Privacy policy

1.   Scope and Policy

Yes We Can Youth Clinics stands for optimal data security and guarantees the right to privacy. To this end, Yes We Can takes all necessary measures to keep the risks of its violation manageable. The board is end responsible, yet staff members Quality, Policy and ICT take the lead. Where necessary, we call in external expertise, for example when it comes to estimating risks. The risk inventory is updated annually and measures/policy are adjusted if necessary. This as part of the annual management assessment, which is carried out with a view to iso 9001. The policy is set out in the privacy regulations and the processing register. Both are public and retrievable. Internal supervision is carried out by the Data Protection Officer. These regulations apply within Yes We Can Youth Clinics and relate to the processing of data of those who are under treatment at Yes We Can, have been under treatment, have registered or have contacted. These regulations apply to both paper and electronically processed data.

2.   Definitions 

2.1 Descriptions
Personal data: Any data that is to be traced back to a person.
Health data: Data about the physical or mental health of a person.
Special data: Data on religion or belief, race, political affiliation, health, sexual orientation. Criminal related data are also part of this.
Processing of personal data: All actions relating to personal data, including in any case the collection, recording, organising, storage, updating, modification, retrieval, consultation, use, disclosure by means of transmission, dissemination or making available in another form, bringing together, relating to each other, as well as encrypting, blocking, erasure or destruction of data.
File: Any structured set of personal data.
Employee: The person involved in the relevant file. In all cases, this concerns a practitioner, treatment coordinator, main practitioner and an employee of the care administration and / or secretariat.
Processor: The person who processes personal data independently and on his own responsibility for Yes We Can Youth Clinics (for example, an external quality auditor or a research agency).
Data subject: The person to whom a personal data relates, usually the young person, or his (legal) representative.
Third party: Any person or body that is not a data subject, processor, or a person who processes personal data on behalf of Yes We Can Youth Clinics or the processor, such as a care provider or P&O employee.
Consent of the data subject: Consent to the processing of his or her personal data freely given by the data subject, specific and based on good information.
Dutch Data Protection Authority (AP): The supervisory authority, the independent body that ensures that personal data is processed carefully and securely and can, if necessary, impose sanctions if this does not happen.
Data breach: breach of the security of personal data (as referred to in Article 13 of the WBP). In the event of a data breach, the personal data are exposed to loss or unlawful processing – i.e. to what the security measures must protect. A data breach involves access to or destruction, modification or release of personal data at an organization without this being the intention of this organization. A data breach therefore includes not only the release (leakage) of data, but also unlawful processing of data.
Cookie: a small file that is sent along with pages from this website and is stored by your browser on your hard drive of your computer.

2.2 Proper and secure processing of patient data
2.2.1 For what purposes may data be processed?
Within Yes We Can Youth Clinics, personal data is only processed:

  1. for a clear purpose and no more than necessary: personal data are only processed for specific, explicitly defined and legitimate purposes and must be sufficient, relevant and not excessive.
  2. with the consent of the data subject;
  3. necessary for the performance of an agreement to which the data subject is a party, for example the treatment agreement;
  4. necessary to comply with a legal obligation, for example the obligation to file in the Wgbo or the provision of data in the event of the transfer of a forcibly admitted patient from the moment of transfer, the person responsible for the treatment;
  5. necessary to combat serious danger to the health of the data subject, for example transfer information to third parties in the event of a crisis or camera surveillance in the observation room;
  6. necessary for the proper performance of a public law task by an administrative body, for example the information that the municipality needs in connection with a re-indication of support under the Wmo 2015 or
  7. necessary for the interests of Yes We Can Youth Clinics or of a third party and the interest of the person whose data is processed does not prevail;

2.2.2 What security measures are taken? 
Yes We Can Youth Clinics secures personal data against loss or any form of unlawful or unnecessary processing. When taking security measures, a balance is made between, on the one hand, the state of the art and the costs of implementation and, on the other hand, the risks associated with the processing and the nature of the data to be protected. For the provision of data via e-mail, the secure email connection is used if possible. 

2.2.3 Who is allowed to process health data?
Care providers and employees of Yes We Can Youth Clinics may only process health data that is necessary for the proper treatment or care of the data subject or the management of Yes We Can Youth Clinics. Every employee within Yes We Can Youth Clinics has signed up for confidentiality in the terms and conditions of employment. If interns or other external parties are (temporarily) employed there, confidentiality must also be signed.

