Privacy statement
This privacy statement concerns all personal data used by the Netherlands Comprehensive Cancer Organisation (IKNL), which is established at the address Rijnkade, 3511 LC Utrecht, the Netherlands. IKNL’s Data Protection Officer (DPO) monitors the use of those data. If you have any questions or concerns, you can contact the DPO via fg@iknl.nl
In the Netherlands, IKNL is the organisation that collects, stores and studies data about cancer. Our aim is to find new ways to prevent cancer, to detect it sooner, and to cure the disease, so that we can help improve the treatment and the quality of life (and death) of people with cancer. We do this in collaboration with doctors and researchers, and we share the information with them.
We store medical data about you as a patient or data about you as one of our professional relations, for instance because you are a doctor, you supply products to us, you request data, or you apply for a job with us. IKNL protects your privacy and handles your data with the greatest possible care. Your interests are our number one priority!
Our commitments to you:
- We will handle your data with care, we will keep them confidential, and we will secure them properly.
- We will not use more data about you than is necessary.
- We will not use your data for any other purpose than for which they were collected.
In this privacy statement you can read how we collect, protect, use and share medical data and/or other data about you. A description of your rights is also included. IKNL may amend this privacy statement from time to time. You will always find our current privacy statement on our website: www.iknl.nl/en/privacystatement.
IKNL makes use of personal data in accordance with the provisions of the EU General Data Protection Regulation (GDPR) and other laws and regulations on the protection of personal data.
1. Use of data within IKNL
IKNL may use medical data and/or other data about you. Such use occurs:
- in the Netherlands Cancer Registry (‘NCR’) – see Section 5.1
- during research into the quality of life of former and current cancer patients – see Section 5.2
We will also use data about you if you have a professional relationship with us – see Section 5.3. This can be, for example, because you:
- take part in one of our training courses or education programmes
- attend one of our meetings
- order a leaflet from us
- supply products to us
- apply for a job with us
- have another type of professional relationship with us (e.g. as a researcher, doctor or collaborative partner).
IKNL also uses personal data on behalf of other parties (in which case IKNL is the ‘data processor’). This happens:
- when we support research groups and hospitals that conduct scientific research – see Section 6.1
- when we support research groups that conduct quality of life research – see Section 6.2.
1.1 How do we collect the data?
IKNL obtains data in various ways:
- We receive them from organisations that we work with.
- We actively retrieve the data from the systems of organisations that we work with.
- People outside IKNL enter data into our systems.
1.2 What does IKNL do with the data?
- We collect, record, organise and sort the data.
- We assign codes to data, and we update and link, store or remove them.
- We search for data, offer data to others, or make sure others can use them.
- We conduct research with the data.
2. How does IKNL protect your data?
We use your data securely, in accordance with our policy and the laws and regulations that apply in the Netherlands. We have implemented several technical and organisational security measures. As a result, your data are protected against loss, abuse, modification, distribution, destruction and theft, as well as against use or access by unauthorised parties.
In our organisation we regularly devote attention to the importance of data protection and information security:
- We train new and existing employees on these topics.
- All IKNL employees have signed a confidentiality statement.
- IKNL has clear procedures in place for reporting events relating to information security.
Examples of technical measures implemented are:
- server security
- data encryption. Data encryption means that data are converted to a code before they are stored or sent. People with the wrong intentions cannot use these encrypted data in any way. They do not have the ‘key’ to gain access.
- logging on via two-factor authentication. To open the digital lock, a user has to use two keys rather than one, as it were. This means that besides the entry of a user name and password, a second step is needed. For example, they may need to enter a code that is sent to their phone in a text message or that appears in an authentication app. Use of a fingerprint is another possible second step.
We are certified according to NEN7510, the Dutch standard for information security in healthcare. We are ISO 27001-certified as well.
IKNL employees can only access your data if this is necessary for the purpose for which we have collected the data.
IKNL concludes contracts with external organisations that process data on our behalf. These contracts are referred to as ‘data processing agreements’. In these contracts we lay down what is and is not permitted, who has access, and how data are to be secured. We also lay down arrangements for proper technical security in accordance with NEN7510 and ISO 27001. All our data are stored on servers in the European Union.
If you think that your data may not be secured properly, or that they may be used unlawfully, please contact our Data Protection Officer (DPO). You can use the e-mail address fg@iknl.nl for this.
3. Who can see your data?
Only IKNL employees who are authorised for this can access your data. Such authorisation will be granted only if the IKNL employee really needs the data to be able to do their work. We replace some traceable data with a code, so that our employees cannot see which patient the data belong to.
