AP (The Netherlands) - 26.11.2020: Difference between revisions
No edit summary |
No edit summary |
||
Line 48: | Line 48: | ||
}} | }} | ||
The Dutch DPA fined a hospital 440 000 | The Dutch DPA fined a hospital € 440,000 for violating Article 32(1) of the GDPR by failing to comply with the requirement of two-factor authentication and regular review of access log files. | ||
==English Summary== | ==English Summary== | ||
Line 58: | Line 58: | ||
Since 19 October 2015, OLVG has been using a new information system to store which electronic patient records. OLVG provided medical care to approximately 500,000 patients in 2018 alone, which leads the AP to conclude that the hospital processes personal data, including special category (health) data under GDPR, on large scale. | Since 19 October 2015, OLVG has been using a new information system to store which electronic patient records. OLVG provided medical care to approximately 500,000 patients in 2018 alone, which leads the AP to conclude that the hospital processes personal data, including special category (health) data under GDPR, on large scale. | ||
The AP found two potential issues. | The AP found two potential issues. | ||
1. Two-factor authentication. | 1. Two-factor authentication. | ||
The AP found that employee authentication was done in two ways, depending on whether access is requested from inside or outside the OLVG network. When logging in from within the OLVG network, the employees must use their usernames and passwords to access their virtual workstations (VDI); a second factor like a staff pass or a token are not required in this case. A single sign-on functionality is also used, allowing the employee who is already logged in to the VDI immediate access to the hospital information system with the electronic patient records. | The AP found that employee authentication was done in two ways, depending on whether access is requested from inside or outside the OLVG network. When logging in from within the OLVG network, the employees must use their usernames and passwords to access their virtual workstations (VDI); a second factor like a staff pass or a token are not required in this case. A single sign-on functionality is also used, allowing the employee who is already logged in to the VDI immediate access to the hospital information system with the electronic patient records. | ||
When logging into the VDI from a computer outside the OLVG network, employees must use a username and password in combination with a changing token which they received by SMS or via an application. OLVG linked a token reader to each computer on 9 March 2020, changing this method of authentication. This means that before they can access to the computer, employees must hold their employee card in front of this reader and enter a password. | When logging into the VDI from a computer outside the OLVG network, employees must use a username and password in combination with a changing token which they received by SMS or via an application. OLVG linked a token reader to each computer on 9 March 2020, changing this method of authentication. This means that before they can access to the computer, employees must hold their employee card in front of this reader and enter a password. | ||
OLVG has also indicated in its Information Security and Privacy Policy that that policy is based on: 1) the Dutch standard for information security in healthcare: NEN 7510, NEN 7512 and NEN 7513, and 2) the current laws and regulations, including the GDPR. OLVG has thus also committed to complying with the NEN security standards, which dictate that the identity of users must be established by means of two-factor authentication. | OLVG has also indicated in its Information Security and Privacy Policy that that policy is based on: 1) the Dutch standard for information security in healthcare: NEN 7510, NEN 7512 and NEN 7513, and 2) the current laws and regulations, including the GDPR. OLVG has thus also committed to complying with the NEN security standards, which dictate that the identity of users must be established by means of two-factor authentication. | ||
Given the sensitive nature of the data, the large scale of the processing by OLVG and the risks to data subjects, the AP has concluded that OLVG should have implemented two-factor authentication when accessing personal data in electronic patient records. However, this was not done when these records were from inside of the hospital’s network. | Given the sensitive nature of the data, the large scale of the processing by OLVG and the risks to data subjects, the AP has concluded that OLVG should have implemented two-factor authentication when accessing personal data in electronic patient records. However, this was not done when these records were from inside of the hospital’s network. | ||
2. Access logs review. | 2. Access logs review. | ||
The AP found that during the period from 1 January 2018 to 17 April 2019, OLVG conducted two sample checks of “Break the Glass” behaviour across larger groups of employees and eight incidental checks of the logging of health records. Further, the AP found that OLVG did not conduct systematic checks of anomalies in the access logs to all electronic health records during the period from 1 January 2018 to 22 May 2019, nor did it allow for systematic or automated alerts when certain logging limits were exceeded. | The AP found that during the period from 1 January 2018 to 17 April 2019, OLVG conducted two sample checks of “Break the Glass” behaviour across larger groups of employees and eight incidental checks of the logging of health records. Further, the AP found that OLVG did not conduct systematic checks of anomalies in the access logs to all electronic health records during the period from 1 January 2018 to 22 May 2019, nor did it allow for systematic or automated alerts when certain logging limits were exceeded. | ||
===Dispute=== | ===Dispute=== | ||
1. OLVG is of the opinion that the AP incorrectly concludes that OLVG has not applied two-factor authentication. According to Standard 9.4.1 of NEN 7510-2 (2017), health information systems that process personal health information should establish the identity of users and this should be done by means of authentication involving at least two factors. According to OLVG, its computers are in rooms to which can only be accessed with a personal employee pass. The pass only allows an employee access to the rooms she or he is authorized to enter. According to OLVG, there is no fundamental difference here between access limited to the person holding a pass in front of a reader which is built into the computer. | 1. OLVG is of the opinion that the AP incorrectly concludes that OLVG has not applied two-factor authentication. According to Standard 9.4.1 of NEN 7510-2 (2017), health information systems that process personal health information should establish the identity of users and this should be done by means of authentication involving at least two factors. According to OLVG, its computers are in rooms to which can only be accessed with a personal employee pass. The pass only allows an employee access to the rooms she or he is authorized to enter. According to OLVG, there is no fundamental difference here between access limited to the person holding a pass in front of a reader which is built into the computer. | ||
Line 85: | Line 89: | ||
5. The AP's investigation report refers to Article 3(2) of the Decree on Electronic Data Processing by Healthcare Providers (Begz). This article states that a healthcare provider must, in accordance with the provisions of NEN7510 and NEN7512, ensure a safe and careful use of the healthcare information system and a safe and careful use of the electronic exchange system to which it is connected. OLVG states that the AP can only impose a fine or issue a penalty to enforce the obligations imposed by the GDPR and not for a violation of the Begz. | 5. The AP's investigation report refers to Article 3(2) of the Decree on Electronic Data Processing by Healthcare Providers (Begz). This article states that a healthcare provider must, in accordance with the provisions of NEN7510 and NEN7512, ensure a safe and careful use of the healthcare information system and a safe and careful use of the electronic exchange system to which it is connected. OLVG states that the AP can only impose a fine or issue a penalty to enforce the obligations imposed by the GDPR and not for a violation of the Begz. | ||
The AP does not follow OLVG's view in this regard either. The AP imposed an administrative fine for the violation of Article 32(1) of the GDPR, more specifically with respect to authentication and a regular checks of the log files. Incidentally, the Begz does apply to the OLVG and it obliges OLVG to apply the NEN 7510 and NEN 7512 standards. | The AP does not follow OLVG's view in this regard either. The AP imposed an administrative fine for the violation of Article 32(1) of the GDPR, more specifically with respect to authentication and a regular checks of the log files. Incidentally, the Begz does apply to the OLVG and it obliges OLVG to apply the NEN 7510 and NEN 7512 standards. | ||
===Holding=== | ===Holding=== | ||
The AP has concluded that OLVG has not applied an appropriate level of security for the processing of personal data in its hospital information system. The AP has determined that until at least 22 May 2019, OLVG has been processing sensitive personal data of hundreds of thousands of patients without adequate security. The AP considers the fact that the violation continued in a structural manner for a longer period, partly under the Personal Data Protection Act, which already required an adequate security level, to be serious. In view of the nature, seriousness, scope and duration of the infringement, the AP increased the basic amount of the fine by €80,000 to €390,000 under the 2019 Fine Policy. | The AP has concluded that OLVG has not applied an appropriate level of security for the processing of personal data in its hospital information system. The AP has determined that until at least 22 May 2019, OLVG has been processing sensitive personal data of hundreds of thousands of patients without adequate security. The AP considers the fact that the violation continued in a structural manner for a longer period, partly under the Personal Data Protection Act, which already required an adequate security level, to be serious. In view of the nature, seriousness, scope and duration of the infringement, the AP increased the basic amount of the fine by €80,000 to €390,000 under the 2019 Fine Policy. | ||
OLVG is expected, partly in view of the sensitive nature and large scale of the processing, to ascertain the standards applicable to it and to act according to those standards. In addition, OLVG has indicated in its own Information Security & Privacy Policy that the policy is based on the Dutch standard for information security in healthcare, namely: NEN 7510, NEN 7512 and NEN 7513 and the current laws and regulations, including the GDPR. Which means that OLVG has committed itself to complying with those norms. OLVG also stipulated in its logging policy that it will take a representative sample every four weeks to analyse the log data. OLVG therefore also fails to comply with its own existing policy rules, which is considered by the AP to be extremely negligent. Given the negligent nature of the breach, the AP increases the base amount of the fine under Article 7(b) of the 2019 Fine Policy by €50,000 to €440,000. | OLVG is expected, partly in view of the sensitive nature and large scale of the processing, to ascertain the standards applicable to it and to act according to those standards. In addition, OLVG has indicated in its own Information Security & Privacy Policy that the policy is based on the Dutch standard for information security in healthcare, namely: NEN 7510, NEN 7512 and NEN 7513 and the current laws and regulations, including the GDPR. Which means that OLVG has committed itself to complying with those norms. OLVG also stipulated in its logging policy that it will take a representative sample every four weeks to analyse the log data. OLVG therefore also fails to comply with its own existing policy rules, which is considered by the AP to be extremely negligent. Given the negligent nature of the breach, the AP increases the base amount of the fine under Article 7(b) of the 2019 Fine Policy by €50,000 to €440,000. | ||
Revision as of 09:50, 17 February 2021
AP - Ziekenhuis OLVG | |
---|---|
Authority: | AP (The Netherlands) |
Jurisdiction: | Netherlands |
Relevant Law: | Article 32(1) GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | 26.11.2020 |
Published: | 11.02.2021 |
Fine: | 440000 EUR |
Parties: | OLVG hospital |
National Case Number/Name: | Ziekenhuis OLVG |
European Case Law Identifier: | n/a |
Appeal: | Not appealed |
Original Language(s): | Dutch |
Original Source: | Autoriteit Persoonsgegevens (in NL) |
Initial Contributor: | n/a |
The Dutch DPA fined a hospital € 440,000 for violating Article 32(1) of the GDPR by failing to comply with the requirement of two-factor authentication and regular review of access log files.
