Dutch hospitals and healthcare institutions are increasingly testing their own staff for corona, but that may be in violation of privacy law. The Dutch Data Protection Authority (AP) warns that testing personnel is not simply allowed.
In Groningen and Drenthe, among others, more and more healthcare institutions such as GPs are using rapid tests to test their staff for the coronavirus, the Dagblad van het Noorden writes. They do this because waiting for the official GGD result often takes too long. However, an institution testing its own personnel may violate the General Data Protection Regulation, a spokesperson for the Dutch Data Protection Authority told the newspaper: “According to the GDPR, an employer is not allowed to process medical data of an employee.” Under the GDPR, medical data is ‘special personal data’ and therefore has a special status. To process it, an organization must meet strict requirements.
A medical test may only be administered by a GGD doctor or a company doctor, the AP warns. According to the Dagblad van het Noorden, some institutions adhere to this rule by having the medical microbiologist's results forwarded immediately to the company doctor. But the newspaper also says that there are institutions that do not. How often the situation occurs is not known. An institution that breaks the law can in theory be fined heavily. As far as is known, the privacy watchdog has not yet investigated such situations.
It is not the first time that the regulator has spoken out against the collection of medical data during the corona crisis. When the crisis had just broken out, the AP warned that employers were not simply allowed to take the temperature of employees. Companies and governments have been complaining for some time that privacy legislation disrupts the fight against the pandemic, but the European regulator has already contradicted this.