Police illegally monitor 11 million children and adults, sometimes just after birth
Sebastiaan BrommersmaEleven million Dutch people are automatically followed by the police in the basic registration of persons. Many have even been around since they were babies and children. The police are thus violating various laws. The officers and the police management have known this for years, but don't care much about it. This is what research by Follow the Money shows. THIS PIECE IN 1 MINUTE The police request personal information, such as address details, social security numbers, nationality and marital status, from people on a large scale from the Personal Records Database: a database that contains all Dutch people.If the police request someone's information, the police automatically take out a “subscription” to that person. The police will be notified automatically of any change. Once you have a subscription, you won't get rid of it. These automatic updates facilitate the daily work of the police. This way, she can identify people quickly. The number of subscriptions is completely out of hand, according to research by Follow the Money based on an appeal to the Open Government Act. The police follow eleven million people in this way, including millions of children. The police are thus acting in violation of various Dutch and European laws. Although the police management has known this for years, it allows this unlawful situation to continue.
It doesn't really want to be spring on April 25, 2014. That morning, a big hailstorm will even sweep over the south of the Netherlands. Vera is not bothered by that. She is still lying in bed, dreaming about her birthday the next day. At least we will never know for sure what Vera is dreaming about that morning. She will be one year old the next day and is still not very good at talking. What we do know for sure is that the police will request Vera's data for the first time that day from the Basic Registration of Persons (BRP): the database for all Dutch residents. The law enforcement officers verify her name, address, date of birth, gender, and whereabouts. Why? No one knows. Not the police (anymore) either. But because the police also automatically take out a “subscription” for everyone she registers, she automatically receives a signal from that moment on when this data changes. Baby Vera now also has such a subscription, or “customer indication”, to follow the major events in her life. If she moves, gets married or has children, the police will be notified. She is no exception. Documents obtained by Follow the Money through the Open Government Act (Woo) show that the police are monitoring millions of minors using these customer indications. And once you have such a subscription, you will not get rid of it.
11 million subscriptions
Under the Police Data Act (Wpg), the police have the authority to collect personal data and the duty to keep it accurate and accurate. Customer indications help with this, because they automatically report changes in the basic registration of persons, such as changes of address. This keeps the systems up to date, which is useful for carrying out daily police tasks such as surveillance, dealing with traffic offences, investigating thefts and recording reports of burglaries.
© REBEKA MÓR
Since at least 2015, everyone who has these types of contacts with the police has been receiving a customer indication as standard. Through the police's source systems, such as the Basic Enforcement Service (BVH), where all incidents and reports are registered, they receive a registration in the so-called police person server. That server is the gateway from the police systems to the basic registration of persons. Everyone who ends up there automatically receives a customer indication in the basic registration. From suspects of a crime to reported stolen bicycles and from those involved in a traffic accident to emergency workers. Even passers-by who help the police in the event of an incident receive a customer indication as a “thank you”. The latter happened to just under a thousand people, according to documents held by FTM. The result of this collecting frenzy is that the number of consumer indications rose to just under eleven million in May 2023. Out of a total population of 17,947,684, more than 60 percent of the Dutch therefore currently have such an indication.
This includes millions of minors. An internal e-mail from September 2016 shows that the police are currently following four million “juveniles” in the basic registration of persons. More minors than the Netherlands had in that year. On 1 January 2016, there were according to the CBS namely only 3.43 million inhabitants in this age category. Although a police spokesperson reports that by the word “young people” she probably meant zero to seventeen-year-olds, it is therefore more obvious that it concerns young people under the age of 25. The percentage with a customer indication is also extremely high in that age group. On 1 January 2016, 4.9 million Dutch people were 25 or younger. That would mean that more than 80 percent of all people under the age of 25 were at that time via the basic registration. gemonitord.Dat are enormously high numbers. To illustrate, the Royal Military Police, which shares a customer indication with the police for the police tasks it performs, says that it has currently posted 161,000 customer indications. In 4 percent of the cases, these are minors, a quarter of whom are under the age of 12. The KMar only registers an indication as a standard in the case of “suspects” and deletes registrations in accordance with the legal deadlines, according to a spokeswoman. Follow the Money asked the police how many “young people” currently have a customer indication, but received no answer because this would require “a lot of research”. That is why Follow the Money will not receive a substantive answer, a spokesperson confirms.
DOSSIER
DIGITAL BUSINESS
What happens to the data that governments, companies and institutions store about us? What if they are hacked or taken hostage? How secure are our systems and data?