English Summary
Facts
The AP received two data breach notifications from the OLVG Foundation about access by employees and work students to electronic patient records. In response to these data breach notifications, the AP initiated an investigation into OLVG's compliance with Article 32(1) of the GDPR by inspecting, among other things, authentication, and verification of the logging procedures.
The AP announced the investigation in a letter dated 17 April 2019, and asked questions to OLVG. These questions were answered by a letter dated 3 May 2019. On 22 May 2019, five inspectors from the AP conducted an on-site investigation at one of the locations of OLVG. During this investigation, the inspectors checked different components of the hospital’s information system. Oral statements were also taken from members of the Executive Board and various employees of OLVG. The AP sent the report of findings to OLVG on 10 February 2020. On February 17, 2020, the AP sent OLVG a letter to announce the intention to enforce. OLVG provided its views on this intention in writing on 27 March 2020 and orally on 25 June 2020.
Since 19 October 2015, OLVG has been using a new information system to store which electronic patient records. OLVG provided medical care to approximately 500,000 patients in 2018 alone, which leads the AP to conclude that the hospital processes personal data, including special category (health) data under GDPR, on large scale.
The AP found two potential issues.
1. Two-factor authentication.
The AP found that employee authentication was done in two ways, depending on whether access is requested from inside or outside the OLVG network. When logging in from within the OLVG network, the employees must use their usernames and passwords to access their virtual workstations (VDI); a second factor like a staff pass or a token are not required in this case. A single sign-on functionality is also used, allowing the employee who is already logged in to the VDI immediate access to the hospital information system with the electronic patient records.
When logging into the VDI from a computer outside the OLVG network, employees must use a username and password in combination with a changing token which they received by SMS or via an application. OLVG linked a token reader to each computer on 9 March 2020, changing this method of authentication. This means that before they can access to the computer, employees must hold their employee card in front of this reader and enter a password.
OLVG has also indicated in its Information Security and Privacy Policy that that policy is based on: 1) the Dutch standard for information security in healthcare: NEN 7510, NEN 7512 and NEN 7513, and 2) the current laws and regulations, including the GDPR. OLVG has thus also committed to complying with the NEN security standards, which dictate that the identity of users must be established by means of two-factor authentication.
Given the sensitive nature of the data, the large scale of the processing by OLVG and the risks to data subjects, the AP has concluded that OLVG should have implemented two-factor authentication when accessing personal data in electronic patient records. However, this was not done when these records were from inside of the hospital’s network.
2. Access logs review.
The AP found that during the period from 1 January 2018 to 17 April 2019, OLVG conducted two sample checks of “Break the Glass” behaviour across larger groups of employees and eight incidental checks of the logging of health records. Further, the AP found that OLVG did not conduct systematic checks of anomalies in the access logs to all electronic health records during the period from 1 January 2018 to 22 May 2019, nor did it allow for systematic or automated alerts when certain logging limits were exceeded.
Dispute
1. OLVG is of the opinion that the AP incorrectly concludes that OLVG has not applied two-factor authentication. According to Standard 9.4.1 of NEN 7510-2 (2017), health information systems that process personal health information should establish the identity of users and this should be done by means of authentication involving at least two factors. According to OLVG, its computers are in rooms to which can only be accessed with a personal employee pass. The pass only allows an employee access to the rooms she or he is authorized to enter. According to OLVG, there is no fundamental difference here between access limited to the person holding a pass in front of a reader which is built into the computer. The AP does not agree with OLVG. For adequate security of personal data in electronic patient records, it is necessary that OLVG's information system is accessible only with two-factor authentication. If access to the room is controlled by the authentication via a personal pass but the computer itself is not protected by two-factor authentication, then there is a greater chance that employees who are authorized to access the room (such as cleaners) could gain access to the patient records. In addition, certain areas of the hospital are not completely locked down. Which means there is a significant difference between this and limiting access to the person holding a card in front of the computer. Finally, the AP emphasizes that standard 9.4.1 of NEN 7510-2 (2017) contains the term 'health information systems'. Which means that the information systems themselves must be secured by two-factor authentication. In view of the above, the AP considers that OLVG has violated Article 32(1), of the GDPR at least until 22 May 2019, as OLVG's hospital information system has not complied with the requirement of two-factor authentication. OLVG has since ended this violation by quipping each computer with an employee card reader.
2. OLVG argued that the AP has imposed fine contrary to the nemo tenetur principle as set out in Article 48(1) of the European Charter and Article 6(1) of the European Convention on Human Rights (ECHR), since the investigation was based on data breach notifications which OLVG was obliged to make under the threat of a penalty. Referring to various court decisions, OLVG argues that will-dependent information may not be used for an administrative punishment by means of issuing a fine. In the letter dated 17 April 2019, the AP further requested information pursuant to Sections 5:16 and 5:17 of the General Administrative Law Act (Awb). In this letter, the AP did not point out that OLVG was not obliged to provide information if by doing so it would provide evidence of a violation of the GDPR. This means that also all the information obtained by the AP because of its request for information, was obtained under coercion as referred to in Article 6(1) ECHR and Article 48(1) of the Charter. OLVG concludes that in view of the foregoing, the wilful information obtained under coercion from OLVG cannot be used for the imposition of an administrative fine. AP disagrees. The two reported data breaches only prompted the AP to launch an investigation into OLVG's compliance with Article 32 of the GDPR. While the two data breach reports are included in the case file with the documents relating to the case, they do constitute evidence of the violation of Article 32 of the GDPR found by the AP. Exclusion of those data breach notifications as evidence is therefore out of the question. In addition, the AP considers the data breach notification to be will-independent information. In view of article 33(5) of the GDPR, OLVG is required to document all personal data breaches, together with the facts about those breaches, their consequences and the measures taken to mitigate risks, so it had this information at its disposal. Secondly, the AP does not agree with OLVG that the AP, with its information request of 17 April 2019, forced OLVG to provide information to the AP and, consequently, that this information should not be used to impose an administrative fine. Information in question was not formally requested with reference to the duty to cooperate. The fact that the letter in question referred to Article 58(1)(a) of the GDPR and Article 5:16 in conjunction with Article 5:17 of the Awb does not make this any different. These references were included in the letter for OLVG's information only to make it clear that the AP may request OLVG to provide this information and on what basis they may do so. In the opinion of the AP there is therefore no question of providing information under duress. The AP did not use the will-independent material to impose the administrative fine. The AP concludes that the imposition of a fine for the conduct observed is not in violation of the nemo tenetur principle as laid down in Article 48(1) of the European Charter and Article 6(1) of the ECHR.
