On March 19, 2020, the draft bill to address multiple problems in the social domain, also known as Wams, went out for consultation. This bill will amend the current Social Support Act 2015 (Wmo 2015).(1) With the Wams, the government aims to implement a number of changes within the social domain that will contribute to better care for residents with multiple issues.(2)
Since 2015, municipalities have been responsible for youth assistance (Youth Act), work and income (Participation Act) and support for those with limitations in the home (Wmo 2015). In 2015, one of the thoughts behind decentralization was to provide residents with appropriate support in the context of self-reliance and participation. This was (and still is) based on the premise that the support needs of the requesting resident are the focus, not the offer of the municipality.
In order to get a good picture of support needs, it is important for a municipality to have personal data on the applicant. Depending on the applicant's need, this can be a lot of and often confidential personal data. This requires a clear legal framework for processing them. In the opinion of the Autoriteit Persoonsgegevens (AP), that was insufficiently present when the laws came into force. The Cabinet decided at the time that the (envisaged) legal frameworks would provide sufficient room for the necessary data sharing and safeguarding of privacy. Municipalities were given the space to find their own form to shape the decentralized tasks and responsibilities in work processes, the learning practice. The Cabinet promised to follow developments closely and to adjust where necessary, where new forms require new guidelines.(3)
After the entry into force of the WMO, it became clear that the ambition to work from one family, one plan and one director is at odds with the legal possibilities to do so in the social domain laws.(4) This is evidenced by, among other things, studies by the AP,(5) and despite the fact that from the Ministry of the Interior and Kingdom Relations, the VNG and projects such as UPP, much attention has been paid to information, manuals and best practices.
For this reason, the Cabinet has now put the Wams bill into consultation. Below is an explanation of and points of attention to the most important changes. It does not aim for completeness, but outlines the most important changes and points of attention regarding the processing of personal data.
College responsible for Integrated and coordinated approach
First, the college becomes explicitly responsible for an integrated and coordinated approach. To this end, the Wams assigns a legal task to the college. When a resident requests help or support from or for a resident, the college will investigate whether, given the personal circumstances of the resident and his family, there may also be a need for other services in the social domain or adjacent domains. The resident's request for help is leading in this regard. In the investigation phase, the Board may organize a case consultation with involved parties, which may include the resident and possibly his family members. Based on the case consultation, the college will draw up a work plan if the resident qualifies for more than one social domain service. The College also draws up a work plan if several family members qualify for a social domain service.
In doing so, the college is also responsible for the coordination of any support, if the various forms are so interrelated that a coordinated approach contributes to solving the problems. This responsibility for the integrated and coordinated approach also applies to reports under the Youth Act, Participation Act and the Municipal Debt Assistance Act.
In addition to a request for help or support by a resident himself, the Wams also provides the possibility for an organization that already actually performs work for the resident to submit a request to the college. There must then be a suspicion that services in the social domain can be helpful for the resident or his family members, given the seriousness of the (assumed) problems. Such a request may also be made by an organization if there is a suspicion that services and interventions already underway could be better coordinated. In both cases, the college conducts an investigation as already described and involves the resident.
College responsible for establishing a hotline
The Wams also includes a mandate for the college to establish a hotline.(6) The hotline can be established as a telephone hotline. The purpose of the hotline is to receive signals from residents or professionals about "vulnerable" people at the earliest possible stage. It concerns questions or signals about a resident's health, well-being, self-reliance or participation. These are situations in which immediate action is not required.
The municipality assesses(triage) the question or signal and advises the person involved or, if necessary, transfers the signal to the appropriate professional (internal or external). If a report can be dealt with by the Meldpunt itself with a referral or advice, no registration by name takes place. If the signal is forwarded to an internal or external professional, the data are included in a report file. The report file may include contact information of the reporter and the resident concerned. Health data and data of a criminal nature about the resident may also be processed as part of the triage. The municipality may make use of data already available to the municipality under the WMO, the Youth Act, the Participation Act, the Municipal Debt Assistance Act and the Compulsory Education Act 1969. Data under the responsibility of the Mayor or other parties in the social domain or adjoining domains may also be used for this purpose, with or without breaching official or professional secrecy of the party providing the data.(7) The Municipal Executive may also transfer the report file to another municipality if the resident and/or his/her family move. For example, if the care continues or children are involved. The data in the report file are kept for a minimum of six months and a maximum of one year after receipt of the report. After that, based on the Archives Act, an assessment must be made as to when the data will be destroyed.
