Wabvpz - Supplementary Provisions for the Processing of Personal Data in Healthcare Act

A final Dutch law that may impact upon research activities is the Wet algemene bepalingen verwerking persoonsgegevens in de zorg (Wabvpz). This law has been created in an attempt to restore trust in the Electronic Patient Record, after the Dutch Senate had rejected an earlier regulation on the basis of sincere privacy and security issues. Unfortunately, the short history of the Wabvpz up till today is a rather troublesome one. Due to the complexity that has been inserted to enable individuals to exercise control over their health data in a very extensive manner, in October 2019 it became clear that it will not be possible to execute the law fully in due time (i.e. before 1 July 2020). This implies that parts of the law are not enforced at the moment the law enters into force, 1 July 2020.

The Wabvpz in its initial form would give patients detailed rights to determine which care institute should be able to make specific categories of health data available to specific care providers when using electronic exchange systems. These systems are, in the definition of the law, systems that enable third parties to consult data from patient records. A typical condition for using such a system, as imposed by the law, is that they enable the third party to access the data at a time determined by the third party (‘pull’ traffic). Processing of data for research purposes, making these data accessible through electronic exchange systems, requires a ground for lawful processing as discussed before.