AVG Privacy Policy
Sander Sprong Osteopathy Privacy Statement.
On May 25, 2018, new privacy legislation became applicable: Regulation (EU) 2016/679, the General Data Protection Regulation, known in Dutch as the Algemene Verordening Gegevensbescherming (AVG). It replaces the Data Protection Directive (95/46/EC) and the national laws implementing it, in the Netherlands the Personal Data Protection Act (Wet bescherming persoonsgegevens, Wbp); the Privacy and Electronic Communications Directive (2002/58/EC) continues to apply alongside it. This document refers to the Regulation as the AVG. The AVG expects a more proactive role from any organization processing personal data. The most relevant changes to consider are:
– strengthened and expanded privacy rights for data subjects;
– more responsibilities for organizations;
– the same, robust powers for all European privacy regulators, including the power to impose fines of up to €20 million or 4% of annual worldwide turnover, whichever is higher.
As before under the Personal Data Protection Act, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, hereinafter AP) remains the regulator that checks whether organizations comply with the legislation. To help organizations prepare for the new rules, the AP has published a ten-step roadmap:
The AVG-10 roadmap:
1 Awareness
2 Rights of data subjects
3 Overview of processing operations
4 Data protection impact assessment (DPIA)
5 Privacy by design & privacy by default
6 Data Protection Officer
7 Duty to report data breaches
8 Processor Agreements
9 Lead supervisory authority
10 Consent
Working through this roadmap and applying it in practice should ensure that Sander Sprong Osteopathy complies with the AVG as fully as possible. The steps are discussed below, covering for each one the extent to which it applies to Sander Sprong Osteopathy, what the practice is up against, and how it meets the “new” obligations in a responsible manner.
1 Awareness
1.1 Sander Sprong Osteopathy is a practice in which osteopathy is offered by Sander Sprong as a service. To provide that service, Sander Sprong Osteopathy needs to process and use patients’ personal data in its daily operations.
1.2 The data being recorded is privacy sensitive: it is personal data from which the data subject can be identified, directly or indirectly. To ensure that the data is handled responsibly and in accordance with the privacy legislation as it takes effect on May 25, 2018, Sander Sprong Osteopathy has chosen to set out in this protocol, following the AVG roadmap listed above, how it applies the AVG.
1.3 The registration of personal data rests on a legitimate interest: patients come to Sander Sprong Osteopathy of their own accord because they want the osteopath to treat their complaints.
2 Rights of data subjects
2.1 To ensure fair processing of personal data, the Regulation gives the data subject various rights, which the data subject may exercise against the controller. The individual has:
– the right to information about processing operations;
– the right to access his or her data;
– the right to rectification of incorrect data;
– the right to erasure of data (“the right to be forgotten”);
– the right to restriction of processing;
– the right to object to processing;
– the right to data portability (to receive and transfer his or her data);
– the right not to be subject to automated decision-making.
2.2 A patient or former patient (the data subject) may submit such a request by e-mail to [email protected]. The data subject must identify himself or herself so that Sander Sprong Osteopathy can establish with sufficient certainty that the person making the request is actually the data subject. Identification should be proportionate to the request and, in line with section 5.2, should not involve making a copy of a passport or ID card.
2.3 Sander Sprong Osteopathy will inform the data subject of the action taken on the request within 1 month of receipt. For complex or numerous requests, this period may be extended by a further 2 months; the data subject will be informed of such an extension, and of the reasons for it, within the first month. The information is provided in writing as a rule.
2.4 In some cases Sander Sprong Osteopathy may refuse to act on a request, or charge a reasonable fee for doing so. This applies when requests are manifestly unfounded or excessive (for example, repeated requests for the same data), or when one of the exceptions recognized by the AVG applies (for example, in the context of a criminal investigation into the data subject). If Sander Sprong Osteopathy refuses to comply with a request, it will give reasons and inform the data subject of the right to lodge a complaint with the AP and to seek a judicial remedy.
2.5 Sander Sprong Osteopathy realizes that a written decision made in the context of the exercise of data subject rights counts as a decision within the meaning of the General Administrative Law Act (Algemene wet bestuursrecht).
2.6 In some cases Sander Sprong Osteopathy must inform the patient concerned on its own initiative. This is the case if:
– data have been obtained from a source other than the data subject;
– data are going to be used for a purpose other than the one for which they were originally provided.
Sander Sprong Osteopathy will inform the data subject in those cases within 1 month.
2.7 When a patient’s treatment ends, Sander Sprong Osteopathy retains the personal data in its system for some time. The Wgbo (Wet op de geneeskundige behandelingsovereenkomst) prescribes a retention period for medical records of 15 years at the time of writing (extended to 20 years as of January 1, 2020). Sander Sprong Osteopathy adheres to that statutory period, and records are destroyed when it expires. The file also contains data of a non-medical nature.
