On May 20, 2020, the Internet consultation for the draft bill for the Data Protection Collection Act was launched. This bill adapts the General Data Processing Regulation Implementation Act (UAVG) and other legislation regarding the processing of personal data. What do the proposed adjustments mean for healthcare?
Shortly before the General Data Protection Regulation (AVG) went into effect, the UAVG was adopted. The UAVG fleshes out the space given by the AVG to include specific provisions or make exceptions. During the discussion of the proposal for the UAVG, Minister Dekker of Justice and Security promised that within six months of the introduction of the AVG and the UAVG, experiences in this regard would be surveyed. Where necessary, additional measures would be taken.
Eleven months later, in April 2019, the Minister issued a first parliamentary letter with an outline inventory. This would be supplemented further after the summer of 2019. A second parliamentary letter followed in October of that year, in which the Minister listed four points on which the UAVG should be amended. This led to the draft bill Collective Data Protection Act.
There are a number of provisions in the draft bill that affect the processing of health data. We list them for you in this blog. We will elaborate on some topics in specific blogs.
Young people as of the age of 12, in addition to their representative, can independently exercise their rights under the AVG, including the right of inspection and deletion. In addition, a young person, a guardian ad litem or a data subject for the benefit of whom guardianship or mentorship has been established, who believes that personal data should no longer be processed, can now decide independently of their representative to withdraw consent to the processing of personal data concerning them.
The Medical Treatment Agreement Act (WGBO) stipulates that a caregiver may withhold information about the patient if providing it would be incompatible with the care of a good caregiver. In case of conflict, the specific regulation from the WGBO prevails.
When conducting the mandatory audit, auditors may have access to records containing health data or other special personal data. This is the case at least in audits for audit reports to be issued regarding healthcare institutions. Processing health data is only allowed in specific cases. The Collective Act now includes a provision ensuring that what must be done for the audit can also be done in accordance with privacy laws.
Associations for client interests in care and welfare, such as patient associations but also disability sports associations, are allowed to process data on the health of their members for internal use under the Collective Act. Currently, it is only possible to process such data on the basis of explicit consent, leading to much uncertainty and problems in practice. With the Data Protection Collection Act, consent is no longer required.
The Data Protection Collection Act contains a basis for the retention and management of medical records in the event of special circumstances, for example, the bankruptcy of the care provider. In this way, tasks can be transferred to another care provider.