Why do the police follow children? “If an incident involves a child, that child will be registered in the Basic Enforcement Service and will receive a customer indication,” explains the police spokesperson. “We are trying to reduce that number. “In Vera's case, it remains unclear why the police requested her data. When asked, her father states that she was not involved in any incident around her first birthday and that he cannot think of a reason. The police do not know this either, because she says she does not keep track of the reason for requesting data. Formally, the police only request data “to keep the registered data accurate and complete for the daily police task”. The police cannot explain why this is necessary for a child of zero.
Warning upon warning
The police have lost control over their customer indications for years. It follows from the Woo documents that the own data authority has been warning at least since November 2015 that the number of indications is running too high and that, according to the documents, a large part of the personal data held by the police is being kept “unnecessarily”. Earlier that year, the National Office for Identity Data (RVIg), the authority that manages the basic registration of people, even expressed concern about this, according to the documents, after which the police “hand on heart”.” promises to reduce the number of indications to “what is proportionate”. Nevertheless At the end of 2015, the number of customer indications will rise rapidly from 8.7 to nine million. Under pressure from the RVIg, the police carried out major cleaning in 2016, removing around 2.5 million customer indications. But that is met with resistance. The police intelligence domain believes that “too many” indications have been removed, as a result of which the quality and reliability of some risk assessment tools are “seriously compromised” and information from “relevant people” has disappeared. In other words, the child is thrown away with the bathwater.
At the beginning of 2023, the police will remove more than 700,000 customer indications from people who have died long and wide
That is why in 2017, the police will restore several hundred thousand customer indications from suspects. And because new indications are also being placed, the total number is rising rapidly again. Sometimes by tens of thousands per week. In August 2022, Trouw newspaper revealed that the counter thus exceeded nine million again, only to rise to just under eleven in May 2023. By the way, miljoen.Dat could have been many more if the police had not removed more than 700,000 customer indications from people who had died long and wide at the beginning of 2023. Following so many deceased people is illustrative of the police's approach to the indications, a data authority employee already found in 2017: “It shows that we are not very selective and do not think about them. As far as I'm concerned, it fits in with our goal (legitimacy and trust) if we deal with this consciously. '
Losing control
The lack of a valid policy is one of the main reasons why the police have lost control over customer indications. Over the years, proposals have been made for this, the documents show, but none of them were eventually rolled out [see box]. Moreover, the current police ICT systems facilitate endless collection and therefore do not meet the requirements of the Police Data Act. After all, the Basic Enforcement Service and the person server are set up in such a way that everyone who enters it automatically receives an indication. This “weaving error” cannot be easily fixed, because it is currently not possible to remove a customer indication without completely removing the person concerned from the person server (and therefore also) the connected police applications.
That broken ICT infrastructure is the core of the problem, says Bart Schermer, professor of privacy and cybercrime at Leiden University who viewed the Woo documents at the request of Follow the Money: “It seems that it is currently preventing the police from complying with the law. But the fact that this has still not been solved after ten years is very painful. “According to the documents, this solution can only be achieved with a new personal server, but according to the police, that is complex, expensive and time-consuming — and far from a priority. The introduction of the “person server 2.0” has also been delayed for years, so that it can now be put into use “at the earliest” on 1 January 2025. Only then can the police reduce the number of customer indications and until then, the counter is expected to continue to increase. “It may well be that these adjustments are major and expensive,” says Schermer. “But the police can't hide behind ICT.”
NEVER FINALIZED POLICY
In September 2022, Minister Yeşilgöz-Zegerius of Justice and Security wrote to the House of Representatives that by 2020, the police would have established a policy framework for customer indications, which will be used when developing new systems. It defines five categories of people for whom a customer indication may be included, namely: suspects, people with a risk classification, people in a certain target group, people who are important for the execution of a criminal decision and people with a weapons permit. There are no documents among the WOO documents that definitively establish a policy. However, concepts and proposals. The minister confirms in the letter to parliament that existing police systems, including the BVH, are still not adapted to the policy she has set.
After the revelations in allegiance in 2022, Minister Dilan Yeşilgöz-Zegerius (VVD) of Justice and Security received Parliamentary questions about the customer indications. they answered that by pointing to the police's legal duty to keep the data they process accurate and accurate. According to her, that's what the customer indications are for. According to her, there is no unlawful processing or action by the police. The minister thereby ignores that, by law, the police can only process this data if this is necessary for the performance of daily police tasks. But in many of the millions of cases, that need is not the case. That's what the police themselves think. Indeed, he does not consider the number of customer indications proportional, confirms a spokesperson.
