The world is hit exceptionally hard by the coronavirus. This pandemic is not only a health hazard, but can also lead to a human rights crisis, endangering privacy among other rights.

The right to privacy includes the protection of everyone’s private life, personal data, confidential communication, home inviolability and physical integrity. Privacy First was founded to protect and promote these rights. Not only in times of peace and prosperity, but also in times of crisis.

Now more than ever, it is vital to stand up for our social freedom and privacy. Fear should not play a role in this. However, various countries have introduced draconian laws, measures and infrastructures. Much is at stake here, namely preserving everyone’s freedom, autonomy and human dignity.

Privacy First monitors these developments and reacts proactively as soon as governments are about to take measures that are not strictly necessary and proportionate. In this respect, Privacy First holds that the following measures are in essence illegitimate:
- Mass surveillance
- Forced inspections in the home
- Abolition of anonymous or cash payments
- Secret use of camera surveillance and biometrics
- Every form of infringement on medical confidentiality.

Privacy First will see to it that justified measures will only apply temporarily and will be lifted as soon as the Corona crisis is over. It should be ensured that no new, structural and permanent emergency legislation is introduced. While the measures are in place, effective legal means should remain available and privacy supervisory bodies should remain critical.

Moreover, in order to control the coronavirus effectively, we should rely on the individual responsibility of citizens. Much is possible on the basis of voluntariness and individual, fully informed, specific and prior consent.

As always, Privacy First is prepared to assist in the development of privacy-friendly policies and any solutions based on privacy by design, preferably in collaboration with relevant organizations and experts. Especially in these times, the Netherlands (and the European Union) can become an international point of reference when it comes to fighting a pandemic while preserving democratic values and the right to privacy. This is the only way that the Corona crisis will not be able to weaken our world lastingly, and instead, we will emerge stronger together.

Published in Law & Politics

On July 1 and 2, 2019, the Netherlands will be examined in Geneva by the United Nations Human Rights Committee. This UN body is tasked with supervising the compliance of one of the oldest and most important human rights treaties in the world: the International Covenant on Civil and Political Rights (ICCPR). Each country which is a contracting party to the ICCPR is subject to periodical review by the UN Human Rights Committee. At the beginning of next week, the Dutch government must answer before the Committee for various current privacy issues that have been put on the agenda by Privacy First among others.

The previous Dutch session before the UN Human Rights Committee dates from July 2009, when the Dutch minister of Justice Ernst Hirsch Ballin had to answer for the then proposed central storage of fingerprints under the new Dutch Passport Act. This was a cause for considerable criticism of the Dutch government. Now, ten years on, the situation in the Netherlands will be examined once more. Against this background, Privacy First had submitted to the Committee a critical report (pdf) at the end of 2016, and has recently supplemented this with a new report (pdf). In a nutshell, Privacy First has brought the following current issues to the attention of the Committee:

- the limited admissibility of interest groups in class action lawsuits 

- the Dutch ban on judicial review of the constitutionality of laws

- profiling

- Automatic Number Plate Recognition (ANPR)

- border control camera system @MIGO-BORAS

- the Dutch public transport chip card ('OV-chipkaart') 

- Electronic Health Record systems

- possible reintroduction of the Telecommunications Data Retention Act

- the new Dutch Intelligence and Security Services Act (‘Tapping Law’)

- PSD2

- Passenger Name Records (PNR)

- the Dutch abolition of consultative referendums

- the Dutch non-recognition of the international prohibition of propaganda for war.

The entire Dutch session before the Committee can be watched live on UN Web TV on Monday afternoon, July 1, and Tuesday morning, July 2. In addition to privacy issues, several Dutch organizations have put numerous other human rights issues on the agenda of the Committee; click HERE for an overview, which also features the previously established List of Issues (including the new Intelligence and Security Services Act, the possible reintroduction of the retention of telecommunications data, camera system @MIGO-BORAS, and medical confidentiality with health insurance companies). The Committee will likely present its ‘Concluding Observations’ within a matter of weeks. Privacy First awaits the outcome of these observations with confidence.