2.2.4 Data processing by (external) Processor
Yes We Can Youth Clinics can outsource the processing (externally) to an processor. The processor, to which part of data processing has been outsourced, is also independently liable for damage or part of the damage resulting from his work. How 3 that liability is divided is assessed by the non-life insurer or the court. Yes We Can Youth Clinics has laid down good agreements in a processor agreement.  

2.2.5 Liability Yes We Can Youth Clinics and /or processor / processor agreement
Yes We Can Youth Clinics is in principle responsible and liable for damage resulting from the attributable failure or insufficient compliance with the Wbp, including the security requirements in Article 13.

2.2.6 When may special data be processed? 
Special data may only be processed as a supplement to health data if this is necessary for the proper treatment or care of the data subject.

2.2.7 When can data be provided to another person for scientific research and statistics in the field of public health?
If the data are anonymised, with which these data cannot be traced back to the data subject and then only with the consent of the data subject, unless: a. requesting permission is not reasonably possible but such safeguards apply when carrying out the research, such that the privacy of the patient is not disproportionately harmed, or b. requesting permission, in view of the nature and purpose of the research, cannot reasonably be required and the care provider ensures that data is provided in such a form that traceable to individual natural persons is reasonably prevented. Furthermore, the research must serve a public interest and demonstrate that the research cannot be carried out without the data.

2.2.8 Agreements with the researcher
Yes We Can Youth Clinics and the researcher make written agreements about the measures that the researcher takes to protect the privacy of the person concerned.

2.2.9 Duty of confidentiality
Personal data are only processed by persons with a duty of confidentiality on the basis of the law or agreement. When providing data to third parties, the regulations of GGZ Nederland are followed: “Wegwijzer Beroepsgeheim in samenwerkingverbanden” and “Handreiking Beroepsgeheim”.

2.2.10 How are personal data stored?
Yes We Can Youth Clinics stores data in a secure manner, which is in accordance with the applicable laws and regulations.

2.2.11 How long is personal data stored?
Personal data will not be kept longer than is necessary to achieve the purposes for which the data are processed, unless a. they are anonymised or b. insofar as they are stored exclusively for historical, statistical or scientific purposes. In the Wgbo, the general rule is that data is stored fifteen years after the end of the treatment. YWCC also uses this as a maximum. Camera images made for security and images taken in the watch room are intended to be viewed live and will be deleted within 1 week at the latest.

2.2.12 Obligation to report data breaches
Yes We Can Youth Clinics is obliged to report a data breach to the DPA if the data breach/breach leads to serious adverse consequences for the protection of personal data. Or if there is a significant chance of this happening. This is done via the data breach notification desk. Yes We Can Youth Clinics is obliged to inform the data subject(s) about a data breach if the data breach is likely to have adverse consequences for their privacy. When determining whether there are serious adverse consequences for general privacy or in particular the privacy of data subject(s), the Policy Rules on the obligation to report data breaches of the DPA are used.

2.3 Rights of the data subjects
2.3.1 Duty to provide information
If Yes We Can Youth Clinics requests data from the data subject himself/herself, he shall inform the data subject prior to obtaining his or her personal data about: a. the identity of the applicant; b. the purposes for which his data are intended and c. why it is necessary for the requested data to be processed. d. additional information if this is necessary for good care. e. the rights of the data subject and how the data subject can invoke these rights.

If Yes We Can Youth Clinics (employee) requests data of the data subject from another person, he informs the data subject, insofar as he does not already know this, about his identity and the purposes of the processing and gives him the necessary further information: at the time of recording of the data concerning him or her, or b. when the data are intended to be provided to a third party,  at the latest at the time of the first provision. Yes We Can Youth Clinics does not have to inform the data subject if informing the data subject proves impossible or requires a disproportionate effort or if the provision is mandatory on the basis of laws and regulations. In that case, Yes We Can Youth Clinics must inform the data subject at his or her request about the legal requirement that obliges him to record or provide the data concerning him or her.

2.3.2 Inspection and copy/copy
The data subject aged 12 years or older has the right to inspect and a copy of the processed data relating to his or her person. This concerns information in both the digital and the paper patient file. This does not include notes from the practitioner. The same applies to the person who, as a legal representative, must give permission for the treatment agreement. The requested inspection and/or the requested copy must be made as soon as possible, but at the latest within four weeks, respectively. Yes We Can Youth Clinics may charge a fee for the provision of a copy. Access or copy may be refused if this is necessary in the best interests of the child or if the privacy of another person is harmed, for example in the event of a suspicion of child abuse, a parent may be refused access to the child file and divorced parents do not have access to information about each other.

