KCE procedures for using personal health data in its studies
In the context of the conditional exemption from informing the person concerned in advance under the terms of article 9, §2 of the law of 8 December 1992 concerning the protection of privacy with regard to the processing of personal data, the Sector Committee for social security (hereafter SCSSH) asked the KCE to inform the general public via publication on its website. This is the purpose of this document.
In order to carry out its studies, the KCE needs access to certain personal health data relating to Belgian citizens. The purpose of the processing carried out on personal health data by the KCE is clearly regulated by articles 262 et seq of the Programme Law (1) of 24 December 2002.
As a general rule, the KCE does not receive data directly from citizens, but mainly via:
- The Federal Public Service (SPF) Public Health (https://portal.health.fgov.be/)
- The Institut National d’Assurance Maladie-Invalidité (INAMI - http://www.inami.fgov.be/homefr.htm)
- The Technical Cell (TCT - https://tct.fgov.be/etct/).
Other data are obtained from the following sources:
- The Intermutualistic Agency (IMA - http://www.nic-ima.be/ )
- The sickness funds
- The Belgian Cancer Registry ( http://www.kankerregister.org/ )
- And occasionally from healthcare centres.
Since May 2008, the KCE has also had access to data governed by the Permanent sampling law. This is a anonymous, representative sample of the Belgian population, composed of data available at the sickness funds within the framework of compulsory healthcare insurance. In order to prevent any direct identification of the patient, the social security identification number (NISS) undergoes double encryption in the sample. (see http://www.riziv.fgov.be/information/fr/sampling/index.htm)
Since 1992, Belgium has a privacy protection law governing the processing of personal data, better known as the ‘Privacy Law’. This law, and its implementation decree of 2001, defines precisely how and under what circumstances personal data can be processed or transmitted. As part of its statutory mission, the KCE has direct access to the health data concerning hospital stays of the TCT (Art. 35 of the law concerning various health provisions (1) of 13 December 2006). In the majority of cases, for example when data from the IMA or the Fondation Registre du Cancer are transferred, or when data from several sources are combined, the KCE must first request and obtain a data transfer authorisation from the Privacy Commission (http://www.privacycommission.be), and more specifically from the Sector Committee of Social Security and of Health (http://www.privacycommission.be/en/sectoral_committees/social_security/ ) or from the Permanent Sampling Technical Commission for data resulting from such sampling.
The SCSSH takes all necessary measures to protect the privacy of citizens. SCSSH decisions are published and can be consulted at: http://www.privacycommission.be/fr/decisions/social_security/ or at http://www.ksz.fgov.be/fr/bcss/page/content/websites/belgium/security/security_06.html.
In its request, the KCE must clearly describe the data that it wishes to use, the purpose of the planned processing, and the measures that will be taken to guarantee the confidentiality of the source data. Only after authorisation has been granted by the Sectoral Committee data are sent to the KCE, where they are stored on a high-security server. These data remain permanently encrypted. The fields ‘date of birth’, ‘name/forename’, ‘street’ and ‘street number’ are erased and replaced by a unique, non-distinctive identification code. Only the fields ‘year of birth’ and ‘postal code’ are retained. This method makes individual identification as good as impossible. In addition, only KCE computer analysts or approved subcontractors are authorised to process these data, and always under the control of a supervising physician. At the end of the study, the data are destroyed (by default after a period of two years).
All personal data processing carried out by the KCE is subject to a declaration to the Privacy Commission. The public register for such declarations can be found at: https://www.privacycommission.be/elg/searchPR.htm