The National Institute for Public Health and the Environment (RIVM) uses personal data. The general privacy statement of RIVM outlines why RIVM uses personal data and explains why RIVM is allowed to do so. The Privacy Statement for Infectious Disease Diagnostics is supplementary to the general privacy statement.
This privacy statement outlines:
- What RIVM means by infectious disease diagnostics;
- How RIVM uses personal data in infectious disease diagnostics;
- Whose personal data RIVM uses;
- Your rights if RIVM uses your personal data.
The Minister for Health, Welfare and Sport (VWS) is responsible for RIVM’s use of personal data for infectious disease diagnostics. The Minister has commissioned RIVM to organise the diagnostics.
What does diagnostics mean?
Diagnostics refers to taking samples of bodily material from a patient, such as blood or urine, to test if the person has a specific infectious disease. The person who requests the test, usually a doctor, is notified when the test result is known.
Diagnostics usually take place in a medical microbiology lab (MML): a laboratory where a doctor has final medical responsibility for diagnostics and advisory services.
What task related to diagnostics has been assigned to RIVM?
RIVM serves as the medical microbiology lab for a number of infectious diseases, such as new (emergent) infectious diseases and specific infectious diseases that people bring to the Netherlands from abroad. The Diagnostisch Vademecum Infectieziekten (Diagnostic Guide for Infectious Diseases, in Dutch) specifies which infectious diseases are included on this list.
This Privacy Statement on Infectious Disease Diagnostics is about the diagnostics that are performed by RIVM. There are also other medical microbiology labs that carry out diagnostics, but those laboratories are not part of RIVM. This privacy statement does not extend to external labs.
What is the purpose for which RIVM uses personal data?
RIVM is working towards a healthy population and a sustainable, safe and healthy living environment. In order to safeguard public health, it is important to know which infectious diseases could occur and how to treat them. Sometimes this requires laboratory diagnostics.
In order to safeguard public health, it is also important to detect outbreaks of infectious diseases. Part of the information from laboratory testing is used for that purpose, sometimes including diagnostics. This form of systematic data collection is called surveillance. RIVM also uses some of the data from diagnostics for surveillance purposes.
More information about the use of personal data in this context is available in the privacy statement for Surveillance of Infectious Diseases.
What types of personal data does RIVM use?
An item of personal data is information that is about a person or information that can be traced back to a person. Examples of personal data include a home address, a citizen service number (BSN), a telephone number or an email address.
Some personal data is extra sensitive because its use can have a significant impact on a person’s life, such as information about a person’s race, religion or health. These special categories of personal data have stricter legal protections.
Exactly which types of personal data are used by RIVM may vary significantly depending on the infectious disease for which RIVM is carrying out diagnostics. RIVM always follows the guiding principle of data minimisation: we do not request or use more personal data than necessary for the purpose of the research. RIVM always carefully contemplates which types of personal data are necessary.
For infectious disease diagnostics, RIVM has identified two categories of personal data:
- Personal data that RIVM receives and then uses for the purpose of performing diagnostics;
- Personal data that RIVM generates itself and uses for the purpose of performing diagnostics.
1. Personal data that RIVM receives and then uses to perform diagnostics
Such data may include (only if necessary):
- Last name
- Initials
- Gender
- Date of birth
- Whether a person has travelled abroad (and where and when)
- Address (street address, postcode, place of residence)
- Sample details (requested by, sample number, sample date)
Legally identifiable personal data (only if necessary)
- Citizen service number (BSN)
Health data (only if necessary). This may include:
- First day of illness
- Symptoms related to the disease
- Other health information (such as pregnancy status, medicines, other diseases, side effects)
- Type of bodily material (such as pus, blood or urine)
- Vaccination data
Data related to race or ethnic origin (only if necessary). For example:
- Birth country or region
2. Personal data that RIVM generates itself and uses for diagnostics
Such data may include:
- Date on which RIVM received the sample
- Test type
- Test result
- Assessment of the result
- Determining potential public health risks
Whose personal data does RIVM use?
For the purpose of infectious disease diagnostics, RIVM uses personal data from patients for whom RIVM is performing diagnostics.
RIVM also performs diagnostics for other countries, using personal data of patients living in Europe and beyond.
Medical microbiology labs in other countries sometimes also perform diagnostics for RIVM. When that happens, the lab in the other country is verifying whether the diagnostic result from RIVM is correct. To that end, the lab in the other country uses personal data of patients living in the Netherlands. RIVM only works with medical microbiology labs in Europe for this verification step.
How does RIVM obtain personal data?
The care provider submits a diagnostic request to a medical microbiology lab. If the lab cannot fulfil the request itself, the lab asks RIVM to do so. The diagnostic request sent to RIVM contains:
- the sample
- an accompanying form with the patient details needed for the request, such as:
  - name
  - citizen service number (BSN)
  - city
To perform diagnostic testing, RIVM also generates and processes a test result.
