The Commission Supervision Personal Data Protection BES (CBP BES) investigated how the Immigration
and Naturalisation Service Caribbean Netherlands (IND-CN) uses citizens’ personal data and how it uses
its privacy statement in practice. CBP BES checked whether IND-CN follows the Personal Data Protection
Law BES (Wbp BES). The Commission looked at transparency, whether the use of data is lawful, data
security and whether citizens can use their privacy rights.
The investigation shows that IND-CN knows its legal task and understands the importance of handling
personal data with care. The privacy statement also gives citizens the main information they need.
At the same time, the investigation shows important shortcomings and risks. These mainly concern the
security, storage and access to personal data. This includes data in the Foreign Management System (FMS),
the system IND-CN uses for its work.
According to CBP BES, IND-CN does not have enough insight into the security and management of this
system. External parties largely manage the system. Personal data is also sometimes stored outside the
system, for example on internal network drives. This creates a risk that people who do not need the
information may still be able to access it.
CBP BES is especially concerned about how IND-CN handles criminal record files and judicial data. These
are sensitive personal data. Clear agreements are needed on who may access these data, where they are
stored, how long they are kept and when they are deleted.
Information for citizens must also be improved. At the moment, the privacy statement is only available in
Dutch. It may also be too difficult for many people to understand. CBP BES therefore advises IND-CN to
make the privacy statement available in the official languages of the Caribbean Netherlands and to rewrite
it at B1 language level.
According to CBP BES, IND-CN must urgently act on the recommendations in the report. IND-CN must give
priority to the needed improvements in security, management, storage, access, how long data is kept and
the deletion of personal data.
If IND-CN does not take proper measures, the risks for citizens and for the organisation may remain or
increase. IND-CN may also be unable to show clearly enough that personal data is used lawfully, carefully
and securely.
CBP BES expects IND-CN to make a clear plan to carry out the recommendations and to complete the
improvements within set timeframes. The Commission will actively monitor progress at agreed reporting
moments.
Although IND-CN has already taken some steps, more measures are urgently needed to better protect
citizens’ personal data.