Update July 26, 2019: yesterday afternoon the Committee has published its Concluding Observations on the human rights situation in the Netherlands, which includes critical opinions on two privacy issues that were brought to the attention of the Committee by Privacy First: 

The Intelligence and Security Services Act

The Committee is concerned about the Intelligence and Security Act 2017, which provides intelligence and security services with broad surveillance and interception powers, including bulk data collection. It is particularly concerned that the Act does not seem to provide for a clear definition of bulk data collection for investigation related purpose; clear grounds for extending retention periods for information collected; and effective independent safeguards against bulk data hacking. It is also concerned by the limited practical possibilities for complaining, in the absence of a comprehensive notification regime to the Dutch Oversight Board for the Intelligence and Security Services (CTIVD) (art. 17).
The State party should review the Act with a view to bringing its definitions and the powers and limits on their exercise in line with the Covenant and strengthen the independence and effectiveness of CTIVD and the Committee overseeing intelligence efforts and competences that has been established by the Act.

The Market Healthcare Act

The Committee is concerned that the Act to amend the Market Regulation (Healthcare) Act allows health insurance company medical consultants access to individual records in the electronic patient registration without obtaining a prior, informed and specific consent of the insured and that such practice has been carried out by health insurance companies for many years (art. 17).
The State party should require insurance companies to refrain from consulting individual medical records without a consent of the insured and ensure that the Bill requires health insurance companies to obtain a prior and informed consent of the insured to consult their records in the electronic patient registration and provide for an opt-out option for patients that oppose access to their records.

During the session in Geneva the abolition of the referendum and the camera system @MIGO-BORAS were also critically looked at. However, Privacy First regrets that the Committee makes no mention of these and various other current issues in its Concluding Observations. Nevertheless, the report by the Committee shows that the issue of privacy is ever higher on the agenda of the United Nations. Privacy First welcomes this development and will continue in the coming years to encourage the Committee to go down this path. Moreover, Privacy First will ensure that the Netherlands will indeed implement the various recommendations by the Committee.

The entire Dutch Session before the Committee can be watched on UN Web TV (1 July and 2 July). See also the extensive UN reports, part 1 and part 2 (pdf).

Published in Law & Politics

Since 2013, the Dutch Association of General Practitioners has, in an essential civil case, been litigating against the private successor of the Dutch Electronic Health Record (Elektronisch Patiëntendossier, EPD): the National Switch Point (Landelijk Schakelpunt, LSP). At the end of last week, the Dutch Supreme Court decided that, for the time being, the LSP is not in violation of current privacy law. However, the Supreme Court has laid down in its judgment that the LSP will soon have to comply with the legislative requirement of privacy-by-design. This constitutes an important precedent and raises the bar with a view to the future.

Private relaunch of EPD: National Switch Point

In April 2011, the Dutch Senate unanimously rejected the EPD, primarily on account of privacy objections. However, almost directly afterwards, various market participants (among which health insurance companies) made sure there was a relaunch of the same EPD in private form: the LSP, intended for the large-scale, central exchange of medical data. Since then, the LSP has been introduced nationally and many practitioners have aligned themselves with it, oftentimes under pressure of health insurers. Millions of people in the Netherlands have given their ‘consent’ to the exchange of their medical records via the LSP. However, this ‘consent’ is so broad and general, it’s virtually impossible to deem it lawful. This was one of the main objections the court case of the Association of General Practitioners against the LSP revolved around. Other objections against the LSP are related to the fact that its architecture is inherently insecure and in breach of privacy. Through the LSP, every connected medical record is accessible for thousands of health care providers. This is in violation of the right to privacy of patients and the medical confidentiality of treating physicians. What’s more, there is no privacy-by-design, for example through end-to-end encryption. The LSP is basically as leaky as a sieve, which means that it’s ideal for function creep and possible abuse by malicious actors.

