Persónuvernd (Iceland) - 2020061954

From GDPRhub
Authority: Persónuvernd (Iceland)
Jurisdiction: Iceland
Relevant Law: Article 14(1) GDPR
Article 28(3) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 23.11.2021
Published:
Fine: None
Parties: Chief Epidemiologist of the Office of the Medical Director of Health
Icelandic Genetics
Íslensk erfðagreiningar ehf
Landspítali
National Case Number/Name: 2020061954
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Icelandic
Original Source: Persónuvernd (in IS)
Initial Contributor: n/a

The Icelandic DPA ordered the Chief Epidemiologist to enter into a new processing agreement with a processor used for SARS-CoV-2 screening and antibody testing.

English Summary

Facts

Upon learning that the Chief Epidemiologist had outsourced screening for the SARS-CoV-2 virus as well as antibody testing to a hospital and a genetic research company, the Icelandic DPA initiated an investigation into the lawfulness of the processing.

Holding

The Icelandic DPA first highlighted that, in connection with the virus screening and antibody testing, the Chief Epidemiologist acted as a controller in accordance with the Icelandic Epidemiology Act. The Icelandic DPA further found that Landspítali (the Hospital) was only processing personal data on behalf of the Chief Epidemiologist, and was thus acting as a processor, while the company Icelandic Genetics was acting as a sub-processor of the personal data.

The Icelandic DPA held that the processing of personal data for SARS-CoV-2 screening and testing by the Chief Epidemiologist and the Hospital was overall compliant with data protection law. However, the Icelandic DPA found that the data processing agreement between the Chief Epidemiologist and the Hospital was incomplete with regard to several requirements set in Article 28(3) GDPR, notably points b, c, e, f, g and h. For example, the processing agreement did not contain any information on the deletion or return of personal data (Article 28(3)(g) GDPR). In addition, the processing agreement referenced outdated data protection legislation. The DPA therefore ordered the Chief Epidemiologist to enter into a new data processing agreement with the Hospital which would comply with all the requirements of Article 28(3) GDPR.

Furthermore, the Icelandic DPA held that the data subjects should have received more information on the purpose of the processing by Icelandic Genetics pursuant to Article 14(1) GDPR. In particular, it was unclear whether the screening and testing only served as a measure for disease control or whether it could also be used for scientific research. The Icelandic DPA therefore concluded that Icelandic Genetics should better inform the concerned data subjects about the purposes of the processing.

The Icelandic DPA did not impose any fine on the parties, but required them to confirm that the DPA's instructions had been complied with, and to provide the DPA with a copy of the new data processing agreement no later than 10 January 2022.


English Machine Translation of the Decision

The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details.


Processing of personal information in connection with screening for the SARS-CoV-2 virus and antibodies to it
Case no. 2020061954

11/29/2021

      The Data Protection Authority has completed its own initiative study on the processing of personal data in connection with screening for the SARS-CoV-2 virus and antibodies to it. The conclusion of the examination was that the provisions of the data protection legislation had been complied with in principle, including provisions on the obligation to provide education. However, the public should have been provided with better information on the purpose of the screening. Furthermore, the processing agreement between the Epidemiologist and Landspítali was not considered to be in full compliance with current legislation, and the Epidemiologist was therefore instructed to enter into a satisfactory processing agreement with Landspítali.
The investigation began following a news broadcast in March 2020 that a decision had been made to outsource screening in Iceland for the SARS-CoV-2 virus, which causes the COVID-19 disease, from the epidemiologist to the genetic research company Íslensk erfðagreiningar ehf., in collaboration with the Department of Pathology and Virology at Landspítali. The Data Protection Authority subsequently initiated an own-initiative examination of whether this processing was in accordance with Act no. 90/2018 on personal protection and processing of personal information. The main reason for the Data Protection Authority's investigation was that during the screening, health data was collected about the individuals who were screened, and that in the beginning it was not intended that the data would be used in a scientific study carried out by Icelandic Genetics. The company had stated unequivocally in the media that the approach to screening did not involve a scientific study, but shortly afterwards applied for permission from the Science Ethics Committee to carry out such a study.
The decision of the Data Protection Authority concludes that the Chief Epidemiologist is responsible for the processing of personal data in connection with the screenings in question and that the provisions of the Data Protection Act have generally been complied with. The decision does not comment on the training provided to the data subject for the screening, referring to the exceptions to the Privacy Act from the right to education in the public interest and public health, as well as the fact that during the screening all samples were deleted and information was not recorded elsewhere than in the statutory infectious disease register of the epidemiologist and the medical records of the individuals concerned. On the other hand, it was concluded that on the basis of the general transparency requirement of the law, the epidemiologist should have taken better care to inform the public that screening for antibodies at Icelandic Genetics was only a factor in infection control and not the company's scientific research.
The processing in question was subject to two processing agreements, on the one hand between the Chief Epidemiologist and Landspítali and on the other hand between Landspítali and Íslensk erfðagreining. The decision refers, among other things, to the fact that the current data protection legislation makes much more detailed requirements for the content of processing agreements than the legislation that was in force when the aforementioned agreement was made. As it did not fully comply with the provisions of current legislation, it was proposed that the Chief Epidemiologist enter into a satisfactory processing agreement with Landspítali.

    

    
    
Decision
On 23 November 2021, the Data Protection Authority made the following decision in case no. 2020061954:
I. Proceedings
1. Beginning of a case
Following a news broadcast in March 2020 that a decision had been made to outsource screening in Iceland for the SARS-CoV-2 virus, which causes the COVID-19 disease, from the epidemiologist to the genetic research company Íslensk erfðagreiningar ehf., the Data Protection Authority decided to initiate an investigation into whether this processing was in accordance with Act no. 90/2018 on personal protection and processing of personal information. According to the website of the Office of the Medical Director of Health and the Civil Protection Department of the National Commissioner of Police, Covid.is, the Chief Epidemiologist offered screening for the virus to the public, in collaboration with Icelandic Genetics and the Department of Pathology and Virology at Landspítali. The main reason for the Data Protection Authority's investigation was that during the screening, health data was collected about the individuals who were screened, and that in the beginning it was not intended that the data would be used in a scientific study carried out by Icelandic Genetics. Later, other issues related to screening and antibody testing for the SARS-CoV-2 virus were added, as will be discussed here.
By letter dated 16 September 2020, the Data Protection Authority announced to the Office of the Medical Director of Health that it had decided to investigate further the processing of personal data that the screening in question entailed, in addition to requesting certain explanations, as outlined in Chapter 3 below, in connection with the office's answers.
2. More on the background to the case
i. Screening for the SARS-CoV-2 virus
One week before the screening of Icelandic Genetics began, on Saturday 7 March 2020, the company announced by e-mail to the Data Protection Authority its intention to screen for the SARS-CoV-19 virus. Icelandic Genetics then declared that the project did not involve scientific research but only clinical work. This assessment of Icelandic Genetics was agreed to in a joint statement by the Science Ethics Committee and the Data Protection Authority on Sunday 8 March 2020. Twelve days later and one week after the screening began, i.e. on March 20, 2020, Icelandic Genetics applied for permission from the Scientific Ethics Committee for the study Epidemiology of the SARS-CoV-2 virus and the effects of genetics and underlying diseases on the COVID-19 disease it causes.
The application to the Science Ethics Committee stated that [...], the director of Icelandic Genetics, would be responsible for the study and that the co-investigators would be [...] the Chief Epidemiologist, [...] the Medical Director of Health, [...], the Chief Physician of Landspítali's Infectious Diseases, and [ ...], chief physician of the Department of Pathology and Virology at Landspítali. [...] would be the responsible doctor of the study. The research would be carried out in collaboration between Icelandic Genetics, the Epidemiologist, the Office of the Medical Director of Health and Landspítali and would be funded by Icelandic Genetics.
According to the application, the study was to be both a data study and a human study. Icelandic Genetics intended to obtain the consent of individuals who had been screened, from whom biological samples would be obtained for genetic research and who had not already provided the company with biological samples for research on its behalf with extensive consent.
According to the application, the data that the researchers intended to use were available information from the Epidemiologist on sample numbers and results of measurements of the virus for all who had undergone sampling at Landspítali's Department of Microbiology and Virology and in the Icelandic Genetics screening campaign. It was also planned to use in the study answers to questions that, at the request of the epidemiologist, had been asked of those who had undergone sampling for the diagnosis of the virus in the screening campaign of Icelandic Genetics. The researchers also planned to examine the medical records of those who had been diagnosed with the virus in order to gather information on the severity of infections caused by the virus, the progression of the disease, the underlying diseases, treatment and fate.
The application states that, to begin with, the study will only be based on available data. No other data will be collected at this time. If necessary, a permit would be applied for separately. It states that data will be collected regularly during the epidemic and after it is largely completed.
In connection with the application, the Epidemiologist signed a letter to [...], the director of Icelandic Genetics, in which he confirmed his willingness to provide access to the data in question. that the Science Ethics Committee accept the application for substantive processing, as the research could take place within the framework of Act no. 44/2014 on scientific research in the field of health.

