Health Service still not careful with Covid patient data: report

Health service GGD still has issues dealing safely with people's data, De Gelderlander reports based on its own research. Former GGD employees can still access the health service's database, containing data on almost all Netherlands residents, from home over a month after their dismissal. And in at least one training class, the current data of a real person was used to teach new GGD employees, according to the newspaper.

This is after the GGD improved its data handling by order of the Dutch Data Protection Authority (AP). In January last year, GGD data sets containing millions of Netherlands residents' address details, phone numbers, and citizens' registration numbers were sold online. Employees could easily access the data and export it from the GGD systems.

The incident in which a real person's details - address, citizen registration number, email address, and even medical issues and medication use - were used in training happened at GGD Gelderland-Midden in December last year, a freelancer who was at the training said. A spokesperson for umbrella organization GGD GHOR Nederland told the Gelederlander it was an isolated incident. "This is not our usual way of doing things. Each training is given from a test environment with fictitious persons and data."

A former GGD employee told the newspaper that they could still log into the GGD's coronavirus systems at least a month and a half after they left the service. They could view whatever details they wanted from their laptop at home. "Like the citizen service number and the email address, and that is a dangerous combination if you're in the mood."

AP told De Gelderlander that it is worrying that adjusting or withdrawing access to the GGD systems "does not always go well." The watchdog is also concerned by the fact that employees can access the GGD systems from home, with computers that aren't as well secured as the health service's.

The GGD told the newspaper that the issues stem from how quickly the health service had to scale up its operations for Covid-19 testing, vaccinations, and now booster shots. According to the spokesperson, temporary workers have less access to personal data than permanent workers, and they only see relevant data. "The medical data recorded during vaccinations are protected and not visible to employees who are involved in testing," the health service used as an example.

All workers also sign a confidentiality statement and must submit a Certificate of Good Conduct, the GGD said.