Downloading and using the Smittestopp app is entirely voluntary. You are also free to decide whether or not you wish to take your mobile phone with you when you leave your home. The Norwegian Institute of Public Health (NIPH) processes personal data pursuant to the Regulation relating to digital contact tracing and epidemic control arising from the COVID-19 outbreak.
You can erase personal data that is collected about you and stop using Smittestopp at any time. You must be 16 years-old to use Smittestopp.
How the Smittestopp app works
The COVID-19 outbreak is a major outbreak of an infectious disease which could have serious health consequences for many people. The disease has now entered a new phase where we have been unable to identify the chain of infection for everyone who becomes infected. Manual contact tracing takes time, is inaccurate and takes up considerable resources. The Norwegian Institute of Public Health (NIPH) has therefore developed the Smittestopp app.
The Smittestopp app enables the automated and digital tracing of people with whom infected people have come into contact (close contacts) using GPS positioning and Bluetooth proximity, so that close contacts can be alerted and take precautions to protect both themselves and others. The app also enables the effects of social distancing measures to be monitored, so that other measures can be extended, scaled down or ended as and when appropriate. The benefits of the Smittestopp app increase as more people use it.
Smittestopp involves the storage of data concerning users’ movement patterns and contact with other mobile phones on which the Smittestopp app has also been downloaded. The information is stored for a maximum of 30 days. Contact is recorded using both GPS and Bluetooth. It is not necessary for those who are registered to know each other.
Smittestopp automatically detects all phones on which the Smittestopp app has been downloaded and enabled which come into proximity with each other. Only when one of the users is registered as being infected will any analysis be carried out to determine which phones the person’s phone has been sufficiently close to for long enough in order to cause a risk of infection.
At the time of Smittestopp’s launch, any contact closer than 2 metres for more than 15 minutes over a 24-hour period is defined as being close contact entailing a risk of infection. You will be notified if this definition changes.
When a person tests positive for COVID-19, this will be recorded by NIPH in what is known as the ‘MSIS database’; see the Regulation relating to a messaging system for infectious diseases. Entry in the MSIS database takes place electronically and NIPH is the controller for the collection and processing of health data in MSIS. The MSIS database contains 11-digit national ID numbers and can add the mobile phone number of anyone who has tested positive for COVID-19.
Using national ID numbers, data on infections can be linked to the mobile phone numbers of people who have downloaded the app. The mobile phone number is obtained from ‘The common contact register’ (Kontakt- og reservasjonsregisteret). You will not be able to receive alerts by text message if you have not registered your mobile phone with this register. You can update your data in this register at http://eid.difi.no/nb/oppdater-kontaktinformasjonen-din-kun-ett-sted.
By monitoring and storing movement patterns and which other mobile phones have been in close contact with the mobile phone of someone who has been infected during the past two weeks, close contacts can be alerted that they have been in close proximity to an infected person and that they should take precautions in order to protect their own health and that of others.
An example: Kari, Georg, Sheila and Per have all downloaded the Smittestopp app. They are all healthy. They meet regularly. After a while, Kari tests positive for COVID-19. When this is registered by NIPH, Georg, Sheila and Per receive an alert telling them they have been in close contact with an infected person. They can then monitor their own health and go into quarantine. They will not be informed when or where this contact occurred. They will not be told that it was Kari who was the "reason" why they were alerted, but it is possible they will deduce it was her. They will be told the date on which they came into close contact with an infected person, so that they know the start date for their quarantine period.
The personal data that are collected will not be used to monitor whether individuals are complying with any official recommendations or rules. Health and location data will not be released to the police or prosecution authority or be used for insurance purposes or by employers, even with your consent. The personal data cannot be used for commercial purposes.
The Smittestopp app is a new technological solution which the NIPH hopes will reduce the consequences of COVID-19 for both individuals and the population as a whole. NIPH cannot guarantee that Smittestopp will produce the desired outcome. Under no circumstances can NIPH be held responsible for any loss of life or health, profits or any other financial loss that may arise in connection with the use or provision of Smittestopp, or as a result of NIPH's failure to provide the service.