3. OLVG argues that the imposing of a fine for the behaviour identified by the AP, at least those related to authentication, violates the rights of defence as set forth in Article 48(2) of the European Charter and Article 6(2) ECHR, as the identified behaviour fall outside the scope of the purpose of investigation previously formulated by the AP. According to OLVG, the AP does not conclude in the investigation report that OLVG has not taken appropriate technical and organizational measures to ensure that personal data in the electronic patient record are not accessed by unauthorized employees. Instead the AP notes that OLVG does not comply with the requirement of at least two-factor authentication pursuant to article 32(1) of the GDPR. The AP disagrees. The conclusion of the AP that OLVG does not comply with article 32(1) of the GDPR by not meeting the requirement for two-factor authentication is directly related to the purpose of the investigation and falls within the scope of the purpose of the investigation. The AP explicitly mentioned that the investigation would focus on the access security (authentication and authorization), logging, checking the logging and awareness of employees. The fact that two-factor authentication cannot guarantee that unauthorized access to patient records by employees will no longer occur, does not change the fact that it is still a measure that contributes significantly to preventing unauthorized access as required under Article 32 of the GDPR. In this context, the AP emphasizes that the application of two-factor authentication and logging control are not isolated measures, but they must be considered in conjunction with all other appropriate measures. It is the combination of these measures that enables OLVG to manage the protection of personal data as well as possible and to prevent breaches as much as possible. The application of two-factor authentication does not therefore relieve OLVG of the obligation to promote the awareness of employees about data protection.
4. OLVG points out that AP is not allowed to set further binding rules to interpret Article 32 of the GDPR, like AP did when they applied the NEN security standards. These standards cannot constitute a basis for the interpretation of article 32 of the GDPR since they are not referred to by the GDPR and were created without being related to or based on the GDPR. The AP disagrees with this argument. NEN standards are generally accepted security standards of information security in healthcare. The AP considers the requirement for two-factor authentication contained in these standards and the obligation to regularly assess the log files to be a concrete interpretation of what can be considered appropriate by Article 32 of the GDPR. Moreover, OLVG itself indicated in its Information Security & Privacy Policy that that policy was based on the Dutch standard for information security in healthcare, namely: NEN 7510, NEN 7512 and NEN 7513 and the current laws and regulations, including the GDPR. In its Epic logging policy, OLVG indicates that this document must lead to compliance with NEN 7513 and applicable laws and regulations. In short, the AP concludes that OLVG also believes that these NEN standards provide interpretation of the correct degree of information security and has therefore committed itself to comply with the NEN standards.
5. The AP's investigation report refers to Article 3(2) of the Decree on Electronic Data Processing by Healthcare Providers (Begz). This article states that a healthcare provider must, in accordance with the provisions of NEN7510 and NEN7512, ensure a safe and careful use of the healthcare information system and a safe and careful use of the electronic exchange system to which it is connected. OLVG states that the AP can only impose a fine or issue a penalty to enforce the obligations imposed by the GDPR and not for a violation of the Begz. The AP does not follow OLVG's view in this regard either. The AP imposed an administrative fine for the violation of Article 32(1) of the GDPR, more specifically with respect to authentication and a regular checks of the log files. Incidentally, the Begz does apply to the OLVG and it obliges OLVG to apply the NEN 7510 and NEN 7512 standards.
Holding
The AP has concluded that OLVG has not applied an appropriate level of security for the processing of personal data in its hospital information system. The AP has determined that until at least 22 May 2019, OLVG has been processing sensitive personal data of hundreds of thousands of patients without adequate security. The AP considers the fact that the violation continued in a structural manner for a longer period, partly under the Personal Data Protection Act, which already required an adequate security level, to be serious. In view of the nature, seriousness, scope and duration of the infringement, the AP increased the basic amount of the fine by €80,000 to €390,000 under the 2019 Fine Policy.
OLVG is expected, partly in view of the sensitive nature and large scale of the processing, to ascertain the standards applicable to it and to act according to those standards. In addition, OLVG has indicated in its own Information Security & Privacy Policy that the policy is based on the Dutch standard for information security in healthcare, namely: NEN 7510, NEN 7512 and NEN 7513 and the current laws and regulations, including the GDPR. Which means that OLVG has committed itself to complying with those norms. OLVG also stipulated in its logging policy that it will take a representative sample every four weeks to analyse the log data. OLVG therefore also fails to comply with its own existing policy rules, which is considered by the AP to be extremely negligent. Given the negligent nature of the breach, the AP increases the base amount of the fine under Article 7(b) of the 2019 Fine Policy by €50,000 to €440,000.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
<!DOCTYPE html><!--[if lt IE 7]> <html class="no-js lt-ie9 lt-ie8 lt-ie7" lang="nl"> <![endif]--><!--[if IE 7]> <html class="no-js lt-ie9 lt-ie8" lang="nl"> <![endif]--><!--[if IE 8]> <html class="no-js lt-ie9" lang="nl"> <![endif]--><!--[if gt IE 8]><!--><html class="no-js" lang="nl"><!--<![endif]--><head><title> OLVG hospital fined for insufficient security of medical records | Dutch Data Protection Authority </title><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"><meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes"><meta name="author" content=""/><meta name="description" content=""><!-- absolute url to image for facebook --><meta property="og:image" content="/profiles/cbp/themes/cbp/src/templates/presentation/img/ap_logo-200x200.png"><!-- For third-generation iPad with high-resolution Retina display: --><link rel="apple-touch-icon-precomposed" sizes="152x152" href="/profiles/cbp/themes/cbp/src/templates/presentation/img/ap_logo-152x152.png"><!-- For iPhone with high-resolution Retina display: --><link rel="apple-touch-icon-precomposed" sizes="120x20" href="/profiles/cbp/themes/cbp/src/templates/presentation/img/ap_logo-120x120.png"><!