Information is one of West Maas en Waal's most important assets. The loss of data, ICT failure, or unauthorized access to or manipulation of certain information can have serious consequences for business operations and also damage the organization's image. Serious incidents can have negative consequences for citizens, businesses, partners, and the organization itself, with likely political consequences as well.

Every employee, whether permanent or temporary, internal or external, is obliged to protect data and information systems against unauthorized access, use, alteration, disclosure, destruction, loss, or transfer where necessary, and to report any suspected breaches.

Information Security Policy

To guarantee the flow of information, the municipality of West Maas en Waal applies the following information security principles based on the Baseline Information Security for Municipalities (BIG):

1. Organization of information security

Employees are responsible for information security. To support this, roles and tasks have been defined.

  • The Board has final responsibility and determines the information security policy.
  • The Information Provision team is responsible for the day-to-day management of technical information security aspects.
  • The coordination of information security is the responsibility of the CISO.
  • The team leaders report to the CISO and, together with the CISO, are jointly responsible for the executive tasks of the information security (IB) policy.
  • The CISO and the Data Protection Officer (FG) are responsible for the supervisory tasks of the policy.

2. Management of company assets

  • Employees must exercise due care when using ICT resources, social media, and information, and must safeguard the integrity and good reputation of the municipality.
  • The employee shall take appropriate technical and organizational measures to protect information against loss or any form of unlawful use. In doing so, the employee shall in any case take into account:
    • the security classification of the information;
    • the security regulations set by the municipality (including this information security policy);
    • risks associated with the workplace;
    • the risk of accessing information using ICT equipment other than that provided or approved by the municipality.
  • Private use of information and files is not permitted. Further rules will be drawn up for remote working and the use of private resources.
  • Upon termination of employment or hire, all company assets must be returned. Authorizations will be blocked on the instructions of the management team.

3. Security of personnel

  • Employees who work with confidential or secret information must submit a Certificate of Good Conduct before starting work. The Certificate of Good Conduct will be renewed during employment if necessary.
  • The team leader determines which role(s) the employee must fulfill and which authorizations for consulting, entering, modifying, and deleting data must be granted.
  • In the event of a breach of security, the usual disciplinary measures apply to employees, as specified in the Civil Service Regulations and other regulations.

4. Physical security and security of the environment

  • The municipality has a 'clear desk, clear screen' policy. 'Clear desk' means that you should not leave any important information at your workplace, but store it securely when you leave. Within our organization, 'clear desk' also includes the secure storage of USB sticks, external hard drives, and other removable data carriers. 'Clear screen' means that you must lock your screen. If you leave your desk, whether for a short or long period of time, you must at least lock your screen, for example by pressing the key combination [WINDOWS + L].

5. Management of communication and operating processes

  • The municipality is increasingly collaborating and exchanging information in chains and outsourcing more tasks. When systems and data are managed by a third party, information from the municipality may also become public. The municipality remains responsible for the information security of its data in the chain, even if management has been outsourced to another party. Employees are therefore also responsible for considering how data can be exchanged securely.

6. Access security

  • Authorization to information systems and workstations is role-based and is granted via function(s) and organizational units after approval by the relevant team leader.
  • Authentication methods such as passwords are protected against unauthorized access and modification during transport and storage (by means of encryption). Employees also bear responsibility in this regard by keeping passwords confidential.
  • A work environment is available for remote/home working. Employees are responsible for ensuring that this is done in a safe and responsible manner. This includes not using unsecured public Wi-Fi, not letting your neighbor look at your screen when you are working from home, etc.

7. Compliance

  • In order to improve the quality of information security and prevent any violation of legislation, legal and regulatory or contractual obligations, and security requirements, all employees are required to comply with the legal frameworks, guidelines, and policy principles of the municipality. Employees are also responsible for attending Information Awareness workshops offered by the municipality.

8. Data breach notification

  • Employees must immediately report any identified or suspected security breaches and security incidents to the municipality's CISO/information security officer. This also applies to the loss or theft of laptops, USB sticks, tablets, etc., whereby information may fall into the wrong hands. This can be done in person or by sending an email to: informatieveiligheid@westmaasenwaal.nl.

Privacy Policy

The municipality of West Maas en Waal works extensively with the personal data of citizens, employees, and (chain) partners. Personal data is mainly collected from citizens for the proper performance of municipal legal tasks. Citizens must be able to trust that the municipality will handle their personal data carefully and securely. The municipality is aware of this and ensures that privacy is guaranteed by applying privacy principles.

The municipality of West Maas en Waal applies the following privacy principles based on Article 5 of the General Data Protection Regulation:

  1. Lawfulness, fairness, and transparency: personal data shall be processed in a manner that is lawful, fair, and transparent in relation to the data subject.
  2. Purpose limitation: personal data is collected and processed for specific, explicitly defined and legitimate purposes and may not subsequently be processed in a manner that is incompatible with the purposes for which it was obtained.
  3. Minimal data processing: data processing only takes place to the extent that it is legally justified (there must be a necessity).
  4. Accuracy: data is accurate, precise, and sufficiently up to date. Requests from owners of personal data regarding rights such as "the right to be forgotten," "the right of access," and "the right to rectification" are complied with as far as possible.
  5. Storage limitation: personal data will not be stored for longer than necessary. The storage of personal data may be necessary in order to properly perform municipal tasks and to comply with legal obligations.
  6. Integrity and confidentiality: personal data is secured by means of technical and organizational measures in such a way that personal data is protected against, among other things, unauthorized or unlawful processing and against accidental loss, destruction, or damage.
  7. Accountability: the municipality that processes personal data must, as the controller, be able to demonstrate why certain personal data is being processed.
  8. Information security: the municipality applies confidentiality agreements and there is a common framework of standards as a basis: the Baseline Information Security for Municipalities. Information systems are secured against problems that affect the confidentiality, integrity, and availability of data.
  9. Internal and external parties: Everyone working within the municipality is responsible for handling personal data responsibly and safeguarding individuals' privacy rights. In the event of structural exchange or cooperation with external organizations or other municipalities, the municipality of West Maas en Waal will make agreements in advance about data exchange and record these in a processing agreement.
  10. Processing operations: any new list of processing operations involving personal data must be included in the processing register and reported to the Data Protection Officer by email at fg@westmaasenwaal.nl.

After termination of employment or in the event of a change of position, the obligation to protect information and personal data remains in force.