What does this cover?

The Dutch Data Protection Authority (the DDPA) has insisted that extra attention be afforded to the protection of patient data by way of an open letter to the boards of healthcare facilities in the Netherlands dated 15 February 2016 (the Letter).

According to the DDPA, the protection of patient data is essential for good healthcare, but security in many healthcare facilities may not be in order. The Letter refers to several investigations the DDPA has carried out in recent times in the context of the Electronic Patient Record. The investigations showed that healthcare facilities did not meet the legal requirements regarding data security. The authorisation rights of employees were too broad, there was insufficient control over the use of these rights, and insufficient logging of access was in place. Consequently, no sanctions were imposed in cases of abuse. According to the DDPA, careless processing of patient data may deter people from seeking care in time.

In the Letter the DDPA points to the legal obligation to report data breaches that applies as of 1 January 2016. In addition, the DDPA states that it may start new investigations if it receives indications that data is being accessed unlawfully. Healthcare facilities may face a data breach in a number of ways, whether because of employee error or oversight, or by way of an attack by hackers. This happened to the Hollywood Presbyterian Medical Centre (the HPMC) in the US last week. HPMC personnel were limited to paper-based operations after hackers locked the HPMC computer system until the demanded ransom was paid by the HPMC (this was reported to have been in the region of US $17,000).

It is important for healthcare facilities to take appropriate measures to secure patient data, both stored on computer systems and in paper files. The DDPA has demonstrated its intention to focus this year on the protection of medical data and, as seen in its recently published supervisory agenda, the likelihood of being caught in case of non-compliance with the Dutch Data Protection Act has consequently increased. Moreover, the competences of the regulator are extended as of 1 January 2016, meaning that the regulator can impose high fines if, for example, personal data is insufficiently protected or a data breach is not reported in a timely manner.

To view a copy of the DDPA's Letter, please click here (Dutch).

To view the DDPA's press release, please click here (Dutch).

What action could be taken to manage risks that may arise from this development?

Given the DDPA's stated intention to focus on the protection of medical data, organisations operating in the Netherlands should, where relevant, ensure that appropriate security measures and controls are in place to protect any medical data they process.

Article submitted by Nicole Wolters Ruckert and Leonie von Sloten – Kennedy Van der Laan – Amsterdam, The Netherlands, in partnership with DAC Beachcroft LLP