-- For first- and second-generation iPad: --><link rel="apple-touch-icon-precomposed" sizes="72x72" href="/profiles/cbp/themes/cbp/src/templates/presentation/img/ap_logo-72x72.png"><!-- For non-Retina iPhone, iPod Touch, and Android 2.1+ devices: --><link rel="apple-touch-icon-precomposed" href="/profiles/cbp/themes/cbp/src/templates/presentation/img/ap_logo-57x57.png"><link rel="icon" sizes="200x200" href="/profiles/cbp/themes/cbp/src/templates/presentation/img/ap_logo-200x200.png"><link rel="shortcut icon" href="/profiles/cbp/themes/cbp/ap_favicon.ico" type="image/vnd.microsoft.icon" /><!--[if IE 8]> <link href="/profiles/cbp/themes/cbp/src/templates/presentation/ie8.css" rel="stylesheet" type="text/css" media="screen"/> <script src="/profiles/cbp/themes/cbp/src/templates/behaviour/IE9.js"></script><![endif]--><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta property="og:title" content="OLVG hospital fined for insufficient security of medical records" /><link type="text/css" rel="stylesheet" href="https://autoriteitpersoonsgegevens.nl/sites/default/files/css/css_evcz7bSXIDmzfjJLCk5DYJEg6zvZHIe9tZRwmYQjBaE.css" media="all" /><link type="text/css" rel="stylesheet" href="https://autoriteitpersoonsgegevens.nl/sites/default/files/css/css_lTCg8sconCr6x4ZveeqUBMsO9VQb6J2zSp5XWeO5HIA.css" media="all" /><!--[if !IE]><!--><link type="text/css" rel="stylesheet" href="https://autoriteitpersoonsgegevens.nl/sites/default/files/css/css_I0v96izA8i-GyEHKRA12SFFhh2rWTYhMKaswssVsgqg.css" media="screen" /><!--<![endif]--><!--[if lte IE 9]> <link type="text/css" rel="stylesheet" href="https://autoriteitpersoonsgegevens.nl/sites/default/files/css/css_rGRDEH3gEthmV_wwagrJV8TQAVPwohcLF--_NCWkGY4.css" media="screen" /> <![endif]--><!--[if gt IE 8]> <link type="text/css" rel="stylesheet" href="https://autoriteitpersoonsgegevens.nl/sites/default/files/css/css_FH2spmH1NCWvlmsSbvThQWXU-7xi8P3uiCUYoNQIP8k.css" media="screen" /> <![endif]--><link type="text/css" rel="stylesheet" href="https://autoriteitpersoonsgegevens.nl/sites/default/files/css/css_ZKk63fo-ILt8Zvr_L4yMi4nNzZRnGdwdCdlNhT6VpZs.css" media="all" /><link type="text/css" rel="stylesheet" href="https://autoriteitpersoonsgegevens.nl/sites/default/files/css/css_VD3KFnMvOkXOhpybJJAsM4E06dhkwzzaV7Fr5xNNOQU.css" media="print" /><link type="text/css" rel="stylesheet" href="https://autoriteitpersoonsgegevens.nl/sites/default/files/css/css_ReOU5p9fEDP2pfIeTzdGlfAJZ1egFj7V0NxiMTneYsc.css" media="screen" /></head><body class="html not-front not-logged-in no-sidebars page-node page-node- page-node-8106 node-type-news i18n-nl" ><header><div id="header-wrapper"><div id="logo"> <a href="/nl"><img alt="Homepage Dutch Data Protection Authority" src="/profiles/cbp/themes/cbp/src/img/ap_logo.png"></a></div><!-- SKIPLINKS --> <a class="skipLink" id="skipLinkMenu" href="#mainMenuSkip">To main navigation menu</a> <a class="skipLink" id="skipLinkMainContent" href="#mainContentSkip">To main content</a><div id="contrast-switch"> <a id="contrast-switcher" href="#" title="Increase contrast" ><img src="/profiles/cbp/themes/cbp/src/img/contrast_icon.png" alt="Increase contrast"></a></div><div id="language-switch"><ul><li> <a href="/nl" title="Dutch" class="selected"><abbr>NL</abbr></a></li><li> <a href="/en" title="English"><abbr>AND</abbr></a> </li></ul></div><div id="search-box-container"><form class="search-box" action="/nl/zoekresultaten" method="get" id="views-exposed-form-search-panel-pane-1-1" accept-charset="UTF-8"><div class="form-item form-type-select input-group form-item-sort-by"><select style="display: none;" id="edit-sort-by" name="sort_by" class="form-select"><option value="search_api_relevance_1" selected="selected"> Sort by</option><option value="cbp_date_1"> Date ascending</option><option value="cbp_date"> Date descending</option><option value="search_api_relevance"> Relevance </option></select></div><input type="hidden" name="cbp_date" value="" /><input type="hidden" name="cbp_date_1" value="" /><fieldset><legend> Search the entire site </legend><div class="field-container"><input class="text ctools-auto-submit-exclude auto_submit form-text form-autocomplete" title="Enter your search term" placeholder="Doorzoek de gehele site" size="" data-search-api-autocomplete-search="search_api_views_search" type="text" id="search_api_views_fulltext-1" name="search_api_views_fulltext" value="" maxlength="128" /><input type="hidden" id="search_api_views_fulltext-1-autocomplete" value="https://autoriteitpersoonsgegevens.nl/index.php?q=nl/search_api_autocomplete/search_api_views_search/body%3Asummary%20body%3Avalue%20field_display_title%20field_extra_search_terms%20field_intro%20field_linked_scald_atom%3Afield_case_number%20field_linked_scald_atom%3Afield_extra_search_terms%20field_linked_scald_atom%3Ascald_tags%3Adescription%20field_linked_scald_atom%3Ascald_tags%3Aname%20field_paragraphs%3Afield_paragraph_body%3Avalue%20field_paragraphs%3Afield_paragraph_title%20field_qa_themes%3Afield_qa_questions%3Afield_extra_search_terms%20field_qa_themes%3Afield_qa_questions%3Afield_qa_answer%3Afield_paragraph_body%3Avalue%20field_qa_themes%3Afield_qa_questions%3Afield_qa_answer%3Afield_paragraph_title%20field_qa_themes%3Afield_qa_questions%3Atitle%20field_qa_themes%3Atitle%20field_topics%3Atitle%20title%20search_api_views_fulltext" disabled="disabled" class="autocomplete" /><input class="submit form-submit" type="submit" id="edit-submit" name="op" value="Search" /></div></fieldset></form></div><div id="alert"> <a href="/nl/klacht" class="linkbutton">Report a complaint</a> </div></div></header><article><div class="center"><div id="breadcrumb-back" class="breadcrumb-container breadcrumb-hidden"><ol class="breadcrumb"><li><a class="back" href="#"></a></li></ol></div><div id="main-content" class=""><div class="main-content-article"><div id="mainContentSkip" tabindex="-1"></div><h1 class="generic">OLVG hospital fined for insufficient security of medical records</h1><div class="article-info"><div> <span class="type">News item</span> / <span class="date">11 February 2021</span></div><div class="category"> <span>Category:</span><ul><li class="first"> <a href="/nl/onderwerpen/beveiliging/beveiliging-van-persoonsgegevens">Security of personal data</a></li><li> <a href="/nl/onderwerpen/gezondheid/zorgverleners-en-de-avg">Healthcare providers and the GDPR</a></li><li class="last"> <a href="/nl/onderwerpen/gezondheid/medisch-dossier">Medical file</a></li></ul></div></div><p class="intro"> The Dutch Data Protection Authority (AP) imposes a fine of 440,000 euros on the Amsterdam hospital OLVG. The hospital had taken too few measures between 2018 and 2020 to prevent access by unauthorized employees to medical records. This was due to insufficient checks on who viewed which file and insufficient security of the computer systems. Following the investigation by the AP, the OLVG has implemented the required improvements.</p><p> 'You have to be able to trust that whatever you discuss with the doctor will remain in the doctor's office,' says AP vice president Monique Verdier. "Don't think about the fact that people who have no business there at all might just poke around the doctor's notes about you and your illness."