'Corona opt-in' sidelines medical confidentiality

An emergency situation requires emergency measures. We are well aware of that. But emergency measures must also be proportionate, transparent and verifiable. And that is where the Personal Data Authority (AP) now seems to have made a serious slip.

It has given its approval to a problematic emergency measure, the so-called 'corona opt-in', which systematically sidelines medical confidentiality. This puts the medical privacy of all Dutch citizens at risk.

What is it all about? More than half of all Dutch people have not yet given permission for healthcare providers to exchange their medical data via the National Switch Point (LSP). As a result, there is a large no man's land of potential corona patients whose medical background is unknown to GP surgeries and hospitals, even though they need to know it if the need arises. They therefore asked the Ministry of Health, Welfare and Sport (VWS) to arrange something for that.

It's an 'Opt-out', but we call it 'Opt-in'

The Ministry of VWS has devised the so-called 'corona opt-in' for this purpose. It is a confusing term, because this measure in fact no longer requires explicit consent (opt-in); it assumes a kind of tacit consent that your data may be shared via the LSP, unless you object. The new practice thus becomes: silence means consent (opt-out). Legally speaking, that is simply not allowed.

The Personal Data Authority does not find this 'corona opt-in' objectionable, with the proviso that the patient still has to give consent on the spot. In its response to the proposal, the AP states:
"Doctors at the GP surgery or emergency room are allowed to view the medical records at their GP's premises only with the consent of corona patients through an electronic exchange system. Those who have not yet given their consent can do so on the spot. This may also be done verbally in this case. Only if a patient is unable to give consent is inspection without consent allowed."

Medical confidentiality massively circumvented

That sounds logical and reasonable, especially given the additional conditions added by the AP, such as that this measure is temporary and that the data should only be viewed by the GP or emergency room. Still, there are significant objections to this solution. We list four (but there are others).

First, there is a technical problem. As a patient, you can say you consent, but the doctor still cannot access your file. After all, the person who has to open up your file is the GP who has recorded your medical data in his patient file. This emergency measure is intended precisely to circumvent the professional secrecy that rests on that file. How this is to be achieved logistically is not clear from the AP's letter. But anyone familiar with the technical side of the LSP knows that this can only be done by opening up all records for which no consent for exchange has yet been given (via an update of GP systems). That is a completely disproportionate measure. And tricky too, as the second problem shows.

The second problem is also technical in nature: consultation of your file should be limited to healthcare providers directly involved in your treatment. But this is not technically possible in the LSP. This information system does not allow for targeted retrieval: it is all or nothing. In this case, that means all: every healthcare provider connected to the LSP. That's tens of thousands of potential entry points for hackers. The Senate, which unanimously rejected the LSP in 2011, therefore called the system at the time "a file with a thousand doors at the back."


The 'corona opt-in' thus gives the patient only the semblance of a say - the third objection. Indeed, regardless of whether the patient gives consent, their records will technically already be open for consultation from tens of thousands of access points. The consent that patients must give, according to the AP, is thus nothing more than a hollow formality. By falsely stating in its letter to the Ministry of Health that this consent is a hard requirement to make the file viewable, the AP ignores the far-reaching technical implications of this measure - and thus also the legal ones.

This brings us to the fourth and overarching objection. The AP officially monitors compliance with privacy laws, but nowhere in its letter is it clear what legal basis the 'corona opt-in' rests on. Nor is it clear why the AP believes that the proposed 'corona opt-in' is a necessary and proportionate measure and that this problem cannot be solved in a less intrusive way. From a privacy regulator in times of crisis, we should expect a transparent and more thoroughly reasoned opinion that explicitly takes into account the above consequences of the 'corona opt-in'.

Monitoring compliance with privacy legislation and privacy law principles is the AP's core task, especially in times of crisis. If anyone should now keep a cool head and not go along with hasty crisis measures with unforeseeable consequences, it is the national privacy regulator.

Civil Rights Protection Platform
Privacy First
Humanist Alliance
KDVP Foundation

This joint position was also previously published at https://platformburgerrechten.nl/2020/04/10/ap-sta-ons-bij/ and https://specifieketoestemming.nl/ap-sta-ons-bij/.