Privacy during corona
Measures to combat the virus and at the same time make society work, means that privacy considerations and the data subjects' rights under privacy legislation must in some cases be taken into account. What legal basis do we have for this? Where are the limits of what we can do?
In several cases, the institutions must make the necessary assessments and weigh the benefits to society against privacy.
There will be more information as new issues arise.
- Information from the Norwegian Data Protection Authority during Corona
Privacy in a time of crisis, a column by Bjørn Erik Thon 6 April 2020 (NO).
The Danish Data Protection Authority has a less strict definition of what constitutes health information than the Norwegian Data Protection Authority.
The Danish Data Protection Authority (DA) believes that the word "sick" is not health information. They believe that a more detailed description of what "sick" entails is needed in order to call it health information, e.g. that the person is infected with Covid-19 or has broken his leg. The institution should make an assessment of which interpretation they want to apply.
- Legal basis related to infection control
- General Data Protection Regulation (GDPR) art. 6 no. 1 a) consent, and art. 9 no. 2 a) for «special categories».
- GDPR art. 6 no. 1 b) agreement, including employment contract, and art. 9 no. 2 b) for «special categories» cf. infection control legislation with regulations, health legislation, the Working Environment Act and National Contingency Plans.
- GDPR art. 6 no. 1 d) «the processing is necessary in order to protect the vital interests of the data subject or another natural person», as well as art. 9 no. 2 c) for "special categories". See foreword 46.
- GDPR art. 6 no. 1 e) "processing is necessary for the performance of a task carried out in the in the public interest", cf. no. 3 b), cf. infection control legislation with regulations, health legislation, the Working Environment Act and National Contingency Plans. For "special categories", it is also proposed to use GDPR art. 9 no. 2 i) «processing is necessary for reasons of public interests in the area of health», cf. national legislation as mentioned above. See also foreword 52-54.
- Can the employer inform other employees about specific cases of infection?
An infection with Covid-19 is a health information and subject to a duty of confidentiality according to the Public Administration Act § 13.
- Pursuant to the Public Administration Act § 13 a) no. 1, the manager must first try to obtain the consent of the infected person or the person who has symptoms before information is given to colleagues.
- If it is not possible to obtain the consent of the infected person or the person who has symptoms, it follows from the Employer Portal that one can use the exemption provision in the Public Administration Act § 13 a) no. 3: «that the information is used when no legitimate interest indicates that they kept secret…. », e.g. based on a balance between consideration for the individual and consideration for other employees.
You can also refer to the above-mentioned legal basis "necessary for reasons of public interests in the area of health".
The information provided to other employees should not contain more information than necessary to prevent infection.
What kind of information can the employer demand from the employee?
Working Environment Act § 3-1 about the employer's responsibility for the employees' health, environment and safety might be considered as a national legal basis for GDPR art. 9 no. 2 i). There is a requirement for the employer to also protect employees who are not infected with Covid-19. The employer can therefore ask an employee:
- whether the person has been travelling recently and
- whether the person has symptoms.
If the employee has been at home for more than 14 days, it will not be legal to ask for answers to the above questions.
- Can the institution provide information to external parties/customers/students that an employee is infected with Covid-19?
- Distribution of lists of students / employees to the Norwegian Directorate of Health
- Inquiries from KD/Directorate of Health about an overview of students and employees who can be contacted to be extra personnel in the health service as long as the pandemic lasts, are treated as a request for access under the «Public Administration Act». The Norwegian Directorate of Health must itself have a legal basis for its treatment.
- The list must be deleted from the institution's systems after it has been submitted to the Norwegian Directorate of Health.
- Provide information on the available website for students / staff about the transfer; ie to whom, purpose and what information is transferred.
If the institution keeps the list for its own purposes, there are requirements for a legal basis, where the list is kept, for how long, who has access, etc. The institutions must, on an accessible website, inform students/employees about the use of the list, where further information is provided about the privacy rights and contact persons. The processing must also be registered in the institution's overview of the processing of personal data.
The list may be relevant to keep as part of the emergency preparedness. You collect information, make lists and store these of relevant employees and students (having a health professional background or are in training as a nurse) who can contribute to a crisis where the health service quickly needs to know who they can contact. Getting health professionals in place quickly when needed can mean life and death for a third person.
Unit's guidelines on digital teaching and privacy (Unit.no) (NO) can be used as a starting point for a privacy routine at your own institution. The Norwegian Data Protection Authority has approved these guidelines and emphasized that solutions must be practical.
Unit recommends to create two guidelines, one that is aimed for the lecturer and one for the students.
Recommended legal basis:
- Recording of teachers can be authorized in GDPR art. 6 no. 1 b) «necessary to fulfill an agreement» and / or the employer's right to control.
- Recording of students can be authorized in GDPR art. 6 no. 1 e) «in the public interest», cf. no. 3 b), cf. the Universities and University Colleges Act §§ 1-3, 3-8, 4-2 and 4-3. If students are to record during the lecture, they should ask for consent (GDPR art. 6 no. 1 a)) from those who participate in the recording, regardless of whether they record for their own use or if they are going to share this with others.
- Recording of teaching can hardly be regarded as a "purely personal or family activity", please see GDPR art. 2 no. 2 c) and the website of The Norwegian Data Protection Authority states the following on monitoring, and tracking / sound recordings: «In situations where sound recordings of meetings or teaching are made, the situation is different. Then the context in which the recording takes place and the consideration for those who are present and are recorded, could point in the direction that it is not a purely personal activity within the meaning of the law».
The institution should carry out an evaluation of this processing of personal data afterwards.
The lecturer must consider the need for recording the lecture. The lecturer must ask themselves whether it is necessary to record. Do the students who do not want to participate in the recording have other possibilities to participate? According to The Norwegian Data Protection Authority students cannot be forced to show a picture / join in on audio recordings either during compulsory or non-compulsory teaching. They should be able to join via chat or send questions by email, or the institution must have other solutions for anonymous participation.
Information shall be provided about the recording, purpose, legal basis, storage (where and for how long), who shall have access and whether the recording shall be shared. How long the recording can be stored will vary according to who and what is on the recording. The guideline and routine should address this matter.
The information should be posted on the students' information platform at the institution.
It should be stated that you must follow your own institution's regulations for recording audio and video.