</p><p> 'Patients must be able to assume that employees will only see medical records when necessary for their treatment. The OLVG took too few security measures to guarantee this. That is serious and that is why the AP is now imposing this fine on the OLVG. '</p><p> In addition to medical data, the files contain information such as social security numbers, addresses and telephone numbers. This data must also be well protected, due to the risks of identity fraud and phishing, for example.</p><h2> Two violations</h2><p> The AP started the investigation after a tip from a concerned citizen, signals from the media and two data breach reports from the OLVG, about working students and other employees who viewed medical files without this being necessary for their work.</p><p> After its investigation, the AP concluded that the OLVG was structurally not dealing properly with access to medical files. The AP saw two violations:</p><ul><li> The hospital must keep track of and regularly check who consults which file. For example, the hospital can indicate in good time when someone is consulting a file when this is not allowed and take measures against it. The OLVG did automatically keep track of which employee saw which medical file and when (logging), but did not check that logging often enough for unauthorized access.</li><li> Good security requires authentication with at least two factors. The identity of a user to gain access to a patient file is then established, for example, with a code or a password in combination with a staff card. The OLVG did not use this two-factor authentication in the hospital. Logging in outside the hospital was done via two-factor authentication.</li></ul><h2> 'Protection of patient data is crucial'</h2><p> 'It is precisely in healthcare, where the most sensitive personal data is in the systems, that we see many data leaks: in recent years, healthcare has always been in the top 3 of sectors with the most data breaches,' says Verdier.</p><p> 'While the protection of patient data is crucial. Patients share a lot of data with healthcare institutions and this is necessary, recently due to the corona crisis perhaps more than ever. People must then be able to trust that their data is safe. We therefore call on hospitals and other healthcare institutions to examine very carefully how they have arranged the protection of patient data and to improve it where necessary. '</p><p> Healthcare institutions can consult the AP site for <a href="/nl/onderwerpen/gezondheid/zorgverleners-en-de-avg" target="_blank">information about proper protection of personal data</a> .</p><h2> Improvements made</h2><p> During the investigation of the AP, the OLVG made improvements. From that moment on, the hospital systematically checks the logging and has since then arranged two-factor authentication in the hospital.</p><p> The hospital will not object or appeal against the fine of the AP. </p></div></div><div id="side-content" class=""><a name="publications"></a><div id="side-content-publications"><h2> Publications</h2><ul class="article-list"><li><div class="article-info"> <span class="type">Decision</span> / <span class="date">11 February 2021</span></div> <a href="https://autoriteitpersoonsgegevens.nl/sites/default/files/atoms/files/boetebesluit_olvg.pdf" class="download external"><span class="pdf">Download</span> <span class="linktitle">PDF OLVG Fine Decree</span> <span class="linkbutton">Download</span></a> </li></ul></div></div></div></article><nav><div class="center"><div id="mainnav"><div id="mainMenuSkip" tabindex="-1"></div><ul class="topnav"><li> <a href="/nl" title="Home">Home</a></li><li> <a href="https://autoriteitpersoonsgegevens.nl/nl/onderwerpen/corona">Corona</a></li><li class="foldout"> <a href="/nl/over-privacy">About privacy</a><ul class="subnav"><li> <a href="/nl/over-privacy/waarom-is-privacy-belangrijk">Why is privacy important?</a></li><li> <a href="/nl/over-privacy/jouw-privacy-voor-jongeren">Your privacy (for young people)</a></li><li> <a href="/nl/over-privacy/privacyverhalen" title="Privacy Stories">Privacy Stories</a></li><li> <a href="/nl/over-privacy/privacyblogs" title="Privacy blogs">Privacy blogs</a></li><li> <a href="/nl/over-privacy/persoonsgegevens">Personal data</a></li><li> <a href="/nl/over-privacy/wetten">Laws</a></li><li> <a href="/nl/over-privacy/het-werk-van-de-ap">The work of the Dutch Data Protection Authority</a></li></ul></li><li class="foldout"> <a href="/nl/onderwerpen" title="subjects">subjects</a><ul class="subnav"><li> <a href="/nl/onderwerpen/corona">Corona</a></li><li> <a href="/nl/onderwerpen/avg-europese-privacywetgeving">General information AVG</a></li><li> <a href="/nl/onderwerpen/beveiliging">Security</a></li><li> <a href="/nl/onderwerpen/financien" title="Finances">Finances</a></li><li> <a href="/nl/onderwerpen/foto-en-film" title="Photo and film">Photo and film</a></li><li> <a href="/nl/onderwerpen/gezondheid" title="Health">Health</a></li><li> <a href="/nl/onderwerpen/identificatie" title="Identification">Identification</a></li><li> <a href="/nl/onderwerpen/internationaal-gegevensverkeer" title="International data traffic">International data traffic</a></li><li> <a href="/nl/onderwerpen/internet-telefoon-tv-en-post">Internet, telephone, TV and post</a></li><li> <a href="/nl/onderwerpen/onderwijs" title="Education">Education</a></li><li> <a href="/nl/onderwerpen/overheid" title="Township">Government</a></li><li> <a href="/nl/onderwerpen/politie-en-justitie" title="Police and justice">Police and justice</a></li><li> <a href="/nl/onderwerpen/werk-en-uitkering" title="Work and benefits">Work and benefits</a></li></ul></li><li class="foldout"> <a href="/nl/zelf-doen" title="Do it yourself">Do it yourself</a><ul class="subnav"><li> <a href="/nl/zelf-doen/privacyrechten">Use your privacy rights</a></li><li> <a href="/nl/zelf-doen/voorbeeldbrieven-privacyrechten">Sample privacy rights letters</a></li><li> <a href="https://autoriteitpersoonsgegevens.nl/nl/aanmeldenfg">Register FG</a></li><li> <a href="/nl/zelf-doen/avg-guidelines" title="AVG guidelines">AVG guidelines</a></li><li> <a href="/nl/zelf-doen/avg-certificaat" title="AVG certificate">AVG certificate</a></li><li> <a href="/nl/zelf-doen/avg-gedragscode">GDPR Code of Conduct</a></li><li> <a href="/nl/zelf-doen/data-protection-impact-assessment-dpia">Data protection impact assessment (DPIA)</a></li><li> <a href="/nl/zelf-doen/voorafgaande-raadpleging">Prior consultation</a></li><li> <a href="/nl/zelf-doen/vergunning-aanvragen">Apply for a permit</a></li><li> <a href="/nl/zelf-doen/register-vergunningen">Permits register</a></li><li> <a href="/nl/zelf-doen/zwarte-lijst">Black list</a></li></ul></li><li class="foldout"> <a href="/nl/publicaties" title="Publications">Publications</a><ul class="subnav"><li> <a href="/nl/publicaties/feiten-en-cijfers-over-de-ap">Facts and figures about the AP</a></li><li> <a href="/nl/onderzoeken" title="To investigate">To investigate</a></li><li> <a href="/nl/publicaties/boetes-en-sancties">Fines and other penalties</a></li><li> <a href="/nl/publicaties/wob-besluiten">Wob decisions</a></li><li> <a href="/nl/wetgevingsadviezen" title="Legislative