ii. Antibody testing
In mid-April 2020, Icelandic Genetics began testing for antibodies in individuals in Iceland, i.e. to detect antibodies to the SARS-CoV-2 virus. A news item published on the website of the Office of the Medical Director of Health on 12 May 2020 stated that the collection of blood samples had begun so that the epidemiologist could assess the spread of antibodies against the SARS-CoV-2 virus in Icelandic society. The measurements involved the collection of blood samples from individuals who came for blood tests for other reasons. It was not stated that the blood samples would be sent to Icelandic Genetics. The same article said that Landspítali's Department of Pathology and Virology had begun to receive blood samples and measure antibodies against the virus in individuals who thought they had had COVID-19. A news item published the next day on the website of the Capital Area Health Service said that blood samples had been collected for antibody tests in individuals who underwent a blood test for other reasons and that samples would be examined at Icelandic Genetics.

A news item published on the website of the Office of the Medical Director of Health on 9 July 2020 stated that the results of antibody tests against the SARS-CoV-2 virus were available, which Icelandic Genetics had carried out on behalf of the Chief Epidemiologist from 3 April to 20 June 2020. The measurements had reached more than 30 thousand individuals who had sought health care for reasons other than COVID-19 and had been offered blood donations for antibody testing. Blood transfusions would have been required to obtain individual approval for antibody testing. No informed or written consent had been sought. Icelandic Genetics had measured the antibodies on behalf of the epidemiologist under the auspices of epidemiological measures. Individuals who had been tested for antibodies could subsequently be invited to take part in a follow-up study, which would then be a formal scientific study. No informed or written consent had been sought and the blood samples had only been examined for COVID-19 antibodies.

iii. Border screening
As of 15 June 2020, passengers who came to Iceland were invited to go for sampling for COVID-19 rather than to go into a 14-day quarantine, cf. Regulation no. 580/2020 on quarantine, isolation and sampling at the Icelandic border due to COVID-19. Sampling was offered for arriving passengers at Keflavík Airport and other airports and ports. The SARS-CoV-2 virus was screened for and treated with antibodies. The samples were initially sent for examination at Icelandic Genetics but later sent to the Department of Pathology and Virology at Landspítali. A few days before the screening began at the border, the Office of the Medical Director of Health consulted with the Data Protection Authority and sent the agency an assessment of the impact on privacy protection due to the implementation. The Data Protection Authority provided advice to the office by letter dated June 14, 2020.


iv. Screening to detect the spread of COVID-19
A news item published on the website of the Office of the Medical Director of Health on 31 July 2020 stated that Íslensk erfðagreining is now again screening individuals for the SARS-CoV-2 virus in collaboration with the Epidemiologist to investigate the spread of the virus in Iceland so that the need for further action. It would also be possible to trace the origin of the infection. The screening would be based on a sample and three groups would be invited:



Individuals in quarantine due to contact with individuals who have recently been diagnosed with the virus.
Individuals who connected with individuals in isolation in any way that would have been deemed not to need to quarantine.
Random sampling in the areas where infections have occurred recently.

According to the Data Protection Authority, the above-mentioned individuals, either all or certain groups, were not informed when they received an invitation to participate by text message which group of these three they belonged to or what information otherwise formed the basis of the invitation.

It was therefore the Agency's assessment, with reference to all of the above, that there was such uncertainty about the use of the data in question that there was reason to initiate an examination of the screening arrangements. In a letter from the Data Protection Authority to the Office of the Medical Director of Health, dated 16 September 2020, information was therefore requested regarding responsible parties, processors and processing agreements on the one hand and transparency and education on the other.
3. Notes from the Office of the Medical Director of Health
The Data Protection Authority received the explanations of the Office of the Medical Director of Health by letter on 26 October 2020. The letter is signed by [...] the Chief Epidemiologist, [...] the Medical Director of Health and [...] the Privacy Officer. It states that in March 2020, when the COVID-19 epidemic was booming in Iceland, it soon became clear that the diagnostic capacity of Landspítali's Department of Pathology and Virology for the SARS-CoV-2 virus was so small that it could inhibit official disease control measures as they were defined in the Epidemiological Control Act. It is noted that Íslensk erfðagreining has offered to assist the epidemiologist and the Department of Virology regarding diagnosis of patients, sequencing of the virus and screening in the community.

According to the processing agreement between the Chief Epidemiologist and Landspítali from 2015, on registration and processing of information on notifiable diseases and pathogens, Landspítali's laboratories in bacteriology and virology must conduct screening for infectious diseases that are important for the public good according to further instructions from the Epidemiologist. According to the same agreement, laboratories are allowed to work with other parties, i.e. third parties, outside Landspítali for the collection and processing of personal information due to notifiable diseases. COVID-19 is a notifiable disease and in accordance with the provisions of the processing agreement, Landspítali has entered into an agreement with Íslenska erfðagreining on the processing and collection of personal information for the analysis of COVID-19.
The office's letter states that all negative samples were removed when the result was available. Positive samples have been sequenced, i.e. the genetic material of the virus itself, after which they were also destroyed. It is emphasized that the genetic material of the individuals who were screened has not been sequenced.
It is the opinion of the Chief Epidemiologist and the Medical Director of Health that the diagnosis of patients with a PCR test and the sequencing of the virus was a key factor in the official epidemiological measures against COVID-19. Sequencing would not have been possible without the involvement of Icelandic Genetics, but the company would have been the only one in Iceland that could have carried out such a study. Diagnosis and screening would have been less extensive and in fact unsatisfactory without the involvement of the company, which also played a key role when the equipment of Landspítali's pathology and virology department failed.
In addition to measurements of the virus, Íslensk erfðagreining has, in accordance with a processing agreement, measured the prevalence of antibodies against SARS-CoV-2 in the Icelandic population at the request of the epidemiologist. The result was important for the epidemiologist's assessment of the spread of the virus in Iceland. No other organization or company has been able to carry out such extensive antibody testing.
With regard to scientific research, it is noted that according to Art. Act on the Medical Director of Health and Public Health no. 41/2007, it is one of the main roles of the Medical Director of Health to be responsible for the implementation of disease control, cf. Epidemiology Act. It states that the Director General of Health should fulfill this obligation by hiring a powerful epidemiologist for the office and by supporting his work and the Department of Epidemiology. Reference is also made to other roles of the Medical Director of Health mentioned in Article 4 of the Act, such as evaluating the results of public health work and promoting research in the areas of work of the office. Participation in scientific work related to epidemiological material and shedding light on the natural course of the new pandemic SARS-CoV-2 virus is therefore compatible with the work of the Medical Director of Health and the Chief Epidemiologist.
It is stated at the end of the letter that without the involvement of Icelandic Genetics, the public response to the epidemic would have been less effective with unforeseen health consequences for the public in Iceland. It states that all the processing of personal information that has taken place has resulted from the statutory role of the epidemiologist according to the Epidemiology Act in order to curb the spread of the pandemic.
With regard to individual questions from the Data Protection Authority, the answers of the Office of the Medical Director of Health are as follows:

i. Responsible party, processor and processing agreements

1. "What is the assessment of the Office of the Medical Director of Health as to whether the office or the Epidemiologist is considered to be responsible for the processing of personal information that falls under the Epidemiological Measures, cf. point 6 of Article 3 of Act no. 90/2018 and point 7 of Article 4 of Regulation (EU) 2016/679, cf. also the first and second paragraphs of Article 4 of the Epidemiology Act no. 19/1997?"

