Current status of Dutch health data breaches


eHealthDutch hospitals already reported 304 cases of lost sensitive information. The official report does not provide all the details, because these may be traced to individual patients or hospitals. Since 1 January 2016, the data breach notification obligation has entered into force. This obligation means that organisations (companies as well as governments) must immediately notify the Dutch Data Protection Authority (DPA) as soon as they experience a data breach.

Unprotected communication

From the beginning of 2016, hospitals in the Netherlands are required to report any data breach. For example, hackers gained access to patient data, but also lost USB stick or public e-mail in which all email addresses are visible to everyone. In general, the data breaches are a result of unprotected communication channels and human mistakes. One case that previously was published, was the loss of a hard drive with unencrypted data from almost 800 patients by a doctor of the Amsterdam Antoni van Leeuwenhoek Hospital. In total, the DPA received since January 2016, 4700 notifications of data breaches through out all sectors because private data may have fallen into the hands of third parties. Nearly a quarter came from the healthcare sector, including 300 hospitals.

Report incidents

An organisation that an incident is not reported within 72 hours, can be fined up to 820,000 euros or ten percent of the annual turnover. The data subject must also be informed if ‘the breach probably will result in adverse effects on their private life’.  These data breach notification obligations only apply if the Dutch Data Protection Act applies, for instance in situations wherein a Dutch entity is the data controller. If the infringement was not committed intentionally and there is no serious culpable negligence, the DPA will first give instructions imposed prior to any imposition of an administrative penalty according to the policy rules.

Role of Dutch Data Protection Authority vs. GDPR

The Dutch Data Protection Act is the legislative response to the European General Data Protection Regulation (GDPR). The GDPR was adopted in April 2016 to strengthen existing obligations and to modernise the current data protection framework. It will apply directly in all member states as of spring 2018. However, there is some room for manoeuvre for national authorities to implement and specify European principles. The DPA supervises the processing of personal data in order to ensure compliance with European and Dutch laws that regulate the use of personal data. The most important laws are the Dutch Data Protection Act (Wet Bescherming Persoonsgegevens), the Police Data Act (Wet Politiegegevens) and the Basic Registration of Persons Act (Wet Basisregistratie Personen).

The current and recently introduced obligation under the Dutch Data Protection Act to notify data breaches is not entirely in agreement with the future data breach notification provisions of the GDPR. Under the GDPR, the requirements for reporting a data breach to the supervisory authority are different from those under current Dutch legislation. It seems that a data breach is more likely to be eligible for notification to the supervisory authority under the GDPR than under the Dutch Data Protection Act. The European Data Protection Board is expected to provide further guidance on the scope of the data breach provisions of the GDPR.

Preparing your organisation

Today, large part of the value of your organisation are enshrined in datasets and databases with valuable business information. Organisations must take ‘appropriate’ security measures to protect their privacy-sensitive data. Security awareness and dealing with data breaches and incidents is important for all business operations, next to the trust of your customers and safeguard compliance with legal and contractual obligations. The security solutions of AET Europe will help your organisation with compliance and more important with the loss of sensitive data.