opinions">Legislative opinions</a></li><li> <a href="/nl/jaarverslagen" title="Annual reports">Annual reports</a></li></ul></li><li class="foldout"> <a href="/nl/melden">Contact</a><ul class="subnav"><li> <a href="https://autoriteitpersoonsgegevens.nl/nl/contact-met-de-autoriteit-persoonsgegevens/informatie-en-meldpunt-privacy">I have a question about the GDPR</a></li><li> <a href="https://autoriteitpersoonsgegevens.nl/nl/zelf-doen/privacyrechten/klacht-indienen-bij-de-ap">I want to report a privacy complaint</a></li><li> <a href="https://datalekken.autoriteitpersoonsgegevens.nl">I want to report a data breach</a></li><li> <a href="https://autoriteitpersoonsgegevens.nl/nl/aanmelden-nieuwsbrieven">I want to receive the newsletter</a></li><li> <a href="https://autoriteitpersoonsgegevens.nl/nl/contact-met-de-autoriteit-persoonsgegevens/contactgegevens-algemeen">General contact information</a></li><li> <a href="https://autoriteitpersoonsgegevens.nl/nl/contact-met-de-autoriteit-persoonsgegevens/informatie-voor-de-pers">Information for the press</a></li></ul></li><li> <a href="https://autoriteitpersoonsgegevens.nl/nl/onderwerpen/avg-europese-privacywetgeving/functionaris-gegevensbescherming-fg">Info for DPOs</a></li></ul> <a class="drop_menu" title="back to the menu">Menu</a></div></div></nav><footer><div class="center"><div class="footerblock"><h3> Contact with the Dutch Data Protection Authority</h3><ul class="linklist"><li> <a href="/nl/contact-met-de-autoriteit-persoonsgegevens/informatie-en-meldpunt-privacy">Information and Reporting Point Privacy</a></li><li> <a href="/nl/contact-met-de-autoriteit-persoonsgegevens/contactgegevens-algemeen">General contact details</a></li><li> <a href="/nl/contact-met-de-autoriteit-persoonsgegevens/informatie-voor-de-pers">Information for the press</a></li><li> <a href="/nl/contact-met-de-autoriteit-persoonsgegevens/de-fg-van-de-autoriteit-persoonsgegevens">Contact with the DPO of the AP</a></li><li> <a href="/nl/zelf-doen/gebruik-uw-privacyrechten/klacht-melden-bij-de-ap">Report a complaint</a></li><li> <a href="https://datalekken.autoriteitpersoonsgegevens.nl/actionpage?0">Report data breach</a></li><li><a href="/nl/contact-met-de-autoriteit-persoonsgegevens/klacht-over-de-autoriteit-persoonsgegevens">Complaint about the AP</a></li><li> <a href="/nl/contact-met-de-autoriteit-persoonsgegevens/bezwaar-maken-tegen-een-besluit" title="To object">Object to a decision</a></li></ul></div><div class="footerblock"><h3> About the Dutch Data Protection Authority</h3><ul class="linklist"><li> <a href="/nl/over-de-autoriteit-persoonsgegevens/organisatie">Organization</a></li><li> <a href="/nl/over-de-autoriteit-persoonsgegevens/missie-ambitie-kernwaarden">Mission, ambition, core values</a></li><li> <a href="/nl/over-de-autoriteit-persoonsgegevens/focus-ap-2020-2023">AP Focus 2020-2023</a></li><li> <a href="/nl/over-de-autoriteit-persoonsgegevens/taken-en-bevoegdheden">Duties and powers</a></li><li> <a href="/nl/over-de-autoriteit-persoonsgegevens/het-bestuur-van-de-autoriteit-persoonsgegevens">The board of the AP</a></li><li> <a href="/nl/over-de-autoriteit-persoonsgegevens/nationale-samenwerking">National cooperation</a></li><li> <a href="/nl/over-de-autoriteit-persoonsgegevens/internationale-samenwerking">International cooperation</a></li><li> <a href="/nl/over-de-autoriteit-persoonsgegevens/werken-bij-de-autoriteit-persoonsgegevens">Working at the AP</a></li></ul></div><div class="footerblock"><h3> Privacy & about this site</h3><ul class="linklist"><li> <a href="/nl/privacy-over-deze-site/privacyverklaring-autoriteit-persoonsgegevens" title="Privacy statement AP">Privacy statement AP</a></li><li> <a href="https://autoriteitpersoonsgegevens.nl/sites/default/files/atoms/files/privacybeleid_ap_okt_2019.pdf">Privacy policy AP</a></li><li> <a href="https://autoriteitpersoonsgegevens.nl/sites/default/files/atoms/files/ap_verwerkingsregister_juni_2020.pdf">Processing register AP</a></li><li> <a href="/nl/privacy-over-deze-site/cookieverklaring">Cookie statement</a></li><li> <a href="/nl/over-deze-site/publiciteitsbeleid">Publicity policy</a></li><li> <a href="/nl/over-deze-site/copyright">Copyright</a></li><li> <a href="/nl/privacy-over-deze-site/disclaimer">Disclaimer</a></li><li> <a href="/nl/privacy-over-deze-site/toegankelijkheid">Accessibility</a></li><li> <a href="https://autoriteitpersoonsgegevens.nl/nl/rss">RSS</a></li><li> <a href="https://autoriteitpersoonsgegevens.nl/nl/aanmelden-nieuwsbrieven">Subscribe to newsletters</a></li><li> <a href="https://autoriteitpersoonsgegevens.nl/nl/afmelden-nieuwsbrieven">Unsubscribe from newsletters</a> </li></ul></div></div></footer><script type="text/javascript" src="https://autoriteitpersoonsgegevens.nl/sites/default/files/js/js_dMlv91-WqHpW4RNI9DLymtuvRG59Ep1kATVRcEl0u6I.js"></script><script type="text/javascript" src="https://autoriteitpersoonsgegevens.nl/sites/default/files/js/js_Xk8TsyNfILciPNmQPp9sl88cjH71DQWyeHE0MB62KO4.js"></script><script type="text/javascript" src="https://autoriteitpersoonsgegevens.nl/sites/default/files/js/js_5aaEJDT1Wbn_U23UMb5pg5MgdUTJ4z2w4EXp5Bm-s5Q.js"></script><script type="text/javascript" src="https://autoriteitpersoonsgegevens.nl/sites/default/files/js/js_iMQOhl7FDU5EmAHplneFqG5Tz1oSZvWXMlv4zPNaPCI.js"></script><script type="text/javascript"> <!--//--><![CDATA[//><!-- jQuery.extend(Drupal.settings, {"basePath":"\/","pathPrefix":"nl\/","ajaxPageState":{"theme":"cbp","theme_token":"qcnjUk4_3rwMcRTby8B_9oZAeo7lSJkBCCIaute_fJs","jquery_version":"1.7","js":{"profiles\/cbp\/themes\/cbp\/js\/cbp_external_links.js":1,"profiles\/cbp\/themes\/cbp\/js\/cbp_placeholder.js":1,"profiles\/cbp\/themes\/cbp\/js\/cbp_related_search_links.js":1,"profiles\/cbp\/themes\/cbp\/js\/jquery.tabSlideOut.v1.3.js":1,"profiles\/cbp\/themes\/cbp\/js\/edit_sidebar.js":1,"profiles\/cbp\/themes\/cbp\/js\/cbp_autocomplete_overwrite.js":1,"profiles\/cbp\/themes\/cbp\/src\/templates\/behaviour\/libs\/idangerous.swiper-2.6.min.js":1,"profiles\/cbp\/themes\/cbp\/src\/templates\/behaviour\/libs\/raphael-min.js":1,"profiles\/cbp\/themes\/cbp\/src\/templates\/behaviour\/libs\/g.raphael.js":1,"profiles\/cbp\/themes\/cbp\/src\/templates\/behaviour\/libs\/g.pie.js":1,"profiles\/cbp\/themes\/cbp\/src\/templates\/behaviour\/libs\/video-js\/video.js":1,"profiles\/cbp\/themes\/cbp\/src\/templates\/behaviour\/plugins.js":1,"profiles\/cbp\/themes\/cbp\/src\/templates\/behaviour\/engine.js":1,"profiles\/cbp\/themes\/cbp\/src\/templates\/behaviour\/frontpage-swiper-engine.js":1,"profiles\/cbp\/themes\/cbp\/src\/templates\/behaviour\/frontpage-subjects-swiper-engine.js":1,"profiles\/cbp\/themes\/cbp\/src\/templates\/behaviour\/normal-subjects-swiper-engine.js":1,"profiles\/cbp\/modules\/contrib\/jquery_update\/replace\/jquery\/1.7\/jquery.min.js":1,"misc\/jquery-extend-3.4.0.js":1,"misc\/jquery.once.js":1,"misc\/drupal.js":1,"misc\/ajax.js":1,"profiles\/cbp\/modules\/contrib\/jquery_update\/js\/jquery_update.js":1,"public:\/\/languages\/nl_ArqMxmzZx4vTfSmHJU8q_DQcJ3zqgd-vjIEVEDXW7u4.js":1,"misc\/progress.js":1,"profiles\/cbp\/modules\/custom\/cbp_panels\/js\/jquery.history.js":1,"profiles\/cbp\/modules\/custom\/cbp_panels\/js\/topic_slider.js":1,"profiles\/cbp\/modules\/custom\/cbp_panels\/js\/backbutton.js":1,"misc\/autocomplete.js":1,"profiles\/cbp\/modules\/contrib\/webform\/js\/webform.js":1,"profiles\/cbp\/modules\/contrib\/search_api_autocomplete\/search_api_autocomplete.js":1,"profiles\/cbp\/themes\/cbp\/src\/templates\/behaviour\/libs\/modernizr.dev.js":1,"profiles\/cbp\/themes\/cbp\/src\/templates\/behaviour\/head.js":1},"css":{"modules\/field\/theme\/field.css":1,"profiles\/cbp\/modules\/contrib\/scald_file\/scald_file.css":1,"profiles\/cbp\/modules\/contrib\/ctools\/css\/ctools.css":1,"profiles\/cbp\/modules\/contrib\/panels\/css\/panels.css":1,"profiles\/cbp\/modules\/custom\/cbp_panels\/layouts\/twocols\/twocols.css":1,"profiles\/cbp\/modules\/contrib\/search_api_autocomplete\/search_api_autocomplete.css":1,"profiles\/cbp\/themes\/cbp\/src\/templates\/presentation\/screen.css":1,"profiles\/cbp\/themes\/cbp\/src\/templates\/presentation\/ie7.css":1,"profiles\/cbp\/themes\/cbp\/src\/templates\/presentation\/ie9.css":1,"profiles\/cbp\/themes\/cbp\/css\/edit-sidebar.css":1,"profiles\/cbp\/themes\/cbp\/src\/templates\/presentation\/print.css":1,"profiles\/cbp\/themes\/cbp\/css\/override-print.css":1,"profiles\/cbp\/themes\/cbp\/css\/system.base.css":1,"profiles\/cbp\/themes\/cbp\/css\/alerts.css":1,"profiles\/cbp\/themes\/cbp\/src\/templates\/behaviour\/libs\/video-js\/video-js.min.css":1,"profiles\/cbp\/themes\/cbp\/css\/overrides.css":1,"profiles\/cbp\/themes\/cbp\/css\/override-form.css":1}},"backs":{"search":{"text":"Terug naar de zoekresultaten","link":"javascript:history.back();"},"subtopic-7682":{"text":"Terug naar Privacy \u0026 corona","link":"https:\/\/autoriteitpersoonsgegevens.nl\/nl\/onderwerpen\/corona\/privacy-corona"},"subtopic-7740":{"text":"Terug naar Temperaturen tijdens corona","link":"https:\/\/autoriteitpersoonsgegevens.nl\/nl\/onderwerpen\/corona\/temperaturen-tijdens-corona"},"subtopic-8019":{"text":"Terug naar Sneltesten tijdens corona","link":"https:\/\/autoriteitpersoonsgegevens.nl\/nl\/onderwerpen\/corona\/sneltesten-tijdens-corona"},"subtopic-8001":{"text":"Terug naar Gezondheidscheck en contactgegevens","link":"https:\/\/autoriteitpersoonsgegevens.nl\/nl\/onderwerpen\/corona\/gezondheidscheck-en-contactgegevens"},"subtopic-7731":{"text":"Terug naar Onderwijs tijdens corona","link":"https:\/\/autoriteitpersoonsgegevens.nl\/nl\/onderwerpen\/corona\/onderwijs-tijdens-corona"},"subtopic-7684":{"text":"Terug naar Veilig thuiswerken tijdens corona","link":"https:\/\/autoriteitpersoonsgegevens.nl\/nl\/onderwerpen\/corona\/veilig-thuiswerken-tijdens-corona"},"subtopic-7685":{"text":"Terug naar Corona op de werkvloer","link":"https:\/\/autoriteitpersoonsgegevens.nl\/nl\/onderwerpen\/corona\/corona-op-de-werkvloer"},"subtopic-5805":{"text":"Terug naar Introductie AVG","link":"https:\/\/autoriteitpersoonsgegevens.nl\/nl\/onderwerpen\/algemene-informatie-avg\/algemene-informatie-avg"},"subtopic-6307":{"text":"Terug naar Mag u persoonsgegevens verwerken? ","link":"https:\/\/autoriteitpersoonsgegevens.nl\/nl\/onderwerpen\/algemene-informatie-avg\/mag-u-persoonsgegevens-verwerken"},"subtopic-5806":{"text":"Terug naar Rechten van betrokkenen","link":"https:\/\/autoriteitpersoonsgegevens.nl\/nl\/onderwerpen\/algemene-informatie-avg\/rechten-van-betrokkenen"},"subtopic-7416":{"text":"Terug naar Verwerkers","link":"https:\/\/autoriteitpersoonsgegevens.nl\/nl\/onderwerpen\/algemene-informatie-avg\/verwerkers"},"subtopic-6098":{"text":"Terug naar Verantwoordingsplicht","link":"https:\/\/autoriteitpersoonsgegevens.nl\/nl\/onderwerpen\/algemene-informatie-avg\/verantwoordingsplicht"},"subtopic-5814":{"text":"Terug naar Functionaris gegevensbescherming (FG)","link":"https:\/\/autoriteitpersoonsgegevens.nl\/nl\/onderwerpen\/algemene-informatie-avg\/functionaris-gegevensbescherming-fg"},"subtopic-2105":{"text":"Terug naar Beveiliging van persoonsgegevens","link":"https:\/\/autoriteitpersoonsgegevens.nl\/nl\/onderwerpen\/beveiliging\/beveiliging-van-persoonsgegevens"},"subtopic-7316":{"text":"Terug naar Acties bij datalekken","link":"https:\/\/autoriteitpersoonsgegevens.nl\/nl\/onderwerpen\/beveiliging\/acties-bij-datalekken"},"subtopic-5247":{"text":"Terug naar Meldplicht datalekken","link":"https:\/\/autoriteitpersoonsgegevens.nl\/nl\/onderwerpen\/beveiliging\/meldplicht-datalekken"},"subtopic-1730":{"text":"Terug naar Belastingdienst","link":"https:\/\/autoriteitpersoonsgegevens.nl\/nl\/onderwerpen\/financien\/belastingdienst"},"subtopic-1940":{"text":"Terug naar Financi\u00eble ondernemingen","link":"https:\/\/autoriteitpersoonsgegevens.nl\/nl\/onderwerpen\/financien\/financiele-ondernemingen"},"subtopic-6852":{"text":"Terug naar Betaaldiensten","link":"https:\/\/autoriteitpersoonsgegevens.nl\/nl\/onderwerpen\/financien\/betaaldiensten"},"subtopic-1946":{"text":"Terug naar Krediet, inkomen en faillisement","link":"https:\/\/autoriteitpersoonsgegevens.nl\/nl\/onderwerpen\/financien\/krediet-inkomen-en-faillisement"},"subtopic-1956":{"text":"Terug naar Slimme energiemeter","link":"https:\/\/autoriteitpersoonsgegevens.nl\/nl\/onderwerpen\/financi%C3%ABn\/slimme-energiemeter"},"subtopic-7290":{"text":"Terug naar Beeldmateriaal","link":"https:\/\/autoriteitpersoonsgegevens.nl\/nl\/onderwerpen\/foto-en-film\/beeldmateriaal"},"subtopic-1866":{"text":"Terug naar Camera\u0027s bij huis en bij de buren","link":"https:\/\/autoriteitpersoonsgegevens.nl\/nl\/onderwerpen\/foto-en-film\/cameras-bij-huis-en-bij-de-buren"},"subtopic-1727":{"text":"Terug naar Cameratoezicht op openbare plaatsen","link":"https:\/\/autoriteitpersoonsgegevens.nl\/nl\/onderwerpen\/foto-en-film\/cameratoezicht-op-openbare-plaatsen"},"subtopic-1859":{"text":"Terug naar Cameratoezicht op de werkplek","link":"https:\/\/autoriteitpersoonsgegevens.nl\/nl\/onderwerpen\/cameratoezicht\/cameratoezicht-op-de-werkplek"},"subtopic-1724":{"text":"Terug naar Cameratoezicht op school","link":"https:\/\/autoriteitpersoonsgegevens.nl\/nl\/onderwerpen\/foto-en-film\/cameratoezicht-op-school"},"subtopic-1863":{"text":"Terug naar Cameratoezicht in winkels, horeca en sportclubs","link":"https:\/\/autoriteitpersoonsgegevens.nl\/nl\/onderwerpen\/cameratoezicht\/cameratoezicht-winkels-horeca-en-sportclubs"},"subtopic-5192":{"text":"Terug naar Cameratoezicht in een zorginstelling","link":"https:\/\/autoriteitpersoonsgegevens.nl\/nl\/onderwerpen\/cameratoezicht\/cameratoezicht-een-zorginstelling"},"subtopic-1870":{"text":"Terug naar Cameratoezicht in het verkeer","link":"https:\/\/autoriteitpersoonsgegevens.nl\/nl\/onderwerpen\/cameratoezicht\/cameratoezicht-in-het-verkeer"},"subtopic-6163":{"text":"Terug naar Zorgverleners en de AVG","link":"https:\/\/autoriteitpersoonsgegevens.nl\/nl\/onderwerpen\/gezondheid\/zorgverleners-en-de-avg"},"subtopic-4407":{"text":"Terug naar Medische gegevens gebruiken en delen","link":"https:\/\/autoriteitpersoonsgegevens.nl\/nl\/onderwerpen\/gezondheid\/medische-gegevens-gebruiken-en-delen"},"subtopic-1721":{"text":"Terug naar Medisch dossier","link":"https:\/\/autoriteitpersoonsgegevens.nl\/nl\/onderwerpen\/gezondheid\/medisch-dossier"},"subtopic-4408":{"text":"Terug naar