Specific Consent Campaign

Over the last couple of years, Privacy First has repeatedly raised the alarm about this in the media. We have brought the issue to the attention even of the United Nations Human Rights Council. In April 2014, a large scale Internet campaign was launched on the initiative of Privacy First and the Dutch Platform for the Protection of Civil Rights (Platform Bescherming Burgerrechten) in order to retain and enhance the right to medical confidentiality: www.SpecifiekeToestemming.nl. Ever since, this campaign is being supported by numerous civil organizations, healthcare providers and scholars. The essence of the campaign is that specific consent should (again) become the leading principle when it comes to the exchange of medical data. In case of specific consent, prior to sharing medical data, clients have to be able to decide whether or not, and if so, which data to share with which healthcare providers and for which purposes. This minimizes risks and enables patients to control the exchange of their medical data. This is in contrast to the generic consent that applies to the LSP. In the case of generic consent, it is unforeseeable who can access, use and exchange someone’s medical data. In this respect, generic consent is in contravention of two classic privacy principles: the purpose limitation principle and the right to free, prior and fully informed consent for the processing of personal data.

Privacy by design

Courtesy also of the pressure exerted by our campaign SpecifiekeToestemming.nl, the Dutch legislative proposal Clients’ Rights in relation to the processing of data in healthcare (legislative proposal 33509), was strenghtened by the House of Representatives in 2014 and was adopted by the Senate in 2016 as a result of two crucial motions: 1) the motion Bredenoord (D66) about the further elaboration of data-protection-by-design as the starting point for the electronic processing of medical data and 2) the motion Teunissen (Party for the Animals) related to keeping medical records accessible on a decentral (instead of a central) level. Under the new law, specific (‘specified’) consent is obligatory. This should now be implemented in all existing and future systems for the exchange of medical data, including the LSP. Moreover, privacy-by-design will become an inexorable legal duty under the new European General Protection Data Regulation (GDPR), that is to say, privacy and data protection should be incorporated in all relevant hardware and software from the very first design. In this context, there have been several developments on the Dutch market in recent years, all of which indicate that both specific consent as well as privacy-by-design are indeed becoming standards in new systems. A prime example of this in a medical context is Whitebox Systems, which won a Dutch National Privacy Innovation Award in 2015 already.

Court case of Association of General Practitioners

Since March 2013, the Dutch Association of General Practitioners (Vereniging Praktijkhoudende Huisartsen, VPH) has been litigating in a large-scale civil case against the private administrator of the LSP: the Association of Healthcare Providers for Healthcare Communication (Vereniging van zorgaanbieders voor zorgcommunicatie, VZVZ). Following unsatisfactory rulings by the district court of Utrecht and the Arnhem Court of Appeal, VPH appealed before the Dutch Supreme Court at the end of 2016. Since then, this case has, on the recommendation of Privacy First, received pro bono support from law firm Houthoff Buruma. As amicus curiae, Privacy First and the Platform for the Protection of Civil Rights filed a letter (PDF) with the Supreme Court in support of the general practitioners and in line with our joint campaign SpecifiekeToestemming.nl. In her conclusion, the Advocate general of the Supreme Court referred extensively to the amicus curiae letter. On 1 December 2016, the Supreme Court finally came up with its ruling. Regrettably, the Supreme Court by and large agreed with the line of reasoning of the Arnhem Court of Appeal. Privacy First cannot help thinking that the LSP (even before the Supreme Court) is apparently too big too fail: by now this faulty system has grown to the extend that no one dares to declare it unlawful. There is, however, an important positive note, which can be found in the final consideration of the Supreme Court:

‘‘[The Court has] acknowledged that the healthcare infrastructure can be designed in such a way that a clearer distinction can be made between (sorts of) data and (categories of) healthcare providers and, particularly, in such a way that the exchange of data on the basis of consent can beforehand be limited to cases of urgency. The Court takes the view that such infrastructure would be better in line with the principles of the Privacy Directive and the Personal Data Protection Act, but that it could not have been demanded from VZVZ at the time of the contested ruling. According to the Court, VZVZ can be expected, however, to alter its system offering greater freedom of choice, as soon as this is technically possible and feasible.

These considerations are not incomprehensible. It is worthwhile noting that, considering (...) the regulatory changes and VZVZ’s ambitions in relation to the system (...), privacy by design and privacy by default as explicit points of departure (art. 25, paragraphs 1 and 2 General Data Protection Regulation), is what the Court can reasonably expect from VZVZ.’' (5.4.4)

Just like the Arnhem Court of Appeal, the Supreme Court clearly homes in on the implementation of specific consent and privacy-by-design when it comes to the LSP. The Supreme Court thereby creates a positive precedent which will set the scene for the future, also in a broader sense. Privacy First will continue to actively follow the developments in this case and, if necessary, will not hesitate to bring certain aspects to the attention of the courts once more.