2.3.3 Addition, correction or deletion, destruction and blocking of personal data
The data subject may ask in writing or by e-mail via  [email protected] to supplement his data or to add his or her own statement to his file, b. correction of his data if they are incorrect, incomplete or irrelevant, or in violation of the law, appear in the processing, c. to protect certain data from certain persons and to have them block access to those data, d. to destroy data relating to him or her. The right of destruction only applies to the data stored from the Wgbo in the context of the obligation to file and does not apply to financial and administrative data.

The applicant is asked to provide the document number of his/her Identity Document so that we can verify the identity of the applicant. The request for destruction is stored in the file for a possible material check or fraud investigation by a health insurer.

Yes We Can Youth Clinics informs the applicant within four weeks of receipt of a written request for completion, correction or destruction of his data, whether and in what way the request is fulfilled, stating reasons. The decision to delete and/or destroy health data is recorded in the patient's file. A request for data destruction may only be refused if: a. the law opposes the destruction; b. a third party has a significant interest in the retention of those data, for example a child of a patient has a hereditary disease; c. the patient has initiated proceedings against the care provider or it is likely that he will do so; d. the file contains information about (suspected) child abuse, these can only be destroyed on the basis of the Domestic Violence and Child Abuse Reporting Code at the request of the child himself and only if the child has reached the age of 16 years and can be considered capable of will.

2.3.4 Right of opposition
The Data subject may object to processing as necessary for the proper performance of a public law task by an administrative body, or in the interest of Yes We Can Youth Clinics or of a third party, unless they are legal public registers. Yes We Can Youth Clinics will assess whether the resistance is justified within four weeks of receipt of the resistance. If the objection is justified, he immediately terminates the processing.

2.4 Representation
The able-willed young person of twelve years or older independently exercises his rights over his personal and health data. Destruction of data about (suspicions of) child abuse only takes place with the consent of a young person of sixteen years and older who is in a position to consent.

If the person concerned is over eighteen years of age and incapacitated, the curator or mentor acts as a representative for him; if there is no trustee or mentor; the person who authorised the data subject in writing; if there is no authorised representative, the spouse or companion of the person concerned and, if this is also lacking, a child, brother or sister of the person concerned. In the extreme case, Yes We Can Youth Clinics ensures that a legal representative for the data subject acts as soon as possible. If necessary, if family or loved one cannot or will not, he asks the court to appoint a representative.

2.5 Mandatory notification of data processing operations
Processing of personal and health data within Yes We Can Youth Clinics will be reported to the AP to the extent required.

2.6 On-line data
2.6.1 How do we handle cookies?
Yes We Can Youth Clinics places "analytics cookies" from Google on your computer. We use this service to keep track of and receive reports on how visitors use the website and whether our site is working properly. Google may provide this information to third parties if Google is legally obliged to do so, or insofar as third parties process the information on behalf of Google. We have no influence on this. The information that Google collects is anonymized as much as possible. Your IP address is explicitly not provided. The information is transferred to and stored by Google on servers in the United States.

2.6.2 How do we deal with forms?
When submitting this form, you give permission that this data may be used for the purpose of the form. This can be the registration for a treatment, the contact form, the complaint form or a form to register for an information meeting. This data will not be used for purposes other than those for which you have given permission and will not be provided to third parties. The data will not be kept longer than is necessary for the proper handling of the completed form and the follow-up thereof. The data can be deleted at any time if you request us to do so.

2.7 In the event of a complaint
In the event of a complaint about compliance with these regulations or any other complaint, the data subject can contact the Data Protection Officer Brigitte de Jager, Laan van Diepenvoorde 325582 LA Waalre, [email protected].

2.8 Changes and inspection of these regulations
These regulations apply as of 1 January 2018 and can be seen on the website of Yes We Can Youth Clinics.

Sources: Laws and regulations via:  The website of the AP 6 Het naslagwerk Persoonsgegevens AP Beleidsregels handhaving door de AP, Hooghiemstra/Nouwt, Sdu Commentaar Wet bescherming persoonsgegevens, Sdu Uitgevers, Den Haag 2014, GGZ Nederland (editor), Vraagbaak Psychiatrie en recht, 400 frequently asked questions, second edition (2007) GGZ Nederland, Handreiking WGBO (2013) GGZ Nederland, Handreiking beroepsgeheim. stappen voor zorgvuldig handelen (2012). GGZ Nederland, About some patients you should talk (2012) KNMG, GGZ Nederland c.s. Guide to professional secrecy in partnerships (2014)