Zorgverzekeraars","link":"https:\/\/autoriteitpersoonsgegevens.nl\/nl\/onderwerpen\/gezondheid\/zorgverzekeraars"},"subtopic-1732":{"text":"Terug naar Identiteitsbewijs","link":"https:\/\/autoriteitpersoonsgegevens.nl\/nl\/onderwerpen\/identificatie\/identiteitsbewijs"},"subtopic-1731":{"text":"Terug naar Burgerservicenummer (BSN)","link":"https:\/\/autoriteitpersoonsgegevens.nl\/nl\/onderwerpen\/identificatie\/burgerservicenummer-bsn"},"subtopic-1880":{"text":"Terug naar Biometrie","link":"https:\/\/autoriteitpersoonsgegevens.nl\/nl\/onderwerpen\/identificatie\/biometrie"},"subtopic-8064":{"text":"Terug naar Brexit","link":"https:\/\/autoriteitpersoonsgegevens.nl\/nl\/onderwerpen\/internationaal-gegevensverkeer\/brexit"},"subtopic-1712":{"text":"Terug naar Doorgifte binnen en buiten de EU","link":"https:\/\/autoriteitpersoonsgegevens.nl\/nl\/onderwerpen\/internationaal-gegevensverkeer\/doorgifte-binnen-en-buiten-de-eu"},"subtopic-5807":{"text":"Terug naar Een-loketmechanisme","link":"https:\/\/autoriteitpersoonsgegevens.nl\/nl\/onderwerpen\/avg-europese-privacywetgeving\/een-loketmechanisme-onestopshop"},"subtopic-8079":{"text":"Terug naar European Data Protection Board","link":"https:\/\/autoriteitpersoonsgegevens.nl\/nl\/onderwerpen\/internationaal-gegevensverkeer\/european-data-protection-board"},"subtopic-1739":{"text":"Terug naar Binding corporate rules","link":"https:\/\/autoriteitpersoonsgegevens.nl\/nl\/onderwerpen\/internationaal-gegevensverkeer\/binding-corporate-rules"},"subtopic-4420":{"text":"Terug naar Passagiersgegevens","link":"https:\/\/autoriteitpersoonsgegevens.nl\/nl\/onderwerpen\/internationaal-gegevensverkeer\/passagiersgegevens"},"subtopic-1733":{"text":"Terug naar Internet en telecom","link":"https:\/\/autoriteitpersoonsgegevens.nl\/nl\/onderwerpen\/internet-telefoon-tv-en-post\/internet-en-telecom"},"subtopic-4415":{"text":"Terug naar Persoonsgegevens op internet","link":"https:\/\/autoriteitpersoonsgegevens.nl\/nl\/onderwerpen\/internet-telefoon-tv-en-post\/persoonsgegevens-op-internet"},"subtopic-6825":{"text":"Terug naar Direct marketing","link":"https:\/\/autoriteitpersoonsgegevens.nl\/nl\/onderwerpen\/internet-telefoon-tv-en-post\/direct-marketing"},"subtopic-7279":{"text":"Terug naar Internet of things","link":"https:\/\/autoriteitpersoonsgegevens.nl\/nl\/onderwerpen\/internet-telefoon-tv-en-post\/internet-things"},"subtopic-2077":{"text":"Terug naar Cookies","link":"https:\/\/autoriteitpersoonsgegevens.nl\/nl\/onderwerpen\/internet-telefoon-tv-en-post\/cookies"},"subtopic-1734":{"text":"Terug naar Smartphones en apps","link":"https:\/\/autoriteitpersoonsgegevens.nl\/nl\/onderwerpen\/internet-telefoon-tv-en-post\/smartphones-en-apps"},"subtopic-4416":{"text":"Terug naar Digitale televisie en smart tv\u0027s","link":"https:\/\/autoriteitpersoonsgegevens.nl\/nl\/onderwerpen\/internet-telefoon-tv-en-post\/digitale-televisie-en-smart-tvs"},"subtopic-6104":{"text":"Terug naar Gebruik van persoonsgegevens in het onderwijs","link":"https:\/\/autoriteitpersoonsgegevens.nl\/nl\/onderwerpen\/onderwijs\/gebruik-van-persoonsgegevens-het-onderwijs"},"subtopic-1723":{"text":"Terug naar Leerlingdossiers","link":"https:\/\/autoriteitpersoonsgegevens.nl\/nl\/onderwerpen\/onderwijs\/leerlingdossiers"},"subtopic-7600":{"text":"Terug naar Overheid \u0026 de AVG","link":"https:\/\/autoriteitpersoonsgegevens.nl\/nl\/onderwerpen\/overheid\/overheid-de-avg"},"subtopic-7843":{"text":"Terug naar Archivering door de overheid","link":"https:\/\/autoriteitpersoonsgegevens.nl\/nl\/onderwerpen\/overheid\/archivering-door-de-overheid"},"subtopic-1680":{"text":"Terug naar Gemeenten","link":"https:\/\/autoriteitpersoonsgegevens.nl\/nl\/onderwerpen\/overheid\/gemeenten"},"subtopic-4419":{"text":"Terug naar Sociaal domein","link":"https:\/\/autoriteitpersoonsgegevens.nl\/nl\/onderwerpen\/overheid\/sociaal-domein"},"subtopic-6082":{"text":"Terug naar Jeugdhulp","link":"https:\/\/autoriteitpersoonsgegevens.nl\/nl\/onderwerpen\/overheid\/jeugdhulp"},"subtopic-1682":{"text":"Terug naar Basisregistratie Personen (BRP)","link":"https:\/\/autoriteitpersoonsgegevens.nl\/nl\/onderwerpen\/overheid\/basisregistratie-personen-brp"},"subtopic-1681":{"text":"Terug naar Vereniging en kerk","link":"https:\/\/autoriteitpersoonsgegevens.nl\/nl\/onderwerpen\/overheid\/vereniging-en-kerk"},"subtopic-8003":{"text":"Terug naar Voor professionals ","link":"https:\/\/autoriteitpersoonsgegevens.nl\/nl\/onderwerpen\/politie-en-justitie\/voor-professionals"},"subtopic-4411":{"text":"Terug naar Politie","link":"https:\/\/autoriteitpersoonsgegevens.nl\/nl\/onderwerpen\/politie-justitie\/politie"},"subtopic-4413":{"text":"Terug naar Bijzondere opsporing","link":"https:\/\/autoriteitpersoonsgegevens.nl\/nl\/onderwerpen\/politie-justitie\/bijzondere-opsporing"},"subtopic-4412":{"text":"Terug naar Justitie","link":"https:\/\/autoriteitpersoonsgegevens.nl\/nl\/onderwerpen\/politie-justitie\/justitie"},"subtopic-4410":{"text":"Terug naar Europol en Eurojust","link":"https:\/\/autoriteitpersoonsgegevens.nl\/nl\/onderwerpen\/politie-justitie\/europol-en-eurojust"},"subtopic-4414":{"text":"Terug naar Europese informatiesystemen","link":"https:\/\/autoriteitpersoonsgegevens.nl\/nl\/onderwerpen\/politie-justitie\/europese-informatiesystemen"},"subtopic-6909":{"text":"Terug naar Particuliere recherche","link":"https:\/\/autoriteitpersoonsgegevens.nl\/nl\/onderwerpen\/politie-en-justitie\/particuliere-recherche"},"subtopic-7453":{"text":"Terug naar Mijn zieke werknemer","link":"https:\/\/autoriteitpersoonsgegevens.nl\/nl\/onderwerpen\/werk-en-uitkering\/mijn-zieke-werknemer"},"subtopic-1737":{"text":"Terug naar Mijn privacy bij ziekte","link":"https:\/\/autoriteitpersoonsgegevens.nl\/nl\/onderwerpen\/werk-en-uitkering\/mijn-privacy-bij-ziekte"},"subtopic-2049":{"text":"Terug naar Sollicitaties","link":"https:\/\/autoriteitpersoonsgegevens.nl\/nl\/onderwerpen\/werk-uitkering\/sollicitaties"},"subtopic-2050":{"text":"Terug naar Screening","link":"https:\/\/autoriteitpersoonsgegevens.nl\/nl\/onderwerpen\/werk-uitkering\/screening"},"subtopic-2051":{"text":"Terug naar Controle van werknemers","link":"https:\/\/autoriteitpersoonsgegevens.nl\/nl\/onderwerpen\/werk-uitkering\/controle-van-personeel"},"subtopic-1738":{"text":"Terug naar Personeelsdossiers","link":"https:\/\/autoriteitpersoonsgegevens.nl\/nl\/onderwerpen\/werk-en-uitkering\/personeelsdossiers"},"subtopic-4588":{"text":"Terug naar Verstrekken van personeelsgegevens","link":"https:\/\/autoriteitpersoonsgegevens.nl\/nl\/onderwerpen\/werk-en-uitkering\/verstrekken-van-personeelsgegevens"},"subtopic-2053":{"text":"Terug naar Ondernemingsraad","link":"https:\/\/autoriteitpersoonsgegevens.nl\/nl\/onderwerpen\/werk-uitkering\/ondernemingsraad"},"subtopic-2054":{"text":"Terug naar Uitkering","link":"https:\/\/autoriteitpersoonsgegevens.nl\/nl\/onderwerpen\/werk-uitkering\/uitkering"}},"urlIsAjaxTrusted":{"\/nl\/zoekresultaten":true},"theme_base_path":"profiles\/cbp\/themes\/cbp"}); //--><!]]> </script><script type="text/javascript" src="https://autoriteitpersoonsgegevens.nl/sites/default/files/js/js_6Xa3otBMQzR9BLBh4gyNPzsaTEUoNBqL31bjHSJyOWs.js"></script></body></html>