The National Health Care Institute treats personal data confidentially. Where you provide us with personal data that is necessary to perform a statutory duty, we will use it only to perform that duty.
Personal data protection
Any information you provide to us will be kept confidential. Personal or address data will only be used for the purpose for which you have provided them. We therefore treat your personal data with care and in accordance with the General Data Protection Regulation (GDPR).
Privacy statement
As a data subject, you have the right to receive information about, access and correct your data. You can make a request for this. You can also submit a complaint to the National Health Care Institute if you believe we are not complying with the legal provisions. The National Health Care Institute has drawn up a privacy statement (Dutch) detailing the legal protection for handling personal data.
Report vulnerability
The National Health Care Institute is continuously working on the security of its ICT systems. Nevertheless, a vulnerability in one of our systems or websites cannot be ruled out. If you detect such a flaw, we would greatly appreciate it if you reported it by e-mail to info@zinl.nl. By reporting the vulnerability to us before sharing it with others, you enable the National Health Care Institute to take action at an early stage. This is called Responsible Disclosure. In this regard, the Health Care Institute follows the policy of the central government.
Prudent data use at the National Health Care Institute
To implement its statutory duties, the National Health Care Institute uses health data of residents of the Netherlands. We receive data from health insurance companies, but also from other parties. We examine this health data to inform our advisory reports on the insured package in health insurance and long-term care. We also use the data to calculate the contribution an insurer receives from the central healthcare funds (risk equalisation). In addition, we use this data to describe national developments in healthcare, and we advise the Ministry of Health, Welfare and Sport (VWS) on these developments.
Privacy and security
We believe it is of the utmost importance that health data is safe and that citizens' privacy is safeguarded. Therefore:
- We only request data that are necessary for our legal duties.
- We only process health data that have already been pseudonymised at the data provider. We explain what we mean by this in the section below.
- Only authorised employees have access to these data.
- We secure our systems according to applicable national and international criteria and regulatory frameworks.
- We ensure that the quality of the data is high so that our conclusions are reliable.
- The data protection officer of the CIO Office of the National Health Care Institute ensures that we comply with current legal requirements and guidelines when collecting, processing and managing data.
Explanation of pseudonymisation
Pseudonymisation is a technique that strengthens privacy. It makes it possible to process personal data, for example on health, without needing to know to whom the data relates. This is done by attaching an encryption key (a pseudonym) to the data. With that key, it is possible to track an individual over time for research purposes and to combine data from different sources, while it is not possible to trace the specific individuals the data refer to. Pseudonymisation is in principle reversible, but only under strict conditions.
Learning from data and cyclical working
In healthcare, information is cyclically processed at many levels. For example, a physician performs a measurement to make a diagnosis and reassesses the patient's health after treatment. And care institutions use data to improve quality of care, improve processes and assess outcomes. The National Health Care Institute works in a similar way, but on a national scale:
- We collect and analyse available data to identify areas where our efforts can have a major impact.
- We advise VWS on policy based on those analyses, such as assessments based on established medical science and medical practice.
- We monitor the outcomes with new data to evaluate whether we are achieving the desired effects.
- Based on the evaluation, new signals may be picked up that we will work on.
Balancing public interest and privacy
Good healthcare for everyone requires reliable data. At the same time, it is not an appropriate choice to collect and share all available data indefinitely, partly because of privacy risks. We therefore always carefully balance the public interest in good, accessible and appropriate care against the protection of citizens' privacy.