Coronavirus: Danish Data Protection Authority issues new statement on virus-tracking apps
As a result of the continuous risk of infection, several countries have already introduced or are in the process of developing apps with functions to track coronavirus. Since a similar app is expected in Denmark within the upcoming weeks, the Danish Data Protection Authority has just emphasized that although nothing in principle prevents the introduction of such a function, the new app will trigger difficult assessments with respect to the protection of the users’ privacy.
Several countries both in and outside the EU are currently developing apps with functions allowing for the tracking of individuals infected with coronavirus in an attempt to limit further spreading. In Norway, the voluntary “Smittestopp”-app has already been downloaded by more than one million users and in Denmark, a similar function is currently being developed. For this reason, the Danish Data Protection Authority has emphasized the fundamental requirements which data controllers must be aware of in this connection. Among other things, this is because the new app may provide detailed overview of the behaviour and health of users.
Just as in other scenarios where high risks may arise for the data subject, the data controller must first conduct an impact assessment and thoroughly incorporate data protection as part of the design. In addition, it’s important for data controllers to ensure:
- That the same measure could not have been achieved with less intrusive means
- That it’s voluntary for the user to install the app
- That it’s clear who has developed the app and how information is processed
- That processing is conducted safely and responsibly
- That the app provides for a temporary solution whereafter information is deleted
It remains unclear how the new tracking-function will work in practice, including whether the app provides for a centralized or decentralized solution.
While data controllers must be aware of the applicable rules in connection with processing of health information when developing new apps, IUNO recommends that companies are also aware of the obligations and risks which arise if testing for coronavirus is offered at the workplace. We have previously written about reopening the workplace here.
We are following the developments closely.
Read more about how we can assist your company with ensuring compliance under the applicable data protection rules here.
Several countries both in and outside the EU are currently developing apps with functions allowing for the tracking of individuals infected with coronavirus in an attempt to limit further spreading. In Norway, the voluntary “Smittestopp”-app has already been downloaded by more than one million users and in Denmark, a similar function is currently being developed. For this reason, the Danish Data Protection Authority has emphasized the fundamental requirements which data controllers must be aware of in this connection. Among other things, this is because the new app may provide detailed overview of the behaviour and health of users.
Just as in other scenarios where high risks may arise for the data subject, the data controller must first conduct an impact assessment and thoroughly incorporate data protection as part of the design. In addition, it’s important for data controllers to ensure:
- That the same measure could not have been achieved with less intrusive means
- That it’s voluntary for the user to install the app
- That it’s clear who has developed the app and how information is processed
- That processing is conducted safely and responsibly
- That the app provides for a temporary solution whereafter information is deleted
It remains unclear how the new tracking-function will work in practice, including whether the app provides for a centralized or decentralized solution.
While data controllers must be aware of the applicable rules in connection with processing of health information when developing new apps, IUNO recommends that companies are also aware of the obligations and risks which arise if testing for coronavirus is offered at the workplace. We have previously written about reopening the workplace here.
We are following the developments closely.
Read more about how we can assist your company with ensuring compliance under the applicable data protection rules here.
Similar
Expensive right of access requests
Seven commandments when closing the business e-mail account
Unfair design practices resulted in a 345 million euro fine
Accessible personnel files resulted in a data breach
Deadline to establish whistleblower schemes for medium-sized companies approaching
New guidance from the Danish Data Protection Agency on direct marketing