1 Transparency builds trust
2 Introducing ZorgTTP All organisations that process privacy-sensitive information are subject to the Dutch Personal Data Protection Act, the Wet Bescherming Persoonsgegevens (WBP). The independent Dutch Data Protection Authority (DPA) strictly monitors the compliance with the regulations. And so they should, as our privacy should be handled with care. It is by no means easy to ensure that your sensitive data is fully protected according to the existing laws and regulations. Fortunately, you are not alone. Wouldn t it be nice to have a reliable third party by your side, to advise and support you? Please meet ZorgTTP. ZorgTTP is a so-called Trusted Third Party ; an experienced and straightforward partner offering support with the exchange and sharing of privacy sensitive data. We have the knowledge, experience and competence to process personal data in such a way that it is completely anonymous and ready to be used within all legal boundaries. ZorgTTP services ZorgTTP offers a complete range of services in the field of privacy protection of personal data. Our integral services allow us to do and achieve more. ZorgTTP is proud to offer high quality services. Contents Introducing ZorgTTP 3 It s all about trust! 5 Our services 7 About Tres (encryption/decryption) 8 Extensive network 9 Some of ZorgTTP s clients 10 Being an academic, I am used to looking at things from different perspectives and finding shortcomings in just about everything. However, I can t seem to find any in the ZorgTTP services. Jaap van Lakerveld, PhD Executive Director Plato BV, Leiden University 2 3
3 It s all about trust! With delicate matters like the careful processing of sensitive personal information, you have to be able to fully trust our services and integrity. Your trust is the foundation of our success. Therefore, together we will make sure that your wishes comply with the starting points and guaranteed services of ZorgTTP. ZorgTTP operates from the following starting points: Before closing any agreement, ZorgTTP and the customer carefully investigate if the client s demands concur with ZorgTTP s basic principles and objectives; Data collection, processing and opening up remain strictly separated at all times; In all respects, in any situation, during the entire process, ZorgTTP assumes an open and transparent professional attitude; All processes, the software as well as the procedures are regularly audited, by independent audits. Thus, we guarantee high quality, secure services. Clients ZorgTTP aims to secure privacy sensitive information streams in health care as well as in other fields. When it is essential to be able to monitor individuals over periods of time or link several sources of information, pseudonymization provides great value. ZorgTTP has increasingly been working with companies and partners in the fields of justice, welfare and education. ZorgTTP is without a doubt the most used pseudonymisator of the important actors in the care sector. It considerably simplifies the exchange of data files. Eric Hans Eddes, MD Managing Director DICA and surgeon, Deventer Hospital 5
4 Our services About Tres (encryption/decryption) ZorgTTP has developed a number of services to meet the particular needs and demands of their potential clients. They are: Quick scan: preliminary inquiry dealing with identifying personal data and information security; Advising on security, unique client coding and privacy protection; Key development, anonymization; Pseudonymization; Authentication /encryption: Tres (Trusted Reversible Encryption Service); Secured data archives. ZorgTTP is an expert in pseudonymizing care data and enjoys an impeccable reputation. Barry Egberts, senior manager Kenniscentrum Zorg and Gezondheid, Achmea About pseudonymization With pseudonymization all data that can lead to identification of individuals is replaced by unique pseudonyms that cannot be traced back to these individuals. These irreversible pseudonyms allow stakeholders to exchange information without jeopardizing any person s privacy in any aspect. The conversion of sensitive personal data to an irreversible pseudonym has two stages. The party owning the personal data that needs to be shared (the source) uses the pseudonymization software to convert the data to a so-called pre-pseudonym, following Dutch DPA requirements. Then, ZorgTTP converts the pre-pseudonym to a final pseudonym. The final pseudonym with the data attached to it, is disclosed to the receiving party. Only ZorgTTP knows how the final pseudonym is created. Neither