The reporter is informed about any follow-up to the report, as long as there is no acute situation. The person who has been reported is also informed, unless this hinders the provision of assistance. The bill leaves open whether the person who made the report will also be communicated. The Explanatory Memorandum states that anonymous reporting is not possible. This does not follow directly from the legislative text itself, because it states that the College is authorized to process the reporter's personal data.(8) However, confidentiality may be requested by a reporter, with the exception of professionals.
Processing data of a criminal nature and health data
The Wams provides that the college may process personal data for the investigation, including data of a criminal nature and health data. This fits in with the purpose of the investigation to be able to arrive at customized solutions to multiple problems and the extension to the domain of public order and safety. The explicit basis for processing data of a criminal nature and health data is then obvious.
Re-use of data
Also new is the provision that the college may also process personal data for the investigation from the Youth Act, the Participation Act, the Municipal Debt Relief Act, the Public Health Act, the Social Employment Act, or the Compulsory Education Act 1969. For the investigation, the college may reuse these personal data insofar as it concerns the services received or interventions deployed as regards that client or his family members.(9)(10)
This aims to solve one of the main bottlenecks in the current WMO: the use of consent as a basis. The current WMO 2015 includes a provision that allows the reuse of the client's personal data and that of his family members with the client's consent.(11) However, the AP is highly critical of the use of consent as a basis within the social domain. Moreover, this basis is limited to a notification under the WMO and the reuse in that context of personal data processed under the Youth Act, Participation Act and Municipal Debt Relief Act.
Thus, the Wams not only regulates a basis for the reuse of data (other than consent), it also expands the number of laws to which the possibility of reuse applies. Moreover, the possibility of reuse applies not only to reporting under the Wams but also under the three other social domain laws.(12)
Reuse of data in the governing body Mayor
In addition to data available to the College, the investigation may also use data for which the Mayor is responsible. This concerns the Temporary Restraining Order Act and the Housing Nuisance Act. It is noteworthy that this concerns data in the context of the implementation of both laws. This implies ongoing services or interventions as well as historical ones. It is also noteworthy that it is up to the college to assess whether the data are necessary for the investigation. In practice, this may mean that the mayor makes all data available for the college's assessment.
Basis for provision by other organizations
In addition to data at the municipality itself (the College and Mayor), data from other organizations may also be used for the investigation. This must involve organizations that provide a service or intervention on behalf of the resident or (one of) his family members. Here it is up to the providing party to assess what data they provide and therefore not to the College. This may include health data and data of a criminal nature. As far as organizations of Police and Justice are concerned, it is stipulated that such data can only be provided in accordance with the existing provisions in the Police Data Act or the Judicial and Criminal Records Act. This is in connection with the secrecy provisions applicable to such data. Thus, no change is intended here to the existing provision for provision by Police or Justice.
Breach of professional or official secrecy.
For organizations with an obligation of confidentiality by virtue of a statutory regulation or office or profession, this confidentiality must be broken. The condition is that this is necessary given the content of the college's request. The assessment of the necessity is up to the organization with the duty of secrecy.
In addition to explicitly assigning duties and powers to the college and expanding bases for processing data, the bill also has safeguards. More generally, the Wams pays attention to the position of the applicant. For example, the investigation phase provides that this is carried out in consultation with the resident and, if applicable, his family members. This can prevent the data processing from being completely out of the sight of those involved. Also, those involved receive a copy of the work plan prepared by the college. This actively fulfills the information obligation and allows a data subject to exercise their rights if necessary. If necessary, individual family members are informed separately about the results of the investigation.
