On March 10, 2020, the Norwegian Supervisory Authority (“Datatilsynet”) issued guidance on the processing of personal data in the context of the corona virus (“COVID-19”) crisis (see here, in Norwegian).
Datatilsynet stressed that the GDPR allows the processing of special categories of data (e.g., health data) if the processing is necessary for the purposes of carrying out obligations and exercising specific rights in the field of employment. In this context, Datatilsynet took the view that:
- Information on whether someone is infected by COVID-19 qualifies as health data;
- Information on whether an individual has returned from a “risk area” does not qualify as health data;
- Information on whether an individual has been quarantined (without mentioning the specific reason) is indeed personal data, but does not qualify as health data.
Datatylsinet also warns that Norwegian labor and health laws provide for specific restrictions on the information that employers may process or ask of their employees. However, it stated that an employer may disclose within its organization that an employee has been infected by the virus or quarantined, if this is necessary to ensure a safe working environment and is done in accordance with “common sense”. In other words, the agency appear to adopt a reasonable person standard, where proportionate and necessary disclosures will be permitted. Conversely, Datatylsinet stressed that information on whether an employee has been infected or quarantined should normally not be disclosed outside his/her organization.
As we have reported previously, other European supervisory authorities have issued related guidance over the course of the last few weeks (see our previous blogs here, here, and here). However, such different guidance documents are not always aligned, which might call for the intervention of the European Data Protection Board (“EDPB”) at some point. Moreover, in the event that the spread of the virus accelerates, as is feared, it is possible that regulators will revisit their guidance and accept more aggressive efforts by employers to collect and share information in an effort to halt the spread and protect their workforce. Covington will continue to closely monitor developments in this area.