Processing of personal data in connection with screening for the SARS-CoV-2 virus and antibodies to it

The Data Protection Authority (DPA) has completed its investigation into the processing of personal data in connection with the screening for the SARS-CoV-2 virus and antibodies to it. The conclusion of the investigation is that provisions of data protection legislation have substantially been complied with, including provisions on the obligation to supply information. However, the public should have been provided with better information on the purpose of the screening. Furthermore, the processing contract between the Chief Epidemiologist and Landspítali is not considered to be in full compliance with current legislation and the Chief Epidemiologist has therefore been instructed to enter into a satisfactory processing contract with Landspítali.

The investigation began following news coverage in March 2020 of a decision to outsource screening in Iceland for the SARS-CoV-2 virus, which causes the COVID-19 disease, from the Chief Epidemiologist to the genetic research company deCode genetics, in collaboration with the Landspítali Department of Clinical Microbiology. The DPA subsequently initiated an investigation into whether this processing was in accordance with Act No. 90/2018 on Data Protection and the Processing of Personal Data. The DPA's main cause for concern was that health data would be collected about screened individuals during the screening and that, at the outset, it was not clear whether this data would be used for a scientific study carried out by deCode genetics. The company had stated unequivocally in the media that its involvement in the screening did not involve scientific research, but shortly afterwards it applied for permission from the National Bioethics Committee (NBC) to carry out such research.

The DPA's decision concludes that the Chief Epidemiologist is the controller of the processing of personal data in relation to the screenings in question and that the provisions of data protection legislation have substantially been complied with. The decision does not object to the information supplied to data subjects on account of the screening, referring in this regard to the exemptions in the Act on Data Protection and the Processing of Personal Data from the obligation to supply information on grounds of public interest and public health, as well as to the fact that in the screening process all samples were destroyed and data was not recorded anywhere other than in the Chief Epidemiologist's statutory register of communicable disease and the health records of the individuals concerned. However, it was concluded that, with reference to the general transparency requirement of the law, the Chief Epidemiologist should have supplied clearer information to the public that the screening for antibodies at deCode genetics was part of communicable disease control only and did not form part of the company's scientific research.

The processing in question was subject to two processing contracts, one between the Chief Epidemiologist and Landspítali and another between Landspítali and deCode genetics. The decision notes that the current data protection legislation imposes much more detailed requirements on the content of processing contracts than the legislation that was in force when the contract between the Chief Epidemiologist and Landspítali was made. As that contract does not fully comply with the provisions of current legislation, the Chief Epidemiologist was instructed to enter into a satisfactory processing contract with Landspítali.

[Names deleted from this version]

Decision


On 23 November 2021, the Data Protection Authority (DPA) made the following decision in case no. 2020061954:

I.
Procedure
1.
The initiation of the investigation

Because of news coverage in March 2020 of a decision to outsource screening in Iceland for the SARS-CoV-2 virus, which causes the COVID-19 disease, from the Chief Epidemiologist to the genetic research company deCode genetics, the DPA decided to investigate whether this processing was in accordance with Act No. 90/2018 on Data Protection and the Processing of Personal Data. According to Covid.is, the website of the Directorate of Health and the Department of Civil Protection and Emergency Management, the Chief Epidemiologist offered screening for the virus to the public in collaboration with deCode genetics and the Landspítali Department of Clinical Microbiology. The DPA's main reason for the investigation was the concern that health data would be collected about the screened individuals during the screening and that, at the outset, it was not intended that this data would be used for scientific research carried out by deCode genetics. Later, other questions related to screening and antibody testing for the SARS-CoV-2 virus were added to the investigation, as discussed below.

The DPA notified the Directorate of Health by letter, dated 16 September 2020, that the Authority had decided to investigate the processing of personal data that the screening in question entailed, in addition to requesting certain explanations, as outlined in Chapter 3 below, in connection with the Directorate's answers.

2.
More on the background of the case
i. Screening for the SARS-CoV-2 virus

One week before the screening at deCode genetics began, on Saturday 7 March 2020, the company notified the DPA by e-mail of its intention to screen for the SARS-CoV-2 virus. deCode genetics declared that the project did not involve scientific research but only clinical work. deCode genetics' assessment was endorsed in a joint statement by the National Bioethics Committee (NBC) and the DPA on Sunday 8 March 2020. Twelve days later, and one week after screening began, i.e. on 20 March 2020, deCode genetics applied to the NBC for permission to carry out the research study Epidemiology of the SARS-CoV-2 virus and the effects of genetics and underlying diseases on the COVID-19 disease it causes.

The application to the NBC stated that [...], the CEO of deCode genetics, would be the principal investigator and that the co-investigators would be [...], the Chief Epidemiologist, [...], the Medical Director of Health, [...], the Head of the Department of Infectious Disease at Landspítali, and [...], Head of the Department of Clinical Microbiology at Landspítali. [...] would be the principal investigating doctor of the study. The research was to be carried out in collaboration between deCode genetics, the Chief Epidemiologist, the Directorate of Health and Landspítali and would be funded by deCode genetics.

According to the application, the research was to be both a retrospective study and a research project on human subjects. deCode genetics intended to obtain the consent of individuals who had been screened, from whom biological samples for genetic research would be obtained, and who had not already provided the company with biological samples for research on its behalf with broad consent.

According to the application, the data the researchers intended to use was available data from the Chief Epidemiologist on sample numbers and results of measurements of the virus for all who had undergone testing at Landspítali's Department of Clinical Microbiology and in deCode genetics' screening campaign. The study also intended to use answers to questions that had been asked, at the request of the Chief Epidemiologist, of those who had undergone testing for the virus in deCode genetics' screening campaign. In addition, the researchers planned to examine the health records of those who had been diagnosed with the virus to gather data on the severity of infections caused by the virus, the progression of the disease, underlying diseases, treatment, and recovery.

The application stated that, to begin with, the study would only be based on available data. No other data would be collected at that time. If necessary, a permit for an addition would be applied for separately. It also stated that data would be collected regularly during the epidemic and after it had mostly run its course.

In connection with the application, the Chief Epidemiologist signed a letter to [...], the CEO of deCode genetics, in which he confirmed his willingness to provide access to the data in question.

The DPA sent the NBC its opinion on the above application on 23 March 2020. The DPA raised no objections to the NBC accepting the application for substantive processing, as the study could take place within the framework of Act No. 44/2014 on Scientific Research in the Health Sector.

ii. Antibody testing

In mid-April 2020, deCode genetics began testing for antibodies in individuals in Iceland, i.e. measuring antibodies to the SARS-CoV-2 virus. A news item published on the website of the Directorate of Health on 12 May 2020 stated that the collection of blood samples had begun so that the Chief Epidemiologist could assess the spread of antibodies against the SARS-CoV-2 virus in Icelandic society. The measurements involved the collection of blood samples from individuals who came for blood tests for other reasons. It was not stated that the blood samples would be sent to deCode genetics. In the same news article, it said that Landspítali's Department of Clinical Microbiology had begun to receive blood samples and measure antibodies against the virus in individuals who thought they had contracted COVID-19. A news item published the following day on the website of the Health Care Centre of the Capital Area, said that the collection of blood samples for antibody tests in individuals who underwent a blood test for other reasons had begun and that samples would be analysed by deCode genetics.

A news item published on the website of the Directorate of Health on 9 July 2020 stated that the results of the antibody tests for the SARS-CoV-2 virus, which deCode genetics had carried out on behalf of the Chief Epidemiologist from 3 April to 20 June 2020, were available. The tests had reached more than 30,000 individuals who had sought health care for reasons other than COVID-19 and had been asked to donate blood for antibody testing. Those taking the blood samples were required to obtain the individual's consent for antibody testing. deCode genetics had measured the antibodies on behalf of the Chief Epidemiologist as part of communicable disease control measures. Individuals who tested positive for antibodies might subsequently be invited to take part in a follow-up study, which would be a formal scientific study. No informed or written consent was sought, and the blood samples were only tested for COVID-19 antibodies.

iii. Border screening

As of 15 June 2020, passengers arriving in Iceland were offered testing for COVID-19 as an alternative to a 14-day quarantine, cf. Regulation No. 580/2020 on quarantine, isolation and testing at the Icelandic border due to COVID-19. Testing was offered to arriving passengers at Keflavík Airport and at other airports and ports. The screening was for the SARS-CoV-2 virus and antibodies to it. The samples were initially sent for analysis to deCode genetics and later to the Department of Clinical Microbiology at Landspítali. A few days before screening began at the border, the Directorate of Health consulted the DPA and sent the Authority a data protection impact assessment for the measures. The DPA provided advice to the Directorate by letter dated 14 June 2020.

iv. Screening to investigate the spread of COVID-19

A news item published on the website of the Directorate of Health on 31 July 2020 stated that deCode genetics was again screening individuals for the SARS-CoV-2 virus in collaboration with the Chief Epidemiologist, to investigate the spread of the virus in Iceland so that the need for further action could be assessed. It would also be possible to trace the origin of infections. The screening was to be based on a sample, and three groups would be invited:

  1. Individuals in quarantine due to contact with individuals who had recently tested positive for the virus.
  2. Individuals connected in some way to individuals in isolation but who had not had to quarantine.
  3. Random sampling in areas where infections had occurred recently.
According to information received by the DPA, the above individuals, either all or certain groups, were not informed which of the three groups they belonged to, when they received an invitation to participate by text message, or what other information formed the basis of the invitation.

It was therefore the DPA's assessment, with reference to the above, that there was such uncertainty about the use of the data in question that there was reason to investigate the screening arrangements. The DPA therefore wrote to the Directorate of Health on 16 September 2020 requesting, firstly, information regarding the controller, processor and processing contracts and, secondly, information on transparency and the information supplied to patients.

3.
Explanations from the Directorate of Health

The DPA received explanations from the Directorate of Health by letter dated 26 October 2020. The letter is signed by [...], Chief Epidemiologist, [...], Medical Director of Health, and [...], Data Protection Officer. It states that in March 2020, when the COVID-19 epidemic was gaining considerable ground in Iceland, it soon became clear that the capacity of Landspítali's Department of Clinical Microbiology to detect the SARS-CoV-2 virus was so limited that it could inhibit official communicable disease control measures as defined in the Act on Health Security and Communicable Diseases. The letter stated that deCode genetics offered to assist the Chief Epidemiologist and the Department of Clinical Microbiology with the diagnosis of patients, sequencing of the virus and screening in the community.

According to the processing contract between the Chief Epidemiologist and Landspítali from 2015, on registration and processing of data on notifiable diseases and pathogens, Landspítali's laboratories in clinical microbiology must conduct screening for communicable diseases that pose a threat to the public good in accordance with further instructions from the Chief Epidemiologist. According to the contract, the laboratories are permitted to work with other parties, i.e. third parties, outside Landspítali, for the collection and processing of personal data due to notifiable diseases. COVID-19 is a notifiable disease and in accordance with the provisions of the processing contract, Landspítali entered into an agreement with deCode genetics on the processing and collection of personal data for the analysis of COVID-19.

The Directorate of Health's letter stated that all negative samples were destroyed once the result was available. Positive samples were sequenced, i.e. the genetic material of the virus itself, after which they were also destroyed. It reaffirmed that the genetic material of the individuals screened had not been sequenced.

It was the assessment of the Chief Epidemiologist and the Medical Director of Health that the diagnosis of patients by PCR test and the sequencing of the virus had been a key factor in the official communicable disease control measures against COVID-19. Sequencing would not have been possible without the involvement of deCode genetics, as the company is the only one in Iceland able to carry out such work. Analysis and screening would have been less extensive, and in fact unsatisfactory, without the involvement of the company, which also played a key role when the equipment of Landspítali's Department of Clinical Microbiology failed.

In addition to measurements of the virus, deCode genetics had, in accordance with its processing contract, measured the prevalence of antibodies against SARS-CoV-2 in the Icelandic population at the request of the Chief Epidemiologist. The result was important for the Chief Epidemiologist's assessment of the spread of the virus in Iceland. No other institution or company could have carried out such extensive antibody testing.

Regarding scientific research, the letter referred to Article 4(k) of Act No. 41/2007 on the Medical Director of Health and Public Health, which states that one of the main roles of the Medical Director of Health is to be responsible for the implementation of infectious-disease control measures, cf. Act on Health Security and Communicable Diseases. It says that at the Directorate of Health, this obligation is fulfilled by hiring an efficient Chief Epidemiologist and supporting his work and the area of communicable disease control. It also refers to the Directorate of Health´s other obligations referred to in Article 4 of the Act, such as to regularly evaluate the results of public health activities and to promote research in the spheres of the Directorate´s work. Participation in scientific research related to epidemiological subjects and shedding light on the natural course of a new global pandemic of the SARS-CoV-2 virus is therefore compatible with the work of the Medical Director of Health and the Chief Epidemiologist.

It is stated at the end of the letter that without the involvement of deCode genetics, the official response to the epidemic would have been less effective and with unforeseen health consequences for the Icelandic public. It is also stated that all processing of personal data which has taken place has resulted from the statutory role of the Chief Epidemiologist, in accordance with the Act on Health Security and Communicable Diseases, to curb the spread of a global pandemic.

Regarding the DPA's individual questions, the replies of the Directorate of Health are as follows:

i. Controller, processor, and processing contracts

  1. "What is the Directorate of Health's assessment of whether it is the Directorate of Health or the Chief Epidemiologist that is the controller of the processing of personal data that falls under the communicable disease control measures, cf. Article 3(6) of Act No. 90/2018 and Article 4(7) of Regulation (EU) 2016/679, cf. also Article 4(1) and (2) of the Act on Health Security and Communicable Diseases No. 19/1997?"

The Directorate of Health´s reply states that SARS diseases, one of which is COVID-19, are notifiable diseases, cf. Article 5 of Regulation No. 221/2012 on reporting of communicable diseases and agents posing a threat to public health, and therefore those who diagnose such a disease must notify the Chief Epidemiologist with the information cited in Article 6 of the Regulation.

The Chief Epidemiologist shall keep a register of communicable disease in accordance with Article 5(1) of Act No. 19/1997 on Health Security and Communicable Diseases. Its purpose is to gather detailed data on the diagnosis of communicable diseases, from laboratories, hospitals, and physicians. The register of communicable disease is also intended to be of use in preventive measures and in epidemiological research, cf. Article 3 of the Act on Health Security and Communicable Diseases.

According to Article 4(1) of Act No. 19/1997 on Health Security and Communicable Diseases, the Directorate of Health shall be responsible for the implementation of communicable disease control and prevention and Article 4(2) states that at the Directorate of Health a physician, the Chief Epidemiologist, shall be responsible for measures against communicable diseases. The Chief Epidemiologist therefore works at the Directorate of Health and is the controller of all data processed in connection with his work, cf. Article 3(6) of Act No. 90/2018 and Article 4(7) of Regulation (EU) 2016/679.

  2. "What is the Directorate of Health's assessment of which data is controlled by the Chief Epidemiologist in relation to communicable disease control measures, cf. Article 27(2) of Act No. 44/2014, and what authority does he have over that data? Is the Chief Epidemiologist e.g. to be considered the controller of the health records of those who have been diagnosed with the SARS-CoV-2 virus?"

The reply from the Directorate of Health states that the Chief Epidemiologist is the controller for data prepared in connection with communicable disease control measures, including data obtained by testing for COVID-19. The data received by the Chief Epidemiologist, including data from screening and antibody testing, is under his authority.

The Chief Epidemiologist is not the controller of the health records of those who have been diagnosed with the SARS-CoV-2 virus. The guardian of health records is the healthcare facility, or the premises of a healthcare practitioner, where the health records are entered, cf. Article 3(12) of Act No. 55/2009 on Health Records. However, as mentioned in the answer to question 1, those who diagnose a notifiable disease must pass certain information on to the Chief Epidemiologist, and that data is registered in the register of communicable disease.

  3. "What is the Directorate of Health's assessment of who is the controller of the processing of personal data that has taken place in connection with the deCode genetics screening in question […], i.e. who determined the purpose and methods of the processing and what processing took place exactly? E.g., who decided at the beginning of the deCode genetics screening, before applying for permission for the above scientific research, that viral RNA should be sequenced from the pharynx / nasopharynx?"

The Directorate of Health's reply states that the Chief Epidemiologist should be considered the controller of the processing that has taken place in connection with deCode genetics' screening and that he determined the scope and organisation of the screening in collaboration with Landspítali and the Directorate of Health. The decision to sequence the RNA of the SARS-CoV-2 virus from the pharynx / nasopharynx was made to facilitate the tracing of transmissions and other communicable disease control measures.

Under normal circumstances, Landspítali would have taken care of such work on behalf of the Chief Epidemiologist, in accordance with the above processing contract. However, due to the enormous scope of the measures needing to be taken, it was considered necessary to seek assistance and a processing contract was made between Landspítali and deCode genetics in this regard. deCode genetics is therefore in fact a sub-processor.

  4. "What is the Directorate of Health's assessment of whether deCode genetics is the controller of the processing of personal data that has taken place in connection with the screening in question, in collaboration with the Directorate of Health or Chief Epidemiologist, or the processor, cf. Article 3(7) of Act No. 90/2018 and Article 4(8) of the Regulation?"

The Directorate of Health's reply refers to what is stated in the answer to question 3, i.e. that a contract is in place between the Chief Epidemiologist and Landspítali on the necessary analysis of infectious diseases. A valid processing contract is also in place between them. When deCode genetics was contacted, Landspítali entered into a processing contract with the company for the services it was providing. The Chief Epidemiologist is therefore the controller of the processing of the data collected for the Chief Epidemiologist's register of communicable disease, while deCode genetics is the processor.

  5. "Was a processing contract made with deCode genetics for the processing of personal data in connection with the screening in question, cf. Article 25(3) of Act No. 90/2018 and Article 28(3) of the Regulation? If this has been done, a copy of the contract is requested."

The Directorate of Health's response states that the Chief Epidemiologist did not enter into a processing contract with deCode genetics. A contract is in place between the Chief Epidemiologist and Landspítali on screening for communicable diseases. Landspítali and deCode genetics entered into a processing contract on the basis of that contract.

ii. Transparency and information

  1. "How has the processing of personal data, for which the Directorate of Health is the controller or, as the case may be, the Chief Epidemiologist, cf. Article 3(6) of Act No. 90/2018 and Article 4(7) of Regulation (EU) 2016/679, fulfilled the fairness and transparency requirements of the Act on Data Protection and the Processing of Personal Data, in relation to deCode genetics' screening for:

          a. SARS-CoV-2 virus in individuals in Iceland. "

The Directorate of Health's reply states that during the screening for the virus at the beginning of the epidemic, those who requested it were invited to register for testing at deCode genetics. It was therefore clear to them from the beginning that deCode genetics was involved in the project. There was also a great deal of media coverage of testing in general, and the public had been encouraged to go out and be tested, whether at health care centres due to symptoms or in the general screening with deCode genetics. The purpose of the processing should have been clear to all who attended, as was the need for it to take place. Only necessary data was collected, i.e. demographic data about the person and the result of the test. Samples were not used for any other purpose, and they were destroyed after analysis. During the testing, those tested were also asked for consent to participate in a scientific study on behalf of the company, once that study had started with the required permits.

          b. "[screening for] antibodies to the SARS-CoV-2 virus in individuals in Iceland."

The Directorate of Health's response states that a letter had been sent to the health service providers where blood tests were taken, requesting that they obtain patients' consent for an additional blood sample to be taken to check whether antibodies to COVID-19 were present. This was considered an important part of obtaining a true picture of the actual number of those who had been infected with the disease. Those who gave consent therefore knew for what purpose the sample would be used. Many other countries conducted such seroprevalence studies.

            c. "[screening for] the SARS-CoV-2 virus and antibodies to it at the border."

The Directorate of Health's reply refers to the fact that border screening is based on Regulation No. 580/2020 on quarantine, isolation and testing at the Icelandic border due to COVID-19. In addition, it says that those passengers who underwent such testing gave informed consent to it instead of being subject to a 14-day quarantine. A special registration form was made available on the website to passengers on their way to Iceland 2-3 days before their scheduled flight. Article 4(7) of the Regulation stipulates that biological samples shall only be analysed with regard to the SARS-CoV-2 virus and that they will be deleted after analysis. The Directorate of Health's reply also states that if the sample was positive, antibodies would be analysed to check whether the infection was active. The data subject's interests were substantial, as those found to have antibodies did not have to isolate, as infected individuals would have to do. Testing was arranged in such a way that the laboratories that analysed the samples, i.e. at the Department of Clinical Microbiology at Landspítali and deCode genetics, received a sample with a bar code only, and data related to the data subject then had to be linked in the Chief Epidemiologist's database. Those involved in the analysis of samples therefore did not know which individuals they belonged to.

  2. "What information has been supplied and how, regarding items a-c above?"

The Directorate of Health's reply states that no particular information was provided on the processing of personal data discussed in item a above, other than what is stated in the Directorate of Health's general personal data protection policy and at the relevant health care centres, which includes coverage of the rights of data subjects. This is in line with what is generally accepted regarding information on the processing of personal data in the health sector in connection with the provision of such service. It was not specified that deCode genetics was involved in the processing of data, as it is generally not customary in data protection policies or information to data subjects to identify processors or sub-processors.

Individuals were also able to sign up for testing on a website run by deCode genetics. To those individuals, it was therefore certainly clear that the company would be involved in processing, in addition to which there was a great deal of coverage of the screening in the news and at the information meetings of the Department of Civil Protection and Emergency Management. deCode genetics also requested consent for taking biological samples for genetic research.

Regarding antibody testing, according to item b above, the consent of those who came for blood sampling was requested, but no special information was supplied regarding the antibody testing. 

During border screenings, according to item c, those who registered for testing received information on the processing of personal data during the registration process. There was a link to further information on the processing of personal data on Covid.is, where there is also a personal data protection policy due to communicable disease control measures at the border.

  3. "Was there any change in the information supplied to individuals in Iceland after deCode genetics received permission from the NBC for the scientific study "The epidemiology of the SARS-CoV-2 virus and the effects of genetics and underlying diseases on the COVID-19 disease it causes" and then later, for the addition to this study?"

The Directorate of Health's reply states that there was no change in the information supplied when obtaining consent after permission had been granted for deCode genetics' study.

  4. "Was there any change in information supplied to individuals in Iceland after Amgen began to use the above study for the development and production of medication for the COVID-19 disease?"

The Directorate of Health's reply states that the Chief Epidemiologist and the Medical Director of Health are not aware that the above research is being used in the development and production of Amgen medication for the COVID-19 disease.

However, it should be noted in this context that in response to the current epidemic, researchers, pharmaceutical companies, healthcare professionals and others involved in responding to COVID-19 in any way, have shared information about their findings in an unprecedented way. This is indicative of the severity of the epidemic and the enormous public interest in improving the quality of diagnostic methods, treatment, disease control and the fast-paced development of a vaccine that is both safe and provides lasting protection against the SARS-CoV-2 virus that causes the COVID-19 disease. deCode genetics has published several scientific articles based on its research and findings from screening, antibody testing and sequencing, which are available in scientific journals.

  5. "Why were individuals who sought a doctor for a blood test for reasons other than COVID-19, and were asked for an extra sample to be taken for antibody testing, not asked for informed and written consent? What information did these individuals receive in general and regarding the fact that they might be invited to take part in a follow-up study that would be a formal scientific study? Were or will the blood samples or results from a study of these be used in scientific research in the health sector?"

The Directorate of Health´s reply states that in general, written consent is not requested for the processing of personal data within the health sector. However, individuals were informed of the purpose for giving an additional blood sample. This was not a case of collecting data for a scientific study, but infection control measures due to COVID-19, i.e. for communicable disease authorities to get a better picture of the actual number of those who had contracted the disease.

  6. "What information has been supplied, and how, to those individuals who have been offered screening at deCode genetics, i.a. to examine the spread of the virus in this country […], including with regard to what information formed the basis for an invitation to be extended to them?"

The Directorate of Health's reply states that when the second wave of the epidemic began at the end of July / beginning of August 2020, the SARS-CoV-2 virus was screened for in three different ways to examine to what extent it had spread in the community.

      1. It was decided to offer screening to those individuals who were in quarantine so that the spread of the virus could be quickly assessed. This data has since proved to be important in being able to shorten the quarantine from 14 days to seven, with great benefits for individuals and society. It was not specifically stated in the invitation by text message that this screening was due to the person in question being in quarantine, but it may be presumed that people would be aware of this after phone conversations with the tracing team.

      2. It was decided to offer random screening in the capital area and in Akranes, to examine the spread in society. Few were diagnosed and such screening was therefore discontinued. In a text message inviting people for such a screening, it was stated that the participants had been selected at random.

      3. Instead of random screening, it was decided to offer screening based on cases, e.g. in workplaces. The tracing team decided who should be offered screening. This proved to be an important step in tackling the second wave. Reasons for the invitation to attend screening were not stated. deCode genetics also offered screening at certain workplaces and in schools, in collaboration with these parties, but this has not been in collaboration with the Chief Epidemiologist. The results were nevertheless passed on to him, as this is a notifiable disease.

4.
Further explanation from the Directorate of Health

The DPA requested further explanation by letter to the Directorate of Health on November 3 2021. The DPA subsequently received a letter from the Directorate of Health on the 15th of the same month, where the following answers are given to the DPA´s questions.

  1. "What personal data was recorded in connection with the study of blood samples, where was it recorded and by whom?"

The Directorate of Health's reply states that those who did the testing returned samples marked with a personal identification number. In addition, deCode genetics was sent a locked Excel spreadsheet by e-mail and a password to it by e-mail in a separate document. deCode genetics´ employees entered data into a special system that managed this processing. Samples were assigned a random number and the following analysis of the sample at deCode genetics laboratory took place under that number. The results were passed to the Chief Epidemiologist, where the random number was decoded and the results of the individual in question communicated to him through the website Heilsuvera.

Personal data had therefore been processed by those doing the testing and by a deCode genetics employee who entered the data into a system where samples were assigned random numbers. In this way, it was ensured that those who worked on the analysis of samples did not know which individuals they belonged to.
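As an added illustration that is not code from the page or from any party named in it, the following Python sketch shows the pseudonymisation pattern the reply describes: the controller keeps the only table linking random sample numbers to personal identification numbers, the laboratory receives and returns results under the random numbers alone, and re-identification happens on the controller's side. The class and function names, the assay callable and the sample identifiers are constructed assumptions.

```python
"""
Pseudonymisation with a controller-held key table (added example, not the
project's own code). Mirrors the flow described in the reply above: samples
arrive labelled with a personal identification number, intake replaces that
number with a random sample number, the laboratory works only on the random
number, and the controller alone can map the random number back to a person.
All identifiers used here are constructed sample values.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class IntakeRegister:
    """Held by the controller: the only place where a random sample number
    can be linked back to a personal identification number."""
    _by_pseudonym: dict = field(default_factory=dict)

    def register(self, personal_id: str) -> str:
        # 64-bit token from a CSPRNG; loop guards against the (negligible)
        # chance of a collision so every issued sample number is unique.
        while True:
            sample_no = secrets.token_hex(8)
            if sample_no not in self._by_pseudonym:
                self._by_pseudonym[sample_no] = personal_id
                return sample_no

    def resolve(self, sample_no: str) -> str:
        # Raises KeyError for a number the controller never issued, so a
        # stray or mislabelled result cannot be silently attributed to anyone.
        return self._by_pseudonym[sample_no]


def lab_analyse(worklist: list[str], assay) -> dict[str, str]:
    """Processor side: sees only random sample numbers, never personal IDs.
    `assay` is a hypothetical callable standing in for the laboratory test."""
    return {sample_no: assay(sample_no) for sample_no in worklist}


def run_screening(personal_ids, assay):
    """Full exchange: controller pseudonymises, laboratory analyses, controller
    re-identifies. Returns (results keyed by person, the worklist the lab saw)."""
    register = IntakeRegister()
    worklist = [register.register(pid) for pid in personal_ids]
    lab_results = lab_analyse(worklist, assay)
    resolved = {register.resolve(no): res for no, res in lab_results.items()}
    return resolved, worklist


def lab_view_is_pseudonymous(worklist, personal_ids) -> bool:
    """Check that nothing handed to the laboratory contains a personal ID."""
    return not any(pid in no for pid in personal_ids for no in worklist)


if __name__ == "__main__":
    # Constructed identifiers; the assay result is fixed for the demonstration.
    ids = ["010170-1234", "020280-5678"]
    results, seen_by_lab = run_screening(ids, lambda _no: "negative")
    print("lab worklist:", seen_by_lab)
    print("re-identified results:", results)
    print("lab view pseudonymous:", lab_view_is_pseudonymous(seen_by_lab, ids))
```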

  2. "Was a processing contract entered into with deCode genetics for the screening for antibodies in the additional blood samples taken in locations other than Landspítali?"

The Directorate of Health's reply states that no special processing contract had been entered into with deCode genetics for the screening for antibodies in the additional blood samples taken in locations other than Landspítali. This was important analysis of the status of the epidemic, which could provide the communicable disease control authorities with information useful for making decisions in the next weeks and months, with the aim of proposing measures with the least restrictions possible. Furthermore, this was a service Landspítali would have carried out had it had the possibility of doing so and the processing took place on the basis of the Chief Epidemiologist´s contract with Landspítali and Landspítali's contract with deCode genetics.

  3. "Were samples destroyed after antibody testing was completed or were they stored in a biobank and if so, which biobank?"

The Directorate of Health's reply states that all samples were destroyed after the antibody test was completed.

II.
Criteria and conclusion
1.
Scope

The scope of Act No. 90/2018 on Data Protection and the Processing of Personal Data, and Regulation (EU) 2016/679, cf. Article 4(1) of the Act, and thereby the authority of the DPA, cf. Article 39(1) of the Act, apply to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form a filing system.

Personal data includes information relating to an identified or identifiable natural person and an identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier or one or more factors specific to him, cf. Article 3(2) of the Act and Article 4(1) of the Regulation.

Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, cf. Article 3(4) of the Act and Article 4(2) of the Regulation.

This case concerns the processing of personal data in connection with firstly, screening for the SARS-CoV-2 virus in Iceland and secondly, measurements of antibodies to the virus. This processing began with the taking of biological samples, which clearly falls within the scope of freedom from interference with privacy, in accordance with Article 71 of the Constitution but which alone does not constitute the processing of personal data, according to the above. However, it is clear that in connection with the handling of the samples, data was recorded and processed in other ways, including due to invitations issued to individuals to come for testing and analysis of the samples. In this respect, and taking the above provisions into account, this case concerns the processing of personal data which comes under the authority of the DPA.

2.
Controller and processors

The party responsible for the processing of personal data complying with Act No. 90/2018 and Regulation (EU) 2016/679 is called the controller. This refers to a natural or legal person, public authority or other body which determines, alone or jointly with others, the purposes and means of the processing of personal data, cf. Article 3(6) of the Act and Article 4(7) of the Regulation.

The Chief Epidemiologist is required, according to Article 5(2) of the Act on Health Security and Communicable Diseases No. 19/1997, to maintain a register of communicable disease. Its purpose is to gather detailed data on the diagnosis of communicable disease from laboratories, hospitals, and physicians. Its purpose is also to support preventive measures and epidemiological research, cf. Article 3 of the Act on Health Security and Communicable Diseases. According to Article 4(1) of Act No. 19/1997 on Health Security and Communicable Diseases, the Directorate of Health is responsible for the implementation of communicable disease control and prevention and according to Article 4(2), the Directorate of Health shall employ a Chief Epidemiologist who is responsible for measures against communicable diseases. The Chief Epidemiologist is therefore an employee of the Directorate of Health but is the controller for all data that is processed in connection with his work. In this case, the Chief Epidemiologist is therefore the controller of the processing in question.

The controller may entrust the processing of personal data to another party on his behalf. This would be a processor in accordance with Article 3(7) of Act No. 90/2018 and Article 3(8) of Regulation (EU) 2016/679, i.e. a party which processes personal data on behalf of a controller, but such processing shall be governed by a contract with the processor in accordance with Article 25(3) of the Act and Article 28(3) of the Regulation. The Chief Epidemiologist has made a contract with Landspítali on the processing of personal data for which he is the controller, and the hospital is thus the processor, as far as that processing is concerned.

Pursuant to Article 25(2) of Act No. 90/2018, cf. Article 28(2) of the Regulation, the processor may employ another processor, provided that he has the specific or general written authorisation of the controller. Landspítali and deCode genetics entered into a contract where Landspítali entrusts deCode genetics with the processing of personal data resulting from Landspítali's obligations according to its processing contract with the Chief Epidemiologist. deCode genetics is therefore a sub-processor, according to the Article above, as there is written authorisation in the processing contract between the Chief Epidemiologist and Landspítali that Landspítali may use such a sub-processor in its processing.

Biological samples from health care providers other than Landspítali have also been transferred to deCode genetics for antibody testing and the Directorate of Health states in its reply that these would otherwise have been sent to the hospital. According to Article 1.1 of Landspítali's processing contract with deCode genetics, the contract covers the processing of personal data on behalf of Landspítali for screening for the COVID-19 virus in biological samples which deCode genetics receives from the hospital. It also covers processing on behalf of the hospital for the same purpose in the case of test samples collected by deCode genetics itself. Taking into consideration the explanations provided, the processing of the samples from parties other than Landspítali must be considered to be covered by the contract on that basis.

It should be noted, due to the use of data for the purposes of the above scientific study by deCode genetics, that in the scientific study, deCode genetics does not have the status of processor but that of controller. According to information reviewed in this case, an application had not been made to the NBC for a scientific study when screening began at the beginning of the epidemic, but when the screening had been ongoing for twelve days, i.e. an application was sent to the NBC March 20 2020. Yet deCode genetics had unequivocally stated in the media on 8 March that the company's involvement did not form part of a scientific study, and this could have given those who went for screening reason to believe that such a study would not take place. Nevertheless, the study in question was initiated and involves a retrospective study according to Section VI of Act No. 44/2014 on Scientific Research in the Health Sector, as it is not based on the consent of the data subjects. It should be noted that although the study falls outside the DPA investigation discussed in this Decision, it formed part of the reason why the DPA decided to initiate an investigation, cf. discussion in Part I, Chapter 1 of the Decision. It is therefore right to note the above.

3.
Legality of processing

All processing of personal data must be subject to one of the provisions of Article 9 of Act No. 90/2018, cf. Article 6(1) of Regulation (EU) 2016/679. It should be noted that personal data may be processed if it is necessary for compliance with a legal obligation to which the controller is subject, cf. Article 9(3) of the Act and Article 6(1)(c) of the Regulation, or if the processing is necessary for the performance of a task carried out in the public interest, cf. Article 9(5) of the Act and Article 6(e) of the Regulation. In addition, the processing of data concerning health, as defined in Article 3(3)(b) of the Act, must comply with any of the additional conditions of Article 11(1) of the Act and Article 9(2) of the Regulation. As is the case here, Article 11(1)(9) of the Act and Article 9(2)(i) of the Regulation are of particular interest, stating that the processing of sensitive personal data is permitted if it is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, and is carried out on the basis of law which provides for suitable and specific measures to safeguard the fundamental rights and interests of the data subject. 

In assessing the authorisation for processing, the provisions of other applicable laws must also be considered, where applicable. According to Article 5(2) of Act No. 19/1997 on Health Security and Communicable Diseases, the Chief Epidemiologist is required, as stated above, to keep a register of communicable disease to monitor the spread of communicable diseases by obtaining accurate information about their diagnosis from laboratories, hospitals, and physicians. In addition, Article 3(3) of the Act states that the purpose of the register is to obtain the above data to be of use in preventive measures and in epidemiological research. The same provision also states that the utmost confidentiality shall be maintained regarding all private information appearing in the register of communicable disease and that the register is subject to the same rules as other medical records. The communicable diseases covered by this are discussed in Article 2 of the Act, to the extent that they apply to diseases and agents that can cause epidemics and pose a threat to public welfare, as well as other serious infectious diseases. To the extent that data on the diseases in question is used for healthcare services for an individual, one must consider Article 4(1) of Act No 55/2009 on Health Records, which prescribes the obligation of a healthcare practitioner who treats a patient to keep a health record on the treatment of a patient, but such a record must, among other things, record test results, cf. Article 6(1)(8) of the Act. Accordingly, it must be concluded that the processing in question, which was carried out to screen for the SARS-CoV-2 virus and antibodies to it, complied with the law.

In addition to authorisation according to the above, the processing of personal data must comply with all the principles of Article 8(1) of Act No. 90/2018, cf. Article 5(1) of Regulation (EU) 2016/679. This includes provision for personal data being processed lawfully, fairly and in a transparent manner in relation to the data subject (Item 1), that it shall be collected for specified, explicit, legitimate, and objective purposes and not further processed in a manner that is incompatible with those purposes (Item 2), and that it shall be processed in a manner that ensures appropriate security of the personal data (Item 6).

The controller shall be able to demonstrate that the processing of personal data complies with the above principles, cf. Article 8(2) of the Act and Article 5(2) of the Regulation.

Of the principles in question, the general transparency requirement of Article 8(1)(1) of the Act is of particular relevance here, cf. the further provisions on information in Articles 13 and 14 of the Regulation, cf. Article 17 of the Act. Questions relating to this are discussed in Chapter 5 below.

4.
Processing contracts

As stated above, the controller is the party who determines the purposes and means of processing the personal data. The controller has an obligation to ensure that processing takes place in accordance with the legal rules outlined above. This means that the processor must conduct processing in accordance with the instructions of the controller. Those instructions shall, according to Article 28(3) of the Regulation, be governed by a contract or other legal act that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller.

The processing contract or other legal act, according to Article 28(3) of the Regulation, shall stipulate in particular, that the processor:

    a. processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Union or Member State law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;

    b. ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

    c. takes all measures required pursuant to Article 32 of the Regulation, i.e. implements appropriate technical and organisational measures to ensure a level of safety appropriate to the risk, e.g. considering the state of the art, the cost of implementation and the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. This means that the controller and the processor shall, as appropriate:
       i. use pseudonymisation and encryption of personal data;
       ii. have the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
       iii. have the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
       iv. have a process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

    d. respects the conditions of Article 28(2) and (4) of the Regulation regarding the engagement of another processor;

    e. considering the nature of the processing, assists the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller´s obligation to respond to requests for exercising the data subject´s rights laid down in Chapter III of the Regulation;

    f. assists the controller in ensuring compliance with obligations pursuant to Articles 32 to 36, considering the nature of processing and the information available to the processor;

    g. at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data;

    h. makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the Regulation and allows for and contributes to audits, including inspections, conducted by the controller or another auditor mandated by the controller.

Where controllers and processors operate on the basis of law, it may be necessary to consider the relevant legal provisions to supplement the processing contract. Such provisions can be considered to constitute an "other legal act" within the meaning of Article 28(3) of the Regulation, to the extent that they meet the conditions specified therein.

i. Processing contract between the Chief Epidemiologist and Landspítali

The Chief Epidemiologist has a processing contract with Landspítali. The contract is dated 21 December 2015.

In Article 2 of the contract, reference is made to the fact that according to the Act on Health Security and Communicable Diseases, the Chief Epidemiologist is responsible for maintaining a register of communicable disease which is intended to support preventive measures in Iceland. It says that he is therefore the controller of the file. It is stated that the register of communicable disease contains "e.g. personally identifiable information on notifiable cases and pathogens coming from laboratories and treating physicians".

It is stated in Article 3 of the contract that Landspítali, or specifically the hospital's laboratories in clinical microbiology, as a processor according to the definition of the then applicable Act No. 77/2000 on the Protection of Privacy as regards the Processing of Personal Data, is entrusted with keeping a record and storing data on notifiable diseases and their causes. It says that in accordance with this, the laboratories are the processors of the register of communicable disease on behalf of the Chief Epidemiologist and that they are therefore authorised to obtain data about morbidities and to register these if they are relevant to the epidemiological analysis. The processing contract authorises the processor to process personal data for an individual's health care, for communicable disease control measures and/or for scientific research, provided the necessary permits have been granted by the NBC and the DPA.

It also states that all processing of personal data by the processor is subject to the instructions of the Chief Epidemiologist and shall be carried out in accordance with personal data protection legislation and rules set on the basis of that Act. Furthermore, it is specified that the conditions that the DPA deems necessary at any given time shall be complied with.

In addition, it is stipulated that the laboratories may work with other parties and health organisations outside the hospital to collect and process personal data on notifiable diseases.

Article 4 of the contract stipulates that Landspítali shall guarantee the security of personal data in accordance with its policy on the protection of sensitive personal data in health records, without this being further defined.

This processing contract was made having regard to the now repealed Act No. 77/2000 on the Protection of Privacy as regards the Processing of Personal Data, and the legal references in it bear the marks of this. Article 13 of that Act stipulated that the controller was permitted to contract a third party to perform, in whole or in part, the processing for which the controller was responsible in accordance with the provisions of the Act. However, this was contingent upon the controller having beforehand verified that the processor in question was able to carry out the required security measures and conduct internal audits in accordance with Article 12 of the Act.

Article 13(2) of the Act stipulated that such a contract shall be in writing and at least in duplicate. The contract had in particular to stipulate that the processor shall act only on instructions from the controller and that the obligations set out in the Act shall also be incumbent on data processing carried out by the processor. Article 13(3) of the Act stipulated that anyone who acts in the name of the controller or the processor, including the processor himself, and has access to personal data, may only process personal data according to the instructions of the controller, unless legislative acts stipulate otherwise.

Act No. 90/2018 on Data Protection and the Processing of Personal Data took effect on 15 July 2018. The Act introduced into national law the Regulation of the European Parliament and of the Council (EU) 2016/679. As discussed above, Act No. 90/2018 and Regulation (EU) 2016/679 have much more detailed requirements regarding the content of processing contracts than previous legislation, and it is clear that the processing contract between the Chief Epidemiologist and Landspítali does not contain provisions in accordance with requirements pursuant to Article 28(3)(b), (c), (e), (f), (g) and (h) of Regulation (EU) 2016/679 and Article 25(3) of Act No. 90/2018.

However, Act No. 19/1997 on Health Security and Communicable Diseases, Act No. 41/2007 on the Medical Director of Health and Public Health, Act No. 55/2009 on Health Records, Act No. 110/2000 on Biobanks and Health Data Banks and Act No. 34/2012 on Healthcare Practitioners all have provisions that complement the above processing contract. These include the provision of Article 17 of Act No. 34/2012 and Article 13 of Act No. 55/2009, which stipulate the confidentiality of healthcare practitioners, Article 24(1) of Act No. 55/2009, and Article 5(1)(9) of Act No. 110/2000 which provide for the appropriate security of personal data and Article 7(1) of Act No. 41/2007, which stipulates the monitoring authority of the Medical Director of Health to which the Chief Epidemiologist belongs, cf. Article 4(2) of Act No. 19/1997.

However, with regard to the requirements of Article 28(3) of the Regulation, it would be appropriate for the processing contract to contain references to the above provisions and the issues specified therein. In addition, the contract does not contain instructions from the Chief Epidemiologist on the destruction or return of personal data in accordance with Article 28(3)(g) of the Regulation. Furthermore, the contract's references to personal data protection legislation are based on repealed legislation in that area, as stated above.

From what has been discussed here, it is therefore clear that the Chief Epidemiologist's processing contract with Landspítali does not comply with the requirements currently made for such contracts.

ii. Processing contract between Landspítali and deCode genetics

In addition to the processing contract between the Chief Epidemiologist and Landspítali, a processing contract was made between Landspítali and deCode genetics on March 12 2020, where the company deCode genetics is defined as a sub-processor. This processing contract is based on the provisions of Act No. 90/2018 and the relevant provisions of Regulation (EU) 2016/679. Authorisation for a contract such as this is found in Article 25 of the Act, cf. Article 28 of Regulation (EU) 2016/679. It is also clear that the contract could be made on the basis of the processing contract between the Chief Epidemiologist and Landspítali.

Landspítali´s contract with deCode genetics describes the purpose and implementation of the processing that is outsourced, in addition to reviewing, among other things, the issues specified in Article 28 of the Regulation. The DPA therefore does not consider it necessary to comment further on the contract.

5.
Transparency and information supplied to the data subjects

As stated above, all processing of personal data must comply with all the principles of Article 8(1) of Act no. 90/2018 and Article 5(1) of Regulation (EU) 2016/679. It stipulates, i.a. that personal data shall be processed lawfully, fairly, and in a transparent manner in relation to the data subject, cf. Article 8(1)(1) of the Act and Article 5(1)(a) of the Regulation. This requirement implies that it should be clear to individuals when personal data about them is collected or used, viewed, or otherwise processed, to what extent it is or will be processed and for what purpose. In order for the processing of personal data to meet this requirement, the controller must take special measures regarding information to the data subject. 

Such information is discussed in Article 13 of Regulation (EU) 2016/679, cf. Chapter III of Act No. 90/2018. According to the provision, the controller, who collects personal data from the data subject, has the obligation to inform him of certain matters concerning the processing. Paragraph 1 of the provision states that the data subject shall be supplied with information on the identity and the contact details of the controller; the contact details of the data protection officer, if applicable; the purposes of the processing for which the personal data is intended as well as its legal basis; and the recipients or categories of recipients, if any.

In addition to the information above, the controller shall, according to Article 13(2) of the Regulation, provide the data subject with further information necessary to ensure fair and transparent processing, including how long personal information will be stored or, if that is not possible, the criteria used to determine this; that there is a right to request from the controller access to personal data, to have them corrected, deleted or restricted in their processing with regard to the data subject or to object to processing, in addition to the right to transfer own data; that there is a right to withdraw consent at any time without prejudice to the lawfulness of processing on the basis of the consent up until the time of the revocation; and on the right to lodge a complaint with a regulatory body in the field of personal data protection.

According to Article 13(4) of the Regulation, other provisions of the Article do not apply if and to the extent that the data subject has already become aware of the information listed above.

Article 14 of the Regulation stipulates the controller´s obligation to supply information when personal data has not been obtained from the data subject. The controller shall inform the data subject of the identity of the controller, his contact details and the identity of a data protection officer, and of the purpose and legal basis of the processing, cf. Paragraph 1 of the provision, which is for the most part identical to Article 13(1) of the Regulation. In addition, Paragraph 2 of the provision states the obligation to supply further information necessary to ensure fair and transparent processing. The provision contains an enumeration which for the most part is identical to that of Article 13(2) of the Regulation. For example, it is stated that the data subject shall be informed of the source from which his personal data has been obtained, cf. Item f on the list.

According to Article 14(5) of the Regulation, other provisions of the Article do not apply, if the data subject already has the information, the provision of such information proves impossible or would involve a disproportionate effort, in particular for processing for scientific research purposes or the collection or dissemination of data is clearly prescribed by law.

Article 23 of the Regulation further stipulates that the controller´s obligation to supply information may be limited according to Articles 13 and 14 of the Regulation with a legislative measure that must meet certain requirements, as appropriate, including on data protection measures. This applies to important objectives that serve the public interest of a Member State and examples of the interests that fall thereunder are listed in the Article, including public security and public health.

In light of the above, Article 17(4) of Act No. 90/2018 provides authorisation to restrict the rights under Articles 13 and 14 of the Regulation for the benefit of the objectives listed in Article 23 of the Regulation, and both public safety and public health are specified therein, cf. points 3 and 5 of Paragraph 4 of the provision. According to the comments on the provision in the explanatory memorandum to the bill, it is intended to be an independent authorisation to limit the data subject's rights. In this regard, it should be noted that during the deliberations of Parliament, the requirement was added that the restriction should be in accordance with the law, without it being specifically explained what this entails. As discussed in Chapter 3 above, the activities of the Chief Epidemiologist are governed by a special law, Act No. 19/1997, which defines his role and also addresses measures for the protection of personal data. It must be assumed that, taken together, Article 17(4) of Act No. 90/2018 and Act No. 19/1997 provide an adequate legal basis to restrict the rights of the data subject as necessary.

In addition, it should be noted that on 19 March 2020, the European Data Protection Board issued a statement on the processing of personal data in the context of the COVID-19 epidemic. The statement emphasises that rules on the protection of personal data, including Regulation (EU) 2016/679, do not prevent measures to defend against the epidemic, but also states that the protection of personal data must be ensured. The Data Protection Commissioner of the Council of Europe and the Chair of the Committee of Convention 108 issued a joint statement on 30 March 2020 stating that data protection can in no manner be an obstacle to saving lives and that the applicable principles always allow for a balancing of the interests at stake; it also says that it is crucial that personal data is appropriately protected. A similar emphasis is found in the proviso to Article 23 of Regulation (EU) 2016/679 and Article 17(4) of Act No. 90/2018 that restrictions shall respect the essence of fundamental rights and freedoms and constitute a necessary and proportionate measure in a democratic society.

The DPA considers it clear that the circumstances that led to the processing discussed here were very urgent and called for extensive measures to be taken at short notice to combat a public danger. A similar assessment appears in the above statements from the European Data Protection Board and the Council of Europe. It should be reaffirmed that, as stated above, the protection of personal data must be accorded the greatest importance in the response to the current threat. Nevertheless, the DPA is of the opinion that restrictions of the rights under Articles 13 and 14 of Regulation (EU) 2016/679 can be considered appropriate here, in accordance with the criteria specified in Article 23 of the Regulation and Article 17(3) of Act No. 90/2018.

i. Screening for the SARS-CoV-2 virus

According to the Directorate of Health's replies, the health data processed in connection with the screening for the SARS-CoV-2 virus at the beginning of the epidemic was entered in health records on the basis of Act No. 55/2009 on Health Records. Certain data was also recorded in the register of communicable disease, on the basis of Act No. 19/1997 on Health Security and Communicable Diseases. The data recorded consisted of demographic data and test results.

From the Directorate of Health's explanations it can be deduced that the individuals screened were not supplied with individual information, as they should have been aware of the processing of personal data that took place in connection with the screening and for what purpose. It is pointed out that there was a great deal of media coverage of the testing and that individuals who attended had previously had to register with deCode genetics. Only necessary data was collected, i.e. demographic data about the person and the test results. Test samples were not used for any other purpose, and they were destroyed on completion of the analysis. General information had been available in the Directorate of Health's data protection policy, as well as that of individual health care centres.

With regard to the health data processed in connection with the screening, it is the DPA's opinion that the data was obtained on account of the administrative role of the Chief Epidemiologist, cf. inter alia Article 5(2) of Act No. 19/1997, as well as for the provision of a health service as defined in Article 3(2) of Act No. 55/2009. Articles 4 and 6 of the Act contain clear instructions on healthcare practitioners' obligation to enter data in health records when providing healthcare services, as deemed necessary for the treatment of a patient, and at a minimum, for example, the patient's name, address, ID number, profession, marital status and next of kin, aspects of health and medical history relevant to the treatment, examinations, descriptions of treatments and procedures, test results and diagnoses. The Act also contains provisions on the guardian of the health records, storage, duration of storage and the security of personal data in health records. According to Article 1(3) of the Act, the provisions of the Act on Data Protection and the Processing of Personal Data apply to the processing of personal data in health records, unless otherwise stipulated in the Act. It has generally been considered that individuals seeking health care may be aware of the processing of personal data involved in the keeping of health records, and this must be considered to have been the case here as well.

According to the Directorate of Health's explanations, all samples taken for the screening in question were destroyed, and the data was sent to the Chief Epidemiologist for entry into the register of communicable disease, in addition to being registered in the health records of the individuals concerned. It is also clear from the facts of the case that this data was not intended to be recorded with deCode genetics, and Article 7 of Landspítali's processing contract with deCode genetics prescribes the destruction of all personal data the company processes on the basis of the contract. In view of this, and of what is stated above on Article 17(4) of Act No. 90/2018 and related matters, the DPA is of the opinion that it was not necessary to supply individual information on the items specified in Article 13 of Regulation (EU) 2016/679.

ii. Antibody testing

In the case in question, a blood sample was taken to examine whether individuals had previously been infected with the SARS-CoV-2 virus and thus developed antibodies to it. The results of each individual were kept, and the result of the screening recorded in the individual's health record. The results of the study could therefore also be used to some extent in the treatment of those who gave samples.

The purpose of the sampling was to conduct a so-called "seroprevalence" study, to investigate the spread of the SARS-CoV-2 virus in the community. The Directorate of Health's explanations state that the research was carried out to fulfil the legal obligation resting on the Chief Epidemiologist according to Article 5 of Act No. 19/1997. According to that Article, it is within the remit of the Chief Epidemiologist to plan and coordinate communicable disease control and immunisation measures throughout the country and to provide information on the spread of infectious diseases, domestically and abroad, on a regular basis and as needed to physicians and other healthcare practitioners.

The Directorate of Health's explanations further state that those who gave additional blood samples for antibody tests on arrival at health care centres were generally informed of the purpose of taking the sample. Their consent had been requested, but in general no written consent is requested for the processing of personal data within the health service. The explanations also state that no special information was supplied on the processing of personal data in connection with the antibody testing. However, it would have been clear to the individuals in question what personal data processing took place in connection with the screening and for what purpose. There was also general information in the Directorate of Health's data protection policy, as well as that of individual health care service providers.

In the DPA's opinion, the blood samples in question were primarily taken for statistical purposes, and it can be deduced from the Directorate of Health's reply that the results were to be used to make decisions about the current epidemic. Considering this reply, the processing is considered to have fulfilled the role of the Chief Epidemiologist in organising and coordinating communicable disease control and prevention and immunisations, cf. Article 5(1) of Act No. 19/1997 on Health Security and Communicable Diseases, and thereby to have been for the purposes of a health service, as defined in Article 3(2) of Act No. 41/2007 on the Medical Director of Health and Public Health. In addition, the results of the analysis of the test samples were entered into the health records of the persons concerned, and the blood sampling was in that respect directly related to the health service provided to the individuals in question. It is also clear that personal data was not to be retained with deCode genetics, cf. Article 7 of Landspítali's processing contract with the company.

Considering the purpose of the processing and the above, the same is considered to apply to supplying data subjects with information about the processing as outlined in section i. above, cf. also the previous discussion on Article 17(4) of Act No. 90/2018 and related items. With reference to that discussion, it is the DPA's conclusion that the Chief Epidemiologist was not obliged to supply individual information on the items specified in Article 13 of the Regulation.

iii. Border screening

It can be deduced from the facts of the case that individuals who were screened at the border for the SARS-CoV-2 virus and antibodies to it were supplied with individual information. Specifically, passengers on their way to the country had to fill out a specific registration form prior to arrival, which included information on the purpose of testing and the retention period of samples, as well as a link to further information on the processing of personal data and the data protection policy. It is the DPA's conclusion that this information was satisfactory according to Article 13 of Regulation (EU) 2016/679, cf. Article 8(1)(1) of Act No. 90/2018 and Article 5(1)(a) of the Regulation.

iv. Screening at deCode genetics to investigate the spread of COVID-19

During the screening in question, three groups were invited to participate in screening at deCode genetics and individuals from one of these groups received information about the basis of the invitation, i.e. that they belonged to a random sample. However, the other two groups consisted of individuals in quarantine and individuals who had been in contact with infected individuals, e.g. in the workplace, and they were not informed of the reasons for the invitation.

Here the question is whether information should have been supplied according to Article 14 of Regulation (EU) 2016/679, which covers the obligation to supply information to the data subject when personal data is obtained from someone other than the data subject himself. Furthermore, the obligation to supply information according to Article 13 of the Regulation, in connection with the taking of samples, also applies. Here it should be noted that according to the Directorate of Health's explanation, this processing served the same purpose as the processing discussed in section ii. above. It has also been stated that test samples were destroyed, in addition to which it is clear from the processing contract between Landspítali and deCode genetics, as previously stated, that the company was not to retain personal data for registration. With reference to this, as well as the discussion in sections i. and ii. and preceding section i., it is not considered that an obligation was established to supply individual information on the items specified in Articles 13 and 14 of the Regulation.

Nevertheless, it should be noted that the DPA has received notifications from individuals who were invited to the screening in question about it being unclear whether this was a process that served as a measure for communicable disease control only or whether it was to be used for scientific research by deCode genetics. Such research, including research on the human genome, is the core business of that company. The DPA is of the opinion that there was ample reason to make it clear in the information to the public that the screening in question did not form part of that activity. The DPA considers this not to have been adequately addressed and that the general transparency requirement of Article 8(1)(1) of Act No. 90/2018 was not fully complied with.

6. Summary of conclusions

As stated above, Act No. 90/2018 on Data Protection and the Processing of Personal Data and Regulation (EU) 2016/679 impose much more detailed requirements on the content of processing contracts than previous legislation, and it is the DPA's conclusion that the processing contract between the Chief Epidemiologist and Landspítali does not fully comply with the provisions of Article 28(3) of the Regulation and Article 25(3) of the Act.

In accordance with this conclusion, and with reference to Article 42(4) of Act No. 90/2018, it is hereby proposed that the Chief Epidemiologist enter into a satisfactory processing contract with Landspítali, in accordance with Article 25 of the Act and Article 28 of Regulation (EU) 2016/679. Confirmation that these instructions have been followed shall be received by the DPA no later than 10 January 2022.

It is also the DPA's conclusion that the information supplied in connection with border screening for the SARS-CoV-2 virus and antibodies to it fulfilled the conditions set in Article 13 of the Regulation. In addition, there was no need for individual information on the basis of that Article in connection with the screening at the beginning of the epidemic and the screening for antibodies to the SARS-CoV-2 virus, cf. Paragraph 4 of the Article. Nor was there a need to supply information according to Article 14 of the Regulation in connection with the antibody testing that took place at deCode genetics to investigate the spread of COVID-19.

However, the DPA concludes that it was not made sufficiently clear in the Chief Epidemiologist's general information to the public that said antibody testing at deCode genetics took place solely for the purposes of communicable disease control and not for the company's scientific research. Therefore, insufficient attention was paid to the general transparency requirement of Article 8(1)(1) of Act No. 90/2018.

The DPA points out that the processing of personal data is governed by Act No. 90/2018 and Regulation (EU) 2016/679 and that this legislation must be complied with despite a pandemic, as stated in the statement of the European Data Protection Board (EDPB) on the processing of personal data in the context of the COVID-19 outbreak, issued on 19 March 2020.

However, the DPA is also aware of the threat the COVID-19 disease has posed to Icelandic society since the beginning of the epidemic and the pressure Icelandic health authorities have been under. In view of these special circumstances, a fine has not been imposed in this case, cf. Article 47(1) of Act No. 90/2018.

Decision:

The Chief Epidemiologist's processing contract with Landspítali is not in accordance with Act No. 90/2018 on Data Protection and the Processing of Personal Data and Regulation (EU) 2016/679.

The Chief Epidemiologist's provision of information in connection with border screening for the SARS-CoV-2 virus and antibodies to it was in accordance with Article 13 of Regulation (EU) 2016/679, cf. Article 17(2) of Act No. 90/2018, and with Article 8(1)(1) of Act No. 90/2018 and Article 5(1)(a) of the Regulation.

The Chief Epidemiologist was not required to provide individual information on the basis of Article 13 of Regulation (EU) 2016/679, cf. Article 17(2) of Act No. 90/2018, in connection with screening for the SARS-CoV-2 virus in Iceland at the beginning of the epidemic and screening for antibodies to the virus. Furthermore, the Chief Epidemiologist was not required to provide information according to Article 14 of the Regulation in relation to an invitation for antibody screening at deCode genetics to investigate the spread of COVID-19.

The Chief Epidemiologist's information to the public was not sufficiently clear that the above antibody screening at deCode genetics was part of communicable disease control only and did not form part of the company's scientific research, cf. the transparency requirement of Article 8(1)(1) of Act No. 90/2018.

With reference to Article 42(4) of Act No. 90/2018, it is proposed that the Chief Epidemiologist enter into a satisfactory processing contract with Landspítali in accordance with the provisions of Chapter IV of Act No. 90/2018, cf. Chapter IV of the Regulation. Confirmation that these instructions have been complied with, as well as a copy of the new processing contract, shall be received by the DPA no later than 10 January 2022.

The Data Protection Authority, 23 November 2021


Ólafur Garðarsson

Chair


Björn Geirsson                         Sindri M. Stephensen


Vilhelmína Haraldsdóttir               Þorvarður Kári Ólafsson