The reply from the Office of the Medical Director of Health states that SARS diseases, to which COVID-19 belongs, are considered notifiable diseases, cf. Article 5 of Regulation no. 221/2012 on the preparation of reports for epidemic prevention, and therefore the parties who diagnose such a disease must notify the epidemiologist together with the information mentioned in Article 6 of the Regulation. The Chief Epidemiologist shall keep a register of infectious diseases in accordance with point 1 of Article 5 of the Epidemiology Act no. 19/1997. Its purpose is to obtain accurate information on the diagnosis of infectious diseases from laboratories, hospitals and doctors. Its purpose is also to support disease control work and epidemiological research, cf. Article 3. According to the first paragraph of Article 4 of the Epidemiology Act no. 19/1997, the Office of the Medical Director of Health is responsible for the implementation of disease control and according to para. the same articles of the Act, the office shall be staffed by an epidemiologist who is responsible for infection control. The Chief Epidemiologist therefore works at the office of the Medical Director of Health and is responsible for all the information that is processed in connection with his work, cf. point 6 of Article 3 of Act no. 90/2018 and point 7 of Article 4 of Regulation (EU) 2016/679.

2. "What is the assessment of the Office of the Medical Director of Health on what data is the responsibility of the Chief Epidemiologist in connection with epidemiological measures, cf. paragraph 2 of Article 27 of Act no. 44/2014, and what control does he have over that data? Is the epidemiologist considered, e.g., responsible for the medical records of those who have been diagnosed with the SARS-CoV-2 virus?"
The reply from the Office of the Medical Director of Health states that the Chief Epidemiologist is responsible for the data prepared in connection with epidemiological measures, including data obtained by sampling for COVID-19. The data received by the epidemiologist, e.g. for screening and antibody testing, are under his control.
The Chief Epidemiologist is not responsible for the medical records of those who have been diagnosed with the SARS-CoV-2 virus. The party responsible for medical records is the health institution or office of health professionals where medical records are entered, cf. point 12 of Article 3 of Act no. 55/2009 on medical records. As mentioned in the answer to question 1, on the other hand, the parties who diagnose a notifiable disease must communicate certain information to the epidemiologist and that information is registered in the infectious disease register.
3. "What is the assessment of the Office of the Medical Director of Health as to who is considered to be responsible for the processing of personal information that has taken place in connection with the screening in question of Icelandic Genetics […], i.e. who decided the purpose and methods of the processing and what processing exactly took place? For example, who decided at the beginning of the screening of Icelandic Genetics, before applying for a permit for the above-mentioned scientific research, that viral RNA should be sequenced from the throat / nasopharynx?"
The reply from the Office of the Medical Director of Health states that the Chief Epidemiologist is considered responsible for the processing that has taken place in connection with the screening of Icelandic Genetics and that he has decided on the scope and organization of screening in collaboration with Landspítali and the Office of the Medical Director of Health. It has been decided to sequence the RNA of the SARS-CoV-2 virus from the pharynx / nasopharynx to facilitate tracing of transmission and other disease control measures.
Under normal circumstances, Landspítali would have taken care of such work on behalf of the epidemiologist according to the aforementioned processing agreement. Due to the enormous scope of the measures that had to be taken, however, it was deemed necessary to seek assistance and a processing agreement had been made between Landspítali and Íslensk erfðagreiningar in this regard. Icelandic Genetics is therefore in fact a sub-processor.
4. "What is the assessment of the Office of the Medical Director of Health as to whether Icelandic Genetics is considered to be responsible for the processing of personal information that has taken place in connection with the screening in question, in collaboration with the Office of the Medical Director of Health or the Chief Epidemiologist, or processor, cf. point 7 of Article 3 of Act no. 90/2018 and point 8 of Article 4 of the Regulation?"
In the answer of the Office of the Medical Director of Health, reference is made to what is stated in the answer to question 3, i.e. that an agreement is in force between the epidemiologist and Landspítali on the necessary diagnoses of infectious diseases. A processing agreement between them is also valid. When Icelandic Genetics was contacted, Landspítali entered into a processing agreement with the company for the services provided by the company. The Chief Epidemiologist is therefore responsible for the processing of the data collected in the infectious disease register of the Epidemiologist, while Íslensk erfðagreining is the processor.
5. "Were processing agreements made with Icelandic Genetics for the processing of personal information in connection with the screening in question, cf. paragraph 3 of Article 25 of Act no. 90/2018 and the third paragraph of Article 28 of the Regulation? If this has been done, a copy of those agreements is requested."
The response from the Office of the Medical Director of Health states that the Chief Epidemiologist has not entered into a processing agreement with Icelandic Genetics. An agreement is in force between the epidemiologist and Landspítali on screening for infectious diseases. On the basis of that agreement, Landspítali and Íslensk erfðagreining have entered into a processing agreement.

ii. Transparency and education
1. "How has the processing of personal information, which is the responsibility of the Office of the Medical Director of Health or, as the case may be, the Epidemiologist, cf. Point 6 of Article 3 Act no. 90/2018 and item 7 of Article 4. Regulation (EU) 2016/679, fulfilled the fairness and transparency requirements of the Personal Data Protection Act, in connection with the screening of Icelandic Genetics for:


a. SARS-CoV-2 virus in individuals in Iceland. "
The response from the Office of the Medical Director of Health states that during the screening for the virus at the beginning of the epidemic, those who requested it were invited to register for sampling at Icelandic Genetics. It had therefore been clear to them from the beginning that Icelandic Genetics would be involved in this project. There has also been a great deal of media coverage of sampling in general and the public has been encouraged to attend sampling, whether at health care centers due to symptoms or at general screening at Icelandic Genetics. The purpose of this process, and the need for it, should have been clear to all those who attended. Only the necessary information has been collected, i.e. demographic information about the person and the result of the sampling. Samples were not used for anything else and they were destroyed after analysis. During the sampling, the consent of those who went to it was also requested before participating in a scientific study on behalf of the company, when that study had started with the required permits.


b. "[Screening for] antibodies to the SARS-CoV-2 virus in individuals in Iceland."
The Office of the Medical Director of Health's response states that a letter was sent to health service providers requesting blood tests and requesting that they obtain patients' consent for an additional blood sample to be taken to check for the presence of antibodies to COVID-19. It has been considered an important factor in getting a true picture of the actual number of those who had been infected with the disease. Those who gave permission for it therefore knew for what purpose the sample should be used. Many other nations have conducted such sero-prevalence studies.


c. "[Screening for] SARS-CoV-2 virus and antibodies against it at the border."
The reply of the Office of the Medical Director of Health refers to the fact that border screening is based on Regulation no. 580/2020 on quarantine, isolation and sampling at the Icelandic border due to COVID-19. In addition, it states that those passengers who have undergone such sampling have made an informed decision to do so instead of being subject to quarantine for 14 days. A special registration form has been made available on the website to passengers on their way to Iceland 2-3 days before the scheduled flight. Paragraph 7 of Article 4 of the Regulation specifically stipulates that biological samples shall only be examined with regard to the SARS-CoV-2 virus and that they should be deleted after diagnosis. The response from the Office of the Medical Director of Health states that if the sample turned out to be positive, antibodies were measured to check whether it was an active infection. The interests of the data subject were great because those who were found to have antibodies did not have to be isolated, as infected individuals have to be. The sampling was arranged in such a way that the laboratories that analyzed the samples, i.e. the Department of Pathology and Virology at Landspítali and Íslensk erfðagreining, received samples marked only with a bar code, and the information was linked to the relevant registered individual in the epidemiologist's database. The parties involved in the analysis therefore did not know which individuals the samples belonged to.


