Appeal by Privacy First to Lower House on SPD

Today, Privacy First sent the email below to SPD spokespersons in the House of Representatives:

Honourable MPs,

A important General Consultation (AO) with Minister Schippers on the Electronic Patient Record (EPD) place. In preparation and possible interpretation of this debate, Privacy First would like to hereby give you the following points of interest:

1) As Privacy First understands, an opportunistic sham solution is currently being worked towards privately, namely regional exchange of data via the Rural Switch Point (LSP). By definition, this leads to function creep by design. Indeed, the digital 'regional partitions' in and around the LSP will be easy to bypass or remove. The entire system can therefore return to its old, centralised form at any future time, with all the privacy and security risks that this entails.

2) The same risks around the LSP are also not removed by referring to the SPD as a 'personal health record' (PGD) from now on. This only constitutes privacy by semantics which, moreover, is misleading. After all, the underlying infrastructure (LSP) remains virtually unchanged.

3) A privacy-friendly EHR requires, first of all, an independent Privacy Impact Assessment (PIA) involving various solution approaches with privacy by design can be mapped out. Until such a PIA is carried out and parliamentary review is conducted, no irreversible steps around the design and possible expansion of the SPD should be taken.

4) The further design of the SPD should explicitly allow for research, innovation and competition. The recent DigiNotar affair shows that dependence on one (or a select group of) party or parties should be avoided. Besides suboptimal, privacy-unfriendly products, this prevents economic cartelisation.

5) Privacy-friendly patient transparency requires individual freedom of choice in addition to good security. For example, patient access to their own records should not be made dependent on connection to the LSP. Such access via the internet also creates new privacy risks.

6) In the governance structure around the EHR should include independent privacy and security experts.

7) From a human rights perspective, the Dutch government remains fully responsible for protecting the medical privacy of its citizens, even under a privatised SPD. At initiative of Privacy First the Netherlands will have to be able to answer for this at the UN Human Rights Council in May 2012.

Sincerely,

Privacy First Foundation