Read the entire ruling of the Supreme Court HERE (in Dutch) and the previous conclusion of the Advocate General HERE.

HERE you find the amicus curiae letter written by Privacy First and the Dutch Platform for the Protection of Civil Rights (pdf in Dutch).


Comments from the Dutch Association of General Practitioners: http://www.vphuisartsen.nl/nieuws/cassatieberoep-vphuisartsen-verloren-toch-winst/

Comments from SpecifiekeToestemming.nl: http://specifieketoestemming.nl/werk-aan-de-winkel-na-teleurstellend-vonnis-over-lsp/.

Published in Medical Privacy

Tomorrow morning the Netherlands will be examined in Geneva by the highest human rights body in the world: the United Nations Human Rights Council. Since 2008, the Human Rights Council reviews the human rights situation in each UN Member State once every five years. This procedure is called the Universal Periodic Review (UPR).

Privacy First shadow report

During the previous two UPR sessions in 2008 and 2012, the Netherlands endured a fair amount of criticism. At the moment, the perspectives with regard to privacy in the Netherlands are worse than they’ve ever been before. This is reason for Privacy First to actively bring a number of issues to the attention of the UN. Privacy First did so in September 2016 (a week prior to the UN deadline), through a so-called shadow report: a report in which civil society organizations express their concerns about certain issues. (It’s worth pointing out that the Human Rights Council imposes rigorous requirements on these reports, a strict word limit being one of them.) UN diplomats rely on these reports in order to properly carry out their job. Otherwise, they would depend on one-sided State-written reports that mostly provide a far too optimistic view. So Privacy First submitted its own report about the Netherlands (pdf), which includes the following recommendations:

  • Better opportunities in the Netherlands for civil society organizations to collectively institute legal proceedings.

  • Introduction of constitutional review of laws by the Dutch judiciary.

  • Better legislation pertaining to profiling and datamining.

  • No introduction of automatic number plate recognition (ANPR) as is currently being envisaged.

  • Suspension of the unregulated border control system @MIGO-BORAS.

  • No reintroduction of large scale data retention (general Data Retention Act).

  • No mass surveillance under the new Intelligence and Security Services Act and closer judicial supervision over secret services.

  • Withdrawal of the Computer Criminality Act III , which will allow the Dutch police to hack into any ICT device.

  • A voluntary and regionally organized (instead of a national) Electronic Health Record system with privacy by design.

  • Introduction of an anonymous public transport chip card that is truly anonymous.

You can find our entire report HERE (pdf). The reports from other organizations can be found HERE.

Embassies

Privacy First did not sent its report only to the Human Rights Council but also forwarded it to all the foreign embassies in The Hague. Consequently, Privacy First had extensive (confidential) meetings in recent months with the embassies of Argentina, Australia, Bulgaria, Chili, Germany, Greece and Tanzania. The positions of our interlocutors varied from senior diplomats to ambassadors. Furthermore, Privacy First received positive reactions to its report from the embassies of Mexico, Sweden and the United Kingdom. Moreover, several passages from our report were integrated in the UN summary of the overall human rights situation in the Netherlands; click HERE ('Summary of stakeholders' information', par. 47-50).

Our efforts will hopefully prove to have been effective tomorrow. However, this cannot be guaranteed as it concerns an inter-State, diplomatic process and many issues in our report (and in recent talks) are sensitive subjects in countless other UN Member States as well.

UN Human Rights Committee

In December 2016, Privacy First submitted a similar report to the UN Human Rights Committee in Geneva. This Committee periodically reviews the compliance of the Netherlands with the International Covenant on Civil and Political Rights (ICCPR). Partly as a result of this report, last week the Committee put the Intelligence and Security Services Act, camera system @MIGO-BORAS and the Data Retention Act among other things, on the agenda for the upcoming Dutch session in 2018 (see par. 11, 27).

We hope that our input will be used by both the UN Human Rights Council as well as the UN Human Rights Committee and that it will lead to constructive criticism and internationally exchangeable best practices.