2. "What instruction has been given and how, regarding items a-c above?"
The Office of the Medical Director of Health's reply states that no special training was provided on the processing of personal information discussed in item a above, other than what is stated in the office's general privacy policy and those of the relevant health centers, which include, among other things, a discussion of the rights of data subjects. This is in line with what is generally accepted regarding information on the processing of personal data in the health service in connection with the provision of such a service. It has not been specifically stated that Íslensk erfðagreining is involved in the processing of information, as it is generally not customary in data protection policies or in information to data subjects to identify processors or sub-processors.

Individuals were also able to register for sampling on a website run by Icelandic Genetics. It was therefore certainly clear to them that the company would be involved in that implementation, in addition to which there had been a lot of discussion about that screening in the news and at civil defense information meetings. Icelandic Genetics has also requested approval for the acquisition of biological samples for genetic research.
Regarding antibody testing, according to point b above, the consent of those who came for blood sampling was requested, but no special training was given regarding the antibody measurement.
During border screening, according to point c, those who registered for sampling received instruction on the processing of personal data during the registration process. There was a link to further information on the processing of personal information on Covid.is, where in addition there is a privacy policy for border control measures.

3. "Was there any change in education for individuals in Iceland after Icelandic Genetics received permission from the Scientific Ethics Committee for the scientific study 'The epidemiology of the SARS-CoV-19 virus and the effects of genetics and underlying diseases on the COVID-19 disease it causes', and subsequently for additions to it?"
The reply from the Office of the Medical Director of Health states that there has been no change in education when obtaining consent after permission has been granted for the study of Icelandic Genetics.

4. "Was there any change in education for individuals in Iceland after the above-mentioned study began to be used in the development and production of Amgen drugs for COVID-19 disease?"
The response from the Office of the Medical Director of Health states that the Chief Epidemiologist and the Medical Director of Health are not aware that the above-mentioned research is being used in the development and production of Amgen drugs for COVID-19 disease.
However, it should be noted in this context that in response to the current epidemic, researchers, pharmaceutical companies, healthcare professionals and others involved in responding to COVID-19 have shared information about their findings in an unprecedented way. This is indicative of the severity of the epidemic and the enormous public interest in improving the quality of diagnostic methods, treatment and disease control, and in the rapid development of a vaccine that is both safe and provides lasting protection against the SARS-CoV-2 virus that causes COVID-19 disease. Icelandic Genetics has published several scientific articles based on its research and findings in screening, antibody testing and sequencing, which are available in scientific journals.

5. "Why were individuals who came to the doctor for blood sampling for reasons other than COVID-19 and were asked to give an extra vial for antibody testing not asked for informed and written consent? What education did these individuals receive in general and regarding the fact that they may be invited to take part in a follow-up study that would be a formal scientific study? Were or will the blood samples or results from a study of them be used in scientific research in the field of health?"
The reply from the Office of the Medical Director of Health states that in general no written consent is requested for the processing of personal information within the health service. Individuals, however, have been informed of the purpose of taking extra blood samples. This was not a case of collecting data for a scientific study, but for infection control measures due to COVID-19, i.e. in order for the epidemiological authorities to get a better picture of the actual number of those who had contracted the disease.


6. "What education has been provided, and how, to those individuals who have been offered screening at Icelandic Genetics, e.g. to examine the spread of the virus in this country […], including regarding what information has been the basis for their participation?"
The Office of the Medical Director of Health's response states that when the second wave of the epidemic began at the end of July / beginning of August 2020, screening for the SARS-CoV-2 virus was carried out in three ways to examine how much it had spread in the community.



It was decided to offer those who were in quarantine a screening so that they could quickly assess the spread of the virus. This data has since proved to be important in being able to shorten the quarantine from 14 days to seven with great benefits for individuals and society. It was not specifically stated in the announcement by text message that this screening was due to the person in question being quarantined, but presumably people were aware of this after calls to the tracking team.
It has been decided to offer random screening in the capital area and in Akranes to examine the social spread. Few have been diagnosed and such screening has been discontinued. In a text message sent to those who were invited to such a screening, it was stated that the participants had been selected at random.
Instead of random screening, it has therefore been decided to offer screening based on cases, e.g. in the workplace. The infection control team has decided who should be offered screening. This has proved to be an important step in tackling the second wave. It was not specifically stated in the announcement what the reason for the screening was. Íslensk erfðagreining has also offered screening at certain workplaces and in schools in collaboration with them, but this has not been in collaboration with the epidemiologist. The results were nevertheless returned to him, as it was a notifiable disease.

4. Further explanations from the Office of the Medical Director of Health
By letter to the Office of the Medical Director of Health, dated November 3, 2021, the Data Protection Authority requested further explanations. The Authority subsequently received a letter from the office, dated the 15th of the same month, in which the following answers are given to individual questions of the Data Protection Authority.


1. "What personal information was recorded in connection with the blood sample examination, where was it recorded and by whom?"
The Office of the Medical Director of Health's response states that those who took care of sampling returned samples marked with an ID number. In addition, Icelandic Genetics sent a locked Excel document, with the password sent by e-mail in a separate document. ÍE's employees entered information into a special system that managed this processing. Samples were assigned a random number and the subsequent analysis of the sample in the ÍE laboratory was performed under that number. The results were communicated to the epidemiologist, where the random number was decoded and the results were communicated to the individual in question through Heilsuvera.

Personal information was therefore processed by the parties in charge of sampling and by an ÍE employee who entered information into a system where samples were given random numbers. In this way, it was ensured that those who worked on the analysis did not know which individuals they belonged to.

"Was a processing agreement made with Icelandic Genetics for measurements of antibodies in extra blood samples taken elsewhere than at Landspítali?"
The Office of the Medical Director of Health's response states that no special processing agreement has been made with ÍE for measurements of antibodies in extra blood samples taken elsewhere than at Landspítali. This was an important analysis of the status of the epidemic, which could have provided information that could be useful in the decisions of the epidemiological authorities in the coming weeks and months, with the aim of proposing the measures that would involve the least restrictions. It was also considered that Landspítali would have carried out this project if it had had the opportunity to do so and that the processing would therefore take place on the basis of the epidemiologist's agreement with Landspítali and Landspítali's agreement with Íslensk erfðagreining.


"Were the samples deleted after antibody testing or were they stored in a biobank and then which biobank?"
The Office of the Medical Director of Health's response states that all samples were deleted after the antibody test.
II. Assumptions and conclusion
1. Scope
The scope of Act no. 90/2018, on personal data protection and the processing of personal data, and Regulation (EU) 2016/679, cf. paragraph 1 of Article 4 of the Act, and thereby the authority of the Data Protection Authority, cf. paragraph 1 of Article 39 of the Act, covers the processing of personal data that is partly or wholly automatic and the processing by other methods than automatic of personal data that are or are to become part of a file.

Personal information includes information about a person who is identified or identifiable, and an individual is considered identifiable if it is possible to identify him or her, directly or indirectly, with reference to his or her identity or one or more factors that are characteristic of him or her, cf. point 2 of Article 3 of the Act and point 1 of Article 4 of the Regulation.
Processing refers to an action or series of actions in which personal information is processed, whether the processing is automatic or not, cf. point 4 of Article 3 of the Act and point 2 of Article 4 of the Regulation.
This case concerns the processing of personal data in connection with, on the one hand, screening for the SARS-CoV-2 virus in Iceland and, on the other hand, antibody testing for the virus. This processing began with the taking of biological samples, which clearly falls within the scope of privacy protection according to Article 71 of the Constitution but which alone does not involve the processing of personal data according to the above. At the same time, however, it is clear that in connection with the treatment of the samples, information was recorded and processed in other ways, including in connection with recall for sampling and examination of the samples. In this respect and in the light of the above provisions, this case concerns the processing of personal data which falls within the competence of the Data Protection Authority.
2. Responsible party and processors
The party responsible for ensuring that the processing of personal information complies with Act no. 90/2018 and Regulation (EU) 2016/679 is called the responsible party. This refers to an individual, legal entity, government authority or other party that decides, alone or in collaboration with others, the purposes and methods of processing personal information, cf. point 6 of Article 3 of the Act and point 7 of Article 4 of the Regulation.

