Dutch Councils Are Still Leaking Residents' Personal Data, Including Citizen Service Numbers
Investigation found hundreds of documents on Dutch council websites containing residents' emails, phone numbers, addresses and even citizen service numbers (BSNs)
See more of Dutch Brief in your Google search results

Dutch municipalities are still accidentally publishing residents’ personal data on the internet, including email addresses, private phone numbers and even citizen service numbers, according to an investigation by the broadcaster NOS and the current affairs programme Nieuwsuur.
What the investigation found
The reporters searched council websites and found hundreds of documents that still contained people’s private details. Among them were documents showing identity document numbers and, in 255 cases, residents’ burgerservicenummers (BSNs), the unique number every resident of the Netherlands has and which is used for things like taxes, healthcare, benefits and employment.
In one document from Pijnacker-Nootdorp, a town near Rotterdam, the BSNs of 43 people who had given their opinion on a new housing project were visible, along with their names, addresses, email addresses and, in some cases, phone numbers.
Why councils publish these documents
The data ends up online through ordinary council business. When residents apply for a permit, or send in a comment on a plan in their neighbourhood, such as the arrival of an asylum seekers’ centre, councils are often required to publish the related documents, partly under the Open Government Act (the Wet Open Overheid). Before doing so, they are supposed to black out, or redact, any private information. The investigation shows that this frequently does not happen, or is not done thoroughly enough.
SPONSORED
You’re overpaying your accountant. And they still don’t call you back.
Neno gives you a dedicated bookkeeper, automated admin, real-time financial insights and a free business bank account. Everything your business needs, in one place.
No chasing. No surprises. No unnecessary costs.
The risks
The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) is clear that publishing a BSN is not allowed and counts as a data breach. Careless use of the number, it warns, can lead to misuse of someone’s personal data, including identity fraud. Experts say there is no reason a BSN should ever appear in a public document.
It is not only the most sensitive numbers that count. The watchdog stresses that even wrongly publishing an address, or just a name, can already be a data breach. The consequences can be real: last summer, the municipality of Midden-Delfland accidentally published a document with the names and addresses of 133 residents who opposed an asylum centre, causing worry among those affected, before it replaced the file with an anonymised version and wrote to them.
The councils’ response
The councils have not disputed the findings. A spokesperson for the VNG, the association of Dutch municipalities, said councils “take the results of the NOS investigation very seriously” and that personal data must be well protected. After being told about the documents late last week, many councils have removed them or are in the process of doing so, and several have reported the leaks to the Data Protection Authority. “It involved a human error, and we immediately made the documents inaccessible. We filed a report straight away,” the municipality of Pijnacker-Nootdorp said.
At the same time, the VNG pointed to the scale of the task. Anonymising millions of documents is an enormous job, it said, and councils receive no separate budget for it. Since 2018, many have started using software to redact documents automatically, usually with a staff member checking them before they go online, though the systems that publish council documents do not automatically flag sensitive data.
An old problem
The issue is far from new. The Data Protection Authority urged councils to handle residents’ data more carefully back in 2017. Most of the documents containing BSNs that the reporters found dated from 2016 and 2017, but 99 were published after the stricter privacy rules took effect in 2018. The watchdog received more than 120 reports this year from councils that had accidentally made data public, up from 75 last year, and said the real scale of the problem is probably larger.



