On July 18, 2023, NRC published an article about the storage of large amounts of medical data by external software providers of general practitioners. The article prompted some uproar and Parliamentary questions from Member Bushoff (PvdA) and Van Haga (Group van Haga) to the Minister of Health. The questions were answered quite extensively on Sept. 12.
NRC reported that large amounts of medical patient records are copied weekly to the servers of a "commercial software company," Calculus of Leiden. Using this company's "VIP Live software," a copy of the entire patient record is made every week in order to enable data sharing with other local practitioners. This need appears to exist particularly with regard to patients with chronic conditions such as diabetes.
The AP already investigated Calculus in 2018 but did not see any reason for further investigation or enforcement action at that time, also because the extracted data is automatically encrypted immediately and only accessible by the GP. The data was also not shared with third parties for scientific research or statistics as follows from the AP's official notice on the subject.
The commotion arose partly because the suggestion was made that third "commercial" parties were given free access to the data. This does not appear to be the case. The data is processed by the third parties on behalf of and under the responsibility of the general practitioners in accordance with a processing agreement. This means that those third parties may only process the data in accordance with the client's instructions and therefore may not use the data for their own purposes. As long as the security of the systems is sufficiently guaranteed, this is a common practice. After all, it is inevitable that IT suppliers will be involved in the storage of medical data. There is nothing wrong with that in itself, either. After all, specialized third parties will generally be better able to adequately protect patient data than GPs themselves. In 2018, the AP therefore considered that this structure was essentially in order.
However, many GPs wondered whether the responsible-processor relationship did justice to practice. There appears to be little or no real steering influence on the choice and design of the system in practice, so that one could speak of a paper reality.
Another issue raised was whether the system met the requirement of data minimization. After all, one might question the need to make copies of the entire patient record on a regular basis for the purpose of exchange with other health care providers when it is only useful for patients with chronic conditions.
Minister Kuipers emphasized in his answers to questions that a judgment on legality is not up to him but that the use of IT service providers is necessary to give substance to the care process. The responsibility to inform citizens/patients also lies with GPs as data controllers. He also states that GPs can choose what data they share or not through the system.
Supplier dependence
Kuijpers, on the other hand, does acknowledge with a reference to his April 4, 2023 parliamentary letter that supplier dependency in healthcare is a problem and that there is a lack of a concerted strategy by healthcare providers to break through this dependency. He points to the Healthcare ICT Market Action Plan that aims to support healthcare providers in setting up (cross) sectoral supplier management. The goal is to strengthen the position of healthcare providers. In that context, Minister Kuipers also mentions the importance of standardization of language and technology and the implementation of generic functions as laid down in the Electronic Data Interchange in Healthcare Act (Wegiz). Interoperability can contribute to freedom of choice for healthcare providers and citizens regarding IT solutions in healthcare.
It is understandable that many GPs feel that there is little or no real influence on (the design of) the system. The question can therefore rightly be asked whether the GP can be seen as the party that "determines the purpose and means of data processing" (the AVG's definition of a data controller). At its core, however, the GP (or the organization the GP is affiliated with) ultimately does choose the system (the means) as a whole for a particular purpose of the GP. The vendor then does not use the data for its own purposes. For this reason, the most logical solution is to designate the GP (organization) as the controller and the supplier as the processor. The alternative is also not workable under privacy law since the suppliers will generally not have their own processing basis.
Data minimization
If the same goal can indeed reasonably be achieved with less data exchange, it is conceivable that the system does not meet privacy requirements, Whether the system stores more data than necessary as was suggested cannot be determined on the basis of the publication and the answers to the parliamentary questions. Understandably, the Minister is leaving that judgment to the AP. However, it is quite conceivable that it is not technically workable to separate relevant data from less relevant data, or that this requires an analysis of data that in itself has a greater privacy impact than storing all data encrypted weekly.
Leaving aside the fact that the healthcare market would obviously be served by more competition and choice in IT, the commotion surrounding the NRC article seems a bit overblown.