Information Security Policy and Privacy Policy
Information is one of the primary assets of West Maas en Waal. The loss of data, ICT failure, or unauthorized access to or manipulation of certain information can have serious consequences for business operations and also lead to reputational damage. Serious incidents may have negative consequences for citizens, businesses, partners, and the organization itself, likely with political repercussions.
Every employee—whether permanent or temporary, internal or external—is required to protect data and information systems from unauthorized access, use, alteration, disclosure, destruction, loss, or transfer whenever necessary, and to report any suspected breaches.
Information Security Policy
To safeguard its information provision, the municipality of West Maas en Waal applies the following information security principles, based on the Baseline Information Security Municipalities (BIG):
1. Information Security Organization
Employees are personally responsible for information security. To support them in this, specific roles and responsibilities have been defined.
- The Board has ultimate responsibility and establishes the information security policy.
- The Information Services team is responsible for the day-to-day management of technical information security matters.
- The CISO is responsible for coordinating information security.
- The team leaders report to the CISO and, together with the CISO, are jointly responsible for the implementation of the information security policy.
- The CISO and Data Protection Officer are responsible for monitoring compliance with the policy.
2. Management of company assets
- Employees must exercise due care when using IT resources, social media, and information, and must safeguard the integrity and reputation of the municipality.
- The employee shall take appropriate technical and organizational measures to protect information against loss or any form of unauthorized use. In doing so, the employee shall, at a minimum, take into account:
  - the security classification of the information;
  - the security regulations established by the municipality (including this information security policy);
  - the risks associated with the workplace;
  - the risks associated with accessing information using IT equipment other than that provided or approved by the municipality.
- The use of information and files for personal purposes is not permitted. Further rules will be established regarding remote work and the use of personal devices.
- Upon termination of employment or a contract, all company assets must be returned to the organization. Access privileges will be revoked at the direction of the management team.
3. Personnel Security
- Employees who handle confidential or classified information must submit a Certificate of Good Conduct before starting employment. If necessary, the Certificate of Good Conduct is renewed during the course of employment.
- The team leader determines which role(s) the employee is to perform and which permissions must be granted for viewing, entering, updating, and deleting data.
- In the event of a security breach, the usual disciplinary measures apply to employees, as specified in the Civil Service Regulations and related policies.
4. Physical and Environmental Security
- The municipality follows a “clear desk, clear screen” policy. This means that you should not leave any important information at your workstation but should securely store it when you leave your workstation. Within our organization, the “clear desk” policy also requires that USB drives, external hard drives, and other portable storage devices be securely stored. “Clear screen” requires you to lock your screen. If you step away, whether for a short or long period, you must at least lock your screen, for example by pressing the Windows + L key combination.
5. Management of communication and operational processes
- The municipality is increasingly collaborating and exchanging information within networks and outsourcing more tasks. When systems and data are managed by a third party, municipal information may also be exposed. The municipality remains responsible for the information security of its data within the network, even if management has been delegated to another party. Employees are therefore also personally responsible for considering how data can be exchanged securely.
6. Access Control
- Access to information systems and workstations is role-based and is granted based on job function(s) and organizational units following approval by the relevant team leader.
- Authentication methods such as passwords are protected against unauthorized access and modification during transmission and storage (through encryption). Employees also share responsibility for this by keeping their passwords confidential.
- A workspace is available for remote/work-from-home arrangements. Employees are responsible for ensuring that this is done in a safe and responsible manner. This includes: not using unsecured public Wi-Fi, not letting your neighbor look over your shoulder while you’re working from home, etc.
7. Compliance
- To improve the quality of information security and prevent any violations of laws, legal and regulatory obligations, contractual obligations, or security requirements, all employees are required to comply with the municipality’s legal frameworks, guidelines, and policy principles. Employees are also personally responsible for attending information security awareness workshops offered by the municipality.
8. Data Breach Notification
- Employees must immediately report any detected or suspected security breaches and security incidents to the municipality’s CISO or information security officer. This also applies to the loss or theft of laptops, USB drives, tablets, and similar devices, where information may fall into the wrong hands. This can be done in person or by sending an email to: ciso@westmaasenwaal.nl.
Privacy Policy
Within the municipality of West Maas en Waal, extensive work involves the personal data of citizens, employees, and (chain) partners. Personal data is primarily collected from citizens for the proper execution of municipal legal tasks. Citizens must be able to trust that the municipality handles personal data carefully and securely. The municipality is aware of this and ensures that privacy remains guaranteed by applying privacy principles.
Since October 1, 2025, the municipality has been collaborating with the West Betuwe operational management organization (BVO WB or BWB) in the area of information security. BWB advises our municipality on information security and the protection of personal data. The Data Protection Officer (DPO) is also based at BWB. This independent internal supervisor verifies whether the municipality complies with privacy laws and regulations and reports on this to management. Emails sent to the DPO’s external email address are received by the DPO directly, without interference from others. This allows the DPO to operate independently.
The municipality of West Maas en Waal applies the following privacy principles based on Article 5 of the General Data Protection Regulation:
- Lawfulness, fairness, and transparency: Personal data is processed in a manner that is lawful, fair, and transparent to the data subject.
- Purpose limitation: Personal data is collected and processed for specific, explicitly defined, and legitimate purposes and may not subsequently be processed in a manner that is incompatible with the purposes for which it was collected.
- Data minimization: Data processing takes place only to the extent that it is legally justified (there must be a necessity).
- Accuracy: Data is accurate, precise, and sufficiently up-to-date. Requests from data subjects regarding their rights—such as the “right to be forgotten,” the “right of access,” and the “right to rectification”—are honored to the extent possible.
- Storage limitation: Personal data is not retained for longer than necessary. Retaining personal data may be necessary to properly perform municipal duties and to comply with legal obligations.
- Integrity and confidentiality: Personal data is secured through technical and organizational measures in such a way that it is protected against, among other things, unauthorized or unlawful processing, as well as accidental loss, destruction, or damage.
- Accountability: The municipality that processes personal data must, as the data controller, be able to demonstrate why specific personal data is being processed.
- Information security: The municipality adheres to confidentiality agreements and follows a common set of standards known as the Municipal Information Security Baseline. Information systems are protected against issues that compromise the confidentiality, integrity, and availability of data.
- Internal and external parties: Everyone working within the municipality is responsible for handling personal data with due care and for safeguarding the privacy rights of individuals. Where there is structural data exchange or cooperation with external organizations or other municipalities, the municipality of West Maas en Waal makes prior agreements on the data exchange and records these in a data processing agreement.
- Processing activities: Any new processing activity that involves personal data must be included in the processing register and reported to the Data Protection Officer by email at fg@bvowb.nl.
The obligation to protect information and personal data remains in effect after termination of employment or a change in position.