Furthermore, it follows from the explanatory note to the bill that it is not the intention to ask a person concerned to take the shirt off their back without reason. It is also not permitted to check for every person involved in every area whether or not there are problems. Starting a broad investigation for every report is also not permitted. This repeats conclusions of investigations by the AP.(13) In the legal text this is reflected in the articles on data processing. Personal data may be processed to the extent necessary.(14)
The explanatory note also states that if the individual indicates that he or she does not want to participate in an investigation or indicates that there are no problems, no further investigation will take place. However, this is not included in the legal text itself. Furthermore, based on its duty of care, the college is obliged to provide further details on the method of the investigation through clear work instructions. This obligation too is not included in the legal text itself, but in the Explanatory Memorandum (MoU).
Finally, a retention period is included for the retention of data derived from the study. Both the research file and work plan will not be retained for more than 2 years after completion of work plan.
The bill addresses one of the main problems in the current WMO. Relevant personal data already held by the municipality in the performance of its duties may be used again for provisions in the social domain. Here comes clarity for municipalities and residents. Moreover, the municipality also has the task of looking broadly (integrally) and coordinating the implementation of facilities. This provides more clarity for the municipality, residents and chain parties about the role and responsibilities of the municipality. However, in some parts of the Wams, additions to the legal framework are desirable. Both for the resident from the perspective of data protection and also for municipalities and chain partners.
The college is required to establish a hotline where residents and professionals can report questions and/or concerns about themselves or another person. The Wams also addresses the processing of personal data within the framework of the hotline. There are still a number of points for attention here. A first is the moment at which a resident is informed about a report that concerns him. In the situation that a person involved or a professional makes a report it is important that the resident is informed in time about the report that concerns him. It is not clear from the Wams when this moment is. The obvious course of action is to inform the resident about this immediately so that information from the resident himself can also be included in the triage, unless this impedes assistance. This requires further clarification.
A second point of attention is the moment at which personal data may be processed at the Reporting Point after a report. The MoT indicates that data are only processed (of the reporter and about whom has been reported) if a report is followed up. The question is when that is. The MoT mentions as an example where there is no follow-up if the reporter is referred to another municipality. This seems to suggest that processing personal data for a triage falls under follow-up. This requires clarification, as the purpose of triage in the legal text is to assess whether follow-up should take place.
Finally, it is important to note that the Hotline follows up on one of the recommendations of the Verwarde Personen Aanjaagteam. However, the hotline has a broader scope than just vulnerable or confused persons. Residents who have questions about municipal services can also contact it. For these questions and reports, the powers to access data may be too broad. This therefore calls for a clear delineation of the extent to which data querying powers may be used in the context of triage. In this regard, it may help to include in the bill the obligation for the college to establish working methods and procedures in this regard prior to processing.
The Wams focuses on the support needs of the applicant and allows municipalities and chain partners to share personal data to this end. The MoT articulates that chain partners have a legal obligation to provide personal data to the college to the extent necessary for the proper performance of the college's tasks in the Wams.
This provision is also intended to allow professionals with professional secrecy under the WGBO, the BIG Act or the Youth Act to provide personal data to the college without the consent of the data subject. By may here is meant legitimized,(16) because if the data is necessary in view of the college's request, breach of professional secrecy is mandatory.
No further justification is given in the MoT for the possibility of breaching professional secrecy. This is striking, because in the Netherlands there is restraint in imposing a duty to breach medical confidentiality. This has to do with the importance attributed to professional secrecy. That interest is twofold. The public interest consists of ensuring free access to the provision of health care aid and assistance. It also serves the individual interest of patient privacy. A patient must be able to trust that the information he provides to the provider will remain confidential.(17)
Medical confidentiality, which falls under the right to respect for privacy, is also enshrined in various treaties. For example, the right to respect for privacy is recognized and protected in Article 8 European Convention on Human Rights (ECHR)(18) and Article 8 Charter of Fundamental Rights of the European Union. Pursuant to the second paragraph of Article 8 ECHR, an interference with privacy must be provided for by law and be necessary in a democratic society.(19) Whether an intrusion is necessary in a democratic society depends on the degree of urgency of the social need, whether the intrusion is proportionate in relation to the urgent social need, and whether that goal cannot be achieved by other means.(20)
Given the current wording of Article 5.4.2 Wams, this provision does not seem to fully meet the requirements. A substantiation of the need is not present in the MoT and thus cannot be tested. But it may prove to be a difficult task to substantiate the urgent social need and demonstrate that this urgent social need cannot be met in any other way. Wams assumes an active involvement of the resident in the phases of notification, investigation, case consultation, work plan and implementation. Thereby, it is not well explained why this involvement does not apply to the retrieval of personal data covered by professional or official secrecy.
