AP investigation into use of health data for mental health care quality research

The Personal Data Authority (AP) has reprimanded the Alliance Quality in Mental Health (Akwa GGZ) for processing personal data on health.

January 3, 2020

Since the beginning of 2019, Akwa GGZ has held a set of insufficiently anonymized health data acquired from Stichting Benchmark GGZ (SBG). SBG and Akwa GGZ conduct quality research in mental health care (GGZ). At the request of the healthcare facility, patients complete a questionnaire so that GGZ providers can be benchmarked on treatment effect and customer satisfaction. These so-called Routine Outcome Monitoring (ROM) data went to SBG via ZorgTTP after pseudonymization.

In response to an enforcement request from a data subject, the AP investigated SBG's practices and assessed them against the General Data Protection Regulation (AVG). The data subject claimed that SBG was processing her medical data without her consent. The two questions at the center of the investigation are whether ROM data qualify as personal data within the meaning of the AVG and, if so, on what basis these special categories of personal data may be processed.

"During the investigation it became known that SBG would cease its activities and transfer a large part of its activities and the data it collected and processed to Akwa GGZ. This prompted the AP to also investigate the data that would still be retained by SBG and transferred to Akwa GGZ."

Are ROM data personal data?

After patients in the GGZ provide personal data to their GGZ providers, whether or not through completed questionnaires, an initial pseudonymization step takes place in SBG's Privacy and Transmission Module (PVM), on site at the GGZ provider. In the PVM, four of the 29 data fields entered are hashed, producing a pseudonym for each of those four fields.

This splits the file supplied by the healthcare provider into a pseudonym part, also called the key part, and a part containing the substantive data, also called the data part. Both parts are encrypted, but in such a way that only the key part is readable by ZorgTTP: the data part is encrypted so that ZorgTTP cannot access it, whereas SBG can decrypt the data part and thus view it.

After this processing in the PVM, the data are transferred to ZorgTTP, which performs a second pseudonymization step. ZorgTTP keeps the key used for this step to itself and never shares it with SBG; with that key, ZorgTTP can decrypt the encrypted values back into the pseudonyms (the hashes originating from the healthcare provider).

The pseudonymization method used by SBG combines a hash function with encryption under a secret key. A hash function produces, "for an input of arbitrary size (a single attribute or a collection of attributes), an output of fixed size, and cannot be reversed." With encryption under a secret key, "the person holding the key can easily re-identify each person involved by decrypting the data set."

The output of this pseudonymization process is, however, always the same for each unique BSN, link number, DBC pathway number and care pathway number: the same input always produces exactly the same output. This is what allows new information to be added over time to the information already held by SBG. For preparing the SBG benchmark reports, SBG considers this necessary in order to follow patients over time and derive information about the success of a treatment with a particular practitioner, which requires linking new information to the information SBG already holds about that individual.

The AP concludes that SBG's dataset is detailed enough that a selection on one or more attributes, pseudonymized or not, can single out one individual from the dataset. The dataset therefore cannot be regarded as anonymous.
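The two properties the AP relies on, deterministic pseudonyms that link a patient's records across batches, and attribute combinations that single out one record, can both be checked mechanically. The script below is an added example written for this article; it is not SBG's, ZorgTTP's or the AP's code. The keys, the sample ROM records and the field names are constructed, and ZorgTTP's actual encryption (which the article does not specify) is replaced by a toy XOR cipher that is deterministic and reversible, which is all the example needs.

```python
import hashlib
import hmac
from collections import Counter

# Constructed secrets; placeholders only, not values from any real system.
PROVIDER_SECRET = b"hypothetical-provider-hash-key"
TTP_SECRET = b"hypothetical-zorgttp-key"

# The four identifying fields the article says are pseudonymized (field names assumed).
KEY_FIELDS = ("bsn", "link_number", "dbc_pathway", "care_pathway")


def step1_hash(record: dict, secret: bytes = PROVIDER_SECRET) -> dict:
    """Step 1, at the provider (PVM): replace each key field with a keyed hash.
    HMAC-SHA256 is fixed-size and one-way, but deterministic: same input, same pseudonym."""
    out = dict(record)
    for field in KEY_FIELDS:
        out[field] = hmac.new(secret, str(record[field]).encode(), hashlib.sha256).hexdigest()
    return out


def _toy_keystream(secret: bytes) -> bytes:
    """32-byte keystream derived from the TTP key. Toy construction: reusing one
    keystream makes the cipher deterministic, which mirrors the property under discussion."""
    return hashlib.sha256(secret + b"toy-keystream").digest()


def step2_encrypt(record: dict, secret: bytes = TTP_SECRET) -> dict:
    """Step 2, at ZorgTTP: encrypt the step-1 pseudonyms under a key only ZorgTTP holds."""
    ks = _toy_keystream(secret)
    out = dict(record)
    for field in KEY_FIELDS:
        raw = bytes.fromhex(record[field])  # 32 bytes from the SHA-256 hex digest
        out[field] = bytes(b ^ k for b, k in zip(raw, ks)).hex()
    return out


def step2_decrypt(record: dict, secret: bytes = TTP_SECRET) -> dict:
    """XOR is its own inverse: the key holder recovers the provider's hashes."""
    return step2_encrypt(record, secret)


def pseudonymize_batch(batch: list) -> list:
    """Full chain as described: provider hashing, then ZorgTTP encryption."""
    return [step2_encrypt(step1_hash(r)) for r in batch]


def linkable_across_batches(batch_a: list, batch_b: list) -> list:
    """Pseudonyms present in both batches. This is the linkage SBG needs for
    follow-up over time, and the reason the output is not anonymous."""
    ids_a = {r["bsn"] for r in batch_a}
    return sorted(ids_a & {r["bsn"] for r in batch_b})


def singled_out(records: list, attrs: tuple) -> list:
    """Records whose combination of the given attributes is unique in the dataset
    (k = 1): the 'one individual can be singled out' test the AP applies."""
    combos = Counter(tuple(r[a] for a in attrs) for r in records)
    return [r for r in records if combos[tuple(r[a] for a in attrs)] == 1]


# Constructed sample measurements: a first quarter with three patients at one
# provider, and a second quarter with a follow-up score for the first patient.
SAMPLE_Q1 = [
    {"bsn": "111111110", "link_number": "L1", "dbc_pathway": "D1", "care_pathway": "C1",
     "provider": "GGZ-A", "birth_year": 1972, "postcode": "1011", "rom_score": 41},
    {"bsn": "222222220", "link_number": "L2", "dbc_pathway": "D2", "care_pathway": "C2",
     "provider": "GGZ-A", "birth_year": 1985, "postcode": "1012", "rom_score": 55},
    {"bsn": "333333330", "link_number": "L3", "dbc_pathway": "D3", "care_pathway": "C3",
     "provider": "GGZ-A", "birth_year": 1985, "postcode": "1012", "rom_score": 30},
]
SAMPLE_Q2 = [
    {"bsn": "111111110", "link_number": "L1", "dbc_pathway": "D1", "care_pathway": "C1",
     "provider": "GGZ-A", "birth_year": 1972, "postcode": "1011", "rom_score": 28},
]

if __name__ == "__main__":
    q1, q2 = pseudonymize_batch(SAMPLE_Q1), pseudonymize_batch(SAMPLE_Q2)
    print("linked pseudonyms:", linkable_across_batches(q1, q2))
    print("unique on (birth_year, postcode):",
          [r["rom_score"] for r in singled_out(q1, ("birth_year", "postcode"))])
```

Running it shows the raw BSN is gone from the output, yet the first patient's two quarters carry the identical pseudonym, and the 1972/1011 record is unique on two non-pseudonymized attributes alone. A dataset that passes both checks (no cross-batch pseudonym overlap, no k = 1 combinations on the attributes released) is the bar the AP's reasoning sets; deterministic hashing by itself does not reach it.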

Can SBG invoke a statutory exception to the ban on processing personal data relating to health?

Under the AVG, the processing of special personal data, such as health data, is prohibited. This prohibition does not apply if SBG can invoke a statutory ground for exception (Article 9 AVG in conjunction with Articles 22 to 30 of the AVG Implementation Act).

First, SBG cannot invoke the statutory exception for scientific or historical research or statistical purposes, because it was possible to ask the data subjects for explicit consent, which SBG failed to do; consent could, for example, have been requested when the questionnaires were filled out. Nor can SBG rely on the other statutory exceptions for health data (Article 30 of the AVG Implementation Act), because SBG is not among the parties to whom that provision is addressed, such as employers, schools, insurers and care providers.

The AP thus concludes that SBG cannot invoke any statutory exception that would lift the prohibition on processing health data. SBG is therefore prohibited from processing the dataset containing personal data on health.

Conclusion

SBG no longer exists and has transferred the insufficiently anonymized data to Akwa GGZ. That transfer is itself a processing of personal data that is prohibited in the absence of a statutory exception. Because SBG no longer exists as a legal entity, the AP imposes an enforcement measure only on Akwa GGZ: a reprimand, because Akwa GGZ quarantined the dataset and then destroyed it.

On its website, Akwa GGZ writes that the ruling has no consequences for Akwa GGZ's current working methods: "We still only work with pseudonymized data for which the patient has given explicit consent."

More articles by SOLV Lawyers
