The AVG does not prescribe specific retention periods; under the AVG, personal data may not be kept longer than necessary, unless a specific law specifies a retention period.
See more on this in 2.3.5.
The Wgbo stipulates a retention period for data that are part of a client's file. These data must be kept for 20 years after the last change in the file.
As of 1-1-2020, the retention period for medical records has been extended from fifteen to twenty years. It also begins to run only from the time the last change in the record takes place and not, as before, from the time each individual piece of data in the record was produced. The twenty-year retention period applies immediately from the entry into force of the amendment to the Wgbo, i.e. as of 1-1-2020. This means that records whose last change was, on 1-1-2020, less than 20 years ago must be kept until the twenty-year period expires. If, on the basis of the old retention period, records had already been destroyed that should be retained in accordance with the new retention period, the individual healthcare provider or care provider cannot be held accountable for this. This follows from Parliamentary Papers II 2017/18, 34994, no. 3, p. 8 (MoT).
If it concerns a file of a client in an institution, the retention period only begins after the last change in the client's entire file. Therefore, as long as the retention period with respect to one (or more) subfiles is still running, all subfiles of specialties will still be retained.
At the end of the 20-year retention period, the file should, in principle, be destroyed. However, a longer retention period may apply to some parts of the file. This may occur in two cases:
If provided by law;
If it reasonably follows from the care of a good health care provider.
Examples of the first exception are the Working Conditions Act or the Archives Act.
Basic Selection Document Public and Special Academic Hospitals 1985 prepared pursuant to Art. 5 (2) (b) Archives Act.
Under the Archives Act, university medical centers must retain certain documents about a patient for longer than 20 years. These are documents such as the discharge letter, the surgery report, the anesthesia report, the PA report, the emergency room report, and documents containing records of emergencies. These documents must be kept for 115 years from the date of birth of the patient in question.
Examples of data to which a longer retention period applies that derives from the care of a good health care provider are data on hereditary testing, data from clients with implants or data from cured cancer clients.
Opinion Patient Data Retention Period, Health Council, April 1, 2004.
With respect to minor clients, it is generally accepted based on the care of a good caregiver that the 20-year retention period does not begin to run until the client reaches the age of 18.
KNMG Guideline on Handling Medical Data, Utrecht, 2021, p. 36.
The client may also ask the health care provider to keep the data longer than the statutory period; in principle, this should be complied with. File information can also be kept longer than twenty years if the information is made anonymous by removing all directly and indirectly traceable personal data such as name and address, BSN, date of birth and client number from the file. In practice, however, this is a difficult task.
Tip
It is advisable to make national agreements within the scientific professional associations on which data warrant a longer retention period and how long that period should be. This is primarily for the benefit of clients: it prevents arbitrariness, with data being kept either too briefly, if this obligation is ignored, or too long by invoking this obligation. Secondly, it matters because of the legal risks that may arise from this for the care provider. An unambiguous request can then also be made to suppliers of ECDs to facilitate care providers in this regard.
The decision to destroy a file upon expiration of the retention period is a joint responsibility of the healthcare provider and the involved care provider(s). Pursuant to the Wgbo, destruction of the file can only take place with the consent of the care provider(s) involved. Healthcare providers have no independent authority to proceed with destruction on their own after the expiration of the period.
Parliamentary Papers II, 2001/02, 28 000 XVI, no. 14, p. 15.
Within healthcare facilities, the primary care provider is often designated to decide on destruction. Under the AVG, there is also a responsibility on the healthcare provider itself, as the data controller.
The Wabvpz (Art. 15j Wabvpz) provides that a general order in council may establish rules on the functional, technical and organizational measures for the management, security and use of the ECD.
A separate retention period applies to the logging, that is, the record of access to and changes to the file by employees of the healthcare provider. This is discussed in more detail in 3.5.1.
In 3.4.6 we saw that within healthcare, data files are also created for purposes other than healthcare provision. Data processing by the healthcare provider for purposes such as personnel administration and purchasing falls outside the scope of this book. With regard to data that are processed in the context of procedures directly related to the quality of healthcare provision, such as the settlement of complaints and the investigation of incidents, we briefly mention here that no retention periods have been established in specific laws such as the Wkkgz, Wgbo, Wet BIG and the BW. This leaves room for drawing up one's own (sectoral) policy. Because of the storage limitation principle of the AVG, the data controller will have to set time limits for the destruction of personal data or their periodic review.
Recital 39 AVG.
Retaining personal data longer than the set period is only possible if this is done with the consent of the person involved (client), for scientific research or statistical purposes, or when there is a legitimate interest. If none of these exceptions applies, the personal data will have to be anonymized or destroyed. Anonymization is itself an independent processing operation that will have to meet the requirements of the AVG.