Neighbourhood team organisation Sociaal Utrecht, Lokalis and the municipality of Utrecht have made agreements about privacy. These agreements are based on the General Data Protection Regulation (GDPR) and are included in this privacy statement.
We expect all professionals working at Buurtteam to work in accordance with this privacy statement.
If you have any questions about your personal data or how we handle it, you can contact us. You can approach your neighbourhood team employee for this.
If you would rather speak to someone else, you can also contact our Data Protection Officer. You can find the contact details on the www.buurtteamsutrecht.nl/privacy.
Privacy is about more than just sharing personal data. It is not always easy to decide which data may be shared in which situation. A careful balance must always be struck between the right to privacy and the right to appropriate service provision. The right to privacy means that the possibility to share data must be limited, while the right to appropriate service provision requires the ability to share data if this improves service provision.
It is not possible to make fixed rules for all daily situations, because some questions are more complicated than others and require customization. That is why we use four basic principles. All employees of the neighborhood teams in Utrecht endorse these principles and are guided by them in their work.
The basic principles are:
We will further explain basic principles A to C below.
A. The customer file
The employees of the Neighbourhood Team explain to the client how the neighbourhood team works, including recording the necessary data in the client file. For clients who fall under the Youth Act, it is mandatory to create a file. If clients agree to the help offered and the support is voluntary, personal data is recorded in a digital file. The employees involve the client and his/her representative in completing the file. Persons involved with the client are only registered if they have been informed of this and have given permission for this.
Only necessary personal data is recorded and exchanged. Customer data is not transferred from other systems, unless it is necessary to comply with a legal obligation.
The customer registration system is set up as openly as possible. This means that the employee, together with the customer, continually reviews whether and which personal data are needed to be added to the file.
B. Consent
Neighborhood team members always ask permission from the customer or their representative before sharing data with others. If the customer is a child under 12, the parent with parental authority or guardian must give permission. For children between 12 and 16, both the parent with parental authority or guardian and the child must give permission. From 16 onward, the customer can give their own consent. Each time data is shared, it must be considered whether it contributes to the intended purpose.
Consent alone is not sufficient to exchange customer data. Data is only shared if it is necessary for the purpose of the processing. When exchanging data, a three-way conversation between the employee, the customer and the third party is sought. This allows the customer to retain control over what is shared. If a three-way conversation is not successful, the customer is asked for consent. A one-time consent at the start of the support is not sufficient. This applies to both written and verbal exchange of data.
If the safety of the customer, their environment or an employee is at risk, an employee may choose to record data and/or share it with other parties without permission. This may be mandatory under laws and regulations. Before an employee makes a decision on this, they will consult with a colleague or manager – without mentioning the customer’s name – and record this in the customer’s file. They will also inform the customer, where possible, about the steps they are going to take, even if the customer has not given permission.
Sometimes it is useful to exchange customer data with third parties, even if there is no direct purpose. For example, for monitoring, intervisions or case discussions. Neighbourhood team organisation Sociaal Utrecht and Lokalis do this to learn and improve their services. The privacy of customers is never violated, because data is made anonymous or because the customer has given permission to discuss his case.
C. Customer rights
Customers have certain legal rights regarding their personal data. These rights include the following:
Customers can exercise these rights by means of a request to their neighbourhood team employee. Customer requests are handled in accordance with the provisions of the GDPR.
When you become a client of Buurtteam, we create a file about you containing the necessary personal data. This concerns data that is necessary to store, so that we can help you properly. We only do this if there is a legal basis for it. For example, because you have asked us to help you. In other cases, we ask for your permission. In cases of emergency, we can also take action without your permission.
The neighbourhood team works with a special registration system, in which the customer data is stored securely. The neighbourhood team uses the WIZ application for this, which is owned by the municipality of Utrecht. The municipality ensures that the data is stored securely and that the system is used properly. The system is secured and hosted by the municipality of Utrecht. It is not possible to store customer data locally on laptops or tablets.
Only employees directly involved with a client are allowed to view the data of the client in question. They have a duty of confidentiality. If employees directly involved are not available, other employees can gain access to the client file. This is called the 'breaking glass' principle and is recorded in the file. The coordinator and his replacement are responsible for checking whether this access was justified. This method is also used in the medical sector.
The functional administrators have access to the WIZ application with the aim of being able to process the data technically correctly and safely. These employees are also subject to a confidentiality obligation. The authorization model can be requested from Buurtteamorganisatie Sociaal Utrecht and Lokalis.
Individual provisions under the Youth Act and customized provisions under the WMO are provided by the municipality of Utrecht. The municipality of Utrecht stores customer data in a secure environment. Customer data is only sent by post when necessary. This only happens if customers do not have access to the customer portal and are unable to collect their file at the neighborhood team location. The personal data that is sent is confidential and is always sent in a closed envelope with the word 'confidential'. This applies to sensitive information such as medical data, income data and other financial matters that fall under the GDPR.
Data shared with parties in supplementary care, such as individual provisions under the Youth Act and customized provisions under the WMO, are kept to a minimum. Exchange takes place via the WMO and youth message traffic: this is a secured (online) environment designed for this purpose.
Customer data is stored according to the statutory terms. For files that fall under the Youth Act, this is twenty years and files under the WMO fifteen years. After the retention period, personal data is deleted and destroyed within one year.
The GDPR obliges Buurtteamorganisatie Sociaal Utrecht and Lokalis to immediately inform the Dutch Data Protection Authority if they are confronted with a serious data breach. If necessary, the data subjects, namely the persons whose personal data have been leaked, will also be informed. Buurtteamorganisatie Sociaal Utrecht and Lokalis keep an overview of all data breaches that have occurred.
If you have complaints about the way the neighbourhood team handles your personal data, you can file a complaint about it. You can use the complaints procedure for this, you can find more information about this at www.buurtteamsutrecht.nl/ complaints-en-bezwaar.
You also have the right to file a complaint with the Dutch Data Protection Authority. On the website www.autoriteitpersoonsgegevens.nl you will find more information about this.