4. For how long will we keep your data?
We will store your data in accordance with the relevant provisions of the GDPR. The data will not be stored for longer than is strictly necessary to realise the purposes for which the data were collected. The storage period depends on the purpose for which we process your personal data and on any specific statutory retention periods that apply to us. The data in the NCR will be stored for as long as the NCR exists. (For an explanation on the NCR, see Section 5.1.) In case of scientific research with patients, the data will be stored for up to 15 years after the end of a study. After a job application, data will not be stored if you have been rejected – unless you give us permission to retain your data for longer.
5. Detailed information on data use
Below you can read more about our use of data. We will provide answers to the following questions:
- For what purpose do we collect the data?
- What data do we collect?
- Where do the data come from?
- Who can see the data?
- What is the legal basis for the use of the data?
- To whom do we provide the data?
5.1 Netherlands Cancer Registry (NCR)
5.1.1 For what purpose do we collect the data?
The data in the NCR are used for scientific research and statistics relating to cancer. This use helps us gain a better understanding of the disease and the treatment for it, and enables us to improve the care for people with cancer.
5.1.2 What data do we collect?
In the NCR we collect data from patients with cancer:
- Details of the patient, such as their name, date of birth and sex.
- The name of the hospital where they were diagnosed and the name of the hospital where they are or have been treated.
- Data on their disease, such as the date of diagnosis, the type of cancer and the stage of their disease.
- Information on the way in which the disease was diagnosed, and on whether it is an inherited type of cancer.
- Information on the patient’s treatment.
Under the header ‘NCR’, this website contains more information on the data listed above.
5.1.3 Where do the data come from?
Doctors and nurses in hospitals record data in a medical file. This is required by law. Every hospital provides some data to IKNL on their cancer patients. This partly occurs via automatic transfer from another database (such as the pathology database and the national medical register), and it is partly done manually. Only authorised IKNL employees (data managers) have access to part of the medical file. They enter certain data from the medical file in the NCR. IKNL also receives data from the Personal Records Database (BRP).
5.1.4 Who can see the data?
Only IKNL employees who are authorised for this (data managers and researchers) can inspect personal data in the NCR. Other IKNL employees can only inspect data without being able to see which patient the data belong to, because the name and date of birth have been replaced with a code.
5.1.5 What is the legal basis for the use of the data?
The legal basis for the collection of data in the NCR is: ‘scientific research and statistics in the interest of public health, for which requesting permission is not possible or not appropriate for multiple reasons’. IKNL’s interest in promoting research into cancer and improving the care for cancer patients forms the basis for the use of the data in the NCR.
5.1.6 To whom do we provide the data?
The NCR is the number one source for scientific research into cancer in the Netherlands. IKNL regularly publishes overviews of data from the NCR. Anyone can review these via ‘NCR data & figures’ on this website. These overviews do not include any personal data, so that people cannot see which patients the data belong to. In addition, IKNL makes available a synthetic dataset which can be downloaded on request. The data in this set are all fake, and it therefore does not contain any patient data.
We provide the data from the NCR to:
- Doctors and hospitals. Doctors can request data from their own patients. They will then see who the data subjects are, of course.
- Others. Other people wishing to use NCR data for scientific research and statistics must submit a request to this end. These may be doctors, researchers, health insurers, pharmaceutical companies, government bodies or professional associations, for example. They cannot see which patients the data relate to. Researchers who request data may also be from other countries within or outside the EU. Sometimes it is necessary to combine the data from the NCR with data from other databases.
- International collaborative partners. IKNL supplies information from the NCR to the European database of the European Network of Cancer Registries (ENCR) and the International Agency for Research on Cancer (IARC).
IKNL acts with the greatest possible care when supplying data from the NCR. An independent committee – the NCR’s Supervisory Committee – protects patients’ privacy. This Committee reviews whether data can be used for the purpose for which they have been requested. The Committee sometimes demands the use of special security measures. Patient representatives are also among the members of this Committee. IKNL concludes contracts with data recipients on how they are required to handle the data.
5.2 Quality of life research
5.2.1 For what purpose do we collect the data?
IKNL conducts research into the quality of life of former and current cancer patients. We invite participants to complete and return questionnaires (online or on paper). We enter the data from the completed questionnaires into a database and investigate the outcomes.
5.2.2 What data do we collect?
For research into the quality of life of former and current cancer patients, we collect:
- the participant’s name, phone number, home and/or e-mail address
- the name of the study in which they participate
- data from the completed questionnaires on the participant’s quality of life, such as data on how they are coping with the disease and medical or other particulars.
