacy on condition of anonymity. However, they did have to sign a declaration of confidentiality. Most people dont want to deliberately violate the AVG, but it does happen, says a former employee. The employees who spoke to Nieuwsuur emphasise that they themselves are careful with personal data, but state that not everyone does.

Looking up the results of acquaintances

When people – who are, for example, waiting a long time for their results – call the coronation test line, employees have to say that they do not have any insight into the results, even though they do. Nieuwsuur has been in contact with people who have received the results in this way. The GGD confirms that this has happened.

Test line staff have also shared results with acquaintances who asked for the results of their own test. This is not allowed by law.

The Ministry of Health refers to the GGD for a response. They let it be known that strict controls are in place. Employees who can look into a file without reason are tracked down. In addition, the Municipal Health Service (GGD) says it draws the staffs attention in detail to privacy obligations. If it appears that the rules are being broken, measures are taken

Employees are often mistaken by the people they have on the phone for GGD staff, but are actually temporary workers who have been placed with call centre company Teleperformance via temporary employment agencies Olympia and YoungCapital.

Employees say that hours worked are often not paid out. According to employment agency YoungCapital this is not true. Olympia states that some temporary workers had some technical problems in the beginning, but that everyone was paid according to the agreements. The FNV trade union has received dozens of complaints from employees

Faltering test policy

Several political parties are concerned. This is another part of failing test policy, says Member of Parliament Corine Ellemeet of the Green Left. It is very worrying that the ministry is not getting the testing policy in order

Kees Verhoeven (D66) calls the way data is handled very careless and says it needs to be rectified quickly. A lot goes wrong when it comes to data protection in corona files, he says. The testing policy depends on peoples trust