The Dutch Healthcare Authority was allowed to request and process mental health patient data in 2023. Requesting and processing so-called HoNOS+ data was not against the law. This was ruled by the District Court of Midden-Nederland in a mass claim case under the WAMCA (Wet afwikkeling massaschade in collectieve actie). Three interest groups brought this collective case on behalf of all clients and practitioners in the GGZ against the healthcare authority, together with several individual plaintiffs.
Since Jan. 1, 2022, the Dutch legislature has introduced a new costing system for mental health care (GGZ) and forensic care, also known as the care performance model. Treatment providers in the GGZ had to submit answers to questionnaires about their clients to the Dutch Healthcare Authority (NZa) once in 2023. The anonymous questionnaire contained 19 questions about the client's social and mental state. The practitioner had to give a score on the severity of the problem. The NZa processed this so-called HoNOS+ data. Based on the answers, the practitioner then determined what type of care might be appropriate for the client and was advised on a possible treatment option by the algorithm behind the questionnaire.
The plaintiffs believe that the data about their (mental) health contains personal data and that the NZa's requesting and processing of this data violates the General Data Protection Regulation (AVG). They also believe that the NZa is seriously violating clients' right to privacy in the mental health sector. In addition, according to the plaintiffs, practitioners are forced to breach their medical confidentiality. They want the court to find that the NZa acted in violation of the right by requesting and processing the data. They also want the NZa to be prohibited from requesting and processing the data in the future and to destroy the existing data.
The court dismisses the plaintiffs' claims. The retrieval and processing of the data is not contrary to law. The court notes that the data is anonymous. It contains no identifiable data relating to clients, such as names, address information and citizen service numbers. The completed questionnaires contain only ticked scores as answers to the questions and thus cannot be traced back to an individual. Nor is it possible to link the HoNOS+ data to other data available to the NZa in order to identify an individual. Thus, the AVG does not apply when requesting and processing the data. The court has sympathy for clients who feel unsafe because questionnaires about their mental state were completed and shared with the NZa. But, because the data is anonymous, the clients' privacy is not at risk. In addition, it is in the interest of society that the care performance model be developed in this way. Finally, the court finds that the practitioners are not violating their medical confidentiality by sharing the data. In fact, practitioners have a legal obligation to share this data with the NZa. This allows the practitioner to breach their medical confidentiality, even without the client's consent.
The NZa is not currently prohibited from requesting the data in the future. There is no legal provision for this at the moment so the court cannot rule on this. In addition, the NZa does not have to destroy the existing data. However, the NZa informed that it has already destroyed the collected data. Their backups will be destroyed very soon.