If the situation arises where a resident is unwilling to do so, it may affect their facility application. This is a choice a resident is entitled to and must be respected. For situations in which a resident is unable to adequately weigh his own interests (or those of his family members), the Compulsory Mental Health Act (WvGGZ) came into effect on January 1, 2020, which provides options in this regard, including with regard to medical data.
Whether there are then still situations in which the resident does not give consent, which are not covered by the WvGGZ and, moreover, the resident is not sufficiently able to weigh the consequences of his choice against his interests (or those of his family members) must be assessed by the legislator. Depending on that assessment, it can be considered whether a substantiation of the compulsory breach of professional secrecy is justifiable in that situation. This could then do more justice to the proportionality of the rule and the premise of the Wams that the support needs of the resident are central. Not the assessment of the municipality.
In current practice, there are many different forms in which the implementation of tasks in the social domain by municipalities are shaped. Examples include carrying out the tasks entirely themselves, outsourcing them to another municipality, or having them carried out in whole or in part by neighborhood teams, regional collaborations and welfare foundations. There is also the question of who is the data controller. This is important because, for example, the basis for processing and the exceptions to processing prohibitions for special personal data are inextricably linked to the controller. But there are also obligations for reporting data breaches, implementing security measures and accounting for the handling of personal data that fall to the controller.
The different forms in which tasks within the social domain are outsourced have also brought different insights regarding the roles of the controller and processor. There are municipalities that see themselves as the data controller in outsourcing and see the contractor as the processor. There are also municipalities in which the municipality and the contractor see the latter as the data controller and in that sense no longer see a role for the municipality.
The MoT tries to clarify this by making it clear that when tasks are outsourced, the municipality remains data controller. Mandate therefore seems possible but there does not (can not) be delegation.(21) With this it can be argued that the municipality is and remains the data controller. However, practice is unruly as is the doctrine of controller and processor.
To be a data controller it is decisive who determines the purpose and means of the processing.(22) In an opinion (WP29-opinion) of the European supervisory authorities a further interpretation is given to what should be understood by the determination of purpose and means.(23) In short, the WP29-opinion states that the determination of the purpose is reserved to a controller. Regarding the means, the WP29 opinion states that in part these can be determined by the processor, for example with respect to technical and organizational issues.
The WP29 opinion cites as an example, in terms of purpose, the situation in which an authority is assigned by law a public task which cannot be fulfilled without processing personal data. In that situation, that body is considered a data controller.(24) In the context of the Wams, that would mean that the municipality is a data controller.
In some situations, however, the influence the contractor has over the resources is significant.(25) For example, with respect to the (technical) design of processing, policy, implementation, and the conduct of objection and appeal proceedings. The WP29 opinion also articulates that factual circumstances are relevant in determining the controller of processing.
Based on the WP29 opinion, the option for a contractor to be an independent data controller does not seem likely. Also because the contractor would then have no basis or exception to the prohibition on processing special personal data. For the contractor, that leaves being a processor or a joint processing responsibility with the municipality.
The intended clarity regarding processing responsibility is desired but not yet realized with the current text of the Wams. It is possible that the supervisor could provide clarity regarding whether a task assigned by law can be performed by another, independent data controller. However, the simplest solution is to provide in the text of the law itself that the municipality is the processing controller.(26) This provides clarity on responsibilities for all parties, resident, municipality and contractor, and still leaves the possibility for municipalities to outsource tasks, albeit while retaining their processing responsibility.(27)
The Wams gives municipalities broad powers to process personal data. Personal data processed under a large number of laws may be used for a different purpose for which it was originally collected, a large number of parties are required to provide data to the municipality,(28) medical confidentiality must be broken, and the municipality may conduct investigations without a request from the resident.
In addition to substantiating the necessity of these intrusive powers, adequate safeguards must be provided. The legal text of the Wams assumes necessity when processing personal data.(29) This is a limitation for processing personal data but not sufficient as a safeguard.
