The Netherlands Cancer Institute (Locally and formally known as Het Nederlands Kankerinstituut – Antoni van Leeuwenhoekziekenhuis; henceforth: NKI) is committed to the protection of personal data. The NKI processes the personal details of its patients, employees, and other parties involved with the hospital, such as patient contact persons, visitors to the NKI, newsletter subscribers, training program participants, volunteers, and suppliers. This privacy statement offers more information on our ways of handling and processing this personal data. Personal data is protected by law – the Medical Treatment Agreement Act (Wet inzake de geneeskundige behandelingsovereenkomst; WGBO) and the General Data Protection Regulation (EU GDPR). This privacy statement is in accordance with the data protection principles under the GDPR.
Which party is responsible for processing your personal data?
The NKI is responsible for processing your personal data. The NKI Data Protection Officer (Functionaris Gegevensbescherming; DPO) ensures that all data is processed in accordance with all rules and regulations that apply. You can contact the DPO at firstname.lastname@example.org.
What patient data do we processed at the institute?
The NKI processes the following personal patient data:
- Name, first name(s), initials, titles, social security number (BSN), gender, date of birth, address, postal code, place of residence, telephone number, e-mail address (if applicable), bank account number;
- Administration number;
- All data mentioned under 1 belonging to the parent(s) or legal caretaker(s) of underage patients;
- All data mentioned under 1 belonging to your family members;
- All data mentioned under 1 belonging to other involved parties who will need to be informed about your health and wellbeing;
- Data concerning your health;
- Data concerning the health of your family members in the case of hereditary disorders;
- Sensitive personal data concerning, for example, your ethnicity, religion or beliefs, or sexual history that is essential to your treatment or care;
- Data concerning your previous and current treatment, including imaging and body materials, drugs, or provisions;
- Data concerning the calculating, registering, and collecting of payment;
- Data concerning your insurance;
- Other data necessary to the practice of the profession as outlined in the Dutch Individual Health Care Professions Act (Wet op de Beroepen in de individuele gezondheidszorg; Wet BIG);
- Data concerning the use of the NKI WIFI network, such as the IP address, device specifications, and websites visited.
What personal data belonging to other involved parties do we process?
We process the contact information (such as names and e-mail addresses) of other parties involved. These parties include contact persons, newspaper subscribers, training program participants, volunteers, or suppliers. We process the IP addresses of all visitors using the NKI WIFI network, including the hostname (the name you gave the device), MAC address, the moment you connected and were given a local IP, all websites visited, and network protocols used. We also use cameras at our hospital that will record all visitors.
For which purposes do we process your personal data?
The NKI processes the personal data of patients in order to perform the medical tasks as defined in the treatment agreement. Your personal data will be stored in an electronic patient file. Personal data will be processed for quality and safety purposes to give you the best care possible. We process personal data in order to calculate, register, and collect treatment payment, and to handle complaints, disagreements, incidents, and calamities. The NKI provides personal data for the sake of audits, responsible business operations, legal tasks and/or responsibilities, and as part of the physical checks by health insurance providers, Your personal data will be used for scientific research, statistical analysis, or educational purposes in order to improve care. Finally, your personal data will be processed in order to deliver all requested information, guarantee the continuation and security of our network, and the protection of employees and visitors of the NKI.
The NKI processes your personal data in order to deliver the best care possible while complying with its legal obligations, such as the Healthcare Quality, Complaints and Disputes Act (Wet kwaliteit, klachten en geschillen zorg) and Healthcare Insurance Act (Zorgverzekeringswet). We process your personal data, imaging, and (remaining) body materials for medical scientific purposes. The specific purposes depend on the type of research and its purposes. We only process data that is relevant to the study. Please find an overview of several studies conducted over the past years on our website, (https://www.nki.nl).
Personal data of other parties involved
The NKI processes personal data recorded by cameras at our institute that have been placed for the protection of employees and visitors to the NKI and/or to prevent damage of NKI property and/or to locate people who may have committed a crime or illegitimate act.
On what grounds do we process your personal data?