the source nor the recipient can retrace the original personal information. This way, data can be exchanged without violating privacy. Furthermore, if necessary, researchers are able to file transparent and controlled requests for additional information with the source without jeopardizing the security of sensitive personal data. Tres (Trusted Reversible Encryption Service) is developed by Advanced Data Management (ADM) of the LUMC (University Medical Centre of Leiden) and ZorgTTP. Tres is based on reversible encryption to shield personal data for non-authorized use. Tres is developed for registrations which have legal grounds to register personal information. Examples of typical data are our social security number (BSN) or an individual s name combined with other identifying data. The user uses his/her own information system to log on to Tres. While saving the information the designated variables are simultaneously encrypted through Tres. In the end, it is only ZorgTTP is always ready and prepared to keep searching for acceptable solutions for all parties. This constructive attitude is exactly what we will be needing in the future. Mrs ir. Hannelore Hofhuis, PhD Secretary of the board, PALGA Foundation the encrypted data that is saved in the user s information system. Only authorized users are able to decrypt the values. By trusting ZorgTTP with your encryption and decryption you can be sure that no other party than the authorized users have access to the converted data. The pseudonymization and Tres can be used complementary. 6 7
5 Extensive network We have built an extensive network of companies, organizations and clients with whom we work closely. In recent years we have been working with the independent Dutch Data Protection Authority (CBP), the Ministry of Health, Welfare and Sport, the Dutch umbrella organization for health insurers (Zorgverzekeraars Nederland), Medical Specialists in mental care, the Dutch National Tax Services, various research bureaus, and many more. Thousands of data sources all over the Netherlands To date, ZorgTTP has contributed largely to the realization of a large number of projects in the field of data exchange. The data sources that are providing personal data through an operational pseudonymization chain contain from twelve to thousands of records per chain. Finally For the future, ZorgTTP has but one goal, which is to provide the best services possible in the field of personal data protection. We intend to reach this goal by staying true to our key values: transparency, innovation and effectiveness, and by always putting the client first. By doing so, ZorgTTP has been able to become a Trusted Third Party with high quality and client-oriented services. Together with our clients and partners, we look forward to continuing and expanding this position. ZorgTTP works apt and effective. Communication lines are short and they are readily available at any given time. Their power lies in the fact that they know their responsibilities and maintain clear and open communications. Eise Douma, manager DBC Informatie Systeem (DIS), DBC Onderhoud 9
6 Some of ZorgTTP s clients AGIS / ACHMEA, Amersfoort; CAK, The Hague; Centraal Bureau voor de Statistiek (CBS), The Hague; Centrum Indicatiestelling Zorg (CIZ), Driebergen; Informatie Voorziening Zorg (IVZ), Houten; Leids Universitair Medisch Centrum (authentication in developmental stage, Tres ); Menzis, Enschede; Ministerie van Volksgezondheid, Welzijn en Sport (VWS), The Hague; College voor zorgverzekeringen (Cvz), Diemen; DBC Onderhoud, Utrecht; Dutch Hospital Data (DHD), Utrecht; Dutch Institute for Clinical Auditing (DICA), Leiden; Expertisecentrum Forensische Psychiatrie (EFP), Utrecht; Gemeente Leiden en Plato BV Universiteit Leiden; GG&GD, Amsterdam; Hans Mak Instituut (HMi), Naarden; Ministerie van Defensie, The Hague; Nederlands Instituut voor Onderzoek Eerste Lijn (NIVEL), Utrecht; Nederlandse Vereniging van Heelkunde (NVvH), Utrecht; Pathologisch Landelijk Geautomatiseerd Archief (PALGA), Utrecht; Perinatale Registratie Nederland (PRN), Utrecht; Regio Twente van de Provincie Overijssel; Stichting Benchmark GGZ (SBG), Bilthoven; Vektis, Zeist. The utmost care had been taken with this publication. However, nothing from this publication may be duplicated and/or published without the written consent of Zorg TTP Summer
7 Visiting address: Randhoeve GA Houten The Netherlands Postal adddress: Postbus GH Houten The Netherlands Telephone: Servicedesk: Pseudonymization allows exchange of sensitive information without privacy violating.