The Dutch Data Protection Authority (CBP) has carried out an investigation into the required consent for the exchange of personal medical data through the National Switch Point (LSP). The LSP enables healthcare providers such as a general practitioners and pharmacists to access up-to-date medical data of patients by using their so-called Citizen Service Number (BSN). The introduction of the LSP last year was controversial because of worries about the security of the system and the protection of the privacy of the patients. The investigation by the CBP, conducted in 2013 and 2014, centered on the Association of Healthcare Providers for Healthcare Communication (VZVZ), which is responsible for the processing of medical data in the context of the Personal Data Protection Act.
Explicit consent of patients required
Based on a sample of 149 patient records, the CBP found that in eight cases it wasn’t possible to determine that the patient had given his or her valid consent for the exchange of their data through the LSP. In a number of records, the evidence that the valid consent had been given was missing, while from other records it appeared that the patient had been insufficiently informed about the exchange of data beforehand. It should be clear beforehand who is processing the personal data, for what purpose and to whom the data are passed.
The CBP underlines that explicit consent is required: “Putting down some leaflets on the reception desk, having a leaflet rack or offering the possibility to download leaflets on the website of the healthcare provider is not enough. Doctors should properly inform their patients and subsequently ask their explicit consent for the exchange of their data through the LSP.’’
According to the CBP, the consent for the exchange of medical data through the LSP is sufficiently demonstrated if one of the following documents is present in the patient record:
- a consent form signed by the patient;
- a screenshot of the information system of the healthcare provider, indicating that the patient has agreed on the exchange of information;
- an annotation on the obtained consent of the patient. In this case, a signature or the initials of an employee of the healthcare provider is required.
Furthermore, the document on the basis of which the consent is demonstrated, must always be dated.
Guarantees
The Dutch Patient Federation NPCF is also of the opinion that patients should be better informed about what happens to their data. As a result of the investigation, the VZVZ has taken technical and organizational measures to make sure that only the medical data of people who have given their explicit consent are exchanged. According to the CBP, these measures are adequate.