Privacy First sends fire letter to House of Representatives on SPD
Today afternoon, Privacy First sent the following letter to SPD spokespersons in the House of Representatives:
Quite rightly, the Senate recently pointed unanimously rejected the bill to introduce a national Electronic Patient Record (EHR), especially given the enormous privacy risks it would pose. It is therefore with great concern that Privacy First has now learned of developments indicating a possible 'relaunch' of this same SPD by private, extra-parliamentary means. Such a 'relaunch' not only shows contempt for the democratic process, but also denies the risks and concerns on the basis of which legal introduction of a national SPD (L-EPD) recently failed to go ahead. Privacy First therefore hereby urges you to put a stop to this development and hold the relevant government minister to account. After all, in a privacy-law sense, in Privacy First's view the Dutch government remains fully responsible for the privacy violations that will result from a 'private L-EPD', especially given the fact that such a system was explicitly rejected by the Senate on privacy grounds.
In line with the recently adopted Franken motion In this regard, Privacy First also urges you to conduct an independent, public Privacy Impact Assessment (PIA) into 1) a national EPD as envisioned by the private parties involved and 2) possible alternatives for this L-EPD. In carrying out this PIA, the criteria of necessity, proportionality, subsidiarity and freedom of choice should be leading. An important role in the PIA should be played by privacy by design and privacy enhancing technologies, including, for example, advanced patient passes or personal health records. Until this PIA will be completed, no irreversible steps towards a private relaunch of the L-EPD should be taken.
In Privacy First's view, the Landelijk Schakelpunt (LSP) of the L-EPD should be transformed into small-scale regional systems in line with the wishes of the Senate. For regional exchange, an LSP is unnecessary: after all, regional switching points (RSPs), possibly supplemented by supra-regional push-communication. This enhances security and reduces the risks of misuse inherent in an L-EPD."