Data Protection in Denmark during Covid-19

In Denmark health information generally enjoys strong protection both from a public and private perspective. The spread of COVID-19 has caused this protection to be temporarily weakened. Not long after the first citizens of Denmark were infected by COVID-19, the Danish parliament introduced a new law that forced physical and legal persons to provide otherwise protected and private data to public health authorities and the police upon request. The order is no longer in force but has been replaced as of 17th April 2020 by a less far reaching order that permits public and private employers to share their employees’ identity number in order for Serum Institute of Denmark to offer them a COVID-19 test.

Danish citizens are also protected by the rules laid down in the General Data Protection Regulation (“GDPR”). Furthermore, it is assessed by The Danish Data Protection Agency that private employers can within the boundaries of GDPR register information about their employees in relation to COVID-19 as long as this information cannot be classified as health information as defined by GDPR. The following information can be collected and passed on to public authorities; (i) an employee has returned from an area of risk, (ii) an employee is in quarantined and (iii) an employee is sick. 

The Danish public health authorities in cooperation with Netcompany are developing an app in order to prevent further spread expected to be released in May 2020. The app will trace the connection to other users by Bluetooth and thus be able to trace chains of infection and evaluate the risk of infection for the individual. In more concrete terms the app will count how many other users you have been near – that is within two meters distance in more than 15 minutes. The Serum Institute of Denmark will also be able to access the data in order to further evaluate in detail if the social distancing is being complied with. Of course, it is optional if the citizen wants to use the app. 

In connection with the development of the app, the Danish Data Protection Agency has expressed the concern that the upcoming app is potentially intrusive in the citizens’ privacy, as an app to be used for detection of infections can provide a detailed overview of the citizens' behavior and possibly their health. Therefore, once the app is launched, the Danish Data Protection Agency will focus on verifying that technical solutions in the app have the necessary security and that all data attributable to a given citizen will also be deleted as soon as the extraordinary purpose ceases.

Center for Cyber Security in Denmark assess the level of risk of hacking as very high, due to many employees working from home. Many employees working from home give hackers very favorable conditions for tricks such as phishing and many may use services unfit for storing data safely. Public authorities’ and businesses’ systems are under pressure because of altered use, whilst the availability of them remain even more vital. This combination can lead to a weakening of normal safety procedures.

Therefore, if the employee works from home, it is recommended by the Danish Data Protection Agency that companies, be sure to establish and announce some clear guidelines for working from home. Furthermore, employees should use the designated secure access to professional systems (VPN, direct connection or other secure services). Whenever possible, employees should use the company’s management system in place, including access control, document versioning, backup and general security in regard to handling company files.