After you have downloaded the Smittestopp app, NIPH will process personal data about you. Below, you will therefore find information about the personal data that are collected, why we collect these data and your rights relating to the processing of your personal data.
The controller for the personal data that we process is the Norwegian Institute of Public Health (NIPH) c/o Director- General Camilla Stoltenberg. NIPH’s address is Lovisenberggata 6 og 8, 0456 Oslo. NIPH’s telephone number is 21 07 70 00. The e-mail address is email@example.com.
If you have any questions regarding NIPH’s processing of your personal data, you can also contact our Data Protection Officer via firstname.lastname@example.org.
1. Why we collect personal data and the legal basis for the processing
The purpose of the Smittestopp app is to alert those who have come into close contact with anyone who is infected, so that they can protect both themselves and others by going into quarantine.
The legal basis that NIPH uses for the collection and processing of personal data is the General Data Protection Regulation (Article 6 (1)(e) and Article 9 (2)(i)) and the Regulation relating to digital contact tracing and epidemic control arising from the COVID-19 outbreak, which was laid down pursuant to Section 7-12 of the Communicable Diseases Act. The personal data will solely be used for the purposes specified in the Regulation, i.e. rapid tracing and dissemination of advice to people who may be infected.
By monitoring data at population level, Smittestopp will also make it easier to monitor the prevalence of infection and assess the effectiveness of infection control measures. No mobile phone numbers and other directly personally identifiable characteristics of users will be processed for this purpose.
Your personal data will not be used to monitor individuals, such as determining whether you are complying with Section 5 of the Regulation relating to quarantine, isolation and ban on staying at holiday homes, etc. arising from the COVID-19 outbreak.
Health and location data will not be released to the police or prosecution authority or be used for insurance purposes or by employers. The personal data cannot be used for commercial purposes.
NIPH will be able to anonymise the personal data and use them for research purposes. The resulting anonymous sub-datasets may be used for modelling the epidemic (forecasts). They can also be used to assess the effects of political measures and rules, such as quarantine and school closures, on the epidemic. It will, for example, be possible to create a social distancing indicator for every municipality. The data will also help us to understand movement patterns within the population and how people meet. These data could be used to assess whether there are any specific areas, age groups or activities which are more likely to result in infection ("hotspots").
2. Disclosure of personal data
Your personal data will be processed by NIPH. As a general rule, your personal data will not be processed by people, as automated processes will be used. Nevertheless, it may be necessary for authorised personnel to be given access to personally identifiable information in the register. A log is kept of who has looked up which personal data and when it occurred. You have the right to see this log.
When other people are alerted that they have been in close proximity to an infected person, no characteristics of the infected person will be disclosed. The close contacts will be told the date on which the contact occurred (within 24 hours), to enable them to work out how long they should go into quarantine for. However, in situations where people do not come into contact with many other people, we cannot rule out the possibility that some users who are alerted may be able to identify who the infected person was. Thus, we cannot rule out the possibility that other people may become aware that you have been infected.
NIPH uses processors to collect, store and otherwise process personal data on our behalf. Before the alert solution is applied nationally, NIPH will validate this part of the solution in collaboration with a limited number of specially selected municipalities. This is being done to ensure that the algorithm that the app uses can correctly identify relevant close contacts. The validation process will be carried out over a limited period of time, with a few specially selected municipalities, and only a limited number of people will have access to personally identifiable information about close contacts from Smittestopp.
NIPH has entered into agreements to safeguard information security at every stage of the processing chain. NIPH currently uses the following processors:
- Simula Research Laboratory AS, Simula Metropolitan Center for Digital Engineering AS (Simula Met) and Simula Consulting AS to develop the service
- Microsoft Ireland Operations Ltd for storing personal data in MS Azure
- Norsk Helsenett for the privacy solution
- Selected municipalities for validation of the alert solution
All processing of personal data which we carry out takes place within the EU/EEA area, and the GDPR therefore applies in its entirety.