5.2.3 Where do the data come from?
IKNL receives the phone number and home and/or e-mail address of a (former) hospital patient when the patient enrols in the study and gives consent for the use of their phone number and address. Participants complete the questionnaires themselves.
5.2.4 Who can see the data?
Only IKNL employees who organise the study and are authorised for this can see the participant’s phone number and home and/or e-mail address. They are the ones who send the questionnaires to the participants, for example. They record the completed questionnaires in a database. The data from the questionnaires are replaced with a code, so that employees cannot see which patients the data belong to.
5.2.5 What is the legal basis for the use of the data?
The legal basis for the use of the data is the informed consent given by a study participant for the use of their personal data. A participant can withdraw their consent at any time. Data which have already been processed will still remain part of the study.
5.2.6 To whom do we provide the data?
We collect the data for scientific research into the quality of life of former and current cancer patients. People who use the data cannot see which patients the data belong to. Researchers who request data may also be from other countries within or outside the EU.
5.3 Maintaining professional relationships
5.3.1 For what purpose do we collect the data?
We use personal data from all our professional relations. You are a ‘professional relation’ if you:
- are taking part in one of our training courses or education programmes
- attend one of our meetings
- order a product or service from us, like a leaflet
- supply products to us
- have applied for a job with us
- work with us, for example as a researcher or doctor
- have registered for our newsletter
We use personal or professional data for:
- the delivery of our services and products. Think of a leaflet ordered, data requested, a training course or a meeting.
- improvement of our services and products.
- the purchase of our services and products, such as the placement of a purchase order
- sending out or payment of invoices
- maintaining contact
- selecting and inviting people who want to work for us
- sending out information on IKNL or on our services and products. Think of letters, electronic newsletters, invitations for meetings, conferences or training courses, for example.
5.3.2 What data do we collect?
Personal data, such as:
- name, sex, address, e-mail address, position and phone number
- date of birth and BIG number (for accreditation and proof of participation in a training activity)
- payment details
- job application and CV
Information on:
- participation in training courses or meetings
- web shop order history
- correspondence with our relations
- open and click behavior (when you receive email newsletters)
- meeting minutes and call histories of consultations with our relations
- invoices which we have sent
- invoices which we have received
- purposes of data requests
5.3.3 Where do the data come from?
The professional relation has given the data to us themselves:
- during contact with our employees, such as when concluding a contract
- when ordering a product in our web shop
- by registering for one of our working groups, training courses or meetings
- by registering for one of our newsletters
- by applying for a job at IKNL.
5.3.4 Who can see the data?
Only IKNL employees who are authorised for this can access the data, for example because they administer the financial accounts, maintain contact with a relation, or send out newsletters.
5.3.5 What is the legal basis for the use of the data?
The legal basis for the use of these data lies in the permission given by the relation. It is also possible that the use of the data is necessary for the performance of a contract between IKNL and the relation.
5.3.6 To whom do we provide the data?
- IKNL does not provide the data to any other parties without the relation’s permission. IKNL only provides the data if this is necessary to adhere to the provisions of the contract with the relation.
- Sometimes IKNL is required by law to provide the data to others, such as the Netherlands tax authorities.
- Sometimes IKNL must provide data to others to protect our rights, ownership or safety. This is always done in accordance with the laws and regulations that apply in the Netherlands.
6. Detailed information on the use of data on behalf of others
IKNL also uses data on behalf of other people. In those cases, IKNL is not the data controller but rather the data processor. Below we will describe the use of these data. We will provide answers to the following questions:
- For what purpose do we collect the data?
- What data do we collect?
- Where do the data come from?
- Who can see the data?
- What is the legal basis for the use of the data?
- To whom do we provide the data?
6.1 Support for scientific studies
6.1.1 For what purpose do we collect the data?
IKNL’s Clinical Trials Office supports research groups and medical specialists in their scientific studies into cancer and palliative care. In a study, a new treatment may be compared to an existing treatment, for example. Among other things, IKNL takes care of the collection and storage of medical data of participants in the study database. This is done at the request of the researchers and medical specialists.
6.1.2 What data do we collect?
During scientific research, IKNL collects data from study participants, such as:
- Details of the patient, such as their name, date of birth and sex.
- The name of the hospital where they were diagnosed and the name of the hospital where they are or have been treated.
- Data on their disease, such as the date of diagnosis, the type of cancer and the stage of their disease.
- Information on the way in which the disease was diagnosed, and on whether it is an inherited type of cancer.
- Information on the patient’s treatment.