“There is no distinction between the people we really want to follow and just follow everyone, as has been done so far”
Internally, since 2015, there has also been no doubt about the illegality of all this customer indication. Since then, internal documents have consistently and regularly pointed out that the registration of all these indications is “not necessary”, “disproportionate” and “unnecessary”, that there is often “no legal basis” for this massive collection of personal data and that that collection is “unjustified”. How skewed the relationships are, follows from an email from the data authority in September 2016, which states that the records of the indications “no a distinction is made between the people we really want to follow and just follow everyone as it has been done so far. The ratio is maybe like 10:90. '
“Undefensible”
In her response, the minister also ignores the fact that the police are also obliged to remove customer indications from the BRP as soon as they are no longer necessary for the police task. However, that will not happen, a spokesperson confirms. In fact, according to her, the police no longer even delete personal data at all. “This is incredible,” says Bas Bekenkamp, public sector privacy expert at Privacy Company. He also studied the Woo documents at the request of Follow The Money: “By always maintaining customer indications and never destroying data, the police exceed many legal terms and conditions for the use and storage of data. That is impossible to defend. “Schermer takes it just as seriously: “This would mean that the police keep personal data indefinitely. This is not only in conflict with Dutch law, but also with the European Convention on Human Rights. '
CHANGE IS NOT ALLOWED, BUT COMPARE
According to the police, data from the Basic Enforcement Service is “no longer generally accessible” after five years. One year after the first processing, the police are already no longer allowed to use personal data for the daily police task, it follows from the Wpg, unless an investigation has actually started. If this is not the case, the police may only keep that data for a targeted comparison with other data and to look for connections between them — and as long as this is necessary to carry out those daily tasks. But even if this is the case, that data may no longer be changed during that period. After five years, according to the police, this data will be “put at gunpoint”. The police may then keep the data for another five years, but only for dealing with complaints and accounting to, for example, the Data Protection Authority. Then the data really must be destroyed. The customer indications cycle right through this, because their purpose is precisely to keep data up to date every time and (thus) adapt it where necessary.
Internally, employees have been pointing out for years that the police are breaking the law with the unbridled collection of customer indications and personal data. The RVIg has also warned the police more than once, the documents show. The spokesperson agrees to Follow the Money that the RVIg finds the high number of customer indications worrying and has made this known to the police. Bekenkamp is therefore clear in his opinion: “The police will soon know that they are breaking the law for almost ten years, but will just go ahead with it. Then you can only say that the police are consciously, structurally acting unlawfully. '
“This is not about serious criminals, but for the most part about ordinary citizens”
The Woo documents show that the police leadership is very well informed. According to the documents, several (former) members have been directly involved in this headache file since 2015, including Henk Geveke (police command), Liesbeth Huyzer (deputy police chief), Ester Woudenberg (ICT director), Jan Jansen (Director of Information Services), Peter Holla (Deputy Police Chief of Amsterdam) and the former Chief Information Officers by the police leadership Dick Heerschop and Koos Veefkind and former director of Resources Wim Saris. “The police leadership is an example,” says Bekenkamp. “If they have known about this unlawful situation for so long and they deliberately allow it to continue, then that is culpable and very bad.” “Moreover,” he continues, “the situation has been maintained for so long that eleven million people are now being monitored. There is no way to explain that anymore. It's also not about serious criminals, but for the most part about ordinary citizens. '
“Protective monitoring”
Both experts point to the risks of this data collection spree. After all, the police do not always handle their data properly. In 2013, 2015, 2020 and 2023, external audits showed that the police systems are in conflict with the Wpg on essential points and that control measures to ensure that the police (again) comply with the law do not work. In recent years, there have also been several incidents where (chief) officers misused information from their own systems and leaked or passed on data to criminals. The police also do not have their authorization policy in order, so it is not easy to determine who in the police has access to what information about a specific person and why. In February 2024 announced the police to protective monitoring to work to prevent the misuse of sensitive information by your own people.
© REBEKA MÓR
The police themselves warn in the WOO documents that the excessive use of customer indications can lead to the “creation and processing of false or improper combinations of data” about people. Bekenkamp and Schermer are therefore seriously concerned, especially about the large-scale processing of young people's data. Schermer: “That's extra problematic. A customer indication that you don't know was ever posted, let alone why, can lead to misinterpretations. Young people in particular should be protected against this as a vulnerable group. The fact that the police cannot explain why they collect data on a large scale from young people worries Vera's father: 'I understand very well that the police sometimes need to have my data, for example if I am involved in a collision. But what's really not possible is that the police have my and my daughter's data without them being able to explain why. That actually makes me feel less safe. “Follow the Money presented the findings from this article to the Data Protection Authority and asked the authority for a response to the fact that millions of children and adults have an indication of the customer. In a general response, a spokesperson writes: “It is legally regulated that the police may store all kinds of data in order to carry out police work. But never more data than necessary. The police must substantiate what is necessary, otherwise that data cannot be used or stored. We have instructed the police to adapt their way of working and their systems accordingly. “When asked whether an investigation into the use of the customer indications by the police is currently underway, the spokesperson says he is unable to answer.
Related articles
.avif)