The Dutch UPR session will take place tomorrow between 9am and 12.30pm and can be followed live online.

Update 10 May 2017: during the UPR session in Geneva today, the Dutch government delegation (led by Dutch Minister of Home Affairs Ronald Plasterk) received critical recommendations on human rights and privacy in relation to counter-terrorism by Canada, Germany, Hungary, Mexico and Russia. The entire UPR session can be viewed HERE. Publication of all recommendations by the UN Human Rights Council follows May 12th.

Update 12 May 2017: Today all recommendations to the Netherlands have been published by the UN Human Rights Council, click HERE (pdf). Useful recommendations to the Netherlands regarding the right to privacy were made by Germany, Canada, Spain, Hungary, Mexico and Russia, see paras. 5.29, 5.30, 5.113, 5.121, 5.128 & 5.129. You can find these recommendations below. Further comments by Privacy First will follow.

Extend the National Action Plan on Human Rights to cover all relevant human rights issues, including counter-terrorism, government surveillance, migration and human rights education (Germany);

Extend the National Action Plan on Human Rights, published in 2013 to cover all relevant human rights issues, including respect for human rights while countering terrorism, and ensure independent monitoring and evaluation of the Action Plan (Hungary);

Review any adopted or proposed counter-terrorism legislation, policies, or programs to provide adequate safeguards against human rights violations and minimize any possible stigmatizing effect such measures might have on certain segments of the population (Canada);

Take necessary measures to ensure that the collection and maintenance of data for criminal [investigation] purposes does not entail massive surveillance of innocent persons (Spain);

Adopt and implement specific legislation on collection, use and accumulation of meta-data and individual profiles, including in security and anti-terrorist activities, guaranteeing the right to privacy, transparency, accountability, and the right to decide on the use, correction and deletion of personal data (Mexico);

Ensure the protection of private life and prevent cases of unwarranted access of special agencies in personal information of citizens in the Internet that have no connection with any illegal actions (Russian Federation). [sic]

Update 26 May 2017: a more comprehensive UN report of the UPR session has now been published (including the 'interactive dialogue' between UN Member States and the Netherlands); click HERE (pdf). In September this year, the Dutch government will announce which recommendations it will accept and implement.

Published in Law & Politics

At the end of this summer our colleagues from Bits of Freedom will once again be organizing the annual Big Brother Awards. Below are our nominations for the biggest Dutch privacy violations of the past year:

