In the context of the conditional exemption from informing the person concerned in advance (art 9, §2, law of 8 December 1992 related to the protection of privacy with regard to the processing of personal data) the Sectoral Committee for social security (hereafter SCSSH) asked KCE to inform the general public via publication on its website. This is the purpose of this document.
In order to carry out its studies, KCE needs access to certain personal health data relating to Belgian citizens. The purpose of the processing carried out on personal health data by KCE is clearly regulated by articles 262 et seq of the Programme Law (1) of 24 December 2002.
In general, KCE does not receive data directly from citizens, but mainly via:
Other data are obtained from the following sources:
• The Intermutualistic Agency (IMA-AIM)
• Sickness funds
• The Belgian Cancer Registry (NL: http://www.kankerregister.org, Fr: http://www.registreducancer.be/Home_fr)
• And occasionally from healthcare centres.
Since May 2008, KCE also has had access to data governed by the Permanent sampling law. This is an anonymous, representative sample of the Belgian population, composed of data available at the sickness funds within the framework of compulsory healthcare insurance. In order to prevent any direct identification of patients, the social security identification number (NISS) undergoes double encryption in the sample. (see http://www.nic-ima.be/Permanente-steekproef-EPS)
Since 1992, Belgium has a privacy protection law governing the processing of personal data, better known as the ‘Privacy Law’. This law, and its implementation decree of 2001, defines precisely how and under what circumstances personal data can be processed or transmitted.
As part of its statutory mission, KCE has direct access to the health data concerning hospital stays of the Technical Cell (Art. 35 of the law concerning various health provisions (1) of 13 December 2006). In the majority of cases, for example when data from the IMA or the Cancer Registry are transferred, or when data from several sources are combined, KCE must first request and obtain a data transfer authorisation from the Privacy Commission and more specifically from the Sectoral Committee of Social Security and of Health Committee of Social Security and of Health or from the Permanent Sampling Technical Commission for data resulting from such sampling.
The SCSSH takes all necessary measures to protect the privacy of citizens. SCSSH decisions are published and can be consulted at NL: https://www.privacycommission.be/nl/beslissingen, or FR: https://www.privacycommission.be/fr/decisions.
In its request, KCE must clearly describe the data that it wishes to use, the purpose of the planned processing, and the measures that will be taken to guarantee the confidentiality of the source data. Only after authorisation has been granted by the Sectoral Committee data are sent to the KCE, where they are stored on a high-security server. These data remain permanently encrypted. The fields ‘date of birth’, ‘name/forename’, ‘street’ and ‘street number’ are erased and replaced by a unique, non-distinctive identification code. Only the fields ‘year of birth’ and ‘postal code’ are retained. This method makes individual identification as good as impossible. In addition, only KCE computer analysts or approved subcontractors are authorised to process these data, and always under the control of a supervising physician. At the end of the study, the data are destroyed (by default after a period of two years).
For more information see : "Privacy protection"