The Dutch Healthcare and Youth Inspectorate (IGJ) recently investigated information security at GP surgeries. The outcome is alarming: 43 of the 49 GP surgeries examined do not comply with NEN 7510, the information security standard whose application is a legal requirement for Dutch healthcare providers. The standard was developed specifically for the healthcare sector and describes how organizations must set up their information security both technically and organizationally. Healthcare organizations that align their policies and processes with it are better prepared for supervision, incidents and future legislation, and contribute to a safe and reliable healthcare environment.
The study raises questions about broader privacy compliance within healthcare institutions. After all, NEN 7510 is the sector-specific elaboration of Article 32 AVG (GDPR), which requires appropriate technical and organizational security measures. Information security is an essential part of the protection of personal data. In practice, we therefore see that a lack of NEN 7510 compliance often goes hand in hand with broader privacy shortcomings: outdated or missing records of processing activities, a lack of clarity about the privacy policy towards patients and employees, insufficient agreements with suppliers, and inadequate procedures for reporting data breaches or handling requests from data subjects.
The recent data breach at the population screening programme for cervical cancer illustrates how vulnerable personal data in healthcare are. In that breach, the data of hundreds of thousands of women were stolen. The IGJ launched an investigation in this case as well, in cooperation with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP). The incident once again underscores the importance of privacy compliance and information security.
The IGJ has announced that all GP service structures must demonstrate compliance with NEN 7510 by 2026. For healthcare institutions, now is the time to review their privacy and information security policies: not only to meet legal obligations, but also to manage risks and maintain the trust of patients and employees. The combination of increasing digital (and AI-driven) healthcare applications, regulatory supervision and public attention to data security makes privacy protection an urgent theme. This calls for an integrated approach: from policy to implementation, and from awareness to oversight.
A good first step is a legal and organizational review of the current situation. Are the processes for data breaches, processing agreements and data subject requests under the AVG properly set up? Are DPIAs carried out in a timely and correct manner? How is information security embedded in daily practice? And is there sufficient oversight and awareness within the organization?
In the context of privacy oversight, the role of the Data Protection Officer (functionaris gegevensbescherming, FG) is also important. According to the article, GP practices are required to appoint an FG; this obligation stems from Article 37 AVG. Healthcare institutions may choose to outsource this role. Through BDO, it is possible to appoint an external FG who works remotely. This external FG fulfils the statutory tasks and offers structural support in setting up, testing and improving privacy processes, tailored to the specific context of the healthcare institution. In this way, structural improvements can be realized efficiently.