Please note: The algorithm descriptions in English have been automatically translated. Errors may have been introduced in this process. For the original descriptions, go to the Dutch version of the Algorithm Register.

Risk-based prioritisation of data breach notifications

The AP uses this algorithm to classify data breach reports by severity. Based on that classification, inspectors can prioritise serious reports. The algorithm does not contain any personal data.

Last change on 11th of October 2024, at 9:33 (CET) | Publication Standard 1.0
Publication category: Other algorithms
Impact assessment: Field not filled in.
Status: In use

General information

Theme

Law

Begin date

01-2016

Contact information

https://www.autoriteitpersoonsgegevens.nl/themas/beveiliging/datalekken/zo-meldt-u-een-datalek

Link to publication website

https://www.autoriteitpersoonsgegevens.nl/datalek-melden

Responsible use

Goal and impact

The AP's supervision of the data breach notification requirement is risk-based. Some data breach reports are so serious that AP inspectors have to pick them up urgently. To determine the severity of a data breach, the AP looks at the risk of harm faced by the victims of the data breach. The higher the risk, the sooner and the more intensively inspectors deal with the data breach notification. The AP has drawn up a number of criteria to ensure that inspectors handle data breaches with serious consequences as a matter of urgency.

Considerations

Data breaches can have serious consequences for victims. An organisation that has a data breach must therefore act quickly: it must close the breach promptly and promptly warn victims of its consequences. In addition, the organisation must report the data breach to the AP within 72 hours. This reporting obligation allows the AP to check whether the organisation handles the data breach carefully. The AP receives around 20,000 data breach reports per year. To pick up reports of the most serious data breaches urgently and to make optimal use of the AP's available capacity, the reports must be prioritised. An algorithm determines this prioritisation. It is a simple algorithm in which various characteristics of a data breach notification are weighted. Its operation is easy for inspectors to understand: it is easy to see why a particular report has or has not been given a high priority. The algorithm does not use personal data, and it does not result in an immediate automatic decision.

Human intervention

After the data breach reports have been prioritised, inspectors handle them. The handling of these reports therefore always involves human intervention.

Risk management

When AP inspectors handle data breach reports, they also pay attention to the quality of the reports (e.g. whether they are complete and whether they contain enough relevant information). They also monitor the outcomes of the algorithm. Based on this, the AP can adjust risk indicators used in the algorithm if necessary. Furthermore, every year the AP publishes the data breach report, in which the AP provides insight into all data breach notifications received and their handling. Finally, the AP also uses the knowledge and experience gained from the AP's other supervisory tasks to identify any risks of or deviations in the prioritisation of reports.

Legal basis

  • Article 33 AVG
  • Article 33a Wpg
  • Article 26g Wjsg

Links to legal bases

  • Article 33 AVG: https://eur-lex.europa.eu/eli/reg/2016/679/oj
  • Article 33a Wpg: https://wetten.overheid.nl/BWBR0022463/2022-10-01
  • Article 26g Wjsg: https://wetten.overheid.nl/BWBR0014194/2023-03-01

Elaboration on impact assessments

The algorithm does not process personal data. Moreover, the effect of prioritisation by the algorithm with predetermined criteria is not substantially different from human prioritisation. The algorithm is particularly helpful because it can quickly prioritise many reports, thus putting serious reports on the radar of inspectors quickly. This is why the AP did not conduct an impact assessment such as a DPIA or IAMA.

Operations

Data

The data in question is data that organisations entered on the data breach form on the AP's website. The algorithm does not process personal data entered by organisations, such as contact details.

Technical design

For prioritisation, the AP uses a decision tree. Based on knowledge and experience of inspectors, certain fields of the report form have been designated as input for the algorithm. If the entered value exceeds a set limit, an inspector urgently picks up the report in question. This inspector then determines the steps to be taken.