2.8 To ensure that the data subject has a complete picture of how his or her personal data is handled, for what purpose and on what basis (legitimate interest), each registered data subject is given access to this privacy statement and the associated documents. Sander Sprong Osteopathy publishes this information on its website and points each data subject to it.
3 Register of processing activities
3.1 Sander Sprong Osteopathy processes personal data of patients. For all of these processing operations, Sander Sprong Osteopathy maintains a register of processing activities, which lists the categories of personal data processed, together with the purposes of the processing, the categories of recipients, the envisaged retention periods and a general description of the security measures taken.
3.2 If a patient files a complaint against the osteopath, the data relating to that complaint are also processed by Sander Sprong Osteopathy.
4 DPIA (data protection impact assessment)
4.1 DPIA stands for data protection impact assessment. A DPIA is required only for processing that is likely to result in a high privacy risk. The AVG itself names three situations in which such a high risk is presumed:
– systematic and extensive evaluation of personal aspects (profiling) on which decisions with legal or similarly significant effects are based;
– large-scale processing of special categories of personal data;
– large-scale, systematic monitoring of a publicly accessible area.
4.2 In addition to the criteria in the AVG itself, the Article 29 Working Party of European privacy regulators has drawn up a list of 9 criteria for assessing whether a DPIA is necessary; as a rule of thumb, a DPIA is indicated when two or more of them apply. The criteria that might apply to an osteopathy practice are:
– sensitive data processing
– large-scale data processing
– data processing on vulnerable persons
4.3 The privacy regulators do not regard the processing of special personal data by an individual physician as large-scale, so an individual physician is not required to conduct a DPIA. The same evidently applies to data processing by an individual osteopath. Sander Sprong Osteopathy will therefore not conduct a DPIA.
4.4 Sander Sprong Osteopathy is nevertheless aware that special personal data is involved. The contents of a medical record are sensitive for the individual and require a high degree of confidentiality, and Sander Sprong Osteopathy will therefore keep that data confidential.
4.5 The data recorded by Sander Sprong Osteopathy are for internal use only. Personal data are used so that the osteopath can provide the best possible service to the patient: helping to remedy the complaints, and enabling the health insurer to reimburse the costs as far as possible.
4.6 In time, the AP will publish a list of processing operations for which a DPIA is mandatory. Once that list is available, Sander Sprong Osteopathy will review its processing of personal data against it to see whether further measures are needed.
5 Privacy by design & privacy by default
5.1 Privacy by design and privacy by default are obligations on the controller, and recital 78 of the Regulation also encourages producers of products and services to take them into account. Sander Sprong Osteopathy offers a service that is supported by the processing of personal data, and when developing and elaborating that service it takes the right to protection of personal data into account. Taking into account the state of the art and the cost of implementation, Sander Sprong Osteopathy implements appropriate technical and organizational measures, and when selecting tools such as patient management software it chooses products that enable it, as controller, and its processors to fulfill their data protection obligations.
5.2 Sander Sprong Osteopathy pays attention to:
– minimizing the processing of personal data;
– recording the BSN only, without making a copy of the passport or ID card;
– transparency regarding the functions and processing of personal data;
– enabling the data subject to exercise control over the processing of information; and
– creating and enhancing security features.
6 Data protection officer
6.1 As with the DPIA, an osteopath’s individual practice is not regarded by the AP as a large-scale processor, so the appointment of a data protection officer (Functionaris Gegevensbescherming, FG) is not required, even though special personal data is involved. Sander Sprong Osteopathy points out once more that personal data is processed at the request of the patient, who wants the best possible treatment. Sander Sprong Osteopathy does not process personal data for commercial purposes, and patients are not tracked using their personal data.
6.2 Sander Sprong Osteopathy stresses once more that it processes personal data that require a high degree of confidentiality, and considers that it has taken all measures to ensure that patients’ personal data are not used for purposes other than those intended.
7 Duty to report data breaches
7.1 A data breach within the meaning of the AVG is a personal data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, personal data transmitted, stored or otherwise processed.
7.2 Whether malicious intent is involved is irrelevant to the qualification as a personal data breach. Besides the hacking of personal data, think of data on a lost laptop, or a password-protected web page containing personal data that was accidentally left open. A data breach means that a security incident has actually occurred; a mere threat, or a security weakness (a vulnerability) that could lead to an incident, is not in itself a breach. In a breach the incident has actually occurred and the preventive measures taken were not sufficient to prevent it.
7.3 Sander Sprong Osteopathy will report every data breach to the AP, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Sander Sprong Osteopathy will notify the AP within 72 hours of becoming aware of the breach, even if not all information is available yet; missing information is supplied afterwards in phases.
7.4 Moreover, if the personal data breach is likely to result in a high risk to the data subjects, Sander Sprong Osteopathy will notify them without undue delay. Sander Sprong Osteopathy may first carry out further investigation to determine whether there is a high risk, but this investigation must not unduly delay the notification.
