Processing of health data
Under the General Data Protection Regulation (GDPR), processing of health data is prohibited. But the GDPR also contains a number of exceptions to this prohibition. Processing of health data is permitted, for example, if this is necessary for providing someone with care or help. This is subject to the condition that the processing takes place in the context of a treatment contract or that the processing has been regulated by law.
On this page
Legal basis of legal obligation
The GDPR stipulates that processing of personal data about someone's health or mental condition is only permitted with a legal basis. That legal basis can usually be found in a law. For example: the Medical Treatment Contracts Act (Dutch abbreviation: WGBO).
Here it says that a doctor is obliged to keep a patient record. This is important for the provision of care. The doctor may then record the complaints and the treatment that a patient received.
Often, a record-keeping requirement also applies for other care providers, institutions and facilities for healthcare and services to the community. This means that they are also obliged to keep a record on the people they treat.
Governmental organisations within the healthcare sector are also allowed to process health data for specific tasks and purposes. Such as the Health and Youth Care Inspectorate.
Examples of laws:
- Medical Treatment Contracts Act (Dutch abbreviation: WGBO).
- GDPR Implementation Act.
- Youth Act.
- Social Support Act (Dutch abbreviation: Wmo) 2015.
- Long-Term Care Act (Dutch abbreviation: Wlz).
- Processing of Personal Data in Healthcare (Additional Provisions) Act (Dutch abbreviation: Wabvpz).
- Healthcare Quality, Complaints and Disputes Act (Dutch abbreviation: Wkkgz).
- Healthcare Insurance Act. Health insurers make payments and process personal data. The legal basis for such processing operations has been arranged in the Healthcare Insurance Act.
- The Healthcare (Market Regulation) Act (Dutch abbreviation: Wmg). This Act stipulates, among other things, that the Dutch Healthcare Authority NZa supervises healthcare providers and health insurers. And is allowed to process health data if this is necessary.
Does the law not offer a legal basis for processing of health data? Then there are other options as well:
- Explicit consent from the patient. This is subject to strict requirements. For example: data processing operations for scientific research by research agencies, universities, and the industrial sector. Data collected for this purpose have often been pseudonymised and sometimes anonymised.
- A public task. In this case, consent from the patient is not necessary. The patient may object to the data processing, though. For example: data processing operations by governments for policy purposes. Such as determining budgets and premiums, checking for fraud, and planning of healthcare.
In addition to having a legal basis, processing operations also have to meet the other requirements from the GDPR.
Legal basis of consent
Most data processing operations in the healthcare sector have been sufficiently arranged in legislation. If this is the case, asking for consent is not necessary. The GDPR only requires consent if there is no other legal basis for processing of health data. This consent is subject to strict requirements.
However, the most common data processing operations in the healthcare sector do not require consent under the GDPR, because the legal basis has been laid down in law. But note: other laws may contain an obligation to ask for consent for the provision of health data to third parties.
Consent in various laws
Asking for consent may sometimes cause confusion, because this is mentioned in both the GDPR and in other laws. For example: the WGBO, the Wabvpz, the Wmo, and the Youth Act. This is what you need to know:
- Breaching professional secrecy requires consent from the patient. This consent is necessary, for example, if a doctor wants to share the health data with care providers who are not involved in the treatment.
- Processing of health data in an electronic exchange system requires consent from the patient (under the Wabvpz).
- The GDPR only requires consent if there is no other legal basis for processing of health data. This consent is subject to strict requirements. However, the most common data processing operations in the healthcare sector do not require consent under the GDPR, because the legal basis has been laid down in law.
The Dutch DPA's advice to care providers is that they always check properly whether asking for consent is necessary. And which requirements the consent has to meet. Do not ask for consent for a second time ‘to be on the safe side’ if the reason why is not clear. This makes it needlessly complex for the patient and puts an additional burden on registration.
Obligation of confidentiality
People in the healthcare sector who are involved in the processing of health data have an obligation of confidentiality. Such obligation of confidentiality may arise from, for example:
- the profession of the care provider;
- the treatment agreement concluded with the patient;
- an employment contract;
- the law.
The obligation of confidentiality means for care providers that they are only allowed to provide health data to others with consent from the patient or if they are obliged by law to do so.
An obligation of confidentiality (of some sort) applies for various professions. Besides, health data may not be accessed by unauthorised persons. This is also one of the provisions of the GDPR.
Verifying identity
A duty to provide proof of identity exists in healthcare. A care provider verifies a patient's identity with the aid of that patient's identity document. Making a copy or a scan of the identity document is not allowed. Including the type and the number of the identity document in the records is. See also: Identity document in healthcare.
Care providers are also obliged by law to use the citizen service number (BSN). The care provider includes the BSN in the records and uses this when exchanging patient data with other care providers and health insurers. See also: BSN in healthcare.
Also view
Privacystory
During a job interview, Eric (39) was confronted with his medical history. "There surely must be other ways to test someone's resistance to stress?"