  1. Automatic Number Plate Recognition plans from Minister Opstelten
    If it’s up to the Dutch Minister of Security and Justice, Ivo Opstelten, the travels of every motorist in the Netherlands will soon be stored in a police database for four weeks through automatic number plate recognition (ANPR) for criminal investigation and prosecution purposes. This means that, in the view of Mr. Opstelten, every motorist is a potential criminal. Privacy First deems this proposal absolutely disproportional and therefore in breach with the right to privacy as stipulated under Article 8 of the European Convention on Human Rights. In case Dutch Parliament accepts this legislative proposal, Privacy First will summon the Dutch State on account of unlawful legislation in violation with the right to privacy; see http://www.privacyfirst.eu/focus-areas/cctv/item/580-every-motorist-becomes-potential-suspect.html
  2. Proposal for hacking scheme from Minister Opstelten
    A second miserable plan from Minister Ivo Opstelten is to authorize the Dutch police force to hack into your computer and to oblige citizens to decrypt their encrypted files for the police. In the view of Privacy First this plan, too, is entirely in breach with the right to privacy, since it’s unnecessary and disproportional. Moreover, the proposal contravenes with the ban on self-incrimination (nemo tenetur). The proposal will lay the basis for future abuse of power and forms a typical building block for a police State instead of a democratic constitutional State. For our main objections, see http://www.privacyfirst.eu/focus-areas/law-and-politics/item/599-privacy-first-objections-against-opstelten-hacking-scheme.html.
  3. License plate parking
    As of late, in an ever greater number of Dutch cities (among which Amsterdam) license plate parking is becoming compulsory. Privacy First stands up for the classical right of citizens to travel freely and anonymously in their own country. The right to park anonymously is a part of this. License plate parking clearly disregards these rights. Moreover, it leads to function creep in breach with the right to privacy. The prime example here is the already proven abuse of parking information of lease drivers by the Dutch tax authorities; see http://www.nrc.nl/nieuws/2013/07/29/privacywaakhond-het-servicehuis-parkeren-overtreedt-de-wet/ (in Dutch).
  4. Highway section controls
    Section speed checks on Dutch highways make that the journeys of motorists are continuously being monitored. This forms a massive infringement of the right to privacy. Such an infringement requires a specific legal basis with guarantees against abuse. Moreover, function creep is just around the corner; this already becomes obvious from the current plans of Dutch Minister Opstelten to soon use all highway speed cameras for automatic number plate recognition (ANPR) for investigation and prosecution purposes of a whole range of criminal offences as well as the collection of outstanding fines, tax debts, etc.  
  5. Drones
    Besides the ‘usual’ cameras in neighbourhoods, shops, stations, above highways etc., citizens are increasingly – and almost unnoticed – being spied upon by flying cameras: so-called drones. The government does this (mainly the police) and so are private parties, yet without any sufficient legislation. Because of this the privacy risks and the likelihood of an accident are enormous. Privacy First therefore pleas for a moratorium on the use of drones until proper national legislation is put in place. Furthermore, drones should only be allowed to be used by the government in exceptional cases, for instance in disaster situations or for the investigation of suspects of very serious crimes, and only in case no other adequate means can be deployed. For private parties a license system is to be introduced with strict supervision and enforcement. Moreover, every drone is to be equipped with a transponder that is publically cognizable. 
  6. Police Taser weapons
    In September 2012 it became known that Dutch Minister Opstelten was planning to equip the entire Dutch police force with Taser weapons. In the view of Privacy First, the use of Taser weapons can easily lead to violations of the international ban on torture and the related right to physical integrity (which is part of the right to privacy). Taser weapons lower the threshold for police violence and hardly leave behind any external scars. At the same time they can inflict serious physical damage and mental harm. In conjunction with the current lack of firearms training for Dutch police officers, this produces serious risks for the Dutch population. In May 2013 the Dutch government had to justify itself over Opstelten’s plans in front of the UN Committee against Torture in Geneva; see http://www.privacyfirst.eu/focus-areas/law-and-politics/item/595-dutch-taser-weapons-on-agenda-of-un-committee-against-torture.html. Nevertheless, for the moment Opstelten’s intentions seem to be unchanged...
  7. Electronic Health Record
    In April 2011 the introduction of a Dutch national Electronic Health Record (Elektronisch Patiëntendossier, EPD) was unanimously binned by the Dutch Senate due to privacy objections and security risks. However, the national introduction of almost the same EPD was subsequently worked towards along a private route and this included the exchange of medical data through a National Switch Point (Landelijk Schakelpunt, LSP). This will by definition lead to 'function creep by design' instead of privacy by design. The digital ‘regional walls’ in and around the LSP will easily be circumvented or removed. Therefore the entire system can take on its old central form again at any given moment in the future, with all the privacy and security risks this entails. Furthermore, the current layout is characterized by generic instead of specific permission of the patient to share medical data with healthcare providers (and future third parties). This constitutes an imminent danger for the medical privacy of citizens as well as the professional confidentiality of medical specialists.
Published in Law & Politics

The Netherlands is a democratic constitutional State. This implies that every government action is to be 1) democratically legitimized and 2) subject to the rule of law. Therefore the law decides what the government has to adhere by. Whereas the prohibition on vigilante justice applies to every citizen, it also applies to the government itself. In that sense the government fulfils an important exemplary role. But what if the government ignores a judicial verdict? In that case citizens in a constitutional State are fortunately able to go to court again to call the government to order. This is what happened last year in a lawsuit against the Dutch Healthcare Authority (Nederlandse Zorgautoriteit, NZa) about medical privacy and professional confidentiality within the Mental Health Sector (Geestelijke Gezondheidszorg, GGZ). Last week the Dutch Trade and Industry Appeals Tribunal (College van Beroep voor het bedrijfsleven, CBb) judged that the NZa had not adhered by an earlier verdict of the CBb and still has to do so. Here below Privacy First briefly clarifies the CBb’s verdict.  