The Chief Epidemiologist is required according to point 2 of Article 5 of the Epidemiology Act no. 19/1997 to keep a register of infectious diseases. Its purpose is to obtain accurate information on the diagnosis of infectious diseases from laboratories, hospitals and doctors. Its purpose is also to support disease control work and epidemiological research, cf. Article 3 of the Epidemiology Act. According to the first paragraph of Article 4 of the Epidemiology Act no. 19/1997, the Office of the Medical Director of Health is responsible for the implementation of disease control and, according to para. of the same Article of the Act, the office shall be staffed by an epidemiologist who is responsible for infection control. The Chief Epidemiologist therefore works at the Office of the Medical Director of Health but is responsible for all the information that is processed in connection with his work. As matters stand in this case, the epidemiologist is therefore considered to be responsible for the processing in question.
The responsible party may entrust another party to work with personal information on its behalf. That party is then a processor according to point 7 of Article 3 of Act no. 90/2018 and point 8 of Article 3 of Regulation (EU) 2016/679, i.e. a party that processes personal data on behalf of the responsible party, and a special agreement shall be made with such a processor in accordance with the third paragraph of Article 25 of the Act and para. Article 28 of the Regulation. It is known that the Chief Epidemiologist has agreed with Landspítali to process personal information for which he is responsible, and the hospital is considered to be a processing party as far as that processing is concerned.
According to para. Article 25 Act no. 90/2018, cf. paragraph 2 of Article 28 of the Regulation, the processing party may employ another processing party, provided that it has the specific or general written authority of the responsible party. It is known that an agreement was made between Landspítali and Íslensk erfðagreining, in which Landspítali entrusts Íslensk erfðagreining with the processing of personal information resulting from Landspítali's obligations according to the processing agreement between the epidemiologist and Landspítali. Íslensk erfðagreining is therefore a sub-processor in the sense of the aforementioned legal provision, as there was a written authorization in the processing agreement between the epidemiologist and Landspítali to the effect that Landspítali could use such a sub-processor in the implementation of the processing.
It is known that biological samples from health services other than Landspítali have been transferred to Icelandic Genetics for antibody testing, and it is stated in the explanations of the Office of the Medical Director of Health that they would otherwise have been sent to the hospital. According to Article 1.1 of Landspítali's processing agreement with Íslensk erfðagreining, it covers the processing of personal information on behalf of Landspítali for screening for the COVID-19 virus in biological samples that Íslensk erfðagreining receives from the hospital. On the other hand, it covers processing on behalf of the hospital for the same purpose in the case of samples collected by Icelandic Genetics itself. Based on the explanations provided, the processing of the samples in question from parties other than Landspítali must be considered covered by the agreement on that basis.
In addition, due to the use of information for the purpose of the aforementioned scientific research at Icelandic Genetics, it should be noted that in that research, Icelandic Genetics did not have the status of a processor but of a responsible party. According to the case file, an application had not been made to the Scientific Ethics Committee for a scientific study when screening began at the beginning of the epidemic, but when it had lasted for twelve days, i.e. on March 20, 2020, the application was sent to the committee. On the other hand, Íslensk erfðagreining had stated unequivocally in the media on the 8th of the same month that the company's involvement did not involve a scientific study, which could have given those who went for screening a reason to believe that such a study would not take place. Nevertheless, the study in question was initiated, which includes, among other things, a data study according to section VI of Act no. 44/2014 on scientific research in the field of health, as it is not based on the consent of the data subjects. It should be noted that although the investigation falls outside the subject of the Data Protection Authority, which is discussed in this decision, it is nevertheless involved in the commencement of the investigation, cf. the discussion in Chapter 1 of Part I of the Decision. It is therefore considered appropriate to put the above on record.
3. Legality of processing
All processing of personal data must be covered by one of the authorization provisions of Article 9 of Act no. 90/2018, cf. paragraph 1 of Article 6 of Regulation (EU) 2016/679. It may be mentioned that personal information may be processed if it is necessary to fulfill a legal obligation that rests with the responsible party, cf. point 3 of Article 9 of the Act and point (c) of the first paragraph of Article 6 of the Regulation, or if the processing is necessary for a task carried out in the public interest, cf. point 5 of the Article of the Act and point (e) of the Regulation provision. In addition, the processing of health information, as defined in point 3 (b) of Article 3 of the Act, must comply with one of the additional conditions of para. Article 11 of the Act and the second paragraph of Article 9 of the Regulation. In the present case, point 9 of paragraph 1 of Article 11 of the Act and point (i) of the second paragraph of Article 9 of the Regulation come into consideration in particular, under which the processing of sensitive personal data is permitted if it is necessary for reasons of public interest in the field of public health, such as to protect against serious cross-border health threats or to ensure the quality and safety of health services and medicines or medical devices, and is carried out on the basis of law which provides for appropriate and specific measures to protect the fundamental rights and interests of the data subject.

In assessing the authorization for processing, the provisions of other applicable laws must also be taken into account, as the case may be. According to point 2 of Article 5 of the Epidemiology Act no. 19/1997, the Epidemiologist is required, as stated above, to keep a register of infectious diseases, and it is stated in the provision that he keeps that register to monitor the spread of infectious diseases by obtaining accurate information about their diagnosis from laboratories, hospitals and doctors. In addition, the third paragraph of Article 3 of the Act states that the purpose of the register is to obtain the aforementioned information and to be a support for epidemiological work and epidemiological research. The same provision states that the utmost confidentiality shall be maintained for all private information that appears in the Infectious Diseases Register and that the same rules apply to the register as to other medical records. The infectious diseases covered by this are discussed in Article 2 of the Act, to the extent that they deal with diseases and pathogens that can cause epidemics and threaten the public good, as well as other serious epidemics. To the extent that information on the diseases in question is used for healthcare services to an individual, the first paragraph of Article 4 of Act no. 55/2009 on medical records shall be considered, which prescribes the obligation of a healthcare professional to keep a medical record for the treatment of a patient, and such a record must, among other things, record the results of research, cf. point 8 of paragraph 1 of Article 6 of the Act. Accordingly, it must be considered that the processing in question, which was carried out to screen for the SARS-CoV-2 virus and antibodies to it, met the condition that it be carried out on the basis of law.
In addition to the authorization according to the above, the processing of personal information must comply with all the principles of the first paragraph of Article 8 of Act no. 90/2018, cf. paragraph 1 of Article 5 of Regulation (EU) 2016/679. It provides, among other things, that personal data shall be processed in a lawful, fair and transparent manner towards the data subject (point 1), that it shall be obtained for clearly stated, legitimate and objective purposes and not further processed for other and incompatible purposes (point 2), and that it shall be processed in such a way as to ensure its appropriate security (point 6).
The responsible party shall be able to demonstrate that the processing of personal information complies with the above principles, cf. paragraph 2 of Article 8 of the Act and the second paragraph of Article 5 of the Regulation.
It should be noted that, of the principles in question, the general transparency requirement of point 1 of paragraph 1 of Article 8 of the Act is particularly at issue, cf. further provisions on education in Articles 13 and 14 of the Regulation, cf. Article 17 of the Act. Issues in this connection are discussed in Chapter 5 below.
4. Processing agreements
As stated above, the responsible party is the one who decides the purpose and methods of processing personal information. It has an obligation to ensure that processing takes place in accordance with the legal rules outlined above. This means that the processing party shall conduct processing in accordance with the instructions of the responsible party. Those instructions are required, according to para. Article 28 of the Regulation, to be recorded in a contract or other legal document specifying the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data, the categories of registered persons and the obligations and rights of the responsible party.