7.5 Every data breach will be documented by Sander Sprong Osteopathy in a register of data breaches that have occurred within the practice, including the facts of the breach, its effects, and the corrective actions taken. This register is kept regardless of whether the breach was notified to the AP, so that the AP can verify compliance.
8 Processor Agreements
8.1 Sander Sprong Osteopathy uses Crossuite, a patient management platform, to process personal data. Crossuite is therefore a processor. To ensure that Crossuite meets the requirements of the AVG, Sander Sprong Osteopathy has entered into a processor agreement with Crossuite.
8.2 The processor agreement with Crossuite regulates at least the following matters:
– the subject matter and duration of the processing;
– the nature and purpose of the processing;
– the type of personal data and the categories of data subjects;
– the rights and obligations of the controller;
– the personal data are processed only on documented instructions from Sander Sprong Osteopathy, including with regard to transfers of personal data to a third country or an international organization (unless the processor is required to do so by law);
– the processor ensures that access to the data is limited to authorized persons, who are bound to confidentiality by contract or by a statutory obligation;
– the processor maintains at least the same level of security for the personal data as Sander Sprong Osteopathy does;
– the processor gives Sander Sprong Osteopathy all possible support in fulfilling its obligations to respond to requests from data subjects exercising their rights;
– the processor assists Sander Sprong Osteopathy in fulfilling its obligations regarding the security of personal data and the notification of data breaches;
– upon termination of the agreement, the processor deletes or returns to Sander Sprong Osteopathy the personal data processed on its behalf, and deletes existing copies;
– the processor makes available to Sander Sprong Osteopathy all information necessary to demonstrate compliance with the Regulation’s obligations on the use of a processor, and allows for and contributes to audits;
– the processor discloses its arrangements with respect to sub-processors and does not engage a sub-processor without the prior written authorization of Sander Sprong Osteopathy;
– the processor lists the approved codes of conduct and certification mechanisms it uses in its operations;
– the processor guarantees Sander Sprong Osteopathy that it will comply with all obligations the AVG imposes on processors.
8.3 Sander Sprong Osteopathy uses no processors other than Crossuite. It does, however, use an accountant. The accountant does not process patient records, but does have access to some personal data, in particular data relating to payments. The accountant has therefore signed a confidentiality statement. That statement provides not only that the accountant will keep confidential all personal data of patients of Sander Sprong Osteopathy that he sees, but also that the accountant’s employees and any third parties he engages are bound by the same duty of confidentiality. The statement further provides that the accountant will not process personal data of patients.
9 Lead supervisory authority
9.1 Sander Sprong Osteopathy must determine which regulator it falls under. Sander Sprong Osteopathy has 2 offices, a main office in Amsterdam and an annex in Laren, both on Dutch territory, and all its activities take place in the Netherlands. There is therefore no cross-border processing, and the competent supervisory authority for Sander Sprong Osteopathy is the Dutch Data Protection Authority (AP).
10 Consent
10.1 The processing of certain data requires the consent of the data subject. Sander Sprong Osteopathy obtains explicit consent for the processing of special categories of personal data, personal data of a criminal nature, and the national identification number (BSN). Sander Sprong Osteopathy processes the BSN of its patients because osteopaths are required to use this number in correspondence with other health care providers. Health data is also a special category of personal data. Sander Sprong Osteopathy therefore discusses the processing of all personal data with patients in advance and records explicitly whether the patient has given consent for that processing.
10.2 Sander Sprong Osteopathy obtains this consent in the following manner. At the patient’s intake, in addition to the treatment plan, a schedule of appointments is drawn up. This is reviewed with the patient and then either handed to the patient or sent to the patient by mail, noting that it is a confirmation of the appointments made, and the patient is asked to confirm receipt. This “order confirmation” sets out the key points of what the patient can expect from the osteopath:
– that the patient has been informed that personal data will be processed and which personal data are involved;
– that the patient has given explicit consent to that processing;
– that the patient has rights with respect to the processing of personal data, and can read about these rights and Sander Sprong Osteopathy’s further procedures in this privacy statement on the website of Sander Sprong Osteopathy;
– the retention period(s) that apply to the personal data;
– that the patient may file a complaint against Sander Sprong Osteopathy with the NRO (Nederlands Register voor Osteopathie);
– the consultation rate of Sander Sprong Osteopathy.
11 Final word
11.1 With this privacy policy Sander Sprong Osteopathy intends to meet all requirements of the new AVG. Sander Sprong Osteopathy is aware that the rules are new and that not every aspect can yet be interpreted with certainty. Sander Sprong Osteopathy will monitor adjustments, decisions and further news from the AP so that it can act in time to tighten or relax this policy where needed.
Note: This privacy statement also applies to the branch in Laren