Legislation relevant for sharing of health data


In this chapter we give a short introduction to legislation relevant for handling and sharing personal health data. This chapter may be used as a rough guideline to the variety of legislation but cannot be regarded as legal advice.

A variety of legal instruments are in place, setting legal conditions that need to be met when processing health data. The General Data Protection Regulation (GDPR), which entered into force on 26 May 2018, offers a specific set of requirements that need to be met when processing personal health data. For the Netherlands, the Uitvoeringswet AVG (UAVG) presents the Dutch implementation of the GDPR, among other things detailing issues the GDPR leaves open to Member States. In combination with other existing and recently updated laws, such as the Wet Geneeskundige Behandelingsovereenkomst (WGBO) and the Wet Medisch-wetenschappelijk Onderzoek met mensen (WMO), a framework of legal conditions can be constructed that should be kept in mind when processing personal health data. The GDPR and other acts determine the technical and organisational measures that should be met when processing personal data, leading to concepts such as data processing by design and by default. For scientific research, specific obligations are in place, and specific derogations are offered as well.

In this document the GDPR and its Dutch implementation, the UAVG, are presented with respect to basic requirements concerning the processing of – sensitive – personal health data, followed by a brief overview of a number of relevant European and Dutch laws dealing with health data. Then, the main requirements and derogations that are in place for scientific research are presented, again focusing on the processing of – usually sensitive – health data. This chapter supports the creation of privacy-respecting ecosystems in which personal health data can be processed in a trustworthy, safe and accountable manner.

The legal domain is constantly evolving, and compliance with data legislation can be a challenging topic that requires constant active effort. Having a dynamic data ecosystem that already takes privacy and legislation into account can significantly ease legal compliance. Three recent regulations that have been introduced are:

However, in this chapter we will only focus on the variety of relevant Dutch legislation.