The MoT does provide further interpretation to frame the broad powers of the municipality. For example, the Explanatory Memorandum states that it is not the intention to check for every person involved in every area whether or not there are problems and if so, which ones. Nor is it the intention, according to the Explanatory Memorandum, to start a broad investigation for every report or to ask the client all over the place for no reason. Another restriction is that if the person involved indicates that there are no problems or does not want them to be included in the investigation, no further investigation may be conducted. Finally, the Explanatory Memorandum indicates that the Board, on the basis of its duty of care, should give further substance to the working method of the investigation by means of clear working instructions.
Some of these frameworks can be traced back to the investigations conducted by the AP and, in that sense, are not new.(30) However, they do gain in importance as the possibilities for municipalities to process data have expanded. However, they focus primarily on the professional, while the college bears responsibility for data processing. For a proper balance between powers and safeguards, it is necessary to include in the law an obligation for the college to establish procedures and work instructions. These can provide further details of the frameworks to balance powers and safeguards. Subjects that can be included in the work instructions in addition to those mentioned in the Explanatory Memorandum include the working method within the Disclosure Office regarding personal data, the manner in which personal data are shared with other parties and an annual account of data processing in the social domain.
As currently drafted, the safeguards included are insufficient to carry the expanded powers. By including an obligation on the college to fulfill the duty of care for data processing, this can be met at least in part.
The purpose of the Wams is to enable municipalities to give substance to the integral support of their residents who are dealing with multiple and cross-domain problems. To this end, the Wams creates a task for the municipality in order to create a legal basis for this cross-domain data processing. The Wams can be expected to succeed in this. A sufficiently clear task is assigned to the municipality and bases are included for the reuse of data available at the municipality. Third parties are also required to provide data if the municipality deems it necessary. This allows the municipality to make maximum use of available data to support residents who need it in situations where it is truly necessary.
But part of supporting residents is also the careful handling of their data, based on the resident's support needs. In giving these guarantees, Wams does not (yet) succeed. The breach of official and professional secrecy is insufficiently substantiated and in its current form is not in accordance with international law. The college's ability to process data is not yet balanced with the broadening of safeguards. The safeguards are mentioned as examples in the MoT, but they are not sufficiently translated in the draft text of the Wams. As a result, the college is not yet sufficiently held accountable. For example, with regard to the establishment of work instructions and procedures for the details of processing personal data. In current practice, these are not always available. It should be taken into account that the question of who is a data controller is still subject to much debate. For now, the Wams fulfills the promise of realizing an integral approach and providing customized services for residents with multiple problems. The promise to provide more clarity and guarantees for both the resident and the implementing practice regarding the permitted processing of personal data has yet to be fulfilled.(31)
(1) Ook de Jeugdwet, Participatiewet, Wet gemeentelijke schuldhulpverlening en de Zorgverzekeringswet worden gewijzigd
(2) https://www.internetconsultatie.nl/meervoudigeproblematiek
(3) Kamerstukken 2013/2014 32 761 nr. 62
(4) Wet gemeentelijke schuldhulpverlening, WMO 2015, Jeugdwet en Participatiewet
(5) https://autoriteitpersoonsgegevens.nl/nl/nieuws/ap-gemeenten-onzorgvuldig-bij-uitwerking-privacyregels-sociaal-domein#subtopic-4419,
https://autoriteitpersoonsgegevens.nl/sites/default/files/atoms/files/01_onderzoek_gegevensverwerking_gemeente_nijmegen.pdf
(6) Hoe een gemeente het meldpunt inricht en met welke ketenpartners staat de gemeente vrij. Veel gemeenten hebben al een meldpunt.
(7) Publieke gezondheidszorg, geneeskundige zorg, langdurige zorg, onderwijs, welzijn, wonen anders dan beschermd wonen op grond van deze wet, werk of ander inkomen, met uitzondering
van inkomen op grond van de Participatiewet, openbare orde en veiligheid;
(8) Artikel 5.5.1 onder a Wams
(9) Voor zover noodzakelijk
(10) WMO 2015, artikel 7.4.0, eerste lid, onderdelen a en b van de Jeugdwet, de Participatiewet, de Wet gemeentelijke schuldhulpverlening, de Wet publieke gezondheid, de Wet sociale
werkvoorziening, of de 10 Leerplichtwet 1969 verder te verwerken voor zover dat noodzakelijk is voor het uitvoeren van artikel 2.3a.1, eerste lid, onderdeel b, of artikel 2.3a.5, tweede lid,
onderdeel b.
