Privacy Policy for the COVID-19 Certificate Norway
Article
|Updated
This content is archived and will not be updated.
The Norwegian Institute of Public Health (NIPH), acting as controller, processes personal data about you in connection with your use of the COVID-19 certificate. This privacy policy explains how we process personal data about you and what rights you have.
You can contact us at the following addresses:
Norwegian Institute of Public Health
Postboks 222 Skøyen
NO-0213 Oslo, Norway
Telephone: (+47) 21 07 70 00
E-mail: folkehelseinstituttet@fhi.no
1 Purpose and voluntary use
The COVID-19 certificate is a system for the secure and verified documentation of vaccination status, immunity after having had COVID-19 disease and negative test results. The certificate is based on the EU framework COVID-19 vaccination, test and recovery certificates. The purpose of the COVID-19 certificate is to enable you to prove and present a personal, valid certificate when travelling within the EU/EEA. The COVID-19 certificate provide access to exemptions which other EU/EEA countries grant their citizens based on a COVID-19 certificate.
Using the COVID-19 certificate is entirely voluntary. There is no requirement for you to have a COVID-19 certificate. There is also no requirement for you to present your COVID-19 certificate, unless stated otherwise in applicable law or regulations.
The use of COVID-19 certificates will cease when the level of infection and vaccination indicates that restrictions are no longer necessary. The EU regulations will also have an expiry date. It is up to each country to decide on the national use of COVID-19 certificates.
2 How the COVID-19 certificate works
2.1 General information concerning the issuing and use of COVID-19 certificates
You can be issued with a COVID-19 certificate if you have either 1) been vaccinated, or 2) registered a negative COVID-19 test result that is no more than a certain number of hours old and/or you have previously been infected with COVID-19 and registered a COVID-19 test to confirm this. See section 2.2 below for more information on this.
You can be issued with a COVID-19 certificate as a service via helsenorge.no or if you are unable to log in to helsenorge.no using an electronic ID or unable to use a smartphone, PC or tablet, you can order a COVID-19 certificate by post. Data on vaccination status, previous COVID-19 history and test results is retrieved from the National Immunisation Registry SYSVAK and the Norwegian Surveillance System for Communicable Diseases (MSIS).
On helsenorge.no, you can choose whether you want the certificate to be displayed digitally, or downloaded to your mobile phone for use when you do not have an internet connection. You can also print it out on paper.
It is Norsk Helsenett which is the product owner and responsible for the operation of helsenorge.no. In addition, helsenorge.no requires the use of other digital services or solutions, as for example BankID, for identification before issuing the COVID-19 certificate.
NIPH hereby disclaims any liability for damages, including direct and indirect losses of any kind and regardless of the basis of liability, related to the operation and function of and/or technical, substantive or other errors at helsenorge.no and other related services that may cause financial loss to persons as a result of using the corona certificate.
To avoid the risk of outages with these services, NIPH reminds that it is also possible to download the COVID-19 certificate to your mobile phone or print it out on paper.
When your COVID-19 certificate is checked, the inspector may also access the information which is given on the certificate. The certificate has a QR code which is used in the verification process. The person checking the certificate will scan the QR code to verify that the certificate is valid, but not to verify the identity of the certificate holder.
From 24 June 2021, the EU/EEA control page has been used for border crossings into Norway, into EU/EEA countries which have the same type of regulations, and other uses as stipulated in applicable law or regulations. Please note that both the prevalence of infection and local restrictions can change at short notice and there may be sudden updates and travel advice for individual countries, including Norway. You should check the entry rules and status at your destination.
2.2 What is a COVID-19 certificate?
The COVID-19 certificate contains information that identifies you as an individual (name and date of birth) and three medical sections. The medical sections comprise a section which shows your vaccination status, a section which shows your COVID-19 disease history and a section which shows negative test results.
The test results include both PCR tests and rapid antigen tests. However, for test results to be available in the COVID-19 certificate, the test must have been performed by the health and care service and the test result must have been registered in the laboratory database belonging to the Norwegian Surveillance System for Communicable Diseases (MSIS). MSIS is used as the information source for results. Both positive and negative test results will be shown in the certificate. Positive test results are only used to document that you have been infected and had COVID-19 disease. The results of self-tests performed and read by the person being tested (without the assistance of a healthcare professional) will not be shown on the COVID-19 certificate. Results from mass testing performed at schools and elsewhere will also not be shown.
As of November 2021, persons who have been confirmed as having SARS-CoV-2 (the virus that causes COVID-19 disease) via a PCR test will be be immune during the period between 11 and 180 days after the date of a positive test.
Negative test results may be valid for different periods of time for different areas of use (see Section 19 of the COVID-19 Regulations), while they may be valid for up to 72 hours in other countries, depending on the rules applicable in the country concerned.
2.3 COVID-19 certificates for use in the EU/EEA
The EU has decided that a European COVID-19 certificate is to be created to facilitate movement across borders; see Regulation (EU) 2021/953 of the European Parliament and of the Council of 14 June 2021 on a framework for the issuance, verification and acceptance of interoperable COVID-19 vaccination, test and recovery certificates (EU Digital COVID Certificate) to facilitate free movement during the COVID-19 pandemic and Regulation (EU) 2021/954 of the European Parliament and of the Council of 14 June 2021 on a framework for the issuance, verification and acceptance of interoperable COVID-19 vaccination, test and recovery certificates (EU Digital COVID Certificate) with regard to third-country nationals legally staying or residing in the territories of Member States during the COVID-19 pandemic.
