THE NETHERLANDS: Annual audit of algorithms: Potential for effectiveness clear, but key privacy risks not mitigated

18.06.2025

Our audit results show that the use of algorithms can improve the effectiveness of governmental organisations and help citizens in need, but common risks are not mitigated adequately. Risks to the privacy of citizens were not controlled effectively, for instance by the Dutch Tax Administration. Two algorithms were found not to be compliant with the General Data Protection Regulation (GDPR).

This year, the Netherlands Court of Audit audited 3 risk prediction algorithms in use at different governmental organisations as part of its annual Accountability Audit of 2024. This type of algorithm is used to select citizens or businesses which will be subject to additional controls or additional support. An efficient governmental organisation cannot work without the use of these algorithms, but they should be used responsibly. We select the algorithms to audit on a risk basis, taking several factors into account.

Audited algorithms

At the Benefits department of the Dutch Tax Administration (Dienst Toeslagen), an algorithm is used to help identify parents who have to pay back a large sum of childcare benefits in the future. These parents will be offered additional personal guidance to help them and avoid financial problems. Almost 8000 parents have been offered this assistance, with 80-90% of them found with the help of the algorithm. Whilst the algorithm makes a positive contribution, our audit found that many risks were not mitigated adequately. Sensitive data about this vulnerable group of citizens are not protected, as the algorithm was not compliant with the GDPR.

The Dutch Tax Administration (Belastingdienst) deploys an algorithm that helps identify VAT-carousel fraud. This is a type of fraud where a company does not pay VAT, but gets the VAT back from the Dutch Tax Authority through business-to-business transactions of goods in the EU. Through the use of the algorithm, the Dutch Tax Administration assumes that it has prevented more than €500.000 of damages. However, we conclude that the algorithm does not comply with the GDPR and that the results of the algorithm are not evaluated well.

We also audited an algorithm in use at the Employee Insurance Agency (UWV). The algorithm assesses whether an applicant may be unemployed through their own doing. Applications with a higher risk are investigated by the staff members of the agency. Afterwards, they determine whether the applicant indeed became unemployed through their own fault. The use of the algorithm results in a 3x more effective detection of such cases. We also found that many risks were mitigated effectively by the agency. However, there were still concerns with regard to general IT controls.

Our algorithm audit framework

The Netherlands Court of Audit uses its own audit framework for algorithms to conduct the audits. This framework includes norms on governance, privacy, model and data, as well as general IT controls. Since 2022, we have audited algorithms and AI as part of our annual audits.

 