A processing agreement or other legal act according to the third paragraph of Article 28 of the Regulation shall in particular stipulate that the processor:


a. works with personal information only according to the documented instructions of the responsible party, including in the case of the transfer of personal data to a third country or an international organization, unless otherwise required by the law of the Union or the law of a Member State to which the processor is subject; in that case, the processor shall inform the responsible party of that legal requirement before processing, unless the law prohibits such disclosure due to important public interests;
b. ensures that persons authorized to process personal data have committed themselves to confidentiality or are subject to the relevant statutory duty of confidentiality;
c. takes all measures required under Article 32 of the Regulation, i.e. takes appropriate technical and organizational measures to ensure security appropriate to the risk, e.g. taking into account the latest technology, the cost of implementing the measures, the nature, scope, context and purpose of the processing and the risks, of varying likelihood and severity, for the rights and freedoms of individuals. This means, among other things, that the responsible party and the processing party shall, as appropriate: i. use pseudonymisation and encryption of personal information; ii. be able to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; iii. be able to make personal data available and restore access to it in a timely manner in the event of a physical or technical incident; iv. establish processes for regularly testing and evaluating the effectiveness of technical and organizational measures to ensure the security of processing;
d. respects the conditions of paragraphs 2 and 4 of Article 28 of the Regulation regarding the employment of another processor;
e. assists, taking into account the nature of the processing, the responsible party with appropriate technical and organizational measures, as far as possible, in fulfilling its obligation to respond to requests for the exercise of the rights of data subjects laid down in Chapter III of the Regulation;
f. assists the responsible party in ensuring that obligations under Articles 32-36 of the Regulation are complied with, taking into account the nature of the processing and the information to which the processor has access;
g. deletes or returns, at the choice of the responsible party, all personal information to the responsible party after the provision of the service related to the processing is completed and deletes all copies unless the law of the Union or the law of a Member State requires that personal data be stored;
h. makes available to the responsible party all the information necessary to demonstrate that the obligations laid down in Article 28 of the Regulation are complied with, and allows for and contributes to audits, including inspections carried out by the responsible party or another auditor on his behalf.

In cases where the responsible parties and processors operate on the basis of law, it may be necessary to consider the relevant legal provisions as supplementing the processing agreement. Those provisions can be considered to constitute another legal act according to the third paragraph of Article 28 of the Regulation, to the extent that they meet the conditions specified therein.


i. Processing agreement between the epidemiologist and Landspítali
It is known that the epidemiologist has entered into a processing agreement with Landspítali. The agreement is from 21 December 2015.

Article 2 of the agreement refers to the fact that according to the Epidemiological Control Act, the Epidemiologist is responsible for maintaining an infectious disease register which is intended to support epidemiological work in Iceland. It states that he is therefore the person responsible for the register. It is stated that the infectious disease register contains "e.g. personally identifiable information on notifiable cases and pathogens coming from laboratories and treating physicians".
Article 3 of the agreement states that Landspítali, more specifically the hospital's laboratories in bacteriology and virology, is thereby entrusted, as a processor in the sense of the then applicable Privacy Act no. 77/2000, with keeping a record and preserving information on notifiable diseases and causes. It states that the laboratories are accordingly the processors of the infectious disease register under the auspices of the Epidemiologist and they are therefore allowed to obtain information about disease cases and register them if it is relevant to the epidemiological diagnosis. The processing agreement authorizes the processing party to process personal information for the benefit of individuals' medical services, disease control measures and / or scientific research, provided that the necessary permits from the Scientific Ethics Committee and the Data Protection Authority are in place.
It is also stated that all processing of personal information by the processing party is subject to the instructions of the epidemiologist and shall be carried out in accordance with the Act on Personal Data Protection and rules set on the basis of that Act. It is also specified that the conditions that the Data Protection Authority deems necessary at any given time shall be complied with.
In addition, it is stipulated that the laboratories may work with other parties and health institutions outside the hospital to collect and process personal information on notifiable diseases.
Article 4 of the agreement provides that Landspítali shall guarantee the security of personal information in accordance with the institution's security policy on the protection of sensitive personal information in medical records, without this being further defined.
This processing agreement was made during the period of validity of the older Act no. 77/2000 on the protection of personal data and the handling of personal data, and the legal references in it reflect this. Article 13 of that Act stipulated that the responsible party may negotiate with a specific party to handle, in whole or in part, the processing of personal data for which he is responsible in accordance with the provisions of the Act. However, this was subject to the condition that the responsible party had previously verified that the processor could take appropriate security measures and carry out internal controls in accordance with Article 12 of the Act.
The second paragraph of Article 13 of the Act stipulated that a processing agreement should be in writing and in at least two copies. It was stipulated that such an agreement should state that the processor was only allowed to operate in accordance with the instructions of the responsible party and that the provisions of the Act on the obligations of the responsible party also applied to the processing carried out by the processor. The third paragraph of Article 13 of the Act stipulated that anyone who worked on behalf of the responsible party or processor, including the processor himself, and had access to personal information, was only allowed to process personal information in accordance with the responsible party's instructions unless otherwise provided by law.
Act no. 90/2018 on the protection of personal data and the processing of personal data entered into force on 15 July 2018. It transposed into national law Regulation (EU) 2016/679 of the European Parliament and of the Council. As discussed above, Act no. 90/2018 and Regulation (EU) 2016/679 impose much more detailed requirements regarding the content of processing agreements than previous legislation, and it is clear that the processing agreement between the Chief Epidemiologist and Landspítali does not contain provisions in accordance with the requirements of points b, c, e, f, g and h of the third paragraph of Article 28 of Regulation (EU) 2016/679 and para. Article 25 Act no. 90/2018.
On the other hand, it should be noted that the Epidemiological Control Act no. 19/1997, Act no. 41/2007 on the Medical Director of Health and public health, Act no. 55/2009 on medical records, Act no. 110/2000 on biobanks and health databanks and Act no. 34/2012 on healthcare professionals contain provisions that complement the processing agreement of the above-mentioned parties. These include the provisions of Article 17 of Act no. 34/2012 and Article 13 of Act no. 55/2009, which stipulate the duty of confidentiality of employees in the health service, the first paragraph of Article 24 of Act no. 55/2009 and point 9 of paragraph 1 of Article 5 of Act no. 110/2000, which provide for the appropriate security of personal information, and the first paragraph of Article 7 of Act no. 41/2007, which stipulates the supervisory powers of the Medical Director of Health, to whose office the Chief Epidemiologist belongs, cf. paragraph 2 of Article 4 of Act no. 19/1997.
With regard to the requirements of para. Article 28 of the Regulation, however, it would have been correct for the processing agreement to contain a reference to the above-mentioned provisions on the matters specified therein. In addition, the agreement does not contain instructions from the epidemiologist on the deletion or return of personal data in accordance with point (g) of paragraph 3 of Article 28 of the Regulation. The agreement's references to privacy legislation are based on previous legislation in that area, as mentioned above.
From what has been discussed here, it is clear that the epidemiologist's processing agreement with Landspítali does not comply with the requirements currently made for such agreements.

ii. Processing agreement between Landspítali and Íslensk erfðagreining
In addition to the processing agreement between the epidemiologist and Landspítali, a processing agreement has been made between Landspítali and Íslensk erfðagreining, dated March 12, 2020, where the company Íslensk erfðagreining is defined as a sub-processor. This processing agreement is based on the provisions of Act no. 90/2018 together with the relevant provisions of Regulation (EU) 2016/679. Authorization for an agreement such as this can be found in Article 25 of the Act, cf. Article 28 of Regulation (EU) 2016/679. It is also clear that the agreement could be made in accordance with the processing agreement between the Chief Epidemiologist and Landspítali.

The agreement with Icelandic Genetics describes the purpose and implementation of the processing that is outsourced, in addition to reviewing, among other things, the issues specified in Article 28 of the Regulation. The Data Protection Authority therefore does not consider it necessary to comment on the agreement.

5. Transparency and information for data subjects
As stated above, all processing of personal information must comply with all the principles of the first paragraph of Article 8 of Act no. 90/2018 and the first paragraph of Article 5 of Regulation (EU) 2016/679. Among other things, these stipulate that personal information shall be processed in a lawful, fair and transparent manner towards the data subject, cf. point 1 of Paragraph 1 of Article 8 of the Act and point a of the first paragraph of Article 5 of the Regulation. This requirement implies that individuals should be aware of when personal information about them is collected or used, viewed or otherwise processed, to what extent it is or will be processed and for what purpose. In order for the processing of personal data to meet this requirement, controllers must take special measures regarding the provision of information to the data subject.