In 2008, so-called Diagnosis Treatment Combinations (Diagnose Behandel Combinaties, DBCs) were introduced in the Netherlands. This means that every medical treatment has a special code. This code is printed on your invoice and on that of your health insurance company so it can verify your expense claim. Furthermore, a short description (‘layman’s description’) is indicated on the expense claim. Every DBC registration is also entered (pseudonymously) in a central government database: the DBC Information System (DIS). This database can be consulted among others by the Dutch Central Agency for Statistics (Centraal Bureau voor de Statistiek, CBS). Through linkage these DBC data can easily be tracked back to private individuals. All of this constitutes a violation of the medical privacy (of patients) and the professional confidentiality (of medical specialists) in medical healthcare, including curative mental healthcare. A few years ago a number of independent psychiatrists & psychotherapists (being represented among others by the KDVP Foundation and the DeVrijePsych) rightly alarmed the NZa about this. However, their objections against the DBC system were declared unfounded by the NZa, after which legal action with the CBb followed. In August 2010 the CBb decided in favour of the psychiatrists & psychotherapists: the NZa was summoned to henceforth exclude them from the DBC system. However, the NZa happened to be reluctant to live up to the verdict, after which new proceedings with the CBb followed to reconfirm the earlier verdict. In its verdict of 8 March 2012 the CBb judged that the NZa has not lived up to the earlier verdict:

‘‘Based on what was stated earlier, the question whether or not [the NZa], in its new decision on appeal, has in the right way implemented the earlier verdict of the CBb, has to be answered in the negative.’’ (para. 5.33)

The guiding consideration in the earlier verdict of the CBb reads as follows:‘‘Providing diagnosis data about individual patients to health insurance companies violates the medical privacy of these very patients. Appellants have extensively elucidated which objections - from the perspective of the patient, the treatment and that of the professional confidentiality - are linked to the passing on of this sort of information to third parties that are not involved with the treatment. In the view of the CBb these objections are substantial: it concerns diagnoses that affect the core area of private life of the individuals involved, which makes information about this very privacy-sensitive. In addition, when it comes to the treatment of mental disorders confidentiality and secrecy are of great importance, as appellants have maintained.’’ (para. 2.4.4.3)

In the new verdict the CBb obliges the NZa to design an opt-out privacy regulation for the provision of diagnosis data for the treatment of mental disorders within the Mental Health Sector:

‘‘The outcome of the modification to the expense claim-system will in any case need to be that the obligation to indicate the diagnosis-classification code, as well as the obligation to indicate other data on the expense claim with which a diagnosis can be deduced, will be discontinued as such.’’ (para. 5.42)

In this context the CBb concludes on the one hand that the NZa (and the Dutch Ministry of Health) has the competence to realize this, and on the other hand that an exemption regulation (opt-out) is very well achievable. As the brand-new winner of a Dutch 'Big Brother Award', this is an excellent opportunity for Minister of Health Edith Schippers to restore her reputation with regard to privacy by closely monitoring the NZa’s implementation of the verdict. Privacy First is keen on keeping an eye on this.

Update 10 June 2012: Meanwhile the NZa has lived up to the verdict of the CBb by adjusting its rules. As of 7 June 2012, new NZa-policy rules within the Mental Health Sector apply according to the ‘letter and the spirit’ of the CBb:

1. In order to protect their privacy, patients who undergo psychiatric or psychotherapy treatment can reject indicating the diagnosis on the expense claim. In case patients want to make use of their health insurance, they must compose a ‘privacy statement’ together with the practitioner and send it to their insurance company. In that case it’s no longer compulsory to indicate the diagnosis. However, the medical advisor of the health insurance company may make inquiries respecting patient confidentiality.

2. For patients who pay for themselves, indicating the diagnosis is no longer compulsory. There is no need for a privacy statement.

3. In these two cases sending DBC registrations to the DBC Information System (DIS) is no longer compulsory either.

You can find more about this HERE on the weblog of the DeVrijePsych (in Dutch). Click HERE to read the entire decision (in Dutch) by the NZa dated 7 June 2012.

