The mayor of a Brabant municipality wants to send a letter to residents of the municipality who are in home isolation because of suspected contamination to show his commitment. May he receive personal data from the GGD for this purpose?
Using this current case study, the standard operating procedure for arriving at a response is described. Fighting infectious diseases is of very great social importance. For this reason, the Public Health Act (WPG) includes detailed regulations on how to act. The greater the authority to act and process personal data, the more precisely is regulated how far those powers extend and what may be done with personal data.
The WPG includes far-reaching powers to intervene in personal privacy in infectious disease control. The purposes and data to be processed are precisely defined.
The law leaves no room to use personal data of potentially infected people for other purposes, such as the mayor sending encouraging letters. Consent of the people involved is not advisable in this case; the information is too sensitive for that. The mayor will have to find another avenue to encourage people.
To answer this question, it must first be clear who the controller and who the data subject is, what the nature of the data is, what law applies and what that law says about the processing and disclosure of personal data.
The origin of the data is as follows. Every physician is obliged to report to the GGD: "The physician who suspects or diagnoses an infectious disease belonging to group A in a person examined by him shall report this without delay to the municipal health department."(1) This "duty to inform" is prescribed in the WPG.(2)
In the doctor-patient relationship, the rules of the Medical Treatment Agreement Act (WGBO) apply. This states that the "duty of confidentiality" can be breached "if the provisions of or pursuant to the law require it."(3) An example of such an obligation is the doctor's duty of information in the WPG.
In this way, the GGD collects information from all infected people in the region. The GGD's powers are described in detail in the WPG. The GGD is responsible for the processing of those data.(4) The purpose of the WPG is to monitor public health care: "the health-protecting and health-promoting measures for the population or specific groups thereof, including the prevention and early detection of diseases."(5) Combating infectious diseases is of very great social importance. For this reason, the WPG includes detailed regulations on how to act.
The affected person is any person who belongs to the target group of the WPG. In this case, that is the person infected or suspected of being infected with the coronavirus.(6)
The doctor's report to the Public Health Service shall include the following information: name, address, sex, date of birth, citizen service number and place of residence of the person concerned; the infectious disease or description of the clinical picture, first day of illness, vaccination status, use of chemoprophylaxis, suspected source of infection, date of suspicion or ascertainment of infection and method of ascertaining that infectious disease. If necessary also information on whether the person concerned or a person in his immediate vicinity is professionally or commercially involved in the handling of food or drink or in the treatment, nursing or care of other persons.(7)
This information falls into the category of "special personal data," for which the main rule is that it is prohibited to process unless the purposes are explicitly regulated by law.(8) In this case, the processing of data to combat infectious diseases is regulated by the WPG
The WPG describes far-reaching powers of the GGD, the role of the RIVM, the role of the mayor and the chairman of the security region in combating infectious diseases. One of the region's mayors is appointed chairman. These powers go so far as to allow people to be forced into isolation or quarantine.(9) For the rest, GGD employees are subject to professional secrecy, which means that personal data may not be used for other purposes. Behind this professional secrecy is a great social interest; every infected person must be able to turn to a doctor for advice and treatment. This requires that everyone can count on confidentiality of the information available to a professional. The threshold for asking for help must remain low, because the consequences are incalculable if infected people do not come forward.
Besides collecting the reports by the Municipal Health Service, it is also very important to find out which contacts an infected person has (had). For this reason, an authority has been created to do source and contact tracing.(10) To do this, the GGD has access to the personal data in the national basic registration of persons. The GGD can obtain information from the national population data bank (GBA-V) about persons registered at the same address as the infected person. The authority and purposes are precisely defined: the GGD is authorized to request the data if it is necessary in connection with the detection and control of infectious diseases and at least one of the persons registered at the address has an infectious disease or is suspected to have an infectious disease. The data that the GGD may receive are identifying data of the infected person himself, data of both parents, partner and children.(11)
Now we come to the question: may that data be provided by the GGD to the mayor when he wants to send people a letter of encouragement?
The provision is described in the law as follows: "The municipal health department shall provide the mayor or the chairman of the security region with the information that the mayor or the chairman of the security region needs for the exercise of the powers granted to him by this law."(12)
So all data on all infected people may not be provided without question, but only if that data is needed to carry out tasks listed in the law. For example, one such power is "measures aimed at the individual": the power of the president of the security region or the mayor to proceed to compulsory isolation or quarantine. The data that may be provided are those previously mentioned from Article 24 WPG: name, address, gender, date of birth, citizen service number and place of residence of the person concerned etc.
In other cases for other purposes, a mayor may not have that data.
The figures that RIVM publishes daily on its website are based on the reports that doctors are required to make to the GGD. These reports are sent anonymously to RIVM by the GGD. This provision is also a "legal duty," as is the doctor's duty to provide information.(13)
Now that the law does not allow for it, is there any room for "consent" as a lawful basis for providing the data to the mayor?