The provision of such information is discussed, among other things, in Article 13 of Regulation (EU) 2016/679, cf. section III of Act no. 90/2018. According to the provision, a controller who collects personal information from the data subject himself is obliged to inform him of certain matters concerning the processing. The first paragraph of the provision states that he shall, inter alia, be informed of the name and contact details of the controller; the contact details of the data protection officer, if applicable; the purpose of the proposed processing of personal data and its legal basis; as well as recipients or categories of recipients, if any.
In addition to the information previously mentioned, the controller shall, according to para. Article 13 of the Regulation, provide the data subject with further information necessary to ensure fair and transparent processing, including how long personal information will be stored or, if that is not possible, the criteria used to determine it; that there is a right to request from the controller access to personal data, to have them corrected or deleted or their processing restricted with regard to the data subject, or to object to processing, in addition to the right to data portability; that there is a right to withdraw consent at any time without prejudice to the lawfulness of processing on the basis of the consent up to the withdrawal; and the right to lodge a complaint with a supervisory authority in the field of privacy.
According to para. Article 13 of the Regulation, the other provisions of the article do not apply if and to the extent that the data subject has already become aware of the issues listed therein.
Article 14 of the Regulation stipulates the duty of the controller when personal information has not been obtained from the data subject. Among the things that the controller shall report are who the controller is, its contact information and that of the data protection officer, and the purpose and legal basis of processing, cf. Paragraph 1 of the provision, which is for the most part identical to the first paragraph of Article 13 of the Regulation. In addition, the 2nd paragraph of the provision prescribes the obligation to provide further information that is necessary to ensure fair and transparent processing. The provision contains an enumeration which is for the most part identical to that in the second paragraph of Article 13 of the Regulation. It is stated that among the things that the data subject shall be informed about is where his personal information is obtained, cf. point f of the list.
According to para. Article 14 of the Regulation, other provisions of the article do not apply, e.g., to the extent that the data subject has already received the information, or it is not possible to provide such information or doing so would require disproportionate effort, especially in the case of processing, e.g., for the benefit of scientific research, or where the collection or dissemination of the information is clearly prescribed by law.
Article 23 of the Regulation further stipulates that the controller's obligation to provide information according to Articles 13 and 14 of the Regulation may be limited by a legislative measure that must meet certain requirements as appropriate, e.g. on data protection measures. This applies in particular to important objectives that serve the public interest of a Member State, and the provision lists examples of the interests that fall under it, including public security and public health.
In the light of the above, the 4th paragraph of Article 17 of Act no. 90/2018 lays down an authorization to restrict rights according to Articles 13 and 14 of the Regulation for the benefit of objectives according to Art. of the Regulation, and both public safety and public health are specified therein, cf. Points 3 and 5 of Paragraph 4 of the provision. According to the comments on the provision in the explanatory memorandum to the bill, it is therefore intended to be an independent authorization to limit the data subject's rights. In this connection, it is to be considered that during the deliberations of the Althingi, the provision was added that the restriction should be in accordance with law, without it being specifically explained what this entails. As discussed in Chapter 3 above, the activities of the epidemiologist are governed by a special law, no. 19/1997, which delimits its role and which deals with measures for the protection of personal data. It must be assumed that together, on the one hand, the aforementioned items in the fourth paragraph of Article 17 of Act no. 90/2018 and, on the other hand, Act no. 19/1997 provide an adequate legal basis for curtailing the rights of the data subject as necessary.
In addition, it should be noted that on 19 March 2020, the European Data Protection Board issued a statement on the processing of personal data due to the COVID-19 epidemic. The statement states that rules on the protection of personal data, including Regulation (EU) 2016/679, do not prevent measures to combat the epidemic, but also states that the protection of personal data shall be ensured. The Head of the Data Protection Authority at the Council of Europe and the Chairman of the Committee on the Council of Europe Convention on the Protection of Personal Data, no. 108/1981, issued a joint statement on 30 March 2020 stating that rules on the protection of personal data should not in any way prevent the saving of lives, and that such rules allow the interests at stake to be weighed and evaluated. It is also emphasized that personal information be provided with appropriate protection. A similar emphasis is found in the proviso in Article 23 of Regulation (EU) 2016/679 and para. Article 17 of Act no. 90/2018 that restrictions shall respect the nature of fundamental rights and human freedoms and be considered a necessary and proportionate measure in a democratic society.
The Data Protection Authority considers it clear that the circumstances that led to the processing in question here were very urgent and called for extensive measures to be taken at short notice to combat public danger. A similar assessment appears in the aforementioned statements from the European Data Protection Board and the Council of Europe. It should be emphasized that, as stated above, care must still be taken to protect personal information in response to the danger that lies ahead. On the other hand, the Data Protection Authority also considers it clear that restrictions on rights according to Articles 13 and 14 of Regulation (EU) 2016/679 can here be considered justified according to the criteria specified in Article 23 of the Regulation and para. Article 17 of Act no. 90/2018.

i. Screening for the SARS-CoV-2 virus
According to the replies of the Office of the Medical Director of Health, health information prepared in connection with screening for the SARS-CoV-2 virus at the beginning of the epidemic was entered in the medical record on the basis of Act no. 55/2009 on medical records. It is clear that on the basis of the Epidemiological Control Act no. 19/1997, certain information was also registered in the Infectious Diseases Register. This was demographic information and information on the results of the sampling.

From the Office's explanations, it can be deduced that the individuals who were screened were not individually informed, as they should have been aware of the processing of personal information in connection with the screening and for what purpose. It is pointed out that there has been a great deal of media coverage of the sampling and that individuals who attended had previously had to register with Icelandic Genetics. Only the necessary information has been collected, i.e. demographic information about the person and the result of the sampling. Samples were not used for anything else and they were destroyed after analysis. General information has also been included in the office's privacy policy, as well as at individual health centers.
With regard to the health information that was processed in connection with the screening, it is the opinion of the Data Protection Authority that it was obtained due to the administrative role of the epidemiologist, cf., inter alia, point 2 of Article 5 of Act no. 19/1997, as well as for the provision of health services as defined in point 2 of Article 3 of Act no. 55/2009. In Articles 4 and 6 of that Act, there are clear instructions on the obligation of healthcare professionals to register information in the medical record when providing healthcare services, as deemed necessary for the treatment of a patient, but at a minimum, e.g. patient's name, address, ID number, job title, marital status and immediate relative, the health and medical history items relevant to the treatment, examination, treatment and operation description, research results and diagnosis. The Act also contains provisions on the person responsible for medical records, storage, duration of custody and security of personal information in medical records. According to para. Article 1 of the Act, the provisions of the Act on Personal Data Protection and the Processing of Personal Data shall apply to the processing of information in medical records to the extent that the Act does not prescribe otherwise. It has generally been considered that individuals seeking health care may be aware of the processing of personal data involved in the entry of medical records and this must be considered to have been the case here as well.
According to the explanations of the Office of the Medical Director of Health, all samples taken for the screening in question were deleted and information was sent to the epidemiologist for entry in the infectious disease register, in addition to which information was registered in the medical records of the individuals in question. It is also clear from the case file that this information is not intended to be registered with Icelandic Genetics, and Art. of Landspítali's processing agreement with Íslensk erfðagreining prescribes the deletion of all personal information at the company that is processed on the basis of the agreement. In view of this and the other above-mentioned considerations, in addition to what is stated earlier about the 4th paragraph of Article 17 of Act no. 90/2018 and related matters, the Data Protection Authority considers that it has not been necessary to provide individual information on the matters specified in Article 13 of Regulation (EU) 2016/679.

ii. Antibody testing
In the case in question, a blood sample was taken to examine whether individuals had previously been infected with the SARS-CoV-2 virus and thus developed antibodies to it. The results of each individual were kept as the result of the study was recorded in the person's medical record. The results of the study could therefore also be used to some extent in the treatment of those who gave samples.