The EU regulations establish a common legal and technical framework for the issuance, verification and acceptance of COVID-19 certificates within the EU/EEA. Citizens of Member States will be entitled to be issued a COVID-19 certificate, either digitally or in paper format. It will be possible to verify certificates in a Member State other than that in which it was issued, enabling travellers to prove their vaccination status, COVID-19 history and test results. A valid COVID-19 certificate will not be a precondition for travel in the EU/EEA. It will be up to each Member State to decide how the certificates will be used and the entry restrictions and infection control restrictions that are to apply. The main purpose is to facilitate the free movement of individuals during the pandemic. The regulations also state that citizens of countries outside the EU/EEA area who are staying or residing in the common travel area will be covered by the COVID-19 certificate scheme.
3 Legal basis
As regards the processing of personal data that is necessary for the issuing and verification of COVID-19 certificates to facilitate free movement within the EEA (the European COVID certificate), the legal basis is Section 4A-1 of the Norwegian Control of Communicable Diseases Act (smittevernloven) and EU Regulations 2021/953 and 2021/954 on the EU Digital COVID Certificate for EU/EEA citizens and citizens of third countries; see the GDPR, Article 6 (1)(c) (legal obligation) and/or (e) (task in the public interest), see 3 and Article 9 (2)(g) on the processing of special categories of personal data which is necessary for reasons of substantial public interest.
No one may be treated differently as a result of being unable to present a COVID-19 certificate, unless provisions issued in or pursuant to the law permit otherwise. Provisions stipulating that COVID-19 certificates are the only acceptable documentation can only be introduced when deemed necessary with effective and secure verification, and when such provisions would not be disproportionate given the nature of the infection control measure concerned and the circumstances. This means that it must be stipulated in a law or regulation that an inspector must have legal access to use COVID-19 certificates as a basis for the control and positive discrimination of you, and that such use cannot be disproportionate. More detailed regulations concerning the use of COVID-19 certificates may be introduced in the COVID-19 Regulation and the Regulation on entry restrictions for foreign nationals for public health reasons.
You can read the latest information on areas of use at Helsenorge.
The legal basis for the use of COVID-19 certificates in other countries will follow from the national law of the country concerned.
4 What personal data is processed and included in the COVID-19 Certificate
4.1 EU COVID-19 certificates
4.1.1 Common information
The EU COVID-19 certificate includes three medical sections regarding vaccination, tests and immunity respectively. The following personal data is covered by all three sections: the sub-certificates:
- Full name
- Date of birth
The medical sections also contain the information stated below.
4.1.2 Vaccine
- Vaccine type and manufacturer
- Date of vaccination
- Number of doses
- Country
- Unique identifier for vaccine dose
4.1.3 Test
- Test method
- Date of sampling and result
- Test result
- Place where the test was performed
- Country in which the test was performed
- Unique identifier
4.1.4 Immunity
- Which disease
- Date of positive test result
- Valid from date
- Valid to date
- Unique identifier
4.215 Other information included in the certificate:
-
- Issuer of certificate. This information is retrieved from the Norwegian Institute of Public Health
- When the certificate was issued. Timestamp indicating when the citizen retrieved the data from Helsenorge
- ID of key used for signing
Find out more about Data Protection Impact Assessment - COVID-19 certificate (in Norwegian).
5 Disclosure of personal data to others
NIPH does not disclose your personal data to others.
As processor on behalf of NIPH, Norsk Helsenett SF will issue COVID-19 certificates as a service to inhabitants on helsenorge.no.
An alternative solution for issuing COVID-19 certificates is available from Helfo. Helfo will then be acting as NIPH's processor for this process. Helfo cannot issue certificates based on test results.
If you can be issued with a COVID-19 certificate based on the result of a test taken at a test centre, the healthcare provider will act as processor for NIPH.
When you use a COVID-19 certificate and opt to show it to an inspector in connection with verification of the certificate, the inspector will be able to access the information provided in the COVID-19 certificate when they scan the QR code, but the information will not be stored on the inspector’s device.
6 Your rights
In connection with processing of your personal data by the NIPH, you have the right to request access to the data we process about you and to ask for inaccurate information to be corrected or deleted. It is the vaccination centre or test station, which is often the municipality in which you live, that has the authority to correct or delete information in the MSIS and/or SYSVAK systems.
To view the data that is being processed about you in MSIS and/or SYSVAK, you can request access to it via submitting a form to the Norwegian Institute of Public Health:
- Request access to health registries (application form, in Norwegian)
- Access to and correction and erasure of health data
If you have any questions about how the Norwegian Institute of Public Health processes your personal data, please feel free to contact our Data Protection Officer by sending an e-mail to personvernombud@fhi.no
7 Complaints
You can complain about the way in which NIPH processes personal data. In such a case, we would ask you to contact us so that we have the opportunity to decide on the enquiry and possibly change the way we process your data. You can also complain to the Norwegian Data Protection Authority. The Norwegian Data Protection Authority is an independent authority that oversees compliance with the rules on data protection in Norway. You can find information about the Norwegian Data Protection Authority, and how to complain, on the Norwegian Data Protection Authority website.