ORANJESTAD – Thousands of immigration forms containing the private data of tourists (mostly Americans) including passport numbers, home addresses, and signatures were left in an open container over the weekend. “I estimate that there were hundreds of thousands”, an anonymous witness said.
The container itself and its contents have been brought to the dump by the waste management company. But when Caribbean Network goes to the area, the surrounding bushes still contain these so-called ED-forms, which tourists have to fill in when they arrive on Aruba.
“I think the container was put there on Thursday afternoon”, said a different witness. Her company leases storage space on the same street. “A lot of forms flew out of the container. I picked-up the ones I found and threw them in the trash because this is not ok. People could use them for nefarious reasons.”
The Aruba Tourism Authority (ATA) seems to be the responsible party and when questioned they sent the following statement: “The normal procedure is that the forms are shredded and transported to the dump for disposal when the incinerator is running.” The forms were kept in storage so that a check could be carried out on the data during the period where Radex, the border control system, was being updated the tourism authority says.
“That’s why the forms were kept for longer than usual. However the ATA has started destroying most of the forms. Unfortunately during the last phase of these clean-up efforts, some forms including old promotional materials, were left behind in a trash can in the storage unit.”
However the ‘garbage can’ was a big container, the two witnesses say as they show us pictures and the outline on the ground. “There were a lot of other things in there too. A lot of binders with invoices from local companies but also American companies. An employment contract for someone in Colombia who was going to get 4000 dollars. Orders for signs, advertising materials, furniture. And documents from the period of time where former ministers for tourism Edison Briezen and Otmar Oduber were in office. All of it from 2008 up to 2016”, says one of the witnesses who took pictures.
Questions about how this data breach occurred were not answered by ATA. Earlier this year there was a medical information data breach tied to the corona-app. Even though the prime minister apologized for this, it seems the Aruban government hasn’t done much to protect the private information of individuals.
Who keeps an eye on this?
In Nederland houdt Autoriteit Persoonsgegevens (AP) toezicht om zo de privacy te beschermen. Deze instantie kan ook boetes geven aan instanties die laks omgaan met privégegevens.
In the Netherlands, the Dutch Data Protection Authority (DPA) is the supervising agency tasked with protecting privacy. This institution can also fine other institutions who don’t properly protect private data.
Aruba however doesn’t have an independent supervising agency and the legislation is outdated, justice minister Andin Bikker admits. “We are currently working on new legislation as a result of GDPR. GDPR indirectly affects us too. That’s why I had to sign a protocol with KLM and Schiphol because individuals with European nationalities are covered by GDPR and we have to take that into account when they travel to Aruba.”
The General Data Protection Regulation (GDPR) is a piece of European legislation which amongst other things guarantees the protection of personal data. The legislation covers all companies and organizations worldwide that store and process personal data of European individuals.
The tasks the Dutch DPA carries out flow forth from this legislation. That’s why the Dutch DPA works together with supervising agencies for countries where GDPR applies. But not with Aruba, is the reply of the Dutch DPA when asked about this: “Seeing as Aruba doesn’t have an independent privacy supervising agency, cooperation with Aruba cannot exist. We have however been in contact with the supervising agency on the BES islands.”
Dutch DPA not aware of the corona-app data breach
The Dutch DPA says that they are not aware of the Aruban corona-app data breach. Even though there was medical data of Dutch citizens involved, the agency says: “The Aruban government is responsible for the supervision.”
On Aruba, Dutch passports are regularly copied by companies and institutions while there are strict rules in the Netherlands for this. The rules encompass both when the passports are allowed to be copied and how these copies should be stored.
Dutch passports (including those of Arubans) are the property of the Dutch State but the Dutch DPA says that it is also not responsible for the supervision in this case. “It is up to individuals themselves to pay attention to when an organizations asks for a copy of your passport.”
Minister Bikker says that as soon as Aruba updates its privacy legislation a new supervision entity will be created.