Dutch Data Protection Agency issues guidance on large-scale data processing in healthcare

Last month, the Data Protection Agency (DPA) issued guidance on large-scale healthcare data processing. The General Data Protection Regulation requires organisations involved in large-scale processing of data to appoint a Data Protection Officer (DPO) and in certain cases to conduct a Data Protection Impact Assessment (DPIA). In this respect, the guidance clarifies when healthcare providers are considered to be involved in large-scale data processing.

For general practice (GP) healthcare physicians and institutions for specialised medical healthcare, other than hospitals, data processing is large-scale if: (i) that practice or institution more than 10,000 registered patients or if it treats more than 10,000 patients per year on average; and (ii) the data of these patients is gathered in one information system.

The criterion of 10,000 patients does not apply to other healthcare providers. These organisations must assess whether they are involved in large-scale data processing (and whether they are thus obliged to appoint a DPO and to conduct a DPIA) on the basis of:

• The number of patients whose data is being processed.
• The amount of personal data processed.
• The duration of the data processing (in healthcare usually 15 years).
• The geographical scope of the processing.

Importantly, the processing of patient data by hospitals, care groups (zorggroepen), GP out-of-hours service centers (huisartsenposten), and pharmacies (except for healthcare providers who provide professional healthcare in another capacity other than in service or (in)directly on behalf of an institution, (solistisch werkende zorgverleners) is always deemed to be large-scale.

The DPA aims to provide further information concerning other healthcare providers in the near future.

A prior version of this post was originally published by the same author in Practical Law – Life Sciences, June 2018 Issue (Thomson Reuters).