What is personal data?
According to the Dutch Data Protection Act (DPA), personal data are defined as any information relating to an identified or identifiable natural person (cf. Article 1(a)). As the Act itself leaves open who must be able to identify the data subject, the Guidelines to the DPA state that:
[Whether a person is identifiable] depends on the possibilities the controller has at his disposal. If actual identification is reasonably excluded because of encryption of the data and/or agreements about the access to the data, the person is not identifiable. The actual situation is always the determining factor (Ministry of Justice, Guidelines for Personal Data Processors 2001:14).
What is sensitive personal data?
Sensitive personal data (special personal data, cf. Article 16 of the DPA) are defined as information relating to a person's:
· religion or philosophy of life,
· race,
· political persuasion,
· health and sexual life,
· trade union membership,
· criminal behaviour,
· unlawful or objectionable conduct connected with a ban imposed with regard to such conduct.
Conditions for the processing of personal data
The conditions for the lawful processing of personal data in general are set out in Chapter 2, Section 1 of the DPA. Unless one of the alternative legal grounds applies, the processing must be based on the data subject's unambiguously given consent (see also Conditions for consent). Moreover, it is required (among other things) that:
· Personal data shall be processed in accordance with the law and in a proper and careful manner.
· Personal data shall be collected for specific, explicitly defined and legitimate purposes.
· Personal data shall only be processed where, given the purposes for which it is collected or subsequently processed, they are adequate, relevant and not excessive.
· The data controller shall take the necessary steps to ensure that personal data, given the purposes for which it is collected or subsequently processed, are correct and accurate.
· The data controller shall implement appropriate technical and organisational measures to secure personal data against loss or against any form of unlawful processing. These measures shall guarantee an appropriate level of security, taking into account the state of the art and the costs of implementation, and having regard to the risks associated with the processing and the nature of the data to be protected. These measures shall also aim at preventing unnecessary collection and further processing of personal data.
· Anyone involved in processing personal data must sign a confidentiality statement in respect of the personal data; this includes temporary employment agency workers, student assistants, etc. who help process the data (de Cock Buning et al. 2009).
The DPA also imposes a number of separate obligations and restrictions on the data controller that engages a data processor to process personal data on its behalf. The Act states that (cf. Articles 14 and 15):
· The data controller shall ascertain that the processor provides sufficient guarantees in respect of technical and organisational security
· The carrying out of processing by a processor shall be governed by an agreement that creates enforceable obligations between the processor and the data controller
· The data controller shall make sure that the processor:
o processes the personal data only on the data controller’s instructions
o fulfils the security obligations incumbent upon the data controller in accordance with the DPA (cf. Article 13)
· Where the processor is established in another country of the European Union, the data controller shall make sure that the processor complies with the laws of that other country
· The parts of the agreement relating to personal data protection and the security measures shall be set down in writing or in another equivalent form
· The data controller must actually supervise the fulfilment of these security obligations, and must stipulate the right to do so in the contract (cf. Ministry of Justice, Guidelines for Personal Data Processors 2001:42)
Obligation to notify the supervisory authority
The Dutch Data Protection Authority (College Bescherming Persoonsgegevens (CBP)) or the data controller's appointed data protection officer must be notified of the processing of personal data, unless the specific processing has been exempted from the notification obligation (see Exemptions from the notification obligation).
The DPA does, however, place considerable weight on self-regulation by the different industries and sectors: the CBP (among others) promotes the appointment of a data protection officer and advises sectors to draw up their own codes of conduct (CBP website).
Data Protection Officer
A data controller may appoint its own data protection officer. The officer has to be a natural person who possesses adequate knowledge to perform the duties of the office and who can be regarded as sufficiently reliable. The data controller shall give the officer the opportunity to perform these duties properly, without being subject to instructions and without suffering any disadvantage as a consequence of performing them. The officer has to be registered with the Authority, which shall maintain an up-to-date list of registered officers. Officers shall produce an annual report on their activities and findings (cf. Article 63 of the DPA).
Code of Conduct
Article 25 of the DPA states that one or more organisations planning to draw up a code of conduct may request the CBP to declare that the rules contained in that code properly implement the DPA or other legal provisions on the processing of personal data. Within the research sector, the following codes of conduct are relevant, for example:
· The Netherlands Code of Conduct for Scientific Practice
· Code of Conduct for the Use of Personal Data in Scientific Research (Dutch only)
· Code of Conduct for Medical Research
Notification of processing
According to Article 27 of the DPA, the following types of processing of personal data are in general subject to prior notification:
· processing of data wholly or partly by automated means, or
· manual (non-automated) processing of data, where it is subject to a preliminary examination (see below)
The notification shall include information on the following (cf. Article 28):
· the name and address of the data controller
· the purpose or purposes of the processing
· a description of the categories of data subjects and of the data or categories of data relating thereto
· the recipients or categories of recipients to whom the data may be supplied
· the planned transfers of data to countries outside the European Union
· a general description allowing a preliminary assessment of the suitability of the planned measures to guarantee the security of the processing (cf. Articles 13 and 14)
Both the CBP and the data protection officer are obliged to keep an up-to-date, public register of notifications. This register contains the information provided in the notification as listed above, except for the description of how the data are protected (cf. Article 30).
