Plans drawn up by the government for the use of personal information of patients have been given a damning response from the data protection authority (DPA).
The campaign of vaccination of the public against Covid-19 is still officially set to start on 5 January, although some groups such as care home staff may receive the vaccine before then.
In the meantime, the government has drawn up a set of plans on how to handle the information relating to people who receive the vaccine. The Royal decree on the matter was rushed through parliament this last week, by the health committee on Monday and the plenary session on Thursday.
The decree covers mainly the treatment of information on antigen tests, but also covers vaccinations. And it fails to give any details on the regime of data protection to be applied, instead referring all such matters back to the King – in other words, to the government itself.
The alarm was first raised by Absym, the association of medical trade unions. “This leaves far too much power at the discretion of the government,” commented Absym’s honorary president, Jacques de Toeuf.
His misgivings were amplified by opposition MP Catherine Fonck (cdH).
“This is a remake of the law on tracing. This legislation is empty, late and unconstitutional. There is nothing in it, and it will have to be settled by a cooperation agreement,” she said.
That, she said would have taken more time, but there has been time already.
“It’s not as if we’ve only been talking about vaccines for the last two weeks. This just goes to show how ill-prepared the government is.”
The law was sponsored by home affairs minister Annelies Verlinden (CD&V) together with health minister Frank Vandenbroucke (sp.a). Where details of the data regime are missing from the decree itself, they were provided by Vandenbroucke.
The plan involves recording the details of the person receiving the vaccine and the person administering it, the location, the vaccine in question and any negative side effects. Those details will be stored and made available to “instances with a mission of general interest”.
As part of the rush to legislation, the decree was submitted to the DPA for their opinion, and that has been issued (pdf, NL).
The authority points out that, urgency or not, a law that has such a profound impact on the protection of private information must contain detailed provisions for the storage and handling of such information, as well as clear indications of who may use the information and for what purpose.
The decree as it stands, however, contains none of these provisions, and constitutes, the DPA said, “a considerable interference with the right to the protection of personal information”.
The opinion goes on to criticise the length of time data is to be kept (until the death of the person concerned), the vague and general terms used to describe the aims of the database, the centralised storage of non-anonymous information on members of the public, and the access allowed to various administrations.
Finally, the DPA raises the spectre of the misuse of the data by the broad and ill-defined group of “instances” who may have access. There is, the opinion concludes, “a risk of discrimination in access to certain government services, based on vaccination status”. In other words, a person who was not vaccinated could be refused certain benefits or access to employment, even though the vaccine is not compulsory.