Earlier this week, BRIC, an implementing body of the ministry that manages the Dutch donor register, informed Hugo de Jonge, the Dutch Minister of Health, Welfare, and Sport, of the physical loss of two external backup hard drives (HDD). The Minister, in turn, wrote a letter to the Parliament informing them that these hard drives contained 6.9 million donor records registered from 1998 to 2010. The physical loss of these drives has sparked concerns of identity theft among registered Dutch donors.
BRIC began digitizing the donor records in 2011, wherein, the paperwork was replaced by a digital version. The backup of these records is maintained in external HDDs which are kept in a highly secured and guarded vault. BRIC recently started disposing of the paper archive of the Donor Register as part of their physical document clean-up process. The cleanup guidelines suggested to check for a corresponding digitized copy of the donor record and only then proceed with the physical destruction of the paper record.
While doing so, the agency discovered that two backup HDDs were missing from the vault. To make it worse, BRIC’s spokesperson confirmed that the drives were unencrypted. The donor details in these drives include donor details such as first and last name, gender, date of birth, the then-address, organ donation choices, identification numbers and a copy of the user’s signature.
However, BRIC has maintained that the data stored on the drives do not contain “special personal data” as mentioned under GDPR and thus the risk of identity theft is very low. The loss of drive and corresponding Dutch donor records has already been reported to the Dutch Data Protection Authority and, as of now, the investigation revealed no incidents of identity theft.