Data controllers are also obliged to provide the same information, on request, to any person with respect to processing that is exempted from notification.
Exemptions from the notification obligation
Under the DPA, the Exemption Decree provides a large number of exemptions and simplifications to the notification obligation. Exemptions for research purposes are covered in different sections of the decree, one concerning individual health care and one concerning archives and scientific research.
According to Article 16.2(d) of the Exemption Decree, healthcare professionals are exempted from the notification duty when processing personal data about their own patients for scientific or statistical research purposes. The provision specifies which personal data may be processed (cf. Article 16.3):
· name, sex, address and similar information necessary for communication as well as banking details
· identification number
· guardian information if it applies to minors or the cared for
· information about the health situation, treatment and care
· in the case of inheritable characteristics, information about relatives may also be processed
In the latter two categories, the definitions of which data may be processed for healthcare purposes appear to be very broad (Wright and Terstegge 2004). Further, it is specified that the personal data may only be supplied to certain recipients, e.g. researchers (cf. Article 16.4(b)).
Archives and scientific research
According to Article 29 of the Exemption Decree, the notification duty does not apply to the storage of personal data for scientific, statistical or historical research purposes, provided that:
· no personal data other than the data forming part of the records are processed, and
· the personal data are deleted when they are no longer necessary for further research purposes.
Article 30 of the Decree deals specifically with scientific research and statistics carried out by a scientific research institution. The notification duty does not apply provided that:
· Processing takes place only for the specific stated research- or statistics purpose
· Only the following personal data is processed:
o name, sex, address and similar information necessary for communication as well as banking details,
o identification number
o any data concerning the research or statistics
· Personal data is provided only to those in charge of or involved in the research activity (including further processing for historical, statistical or scientific purposes)
· Directly identifying personal data are removed no later than six months after obtaining the actual research data
This means that notification is unnecessary if the research data are de-identified and the directly identifying data are not kept for more than six months after they were obtained from the data subject. It is however important to keep track of this six-month period and to notify the CBP or the data protection officer of the processing if it is necessary to keep e.g. contact details for longer than six months (de Cock Buning et al. 2009).
In any case, the researcher's institution, as the data controller, must be aware of studies involving the use of directly identifying data and of any disclosure of directly identifying personal data to third parties (ibid.).
If data are to be collected without the consent or knowledge of the persons concerned, a request must in any case be submitted beforehand to the Data Protection Authority. Personal data may only be collected in this way once the Authority has notified the researcher that it does not consider an investigation to be necessary, or has decided that the proposed study is legally permissible (de Cock Buning et al. 2009:43).
According to Article 31 of the DPA, a number of data processing operations are subject to a preliminary examination by the CBP. This is the case for processing which, in the view of the legislator, involves special privacy risks. These special privacy risks are specified as cases in which the data controller plans to:
· process a number that identifies persons for the purpose of linking data together, where this is for a purpose other than the one for which the number is intended
· obtain data from its own observations without the knowledge of the data subject (e.g. by using hidden camera surveillance)
· process data on criminal behaviour or on unlawful or objectionable conduct on behalf of third parties (other than under a licence issued under the Private Security Organisations and Investigation Bureaus Act) (CBP website)
Personal Data Act:
The Exemption Decree:
The Dutch Data Protection Authority (CBP):
The Netherlands Code of Conduct for Scientific Practice
Code of Conduct for the Use of Personal Data in Scientific Research (Dutch only):
Code of Conduct for Medical Research http://www.federa.org/sites/default/files/bijlagen/coreon/code_of_conduc...
Ministry of Justice, 2001. Guidelines for Personal Data Processors (Personal Data Protection Act) [pdf]. Available at: <http://www.privacy.nl/uploads/guide_for_controller_ministry_justice.pdf> [Accessed 7 June 2014].
The Dutch Data Protection Authority (CBP): Notification and preliminary examination [online]. Available at: <http://www.dutchdpa.nl/Pages/en_ind_cbp_taken_melden.aspx> [Accessed 7 June 2014].
The Dutch Data Protection Authority (CBP): Notification [online]. Available at: <http://www.dutchdpa.nl/Pages/en_ind_melden.aspx> [Accessed 7 June 2014].
The Dutch Data Protection Authority (CBP): Data protection officer [online]. Available at: <http://www.dutchdpa.nl/Pages/en_ind_wetten_zelfr_fg.aspx> [Accessed 7 June 2014].
de Cock Buning, M., Ringnalda, A. and van der Linden, T., 2009. The legal status of raw data: a guide for research practice [pdf]. Available at: <http://www.surf.nl/binaries/content/assets/surf/en/knowledgebase/2009/SU... [Accessed 18 August 2014].
Privireal, 2005. UK- Data Protection [online]. Privireal: Privacy in Research Ethics and Law. Available at: <http://www.privireal.org/content/dp/netherlands.php> [Accessed 7 June 2014].
Wright, J. and Terstegge, J., 2004. The Implementation of Directive 95/46/EC in Dutch Law and Medical Research. In: D. Beyleveld, D. Townend, S. Rouille-Mirza and J. Wright, eds. 2004. Implementation of the Data Protection Directive in Relation to Medical Research in Europe. Ashgate. pp. 273-288.