What does the law say about the use of personal data?
RIVM only uses personal data if the law says we can. The General Data Protection Regulation (GDPR) says that organisations can only use personal data if they have a valid ‘ground’ for doing so.
The GDPR lists six legal bases for processing personal data:
- consent from the person concerned
- performance of a contract
- legal obligation
- vital interest of the person concerned or other people
- public interest (exercise of official authority)
- legitimate interest
The legal basis used for infectious disease diagnostics is the performance of a contract. RIVM performs diagnostics based on the medical treatment contract between the GP or other doctor and the patient. The Medical Treatment Contracts Act (WGBO in Dutch) is applicable here.
How long does RIVM retain personal data?
Pursuant to the Medical Treatment Contracts Act, RIVM is required to retain data for specified time periods. The Act states that data in a medical file must be retained for at least 20 years. For that reason, the retention term for such data at RIVM is usually 20 years.
RIVM may retain some data for longer, if it is necessary due to the type of infectious disease involved – for example if there is a risk that the symptoms may recur at some future point, making it vitally important to have access to the data from the original diagnosis. If you have any questions about this, please contact AVG-RIVM@rivm.nl.
With whom does RIVM share personal data?
In some cases, RIVM may want or need to share personal data with others. When sharing personal data with other organisations, RIVM exercises all due care and is compliant with the rules of the GDPR. RIVM never shares data with commercial parties.
RIVM is permitted to share data with the following organisations:
- Medical microbiology labs (MMLs)
  When the diagnostic test result is known, RIVM shares it with the lab that submitted the diagnostic request. The result is accompanied by the personal data needed to know which patient is involved. The lab then sends the result on to the GP or doctor. After that, the doctor can treat the patient as needed.
- Municipal Public Health Service (GGD)
  Some infectious diseases are subject to a mandatory reporting requirement. In its capacity as a medical microbiology lab, RIVM must always notify the Municipal Public Health Services (GGDs) if it encounters cases of these diseases.
- Care institutions in the Netherlands and in other countries
  RIVM sometimes shares personal data in order to have a different care institution verify if its diagnostic outcome is correct.
Your privacy rights
This privacy statement outlines your rights when your personal data is used for infectious disease diagnostics. It also explains how you can submit a GDPR request to exercise your rights.
- Right of access: You may ask RIVM to view your own personal data. If RIVM has personal data about you, RIVM will give you an overview of that data. Examples could include the diagnostic test result that RIVM sent to the medical microbiology lab, which was then sent to the doctor.
- Right to rectification: If RIVM is using data about you that is incorrect or incomplete, you can ask RIVM to correct it. Examples include a spelling error in your name, or an incorrect date of birth.
- Right to be forgotten: You may request deletion of your personal data, but it is not an absolute right. This means that you are only entitled to request deletion of your personal data in one of the following situations:
  - The personal data is no longer needed for the purpose for which RIVM originally collected or used it;
  - You withdraw your consent and there is no other legitimate basis for using your data;
  - You object to the use of your personal data and the law does not offer any reasons to continue using your data;
  - The use of personal data is not compliant with the law;
  - The personal data must be deleted by law.
- Right to restriction: Sometimes RIVM is not permitted to use your data, at least temporarily. This might be because there are errors in your data and you asked RIVM to correct the errors. In that case, RIVM will not delete your data.
- Right to transferability of your data: You may request your data from RIVM and have it transferred to a different organisation. This right only applies in one of the following situations:
  - You provided the data to RIVM yourself;
  - The use of your data is based on consent or for the performance of a contract;
  - The use of your data is automated.

  Does one of these situations apply to you? Then RIVM must provide your data in a structured, machine-readable format, either to you or to a different organisation.
- Right to object: The GDPR gives you the option of objecting to the use of your personal data at any moment. However, under the GDPR, this right does not apply to diagnostics. If you object to the use of your personal data for diagnostic purposes, RIVM will have to deny your request.
The general privacy statement of RIVM explains how to submit a general GDPR request to RIVM.
Any questions?
After reading the privacy statement, do you still have questions about how RIVM uses personal data? You may find the answer in the general privacy statement of RIVM.
If you have questions about the privacy statement for Infectious Disease Diagnostics, or think that RIVM is not respecting this statement, please send an email to: AVG-RIVM@rivm.nl.
Would you like to file a complaint?
The RIVM website provides more information about our complaints procedure and how to file a complaint with RIVM. You can also send your complaint to the Data Protection Officer (DPO) of the Ministry of Health, Welfare and Sport (VWS): FG-VWS@minvws.nl.
The privacy statements in effect at RIVM may be subject to change
Laws and regulations about privacy change regularly. For that reason, RIVM may make changes to this privacy statement for Infectious Disease Diagnostics and the general privacy statement of RIVM.