PONT Data&Privacy
Does your healthcare facility already have a Data Protection Officer?

It cannot possibly have escaped your notice: since May 25, 2018, the General Data Protection Regulation (AVG) has been in effect. This has caused quite a stir. It also brings new responsibilities for healthcare providers. For example, you may be required to appoint a Data Protection Officer (FG). The purpose of this article is to answer the question of whether you need to appoint an FG, and if so, what to look out for.

10 July 2018

Data Protection Officer (FG)

Pursuant to Article 37 of the AVG, various organizations are required to appoint an FG to oversee the application of and compliance with obligations under the AVG within the organization. Not so long ago, the Complaints Officer was created under the Wkkgz. To what extent does the FG differ from this officer? In other words, what does an FG do, what is the added value of an FG for healthcare organizations, and who is suitable to fulfill this role?

Responsibilities of the FG

The FG is expected to be a supervisor with above-average expert knowledge of privacy legislation as well as data protection practice. This means that the FG must at least have knowledge of national and European privacy laws and regulations, the data processing and IT environment of your organization as well as the healthcare sector in which you operate. In addition, the FG must be able to develop a data protection culture within your organization.

Tasks of the FG

The main task of the FG is to ensure compliance with the AVG. He does this by conducting internal supervision and gathering information about how data are processed within the organization. In doing so, the FG checks whether the processing operations meet the requirements of the AVG. Based on this knowledge, the FG informs and advises the organization or makes recommendations. The FG performs his tasks independently. This means in any case that the employer may not give the FG any instructions on the performance of his tasks.

Appointing an FG

It is the responsibility of the organization itself to appoint an FG with the appropriate competencies. As a general rule, the more complex the organization, the more expertise the FG must have. According to the Autoriteit Persoonsgegevens (AP), the FG should at least have a grasp of national and European data protection laws and practices.

In principle, anyone, whether internal or external, can be appointed as an FG. However, there should be no conflict of interest with the organization. In particular, this means that the FG may not have a position in the organization that leads him to determine the purpose and means of processing personal data. This is a further elaboration of the aforementioned requirement of independence of the FG.

As for the appointment, it is required that (healthcare) organizations publish the FG's contact information and provide the FG's contact information to the Autoriteit Persoonsgegevens (AP). Nevertheless, appointing an FG under the AVG is not always mandatory. What circumstances determine whether it is mandatory?

Large-scale data processing in healthcare

In any case, an FG must be appointed when there is large-scale processing of special personal data. Think, for example, of large-scale processing of data about a person's health by health care providers. Of course, this immediately raises a clarification question: when is there "large-scale data processing" of "special personal data"?

Conditions for mandatory appointment of an FG for specific healthcare providers

The AP recently clarified this. Hospitals, pharmacies, GP surgeries and healthcare groups must always appoint an FG. GP practices and specialist medical care institutions that are not hospitals must appoint an FG if:

  • that practice or institution has more than 10,000 patients enrolled or if it treats an average of more than 10,000 patients per year; and

  • the data of these patients are in one information system.

Other healthcare providers must test themselves

For other healthcare providers, the 10,000-patient criterion does not apply. They must use the following four factors to judge for themselves whether they are required to appoint an FG:

  • the number of patients about whom data are processed;

  • the amount of personal data being processed;

  • the duration of the data processing;

  • the scope of the processing.

Thus, although the AP has indicated that it will soon provide more clarity for these healthcare providers as well, for now this group of "other healthcare providers" will have to make their own assessment of whether an FG is required.

Do the check!

Does your organization not yet have an FG and are you unsure if one is mandatory? Then use this article as a first check. Pay attention to the requirements for the nature and size of the organization and, above all, do not forget to register the appointment of an FG on the website of the Autoriteit Persoonsgegevens.


More articles by Kennedy van der Laan