In many cases, there is a residual possibility, in the absence of a lawful basis, to still process or provide data if the data subject gives consent.(14) But asking the data subject for consent is administratively cumbersome and a very shaky basis for providing data. After all, consent can be withdrawn at any time and then the disclosure must be stopped immediately. Even more important in this relationship is the requirement that the consent must be freely given.(15) The definition of consent reads as follows: "Any freely given, specific, informed and unambiguous expression of will by which the data subject accepts, by means of a statement or an unambiguous active act, the processing of personal data concerning him."(16)
The person involved must be fully informed in advance (informed consent) and the responsible party, the GGD, has the duty to prove this. Usually in writing or in any case by a note in the file. Care should be taken to ensure that the act or signature granting consent does not also relate to other subjects than the provision of data to the mayor.
Consent is legitimate only if it is freely given. Consent can only be a basis if the person concerned is offered a genuine choice, in terms of accepting or refusing, with no adverse consequences.(17) Facing a caregiver, the client is often in a vulnerable and dependent position. And this makes asking for consent difficult, because if a client is ill or needs help, there is soon an unequal relationship.
Obtaining the data subject's consent does not yet imply an obligation to break professional secrecy. Consideration must be given in all individual cases. If the person involved gives permission to share information with third parties, the provider of the data must ensure that he or she is acting in the interest of the person involved and that the reliability and accessibility of the care is not compromised.
Consent of the data subject to provide his data to the mayor is not advisable. The information is too sensitive for that and further processing for other purposes is a very serious infringement and surrounded by risks. Such disclosure by consent should then be surrounded by the highest security measures such as encrypted data and encrypted transmission, only a very limited number of people should have access to that information and that information should not be left lying around somewhere. How tempting and newsworthy is it to know who in a community is infected and where those people live?
For enthusiasts, the lawful bases are listed here. For the doctor who has an obligation to inform and report to the GGD, art. 457 paragraph 1 Book 7 of the Civil Code applies. The sick person has a direct relationship with the attending physician to which the WGBO remains applicable throughout the treatment.
The processing of the reports by the GGD is the legal obligation to process personal data of art. 6 paragraph 1 part c jo Art. 9 paragraph 2 part i General Data Protection Regulation (AVG), as well as the provision of the anonymized data to RIVM. All this is elaborated in the WPG. And the possibility of providing data on the basis of explicit consent despite the prohibition is based on art. 6 subsection 1 part c jo art. 9 subsection 2 part a and art. 22 subsection 2 part a AVG Implementation Act (UAVG).
It is noteworthy that the WPG has no provision that allows personal data of the data subject with consent to be used for other purposes. This may mean that consent as a legitimate basis is not intended. This is because the WPG has limitative disclosure provisions and these generally leave no room for further use of personal data. This is not further explored in these specifications. It is helpful, however, if the legislature explicitly includes this in the law.(18)
The WPG does not provide that the mayor or the chairman of the security region may use personal data to encourage people staying in isolation at home. Consent is administratively cumbersome, requires the highest degree of security and is very risky, because personal data of infected people would then be known to several people in a municipality. The best alternative is to find another avenue through which people can receive the mayor's message.
(1) The coronavirus belongs to group A: Middle East respiratory syndrome coronavirus (MERS-CoV), smallpox, polio, severe acute respiratory syndrome (SARS), viral hemorrhagic fever. Art. 1 section e WPG
(2) Art. 22 WPG and COVID-19 Directive
(3) Art. 457 subsection 1 BW Book 7 The Medical Treatment Agreement
(4) Art. 4 section 7 AVG jo. art. 29 WPG
(5) Art. 1 section c WPG
(6) Art. 4 section 1 AVG.
(7) Art. 24 WPG
(8) Art. 9 AVG
(9) Art. 30 e.v WPG 'Measures aimed at the individual'
(10) Art. 6 paragraph 1 c WPG
(11) Official Gazette 2016, 9485
(12) Art. 27 paragraph 7 WPG
(13) Art. 28 paragraph 3 WPG
(14) In this case the 'explicit' consent of Art. 9 paragraph 2 part a joins Art. 22 paragraph 2 part a UAVG
(15) Art. 7 AVG.
(16) Art. 4 paragraph 11 AVG.
(17) Art.9 AVG, Art. 22 UAVG and WP 259, Guidelines on consent. https://autoriteitpersoonsgegevens.nl/sites/default/files/atoms/files/wp259_rev_0.1_nl.pdf.
(18) Art. 9 paragraph 2 part a AVG.
Some of the topics described here can be found in the book Privacy in the Social Domain by Corrie Ebbers, Paulien Bunt, Sophie Vastenhout and Micha Venderbos (Berghauser Pont; August 2019)
This article can also be found in the Coronavirus dossier
