Annual Report 2000
Summary
On 28th May 2001, the Dutch Data Protection Authority (DPA), the independent supervisory body in the field of the protection of personal data, presented its 2000 annual report to Minister of Justice Korthals. The report calls into question the use of video surveillance in public spaces. In the public health care sector the Authority warns of threats to privacy when information and communication technology are used within the sector and due to the changing relationship between health care and health insurance. The DPA criticises the approach taken to the waiting list issue. It also emphasises the need for further safeguards for the privacy of Internet users.
The Dutch Data Protection Authority draws attention to three developments of great influence on privacy protection: a) the technology to process personal data is offering greater and greater capabilities, b) society's desire to use this technology for the delivery of personal service and customized personal and tailored products and services is also growing and with it the necessity to know a great deal more about individual citizens or consumers, and c) intensifying cooperation between public and private parties for the sake of efficiency is leading to a clouding of the demarcation between the public and private domains.
The Personal Data Protection Act – which will come into force on 1st September 2001 – is therefore
strengthening the obligation of institutions and companies that collectpersonal data, to provide information to the data subjects. The individuals involved should be actively informed about the processing of their personal data and the purpose of this. The Dutch Data Protection Authority emphasises the finality principle : any further use of personal data should be compatible with the original purpose for which the personal data were collected. The Dutch Data Protection Authority also advocates restraint in the general use of the same unique personal identification number.
In particular, the Authority has a strong preference for specific personal numbers per
sector. In any case, the use of unique personal data should be explicitly regulated by law.
Video surveillance
In 2000, surveillance by video cameras in public spaces increased substantially. According to the Dutch Data Protection Authority, specific camera use can be a valuable part of a wider package of security measures. The drawback, however, is that ever more refined detection systems are enabling far-reaching supervision of citizens' behaviour. The DPA therefore urges a more deliberate policy of restricing application of video surveillance Also of importance is that the government continues to manage the public domain. The citizen must be seen, but not constantly watched.
Health care
For the improvement of the quality of health care (including accessibility and efficiency), much is expected from the potential offered by information and communication technology. Health care has to handle vast amounts of data, for direct patient care and financing, as well as for research and policymaking. The DPA points out that within this framework too little attention is being paid to the protection of personal data and professional medical secrecy. This applies especially to the conditions that pertain to the increasing role of health insurers. The Dutch Data Protection Authority also points out the consequences of this for the revision of the system of health care.
The recent plans in the sector for care assignment and waiting list management under the Exceptional Medical Expenses Act envisage an extensive collection of data on each patient. The Ministry of Health, Welfare and Sports, Dutch health insurers and the Health Insurance Board are seeking a national system of registration based on the Exceptional Medical Expenses Act, whereby the data can be identified at the level of the individual . The DPA has informed parties involved about its strong doubts with regard to the legitimacy of this approach.
Privacy and Internet
In response to public anxiety and questioning, the Data Protection Authority studied various aspects of the private use of Internet and e-mail. Many Internet Service Providers collect clients' data and behaviour on the Internet for commercial purposes. The Authority has come to the conclusion that the protection of personal data by Internet Service Providers is failing badly. A report was produced following research on controls applied by employers on the use of Internet and e-mail at work. Guidelineswere drawn up for a realistic approach to this control on the basis of specific consideration of the interests of the employer and the employee. In order to fight crime through the Internet, law enforcement institutions are pursuing extensive powers of investigation. The DPA has urged the Lower House to respect the limits of the constitutional state in the projected Convention on Cybercrime (Council of Europe).
Continuity and Change
In 2000, the Dutch Data Protection Authority spent much attention on the development of standards for the protection of personal data, notably by advising the government, through practical guidelines and by active participation in European cooperation in the field of privacy. The annual report gives an overview of this. In 2001 the Authority will also stand by the equilibrium chosen between the preservation of the rules and active contribution to the development of standards and technical solutions for the protection of personal data. With the introduction of the Personal Data Protection Act on 1st September 2001, the DPA (Registratiekamer) will continue its activities under a new name: Dutch DPA.