Coronavirus and data protection in the Nordics

The coronavirus outbreak poses a health risk to the management, employees and visitors at workplaces, and organisations should take the appropriate measures to counter this risk. Counter-measures often involve collecting and processing personal data to identify individuals who may be infected. This raises a number of questions in the context of the General Data Protection Regulation (GDPR) and national data-protection laws, notably, whether the information indicating that an individual may be infected is considered information about the individual’s health, i.e. “sensitive data”.

Denmark

In Denmark, processing of personal data is governed by the GDPR as well as the Danish Data Protection Act. Collection of health data regarding employees (and potential employees) is furthermore governed by the Act on the use of health data etc. on the labour market – which, however, is considered an employment law in Denmark.

The Danish Data Protection Agency (“Datatilsynet”) made a public announcement on 5 March 2020 regarding the coronavirus and data protection. The announcement addresses how employers may process their employees’ personal data regarding the coronavirus.

According to the announcement, the data controller in question must (naturally) comply with the general principles of the GDPR when processing personal data. The Danish Data Protection Agency furthermore states that very unspecific personal data will generally not qualify as personal data concerning health under the GDPR (sensitive data), hence an employer has ample access to collect and share such personal data, if necessary, in order to pursue legitimate interests. The Danish Data Protection Agency lists the following examples of such unspecific personal data:

1. whether an employee has visited an epidemiological risk area;
2. whether an employee is at home in self-isolation (without stating the reason); and
3. whether an employee is ill (without stating the reason).

Furthermore, the Danish Data Protection Agency states that – depending on the specific circumstances – an employer can collect and share personal data regarding the health of an employee (eg. that the employee has been infected with the coronavirus) if for example it becomes necessary to take the appropriate precautions. The Agency does not specify under which exception in Article 9(2) such sharing would take place.

However, the Danish Data Protection Agency does stress that collecting and sharing such information must have a legitimate purpose and should be limited to what is necessary to pursue the purpose. The Agency advises employers to carefully consider the following points before collecting and disclosing personal data concerning health:

1. whether there are compelling legitimate reasons to collect or disclose the information in question;
2. whether the purposes of the disclosure may be achieved by “saying less”; and
3. whether it is necessary to state names (eg. the name of the employee who is infected and/or at home in self-isolation).

Norway

The Norwegian Data Protection Authority has published a press release / guidance in relation to the outbreak of Corona ad data privacy. According to the Norwegian DPA:

• Information that an individual has COVID-19 is considered as a special category of personal data;
• Information that someone has returned from a risk area is not considered as a special category of personal data;
• Information that someone is put in self-isolation is not considered as a special category of personal data provided that the reason is not included.

The DPA further states that special restrictions apply to the processing of special categories of personal data. However, the DPA states that information that an employee has COVID-19 or is put in self-isolation may be disclosed to other employees in order to achieve a healthy working environment but not to third parties. Third parties should only be provided with information that an employee is absent / not at work, however, without stating the reasons thereof.

Sweden

The Swedish Data Inspection Board has published limited guidance on its website. In brief, the guidance says the following:

• Information that an individual has COVID-19 is considered as a special category of personal data;
• Information that someone has returned from a risk area is not considered as a special category of personal data;
• Information that someone is put in self-isolation is not considered as a special category of personal data provided that the reason is not included.

The DPA emphasizes that special restrictions apply to the processing of special categories of personal data but gives no further guidance.

Finland

The Office of the Data Protection Ombudsman, acting as the national data-protection supervisory authority in Finland, published a news release on 12 March 2020 regarding coronavirus and data protection. The news release focuses on providing guidance for employers on the processing of employee personal data in connection with measures to contain the spread of coronavirus.

Firstly, the Data Protection Ombudsman clarifies in its news release that personal data can be processed in order to prevent the spread of coronavirus. However, the Data Protection Ombudsman stresses that the processing must nevertheless be necessary and proportionate to its purpose. Furthermore, the Data Protection Ombudsman stresses that the rights of the data subjects must be fully adhered to when personal data is processed.

According to the Data Protection Ombudsman, the relevant legislation that employers need to consider when processing employee personal data in order to prevent the spread of coronavirus includes the GDPR, the Finnish Act on the Protection of Privacy in Working Life, the Finnish Communicable Diseases Act, and other Finnish occupational safety related legislation.

The Data Protection Ombudsman points out in the news release the type of personal data which it considers to be health data and therefore falls under the strict requirements for processing special categories of personal data, as set out in the GDPR.  In this regard, the Data Protection Ombudsman provides the following examples:

1. Information that an employee has been infected with coronavirus must be regarded as health data;
2. Information that an employee has returned from a risk area should not be considered as health data;
3. Information that an employee is put in self-isolation (without providing further information on the reasons) should not be considered as health data.

The Data Protection Ombudsman also mentions the preconditions for processing employee health data, as stipulated in the Finnish Act on the Protection of Privacy in Working Life, according to which employers must nominate the persons who are allowed to process employee health data within an organisation or at least specify the tasks that may involve such processing in an organisation. Finally, the Data Protection Ombudsman states that an employer should never name or list a specific employee who has been infected with the coronavirus; an employer should rather inform about the spread of the virus on a general level in the organisation in question.