On March 10, 2020, the Norwegian Supervisory Authority (“Datatilsynet”) issued guidance on the processing of personal data in the context of the corona virus (“COVID-19”) crisis (see here, in Norwegian).

Datatilsynet stressed that the GDPR allows the processing of special categories of data (e.g., health data) if the processing is necessary for the purposes of carrying out obligations and exercising specific rights in the field of employment.  In this context, Datatilsynet took the view that:

  • Information on whether someone is infected by COVID-19 qualifies as health data;
  • Information on whether an individual has returned from a “risk area” does not qualify as health data;
  • Information on whether an individual has been quarantined (without mentioning the specific reason) is indeed personal data, but does not qualify as health data.

Datatylsinet also warns that Norwegian labor and health laws provide for specific restrictions on the information that employers may process or ask of their employees.  However, it stated that an employer may disclose within its organization that an employee has been infected by the virus or quarantined, if this is necessary to ensure a safe working environment and is done in accordance with “common sense”.  In other words, the agency appear to adopt a reasonable person standard, where proportionate and necessary disclosures will be permitted.  Conversely, Datatylsinet stressed that information on whether an employee has been infected or quarantined should normally not be disclosed outside his/her organization.

As we have reported previously, other European supervisory authorities have issued related guidance over the course of the last few weeks (see our previous blogs here, here, and here).  However, such different guidance documents are not always aligned, which might call for the intervention of the European Data Protection Board (“EDPB”) at some point.  Moreover, in the event that the spread of the virus accelerates, as is feared, it is possible that regulators will revisit their guidance and accept more aggressive efforts by employers to collect and share information in an effort to halt the spread and protect their workforce.  Covington will continue to closely monitor developments in this area.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Dan Cooper Dan Cooper

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing…

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing clients in regulatory proceedings before privacy authorities in Europe and counseling them on their global compliance and government affairs strategies. Dan regularly lectures on the topic, and was instrumental in drafting the privacy standards applied in professional sport.

According to Chambers UK, his “level of expertise is second to none, but it’s also equally paired with a keen understanding of our business and direction.” It was noted that “he is very good at calibrating and helping to gauge risk.”

Dan is qualified to practice law in the United States, the United Kingdom, Ireland and Belgium. He has also been appointed to the advisory and expert boards of privacy NGOs and agencies, such as the IAPP’s European Advisory Board, Privacy International and the European security agency, ENISA.