The Dutch Data Protection Authority (DPA) recently published a guide intended for healthcare providers about the cloud storage of patient data. The guide provides a practical interpretation of the DPA’s Guidelines on personal data protection (2013) which indicate how healthcare providers can fulfil data protection obligations. The key points within the guide refer to:

  • Patient consent. The Dutch Personal Data Protection Act (PDPA) does not require patient authorisation for the storage of patient data in clouds located within the EEA. However, data transfer to clouds located outside the EEA is subject to special provisions.
  • Healthcare providers’ obligations. Healthcare providers are responsible for ensuring that their cloud provider: (i) makes patient data accessible to the healthcare provider at all times; (ii) processes patient data only on the healthcare provider’s behalf; (iii) is bound by confidentiality; and (iv) securely protects patient data. Healthcare providers must conclude written agreements with their cloud provider to ensure that these requirements are met.
  • Data leak notification. Any data leak must be notified promptly to the DPA by either the healthcare provider or, if agreed upon, the cloud provider.
  • Sanctions. In case of violation of the PDPA provisions, the DPA can issue an administrative order to cease the violation or impose a fine of up to EUR 820,000. Once the EU General Data Protection Regulation comes into force on 25 May 2018, the maximum fine will be EUR 20 million or 4% of the healthcare provider’s total worldwide turnover.

A prior version of this post was originally published by the same author in Practical Law – Life Sciences, July 2017 Issue (Thomson Reuters).