The sponsor establishes in advance which data need to be collected. This varies between studies.
6.1.3 Where do the data come from?
Patients give their doctor consent for their participation in a study. They do this by completing an informed consent form. Doctors and nurses in hospital record patient data in a medical file. IKNL employees authorised for this by the hospital (data managers) have access to the medical file. They can also enter participant data in the study database.
In addition, it is possible that IKNL documents patients’ participation for the study and assigns patients to groups (randomisation). In that case doctors will register patients with IKNL as study participants.
6.1.4 Who can see the data?
Only IKNL employees who are authorised for this (data managers) have access to personal data of study participants. Other IKNL employees can only see data which cannot be traced back to the subjects, for instance to check whether all data have been entered properly.
6.1.5 What is the legal basis for the use of the data?
When supporting scientific studies, IKNL is not the data controller. In these cases, IKNL is the data processor. IKNL only uses the data on behalf of the sponsor and therefore does not require a legal basis of its own. IKNL concludes a contract with the sponsor for this purpose.
The legal basis for the sponsor is the consent given by participants for the collection of the data.
6.1.6 To whom do we provide the data?
IKNL can only provide the data from scientific studies to other parties at the request of the sponsor.
6.2 Support for quality of life research
6.2.1 For what purpose do we collect the data?
IKNL supports research groups in their scientific research into quality of life. IKNL takes care of the registration of study participants. We subsequently invite participants to complete and return questionnaires. We record the completed questionnaires in a database and send the data to the sponsor.
6.2.2 What data do we collect?
For research into the quality of life of former and current cancer patients, we collect:
- the participant’s name, phone number, home and/or e-mail address, and the name of the study.
- data from the completed questionnaires on the participant’s quality of life, such as data on how they are coping with the disease and medical or other particulars.
6.2.3 Where do the data come from?
IKNL obtains the name, phone number, home and/or e-mail address when a patient enrols in a study and gives consent for the use of their phone number and address. Participants complete the questionnaires themselves.
6.2.4 Who can see the data?
Only IKNL employees who organise the study and are authorised for this can see the participant’s phone number and address. They are the ones who send the questionnaires to the participants, for example. They record the completed questionnaires in a database. Other IKNL employees can view the answers to questions, but cannot see whose answers they are.
6.2.5 What is the legal basis for the use of the data?
When supporting quality of life research, IKNL is not the data controller. In these cases, IKNL is the data processor. IKNL only uses the data on behalf of the sponsor and therefore does not require a legal basis of its own. IKNL concludes a contract with the sponsor for this purpose.
The legal basis for the sponsor is the consent given by participants for the collection of the data.
6.2.6 To whom do we provide these data?
IKNL only provides the data to other parties at the sponsor’s request.
7. Cookie policy
IKNL’s websites and apps use cookies. Cookies are small files which are stored on a computer. We use various types of cookie:
- Session cookies to ensure that the website or app works properly.
- Permanent cookies to adapt the websites and apps to your wishes.
- Analytic cookies to find out how many visitors there are and how they behave. IKNL makes use of Google Analytics.
- Cookies from LinkedIn and Twitter to facilitate the use of LinkedIn or Twitter directly from our websites.
In our cookie policy you can read more about IKNL’s use of cookies.
Third-party privacy policies
The IKNL website may include links to other websites which do not belong to IKNL. We do not accept any responsibility for how these parties handle personal data. IKNL advises you to acquaint yourself with the privacy policies of these parties or to contact them for a further explanation on their policy for personal data use.
8. Your rights
- You have the right to access your data, to rectify them or to have them erased.
- You have the right to withdraw your consent for the use of your data.
- You have the right to object to the use of your data by IKNL.
- Moreover, you have the right to data portability. This means that you can ask us to transfer your personal data to you or to another organisation.
You can send a request to this end to fg@iknl.nl. To be able to verify your identity, we may ask you to provide a copy of your identity document in this case. On this copy, at least your name (maiden name if applicable), date of birth and sex must be visible. We will respond to your request as soon as possible, but at least within one month.
It is not always possible for IKNL to reverse or undo research with data or the provision of data to other parties. If you request to have your data rectified or erased, or if you withdraw your consent for the use of your data, this will only have an effect from that moment onwards.
9. Contact
Are you not happy with the way in which IKNL handles your personal data? Or do you have questions about it? Then please contact our Data Protection Officer. You can do this by sending an e-mail to fg@iknl.nl. IKNL will be happy to help you find a solution. If the situation is not resolved to your satisfaction, you can contact the national supervisory body: the Dutch Data Protection Authority.
November 2021