Update 7 July 2012: Privacy First appears to have been celebrating too soon: The KDVP Foundation appeals to the new policy rules of the NZa. ‘‘The opt-out regulation designed by the NZa is incomplete, ineffective and in practice it is hence useless with regard to insured healthcare within the Mental Health Sector’’, KDVP states on its website. Among other things, the NZa appears to have ‘‘failed to provide the necessary information about the introduction of a privacy opt-out regulation for the Mental Health Sector’’ and has insufficiently defined the regulation in order to prevent that diagnosis data can (still) be exchanged. With the current opt-out regulation it can in fact not be prevented ‘‘that diagnosis data can still be deduced from codifications and declared amounts of money.’’ You can read the entire point of view of the KDVP Foundation HERE (in Dutch). It would be to the credit of the NZa if it were to mend the flaws in the opt-out regulation that were ascertained by the KDVP Foundation as soon as possible.
Published in Medical Privacy

This afternoon Privacy First sent the following letter to the Electronic Health Record spokespersons in the Dutch House of Representatives:

‘‘Dear Members of Parliament,

Recently the Senate, quite rightly, unanimously rejected the legislative proposal to introduce a national Electronic Health Record (Elektronisch Patiëntendossier, EPD), especially in light of the enormous privacy risks this EPD would entail. It is therefore with great concern that Privacy First has taken note of developments that indicate a possible restart of that very same EPD along a private, extra-parliamentary route. Such a restart is not only disdainful with regard to our democratic process, it is also a denial of the risks and worries on the basis of which a legal introduction of a national EPD recently did not go ahead. To this end, Privacy First makes an urgent appeal to you to call a halt to this development and to call the relevant persons in charge to account. From a privacy-legal point of view, Privacy First is of the opinion that the Dutch government remains unabatedly responsible for any privacy-infringements that will result from a private, national EPD, especially in light of the fact that such a system has been emphatically rejected by the Senate for privacy reasons.    

In line with the recently adopted Franken motion, in this respect Privacy First also urges you to have an independent, public Privacy Impact Assessment (PIA) carried out as soon as possible with regard to both 1) a national EPD as envisaged by the private parties involved as well as 2) possible alternatives for this national EPD. In carrying out this PIA, necessity, proportionality, subsidiarity and freedom of choice are to be guiding criteria. Privacy by design and privacy enhancing technologies, among which for instance technologically advanced patient cards or personal health records, are to fulfil an important role in such a PIA. Until the moment the PIA has been rounded off, no irreversible steps towards a private restart of the national EPD are to be taken.

In the view of Privacy First, the National Switch Point (Landelijk Schakelpunt, LSP) of the national EPD is to be transformed to small-scale, regional systems in accordance with the desire of the Senate. For regional exchange of data an LSP is unnecessary: to this end regional switch points are sufficient, possibly complemented by supra-regional 'push-communication'. This enhances security and reduces the risks of abuse that are inherent to a national EPD.’’

Published in Medical Privacy

This afternoon a long-awaited irrevocable decision has been made: the introduction of the national Electronic Health Record (Elektronisch Patiënten Dossier, EPD) was unanimously rejected by the Dutch Senate. After 14 years and spending 300 million euros, the national EPD has ended up where it should have been years earlier: at the Scrapyard of Draconian Laws. Two years ago the Dutch House of Representatives accepted by a large majority the same plan for the national exchange of very sensitive patient’s data: almost all of the large Dutch political parties, namely PvdA, GroenLinks, D66, VVD, ChristenUnie, SGP and CDA voted in favour. This afternoon all these parties made a historic U-turn. Even the Christian-democratic CDA now seems to be cured. Progressive insight? Who knows... In any case, this development fits in with a wider trend that has been ongoing for a year and which sees politics being increasingly considerate about the privacy of citizens. Privacy First welcomes this development and expects that many other privacy-violating laws will equally be rejected.

Published in Medical Privacy

Our Partners

logo Voys Privacyfirst
logo greenhost
logo platfrm
logo AKBA
logo boekx
logo brandeis
 
 
 
banner ned 1024px1
logo demomedia
 
 
 
 
 
Pro Bono Connect logo
Procis

Follow us on Twitter

twitter icon

Follow our RSS-feed

rss icon

Follow us on LinkedIn

linked in icon

Follow us on Facebook

facebook icon