The purpose of the sampling was to conduct a so-called "sero-prevalence" study, to investigate the spread of the SARS-CoV-2 virus in the community. It is stated in the explanations of the Office of the Medical Director of Health that the examination was carried out in order to fulfill the legal obligation that rests on the Chief Epidemiologist according to Article 5 of Act no. 19/1997. According to that article, it is, inter alia, the responsibility of the Chief Epidemiologist to plan and coordinate infection control and immunization measures throughout the country and to provide information on the spread of infectious diseases, within the country and abroad, on a regular basis and as needed to doctors and other healthcare professionals.
The explanations from the Office of the Medical Director of Health further state that those who gave extra blood samples for antibody tests on arrival at health care providers were generally informed of the purpose of taking the sample. Their consent has been requested, but in general no written consent is requested for the processing of personal data within the health service. It also states that no special information has been provided on the processing of personal information in connection with antibody testing. On the other hand, the individuals in question should have been aware of the processing of personal data in connection with the screening and for what purpose. There was also general information in the office's privacy policy, as well as at individual health service providers.
In the opinion of the Data Protection Authority, it is clear that the blood samples in question were primarily taken for statistical purposes, and it can be deduced from the answers of the Office of the Medical Director of Health that the results should have been useful in making decisions about the current epidemic. In the light of these answers, the processing is considered to have served the role of the epidemiologist in planning and coordinating infection control and immunization measures, cf. point 1 of Article 5 of the Epidemiology Act no. 19/1997, and thereby to have served health services as defined in point 2 of Article 3 of Act no. 41/2007 on the Medical Director of Health and public health. In addition, the results of examinations of the samples were entered in the medical record of the person concerned and the blood sampling was to that extent directly related to the health service of the individuals in question. It is also clear that personal information should not have been collected for storage at Icelandic Genetics, cf. Article 7 of Landspítali's processing agreement with the company.
In light of the purpose of the processing and the other points above, the same considerations are considered to apply to the provision of information to data subjects about the processing as outlined in section i. above, cf. also the discussion preceding it about the 4th paragraph of Article 17 of Act no. 90/2018 and related matters. With reference to that discussion, it is the conclusion of the Data Protection Authority that the Chief Epidemiologist was not obliged to provide individual information on the issues specified in Article 13 of the Regulation.

iii. Border screening
It can be deduced from the case file that individuals who were screened at the border for the SARS-CoV-2 virus and antibodies to it were given some individual information. Specifically, passengers on their way to the country had to fill out a specific registration form prior to arrival, which included information on the purpose of sampling and the retention period of samples, as well as a link to further information on the processing of personal data and privacy policy. It is the conclusion of the Data Protection Authority that this information was satisfactory according to Article 13 of Regulation (EU) 2016/679, cf. point 1 of Paragraph 1 of Article 8 of Act no. 90/2018 and point a of the first paragraph of Article 5 of the Regulation.


iv. Screening at Icelandic Genetics to investigate the spread of COVID-19
It is known that during the screening in question, three groups were invited to participate in screening at Icelandic Genetics and that individuals from one of them were informed on what basis, i.e. that they belonged to a random sample. In the other two groups, on the one hand there were individuals in quarantine and on the other hand individuals connected to infected individuals, e.g. from the workplace, and they were not informed of the reasons for the invitation.

The question here is whether information was required according to Article 14 of Regulation (EU) 2016/679, which deals with the obligation to provide information to the data subject when personal information is obtained from someone other than himself. At the same time, the obligation to provide information according to Article 13 of the Regulation in connection with the taking of samples comes into question. In this connection, it should be noted that according to the explanations of the Office of the Medical Director of Health, this was processing for the same purpose as the processing discussed in section ii. above. It has also been stated that samples were deleted, in addition to which it is clear from the processing agreement between Landspítali and Íslensk erfðagreining, as previously stated, that the company should not collect personal information for registration. With reference to this, as well as the discussion in sections i. and ii. and preceding section i., it will not be considered that an obligation has been established to provide individual information on the issues specified in Articles 13 and 14 of the Regulation.
On the other hand, it should be noted that the Data Protection Authority has received comments from individuals who were invited to the screening in question that it was unclear whether this was a process that only served as a measure for disease control or whether it should also have been used for scientific research by Icelandic Genetics. Such research, including on the human genome, is the core business of that company. The Data Protection Authority is of the opinion that there was special reason to make it clear in information to the public that the screening in question is not a part of that activity. The Data Protection Authority also considers that this has not been adequately safeguarded and that the general transparency requirement of point 1 of Paragraph 1 of Article 8 of Act no. 90/2018 has not been fully complied with.
6. Summarized conclusion
As stated above, Act no. 90/2018 on personal data protection and the processing of personal data and Regulation (EU) 2016/679 set much more detailed requirements for the content of processing agreements than previous legislation, and it is the conclusion of the Data Protection Authority that the processing agreement between the Chief Epidemiologist and Landspítali does not fully comply with the provisions of para. Article 28 of the Regulation and para. Article 25 of the Act.

In accordance with this conclusion, and with reference to point 4 of Article 42 of Act no. 90/2018, the Chief Epidemiologist is hereby instructed to enter into a satisfactory processing agreement with Landspítali, in accordance with Article 25 of the Act and Art. Regulation (EU) 2016/679. Confirmation that these instructions have been followed shall be received by the Data Protection Authority no later than 10 January 2022.
It is also the conclusion of the Data Protection Authority that the information provided in connection with border screening for the SARS-CoV-2 virus and antibodies to it has fulfilled the conditions of Article 13 of the Regulation, in addition to which there was no need for individual information on the basis of that article in connection with the aforementioned screening at the beginning of the epidemic and screening for antibodies to the SARS-CoV-2 virus, cf. Paragraph 4 of the article. There was also no need for information according to Article 14 of the Regulation due to antibody screening that took place at Icelandic Genetics to investigate the spread of COVID-19.
However, the Data Protection Authority considers that the epidemiologist's general information to the public did not make sufficiently clear that the aforementioned antibody screening at Icelandic Genetics takes place solely for the purpose of infection control and not for the company's scientific research. Therefore, insufficient attention has been paid to the general transparency requirement of point 1 of Paragraph 1 of Article 8 of Act no. 90/2018.
The Data Protection Authority points out that Act no. 90/2018 and Regulation (EU) 2016/679 must be complied with despite a pandemic, as stated in the Declaration of the European Data Protection Board (EDPB) on the processing of personal data in connection with the spread of COVID-19, which was issued March 19, 2020.
However, the Data Protection Authority also states that the agency is aware of the threat posed by COVID-19 disease in Icelandic society since the beginning of the epidemic and the pressure that the Icelandic health authorities have been under. In view of these special circumstances, no steps have been taken to pursue a fine in this case, cf. Paragraph 1 of Article 47 of Act no. 90/2018.
Note:
The epidemiologist's processing agreement with Landspítali is not in accordance with Act no. 90/2018 on personal data protection and the processing of personal data and Regulation (EU) 2016/679.

The information provided by the Chief Epidemiologist in connection with border screening for the SARS-CoV-2 virus and antibodies to it complied with Article 13 of Regulation (EU) 2016/679, cf. Paragraph 2 of Article 17 of Act no. 90/2018, cf. also point 1 of Paragraph 1 of Article 8 of Act no. 90/2018 and point a of the first paragraph of Article 5 of the Regulation.
The Chief Epidemiologist was not required to provide individual information on the basis of Article 13 of Regulation (EU) 2016/679, cf. Paragraph 2 of Article 17 of Act no. 90/2018, in connection with screening for the SARS-CoV-2 virus in Iceland at the beginning of the epidemic and screening for antibodies to the virus. Furthermore, the epidemiologist was not required to provide information according to Article 14 of the Regulation due to an invitation for antibody screening at Icelandic Genetics to investigate the spread of COVID-19.
The epidemiologist's general information to the public did not make sufficiently clear, cf. the transparency requirement of point 1 of Paragraph 1 of Article 8 of Act no. 90/2018, that the above-mentioned antibody screening at Icelandic Genetics was only a part of disease control and not of the company's scientific research.
With reference to point 4 of Article 42 of Act no. 90/2018, the Chief Epidemiologist is instructed to enter into a satisfactory processing agreement with Landspítali in accordance with the provisions of section IV of Act no. 90/2018, cf. chapter IV of the Regulation. Confirmation that these instructions have been complied with, as well as a copy of the new processing agreement, shall be received by the Data Protection Authority no later than 10 January 2022.
Persónuvernd, November 23, 2021
Ólafur Garðarsson
chairman
Björn Geirsson Sindri M. Stephensen

Vilhelmína Haraldsdóttir Þorvarður Kári Ólafsson




    





















  