(11) Artikel 5.1.1 lid 4 Wmo 2015
(12) Jeugdwet, Participatiewet, Wet gemeentelijke schuldhulpverlening
(13) https://autoriteitpersoonsgegevens.nl/nl/nieuws/gemeenten-verzamelen-te-veel-persoonsgegevens-bij-uitvoering-wmo-en-jeugdwet#subtopic-4419
(14) Artikel 5.4.1 t/m artikel 5.4.4 Wams
(15) https://www.rijksoverheid.nl/documenten/rapporten/2016/06/15/basisprincipes-medisch-beroepsgeheim
(16) In paragraaf 3.3.4 van de MvT, wordt gesproken over, mogen verstrekken. Dit kan verwarring oproepen omdat mogen geen verplichten suggereert. Duidelijker zou zijn moeten.
(17) Zie ook Handreiking beroepsgeheim 6 stappen voor zorgvuldig handelen https://www.ggznederland.nl/uploads/publication/Handreiking%20Beroepsgeheim.pdf
(18) Uit diverse jurisprudentie op basis van artikel 8 EVRM blijkt dat de medische geheimhoudingsplicht ook valt onder artikel 8 EVRM artikel
(19) In het belang van de nationale veiligheid, de openbare veiligheid of het economisch welzijn van het land, het voorkomen van wanordelijkheden en strafbare feiten, de bescherming van de
gezondheid of de goede zeden of voor de bescherming van de rechten en vrijheden van anderen
(20) Zie ook Basisprincipes medisch beroepsgeheim 15-06-2016 https://www.rijksoverheid.nl/documenten/rapporten/2016/06/15/basisprincipes-medisch-beroepsgeheim
(21) MvT pagina 23 eerste alinea
(22) Artikel 4 sub 6 AVG
(23) Opinion 1/2010 on the concepts of "controller" and "processor" 16-02-2010; https://autoriteitpersoonsgegevens.nl/nl/nieuws/opinie-europese-privacytoezichthouders-belicht-twee
kernbegrippen-bij-verwerking-van
(24) Opinion 1/2010 on the concepts of "controller" and "processor" 16-02-2010 pagina 10: โHowever, more frequent is the case where the law, rather than directly appointing the controller or
setting out the criteria for his appointment, establishes a task or imposes a duty on someone to collect and process certain data. For example, this would be the case of an entity which is entrusted with certain public tasks (e.g., social security) which cannot be fulfilled without collecting at least some personal data, and sets up a register with a view to fulfil them. In that case, it follows from the law who is the controller. More generally, the law may impose an obligation on either public or private entities to retain or provide certain data. These entities would then normally be considered as the controller for any processing of personal data in that context.โ
(25) Bijvoorbeeld een Stichting die hiervoor is opgericht
(26) De AVG maakt dat mogelijk in artikel 4 sub 7 AVG
(27) Ook in het geval de feitelijke situatie zou maken dat de partij aan wie de gemeente een taak heeft uitbesteed verwerkingsverantwoordelijke wordt, is er duidelijkheid. Namelijk dat dit
onrechtmatig is omdat de wetgever anders heeft bepaald.
(28) Een persoon of instantie werkzaam in het domein publieke gezondheidszorg, geneeskundige zorg, langdurige zorg, onderwijs, welzijn, wonen anders dan beschermd wonen op grond van
deze wet, werk of ander inkomen, met uitzondering van inkomen op grond van de Participatiewet, openbare orde en veiligheid; artikel 1.1.1 lid 3 Wams
(29) Bijvoorbeeld artikel 5.4.1, 5.4.2 en 5.4.3 Wams
(30) https://autoriteitpersoonsgegevens.nl/nl/nieuws/gemeenten-verzamelen-te-veel-persoonsgegevens-bij-uitvoering-wmo-en-jeugdwet
(31) MvT pagina 1
