Go to content

Newsletter: The coronavirus and data protection at the workplace

In this special situation that we are facing, and almost two years after the implementation of the General Data Protection Regulation (GDPR) in Norway, we have received many questions about the data protection of employees when sharing personal information within the company and to external recipients, such as customers, suppliers and health authorities.

Based on a number of guidelines, and in particular the Norwegian Data Protection Authority's guidance of March 10, 2020, we have gathered here the most important information regarding what you as an employer need to know about your employees' data protection in this particularly difficult situation. This newsletter is intended to give you specific advice based on our data protection experts' assessments.

You may collect, compile, and store ("process") personal information about your employees in order to fulfil your obligation as an employer to ensure a fully satisfactory working environment. This includes general personal information about the employee's private and business travels that have occurred since the outbreak of the coronavirus and will occur in the near future, as well as sensitive personal information limited to the employee's symptoms and / or contagion (health information).

More on that: we do mean that the most relevant legal basis for processing sensitive personal information such as health information is GDPR Article 9 (2) (b), which allows employers to process health information about their employees in order to fulfill their obligations to secure a "fully satisfactory working environment", cf. Section 4-1 of the Norwegian Working Environment Act.

You can record information about which employees are in quarantine and whether the employee is contagious or has a risk of being infected, if the employee is waiting to be tested / waiting for results.

More on that: be aware that the information that your employees have symptoms, are infected and / or are in quarantine due to the contagion is considered to be  health information and must be processed under more stringent requirements. However, the information that your employees are in quarantine without stating any reason, have traveled abroad or been in contact with a person who is infected, is not to be regarded as health information. Furthermore,  be aware that your employees must fulfill their duty to contribute to a safe working environment according to section 2-2 of the Norwegian Working Environment Act by notifying you as an employer of any symptoms, contagion and / or quarantine, where this can have consequences for the security of the working environment. This entitles you as an employer to encourage your employees to provide such information by themselves.

You may, in consultation with the concerned employees, share within the company information about their infection or risk of infection you are aware of, if this is limited to the employees who may need this information, such as employees who have been in close contact with infected or potentially infected persons. Sharing of information must in all cases, be kept to a minimum. 

You can share absence information about your employees to external parties (eg customers or suppliers), though limited to the very fact that they are working from home and can be contacted as usual, unless you and the concerned employee have agreed on something else. However, you cannot (without the consent of the concerned employee(s)) disclose information to external parties about the fact that your employees have symptoms, are infected and / or in quarantine.

You can ask visitors to share with you information about the fact that they have experienced symptoms when visiting your workplace.

More on that: The Norwegian Data Protection Authority has not concluded yet on this matter. The French and Italian Data Protection Authority have so far adopted a stricter approach, where the collection of visitor´s health information should not be allowed as a general rule. We do mean that as long as the employer can justify that the collection of such health information is necessary to prevent / limit the risk of infection within the company, for example, to protect the lives and health of their own employees in accordance with Section 4-1 of the Norwegian Working Environment Act, the employer will have a legal basis for collecting such information. In any case, we recommend that you, as an employer, remind potential visitors that, in case of symptoms, they should follow the health authorities' advice to stay at home.

You can share personal information, including health information, about your employees with health authorities at their request.

More on that: GDPR Article 9 (2) (i), cf. among others the Norwegian Infection Control Act, authorizes health authorities to require access to the health information that the employer have collected for the purpose of public health. 

You must provide your employees with information about how their personal information is processed in such a situation, who will access it,   length of the storage period, etc. We recommend that you, as an employer, provide your employees with a standard privacy policy that will be specifically describe the processing of your employees' personal information in situation of crisis such as this one. This privacy policy should be made available on the company's intranet or sendt to all employees by e-mail.

You can store health information about your employees as long as necessary, but probably no longer than 30 days.

More on that: The Norwegian Data Protection Authority has not concluded yet on the storage period of health information during this sanitary crisis. The health authorities believe that one can be a contagious for up to 14 days after being infected. Research has also shown that in some cases, a person may be contagious for up to 20 days after being infected. According to the WHO, the incubation period is 5 to 6 days, but this can range from 0 to 14 days. Based on these figures, we do mean that a reasonable retention period of health information about your employees will be a maximum of 30 days.

You cannot collect health information about your employees' relatives unless this is necessary to adapt and organize your manpower according to the situation.

More on that: It is currently unclear whether an employer can ask its employees to provide information about their family's health status. In France and Italy, the general rule is that this should not be allowed. In Norway, based on our assessment, an employer should still be able to access information about its employees in order to adapt and organize its manpower to the particular work situation they are facing. Where an employee must care at home for his/her infected relatives, we do mean that the employer has good reasons to process information about the health status of its employees´ infected relatives for the purpose of correct distribution of tasks during the corona crisis, in accordance with GDPR Article 9 (2) (b).

Please note that the advice in this newsletter may change depending on the development of the corona virus, governmental decisions and measures, as well as the Norwegian Data Protection Authority's updates. Everyone should keep oneself updated by following information from the Norwegian Institute of Public Health, the Government and the Norwegian Data Protection Authority. If you have questions about how your company should handle measures related to the spread of the coronavirus, contact our expert team:

Tommy Dahlen, Andreas Nordby, Florine Wettly and Andrea Tolo Alver.

If you have questions related to employment law issues, contact our employment law department. Inquiries can be sendt directly to Frode Martin Toftevåg