3. Which personal data are collected and how long it is stored for?
When Smittestopp is launched, the app will automatically send data concerning patterns of use (e.g. starting and stopping of the app) and error situations (e.g. when the app crashes) to Microsoft App Center. This data will be stored for up to 90 days and used to fix bugs and understand how the app is being used.
Smittestopp will collect the following personal data when you download and enable it on your phone:
- Mobile phone number
- GPS position, so that close contact with other people/mobile phones can be tracked, i.e. so that movement patterns can be continually recorded (longitude, latitude, speed, height above sea level, time spent at different locations) when Smittestopp is enabled and the phone is switched on
- Generated UUID from Smittestopp (a unique ID which follows the phone number)
- Operating system, mobile operator, version number and phone model - these data are used to improve the quality of collected data, as different phones and operating systems have differing precisions as regards location data
- Bluetooth data concerning Smittestopp apps on other phones which are within range of the phone (start and end time of contact, generated UUID for nearby phones, vector with signal strength for nearby phones) is logged continuously
In order to identify infected users and contact users who have come into close contact with an infected person, the personal data in the system may be linked to personal data in the Messaging system for communicable diseases (see Section 1-1 of the MSIS Regulation and the Common contact register; see Section 29 of the Regulations concerning electronic communication with and within the public administration.
As long as you have enabled the app, GPS data, information about where you have been and other mobile phones that you have been near will be recorded, stored and erased automatically after 30 days.
NIPH will store data on which mobile phone numbers have been alerted that they have been in close contact with an infected person for 30 days. NIPH will assess whether these data still need to be stored and will notify you if this time period changes or if the data are no longer being stored. You will then be notified accordingly.
Fixed information, such as mobile phone number, UUID and the version number of your mobile phone's operating system, will be stored for as long as you continue to use Smittestopp.
You can erase your personal data in Smittestopp by pressing the erase button in the app. Your personal data will then be erased both in your mobile phone and centrally. You can then remove the app itself from your mobile phone.
If you only delete Smittestopp from your phone (without pressing the delete button), your personal data will be erased centrally after a week.
All personal data that have been collected will be erased when the Regulation ceases to apply on 1 December 2020.
4. Your rights
You have the right to request access, correction or erasure of the personal data that we process about you. This applies for example to access to your location data and information on who has viewed your personal data. You also have the right to request limited processing and object to processing. You can read more about these rights on the Norwegian Data Protection Authority's website: www.datatilsynet.no.
You can access the GPS data we have stored for your phone by logging in on Helsenorge’s website (www.helsenorge.no/smittestopp). You will not be able to access Bluetooth data, as these will help to identify who is infected. If you do not wish to use Helsnorge in order to gain access, or if you wish to exercise any other rights, please contact our Data Protection Officer via email@example.com
We will respond to your enquiry as soon as possible and within no more than 30 days. We will ask you to confirm your identity or provide additional information before we allow you to exercise any rights. We do this to make sure that we only give access to your personal data to you - and not someone who is pretending to be you.
If you believe that the way in which we process personal data does not correspond with what we have described here or that we are breaching data protection or other relevant legislation in some other way, you can complain to the Norwegian Data Protection Authority, or you can contact us or our data protection officer.
For details of how to contact the Norwegian Data Protection Authority, visit the authority’s website: www.datatilsynet.no.
7. Changes as of 12th June 2020
So far the purpose of the Smittestopp app has been to alert those who have come into close contact with anyone who is infected in a limited number of specially selected municipalities, referred to in paragraph 2 above. Due to little transmission in Norway currently, the validation process of the alert system is delayed. Nationwide automatic notifications sent to those who have come into close contact with infected persons and advise to limit further transmission, are still not implemented in the solution, and you will not be notified through the app. If you continue using Smittestopp while the national notification system is implemented, you will contribute with data enabling NIPH to monitoring data at population level, making it easier to monitor the prevalence of infection and assess the effectiveness of infection control measures.