Statecraft

02 · Symptom

The Architecture of Silence

Why the Dutch Tax Authority's data vault is not an incident, and what can actually protect a public-service state from itself

18 April 2026 · by Jacob Huibers

Statecraft Position Paper, April 2026 — Jacob Huibers

Executive summary

In mid-April 2026, the Dutch Ministry of Finance disclosed that its Tax Authority had been holding an uncatalogued “data vault” containing at least 64 million files, which had remained outside the scope of every major information request to the Tax Authority for the past seven years, including the parliamentary inquiry into the 2020 childcare benefits scandal. The revelation has been treated in Dutch public debate as an extraordinary scandal. Seen from the practice of interim management inside the Dutch public administration, the opposite is true: the mechanism is structural, the pattern recognisable, and the current response (parliamentary inquiry, ministerial accountability, calls for criminal liability) will not resolve the underlying problem. This paper sets out why concealment is a rational organisational survival strategy, why punitive responses are counterproductive, and what a transparency architecture could look like that addresses the problem at its root. It closes with implications for public-sector principals at national and municipal level.

Context for readers outside the Netherlands

A brief primer is useful for international readers, because several Dutch institutions and events are referenced throughout this paper.

The Dutch childcare benefits scandal (toeslagenaffaire) is the defining public administration failure of the past two decades. Between roughly 2005 and 2019, the Dutch Tax Authority unlawfully accused tens of thousands of parents, disproportionately of dual nationality or migrant background, of fraud in claiming childcare benefits. Families were forced to repay amounts they did not owe, were placed on opaque internal blacklists and were denied access to their own files. The resulting financial and psychological damage was catastrophic. When the scale became undeniable, the government of Mark Rutte resigned in January 2021. A parliamentary inquiry followed, as well as a still-ongoing compensation operation. Two of the authors who prompted this paper, Pieter Omtzigt and Renske Leijten, were the members of parliament who most doggedly exposed the scandal.

The data vault (datakluis) revelation of April 2026 concerns a sealed digital storage environment at the Tax Authority, holding at least 64 million uncategorised files transferred in bulk from shared network drives in 2019. Its original purpose was compliance with the Dutch implementation of the GDPR and the national Archives Act: files that could not be promptly reviewed for personal data were isolated rather than deleted, pending later case-by-case assessment that never materialised at scale. The existence of this vault was disclosed to the Dutch House of Representatives in two 2019 letters from the then-state secretary. For seven subsequent years the vault was not searched in response to any major information request, including the Parliamentary Inquiry into Fraud and Service Provision (PEFD), which concluded in early 2024 and was meant to establish the full truth about the benefits scandal. The current state secretaries, Eerenberg and Palmen-Schlangen, only informed Parliament eight months after the vault’s relevance to these earlier inquiries was confirmed through sampling in late 2025.

Key Dutch institutions referenced: the Tweede Kamer (House of Representatives) is the directly elected lower chamber of parliament. A staatssecretaris (state secretary) is a junior minister with a delegated portfolio. The Autoriteit Persoonsgegevens is the Dutch data protection authority. The Auditdienst Rijk is the central government audit service. The Nationale Ombudsman is the independent national ombudsman. The Algemene Bestuursdienst (Senior Public Service, abbreviated ABD) is the corps of senior civil servants at national level, designed to rotate between ministries. Gemeenten (municipalities) are the lowest directly elected tier of Dutch government, with a high degree of autonomy over the social domain (youth care, social assistance, long-term care for older people). A gemeentesecretaris is the chief public administrator of a municipality, equivalent to a chief executive. A parliamentary inquiry (parlementaire enquête) is the heaviest investigative instrument available to the Dutch parliament, carrying the power to compel documents and witnesses under oath.

1. The pattern, not the incident

In their Volkskrant opinion piece of 17 April 2026, Pieter Omtzigt and Renske Leijten argue that the silence around the Tax Authority’s data vault undermines the rule of law. That analysis is correct. Their proposal to hold individual officials personally accountable and transfer the investigation to another ministry is defensible. But framing this affair as an exceptional case underestimates the nature of the problem.

A salient detail underplayed in the current debate: the data vault was never a secret. Exactly seven years before its re-emergence, on 17 April 2019, the then-state secretary for Finance, Menno Snel, disclosed its existence publicly in the Tax Authority’s 23rd semi-annual report to Parliament (Kamerstukken II 2018/19, 31066, no. 480). He presented it explicitly as a GDPR-compliant measure to isolate outdated data whose manual assessment for personal information exceeded the organisation’s capacity. The initial inventory spoke of “hundreds of millions of documents”. A second informational letter followed on 28 May 2019 (Kamerstukken II 2018/19, 31066, no. 485). The current ministerial letter of 15 April 2026 explicitly acknowledges that Parliament was informed about the construction twice in 2019. The vault was not hidden from the legislature; it was presented to the legislature, with a state secretary’s signature, as a solution. What was missing was anyone monitoring what was inside it and whether the promised follow-up steps, inventory, case-by-case assessment and either archiving or destruction under the Archives Act, were ever actually taken. A compliance instrument without governance silently becomes an instrument of concealment. That is precisely what happened here.

This fact changes the nature of the scandal. This is not an actively hidden server environment discovered after years of detective work. This is a publicly announced vault, notified twice to Parliament, that nobody looked at for seven years, until a sampling exercise in late 2025 established that it contained documents that should have been delivered to the Parliamentary Inquiry into Fraud and Service Provision. It then took several more months before Parliament was publicly informed in April 2026. For the architectural argument this is stronger evidence, not weaker, than a hidden-vault narrative: it shows that visibility alone does not suffice. What was missing was governance: structural attention, periodic reporting on content and progress of the announced processing, independent verification of what the vault actually contained, and a standing protocol requiring that every major information request or parliamentary inquiry include a search of the vault.

In more than twenty years as an interim manager in Dutch municipalities with populations between 50,000 and slightly over 200,000, I have not encountered a single assignment without its own local version of the data vault. Not at the same scale, not followed by a hundred thousand victims. But the mechanism is identical. Documents that are “somewhere”. Knowledge concentrated in one or two key figures. Shadow administrations in local Excel files or on personal laptops. Meeting notes that were never taken, or that “went missing”. Reports of which only the summary circulates, while the original conclusions rest in a desk drawer.

Three anonymised examples, stripped versions of actual assignments.

In a mid-sized municipality where I led a reorganisation of the social domain, it became clear after four months that the financial management information on which the municipal executive based its decisions diverged from actual expenditure in service delivery. The divergence was not incidental but structural, amounting to several percent of the total domain budget. The information had been known to two senior civil servants. They had never reported it, because in their own words “the alderman did not ask and it was politically inconvenient”.

In another assignment, I inherited a locked network drive accessible only to one departmental head. When eventually opened, the drive contained complaints, internal investigations and case materials that did not appear in the official records management system. The stated rationale: “material we preferred not to have retrievable through an Open Government Act request.” The Dutch Open Government Act (WOO) is the equivalent of a freedom-of-information regime. Here, the circumvention of that statute was not opportunistic but institutionally engineered.

In a third assignment, a start-up leadership role in a regional inter-municipal partnership, the steering committee had for years taken decisions based on budget overviews in which a significant share of overhead costs was systematically excluded. The figures did exist, but in a separate sub-system, and nobody had performed the consolidation because the result would have been politically indigestible.

None of these cases matches the scale of the Tax Authority affair. But the mechanism is identical. Painful information is isolated, uncomfortable conclusions are softened or entrusted to a single person, and whoever knows the full picture is gradually marginalised or chooses to leave. This is not a conspiracy. It is how organisations protect themselves from their own content. The larger the service-delivery organisation, the more ingenious the architecture of concealment becomes. The Dutch Tax Authority simply had the scale and the time to bring this mechanism to institutional perfection.

2. The organisational logic of concealment

The relevant question is why concealment is rational behaviour inside public-service organisations. Three mechanisms compound.

The first is loyalty as a career instrument. Within the civil service, internal reputation is the decisive factor in promotion. Those who share information that damages their own organisation pay for it. Those who remain loyal are rewarded. In the Senior Public Service at national level the mechanism operates most visibly; in municipalities the scale is smaller but the dynamic identical. Silence is not moral weakness, it is a career strategy that works. Whistleblowers in the Dutch public sector almost without exception end up outside the organisation, frequently with a settlement agreement and a non-disclosure clause attached. That pattern is common knowledge and functions as deterrence decades before an individual official faces the choice of whether to speak about a data vault.

The second is the asymmetric distribution of risk between political and civil service levels. After every scandal, the sequence is predictable. The alderman or state secretary resigns, the director remains, the senior civil servant rotates to a comparable position elsewhere. Under that condition it becomes rational for a civil servant to manage information so that the political leadership can continue to plausibly deny knowledge. The informal norm “what the minister does not know cannot hurt them” protects everyone except the public. In municipalities the same dynamic operates: aldermen come and go, the chief municipal executive remains, and institutional memory reorganises itself around each new coalition.

The third is increasing juridification. Open Government Act requests, GDPR claims, damages litigation and parliamentary inquiries have raised the cost of documented errors exponentially. The rational response has not been to make fewer errors but to document less. Oral coordination, informal working arrangements, decision notes that are never made official: these are all adaptations to an environment in which writing things down has become a liability risk. Those who prepare every internal communication for a potential future Open Government Act request write differently from those who communicate to solve a problem. That shift is visible in every current dossier.

These three mechanisms are mutually reinforcing. Together they produce an organisation in which concealment is not the exception but the default mode, and in which any individual who chooses to act otherwise incurs a personal cost for which no institutional reward exists.

3. Why punitive thinking does not work

The reflex response to the data vault is more supervision, harsher rules and criminal liability for those responsible. On moral grounds this is defensible. Practically it is ineffective, and in some respects counterproductive.

Harder sanctions for documented violations increase the incentive not to document. The next data vault will not be a central server environment but a collection of local encrypted drives, oral knowledge transfer and informal working arrangements. Legal provability decreases, while actual openness does not increase. An organisation that learns that the price of written form exceeds the price of oral culture will shift towards oral culture. This is not malice, it is learning capacity.

Personal liability for senior civil servants sounds just but in practice produces defensive organisational cultures in which nobody decides, nobody signs, and all decision-making runs through collective bodies that cannot be held to account as individuals. The effect is paralysis, not accountability. The Dutch healthcare and education sectors provide evidence of this pattern: intensified supervision regimes have produced file discipline at the expense of substantive work, without demonstrable quality improvement.

Supervision that depends on what the supervised organisation chooses to submit is not real supervision. The National Ombudsman, the Data Protection Authority and the Central Government Audit Service all had formal access to all documents and did not substantively examine the Tax Authority vault in the seven years between its announcement and its rediscovery, despite its existence being public knowledge since two parliamentary letters in 2019 (Kamerstukken II 2018/19, 31066, nos. 480 and 485). This is not a detection failure, it is a design flaw in the nature of the supervision itself. The supply-and-demand structure makes it possible not to submit what has never been requested precisely enough, and equally makes it possible to treat something that was formally announced as a closed file thereafter. Criminal consequences change none of this without structural adjustment of the supervisory model.

The parliamentary inquiry, the heaviest investigative instrument available to the Dutch parliament, carrying the statutory right to all documents and the power to compel witnesses under oath, equally failed to bring the vault’s contents into view. This is not a shortcoming of that particular commission. It is a fundamental limitation of a control model that assumes the supervised organisation knows what it has, is willing to share it and, if the supervisor does not explicitly probe, is more likely to forget than to disclose. All three assumptions have turned out to be incorrect.

4. Aiki as design principle: redirecting force

In the Japanese martial art of aikido, the core principle is not to defeat the opponent through greater force but to redirect the direction of their movement. Applied to organisational design, this means: the force we are dealing with, the reflex of organisational self-protection, does not disappear through moral indignation or harsher laws. What can be done is to shape the direction of that force so that self-protection produces transparency as a by-product rather than concealment.

Concretely, this requires a different design philosophy for public-service organisations.

Open data as default, not as exception on request. Decision information, performance data and service-delivery data should be public by default, with explicit privacy and security exceptions reviewed by an independent body. The current situation, in which everything is closed unless someone requests it, is the breeding ground for data vaults. Inverting the default setting requires no legislative change but a political decision, and is technically feasible in any modern service-delivery organisation.

Immutable audit trails. Every modification to case files, deletion of documents or encryption action should automatically leave a trace that the organisation cannot itself erase. Technically this has been trivial since the advent of append-only logs and cryptographic sealing. It is almost universally absent because organisations want to retain the option of cleaning up “messy” history. That option is precisely the problem.

Direct source access for supervision. Supervisors should have direct access to source data, not to reports pre-processed by the supervised organisation. The difference between being permitted to ask and being able to look is precisely where the Tax Authority vault was able to survive. A supervisor with read-only access to source databases would detect a vault of this scale through metadata analysis, even if the supervised organisation denied its existence.

Whistleblower channels that actually work. Current whistleblower protection in Dutch public-sector practice is largely symbolic. Those who report are marginalised, drawn into difficult conversations, or removed through reorganisation. Real protection requires anonymisation at source, external handling outside the employee’s own organisation, legal immunity for material disclosures and financial security for the reporter. Not procedurally, but materially.

Decoupling career progression from column loyalty. So long as civil service promotion remains within a single organisation or vertical column, loyalty to that column is rational. Mandatory rotation between columns, external assessments and open vacancies at director level reduce dependence on internal reputation and therefore the price of openness. The current Senior Public Service does rotate between ministries, but leaves departmental column loyalty largely intact. Real openness requires an arrangement in which an executive who dismantled a data vault in a previous role is rewarded for it rather than quietly isolated.

These five elements do not together form a silver bullet, but they do form a coherent design. They do not make it impossible for an individual or a group to conceal documents. They do make it more costly, more traceable and ultimately unsustainable. The force of self-protection is not denied, it is redirected towards behaviour compatible with openness.
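The immutable audit trail element above, sketched as an added example (not code from this paper or from any government system): a hash-chained log of case-file events whose head hash is periodically deposited with an outside supervisor. All names, actors and paths are constructed for illustration; the point shown is that a chain on its own can be rebuilt by its owner, while externally held seals expose the rewrite.

```python
import hashlib
import json

GENESIS = "0" * 64  # starting value of the chain (assumption of this example)


def entry_hash(prev_hash, record):
    """Hash a record together with the hash of the entry before it."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


class AuditLog:
    """Append-only log in which each entry commits to all earlier entries."""

    def __init__(self):
        self.entries = []  # each item: {"record": {...}, "hash": "..."}

    def append(self, actor, action, target):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        record = {"seq": len(self.entries), "actor": actor,
                  "action": action, "target": target}
        self.entries.append({"record": record, "hash": entry_hash(prev, record)})

    def seal(self):
        """(entry count, head hash), to be deposited with an outside party."""
        head = self.entries[-1]["hash"] if self.entries else GENESIS
        return (len(self.entries), head)


def verify(entries, seals):
    """Return a list of findings; an empty list means the log is intact."""
    findings, prev, heads = [], GENESIS, {0: GENESIS}
    for i, e in enumerate(entries):
        if e["record"].get("seq") != i:
            findings.append(f"entry {i}: sequence gap")
        if entry_hash(prev, e["record"]) != e["hash"]:
            findings.append(f"entry {i}: content does not match hash")
        prev = e["hash"]  # chain on the stored hash to localise the finding
        heads[i + 1] = prev
    for count, head in seals:  # seals are held outside the organisation
        if count > len(entries):
            findings.append(f"seal {count}: log truncated")
        elif heads[count] != head:
            findings.append(f"seal {count}: history rewritten")
    return findings


def build_sample():
    """Constructed sample events; actors and paths are invented."""
    log, seals = AuditLog(), []
    log.append("clerk-17", "modify", "case/0001/decision.pdf")
    log.append("clerk-17", "delete", "case/0001/complaint.msg")
    seals.append(log.seal())  # deposited with the supervisor
    log.append("admin-03", "encrypt", "share/archive-2019")
    log.append("clerk-22", "modify", "case/0002/notes.docx")
    seals.append(log.seal())
    return log, seals


def rewrite_without(log, seq):
    """Rebuild a self-consistent log that omits one entry (tamper model)."""
    clean = AuditLog()
    for e in log.entries:
        if e["record"]["seq"] != seq:
            r = e["record"]
            clean.append(r["actor"], r["action"], r["target"])
    return clean
```

Verifying the rebuilt log against an empty seal list returns no findings, which is why the seals have to live with a party the logging organisation does not control.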

5. Implications for principals

For the Dutch public administration this produces an agenda that extends well beyond the Tax Authority affair.

At national level this calls for reform of the Senior Public Service that not only rotates officials but breaks the underlying loyalty structure, combined with legally enforceable proactive disclosure duties based on content rather than on request. The “major project” procedure proposed by Omtzigt and Leijten, a specific Dutch parliamentary oversight instrument, is a sound first step, provided the mandate goes beyond reconstruction and includes design proposals for the structural organisation of public-service bodies.

At municipal level, where my practice lies, this requires executives and municipal chief executives to actively seek out their own data vault before a successor or an interim manager finds it. This is uncomfortable but demonstrably cheaper than the restoration operation afterwards. It requires principals to build explicit forensic scope into assignment briefs for interim managers, with mandate and time to surface shadow administrations without this being treated as a reputational problem. It requires interim managers to treat the discovery of shadow administrations as a regular component of the work, not as an incident, and to document in the handover to their successor not only the solution but also the existing architecture of concealment they encountered.

For society the stakes are larger than the Tax Authority alone. A public administration structurally built on concealment cannot, in the long run, protect what it is supposed to protect. The bill for that governance choice runs into billions in remediation costs, further aggravated in 2026 by a steep drop in central government funding of Dutch municipalities, and into an almost irreparable loss of public trust, of which the childcare benefits scandal was only the first instalment.

The alternative is not a silver formula, but a design philosophy that takes the human tendency towards self-protection seriously and redirects it rather than opposing it. A philosophy that also accepts that announcement alone is not oversight, that a GDPR-compliant solution without structural content monitoring can, within a single ministerial term, turn into a repository for what nobody wants to look at anymore. The Tax Authority affair provides the momentum for that design conversation. Whether we seize it is a political choice. If we do not, the next data vault is already being assembled while these lines are being read, presumably neatly announced in a letter to Parliament and just as carefully allowed to drift out of view.


Jacob Huibers is an interim manager in the Dutch public sector, with assignments in municipalities ranging from 50,000 to over 200,000 inhabitants. He is the author of “The Direction of Movement: Interim Management in the Public Sector” (forthcoming autumn 2026) and founder of Statecraft, a platform for strategic reflection on public-service delivery.

Sources

  • Pieter Omtzigt and Renske Leijten, “Silence around the data vault is nothing less than sabotage of the rule of law” (orig. Dutch), de Volkskrant, 17 April 2026.
  • Letter from State Secretary Snel, “23rd semi-annual report of the Tax Authority”, Kamerstukken II 2018/19, 31066, no. 480, 17 April 2019.
  • Letter from State Secretary Snel, “Progress of GDPR implementation at the Tax Authority and submission of the ADR report”, Kamerstukken II 2018/19, 31066, no. 485, 28 May 2019.
  • Letter from State Secretaries Eerenberg and Palmen-Schlangen, “Update data vault Tax Authority”, 15 April 2026.
  • “Tax Authority to store outdated data in data vault” (orig. Dutch), Security.NL, 17 April 2019.
  • “Tax Authority data environment remained out of sight for years” (orig. Dutch), Rijksoverheid.nl, 15 April 2026.