- Data processing is essential for the performance of an agreement of which you are part, such as the medical treatment agreement, educational agreement, or an agreement with a supplier;
- You have given us explicit consent for the processing of your data. This includes registering as a contact person, or signing up for our newsletter;
- Data processing is essential to comply with The NKI’s legal obligations, such as in the case of a court order;
- Data processing is essential to protect your vital interests, such as when bringing in health care providers in case of a calamity;
- Data processing is essential for the legitimate interest of the NKI, such as measures in order to ascertain occupational safety.
How long will we store your personal data?
We will only process your personal data if this is necessary for the purposes as outlined in this privacy statement. When your personal data is no longer deemed relevant, we will destroy or anonymize your data. All data we receive from you as part of our treatment agreement as well as all data we receive from you as a patient contact person will be added to the patient’s medical file. We are required by law to keep these medical records for a period of 20 years or longer following the treatment agreement. We can keep these details for longer if this is legally required or essential for adequate care or treatment. All data processed for the purpose of medical studies and/or improvement of our care will be stored as long as required for its research purposes.
With the volunteer’s consent, all contact details and the date of termination will be stored after the aforementioned retention period on behalf of relations management.
All logging details of the WIFI network or websites visited will be stored for 20 days. All camera recordings will be stored for four weeks (unless a crime was recorded, in which case the images will be stored as proof).
Who will receive my personal data?
We will also send third parties your personal data if required by law or court decision, or if essential to protect your vital interests.
Will your personal data be processed outside of the EEA?
The NKI may share your personal details with parties outside of the European Economic Area (EEA). Before sharing data with these parties, the NKI will thoroughly consider the level of protection of the concerning country. The NKI will sign an agreement with these parties, which will further outline the research goal for which the personal data is required, as well as the ways in which the data can be processed and which safety measures should be used.
Your IP address will be shared with parties outside of the European Union – including the US – through a cookie placement. We have an agreement will all third parties concerning the purposes of data processing, how all data should be processed, and what safety measures should be used.
How do we protect your personal data?
We have taken the appropriate technical safety measures or had them taken, to protect your data from loss or illegitimate use. We protect our systems in accordance with the current standards of information protection and we have established relevant agreements with all our service providers.
When possible, personal data used for research or health care improvements will be anonymized or pseudonymized, after which, no one will be able to connect your processed personal data to you. At the NKI, your personal data will only be accessible to the parties permitted to process personal data. In terms of your treatment agreement, these parties will be your doctors and nurses as well as employees at our financial department. They are sworn to secrecy regarding all personal data they process unless required to share by law or court order.
Automated decision-making and profiling
Automated decision-making and profiling currently do not apply to treatment agreements nor medical scientific research or improvements of health care.
Your rights as a patient concerning your personal data
The General Data Protection Regulation (GDPR) has documented the rights of parties involved. Some of these rights cannot be fully called upon if doing so may damage your health or the health of others. Please find a clarification of your rights below.
- Right to inspect. You can view your patient file and request a copy.
- Right to data portability. You can request the NKI to send all details you have digitally provided to other organizations. This includes data entered in ‘Mijn AVL’.
- Right to rectification. You can request the NKI to change your personal details, such as your address.
- Right to object. You can object to the processing of your personal data.
- Right to erasure. You can ask the NKI to erase your patient file or a part thereof. We may not be able to comply, such as in the case of potential damage to you or third parties. We can also object to erasure if erasure is at odds with legislature.
To exercise your rights, please contact us through email@example.com. We will ask for identification before we can comply with your request.
The NKI is committed to the protection of your personal data. If you have any questions about the ways in which we process your personal data, please contact our Data Protection Officer at firstname.lastname@example.org or our Patient Information Center in the NKI central hall (Plesmanlaan 121 in Amsterdam), or call +31 (0)20 – 512 9111.
If you have a complaint about the protection of your personal data, please contact the Data Protection Officer through the email address mentioned above. You can also raise your issue with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens; Dutch DPA).
NKI reserves the right to change this Privacy Statement at any time. We recommend regularly consulting this statement.
Version dated: April 26, 2019