Privacy policy - Processing of personal data
This content is archived and will not be updated.
The Norwegian Institute of Public Health (NIPH) processes personal data about you in connection with the Smittestopp app. This privacy policy explains how we process personal data about you and what rights you have.
The Norwegian Institute of Public Health is the data controller and you can contact us at these addresses:
Folkehelseinstituttet/Norwegian Institute of Public Health
Postboks 222 Skøyen
0213 Oslo
Telephone: 21 07 70 00
E-mail: folkehelseinstituttet@fhi.no
1. Purpose and voluntary use
The purpose of the Smittestopp app is to prevent and stop the spread of coronavirus (Covid-19) by breaking infection chains when a user of Smittestopp has received confirmation that he or she is infected.
The personal data cannot be processed for any purpose other than what you have consented to. The purpose of Smittestopp is to allow you to be notified that you have been in contact with a person who is infected with coronavirus. Smittestopp also allows you to tell people you have been close to if you become infected with coronavirus. This applies both to people you do not know and to people you do not remember having been in contact with.
Smittestopp will make infection tracking faster and easier by allowing the process to take place without any kind of manual processing after you or others have taken the initiative to send a notification.
The use of Smittestopp is completely voluntary. You can stop using Smittestopp at any time and stop receiving notifications of infection from others. Once you have advised that you are infected yourself, this message, and the consent to process personal data about you in this regard, cannot be withdrawn.
If you receive a notification of infection, you will also be given advice on what to do. Smittestopp or information processed in connection with Smittestopp cannot be used to initiate measures such as quarantine, for example. Even if you don't use Smittestopp, you will still be contacted by the infection tracking team in your municipality if they become aware that you have been near someone who is infected.
You must be 16 to use Smittestopp. Minors under the age of 16 will not be able to notify of infection, but they will be able to receive notifications of infection if they download the app. NIPH cannot check whether people under the age of 16 are downloading the app.
The Norwegian Institute of Public Health can extract statistics that show how many people use Smittestopp and how many people choose to warn of infection. This is not personal data and cannot be associated with you as a user. We use this information to evaluate the effect of Smittestopp.
Smittestopp is part of a European collaboration that uses identical technology on mobile phones across different countries. This collaboration includes a common European server (the European Federation Gateway Service) for exchange of data. The purpose is to support exchange of data across different countries' contact tracing apps so that infection tracing and warning can happen across borders. Further information about the European cooperation is included in this privacy policy, chapters 2.1, 2.4 and 5.
2. How Smittestopp works
2.1 Registration of telephones you have been in contact with (contact registration)
When you use Smittestopp, the Bluetooth connection on your mobile phone is used to record and store data about other Smittestopp users near you.
Neither NIPH nor the other users of Smittestopp can see who you are, who you have been in contact with or when and where the contact has occurred.
To ensure that others won't be able to see who is reporting infection, your phone first creates one-way keys called Temporary Exposure Keys. These Temporary Exposure Keys change every 24 hours. These keys are used to create new one-way keys called Rotating Proximity Identifiers every ten to twenty minutes. These Rotating Proximity Identifiers are exchanged via Bluetooth between phones that have Smittestopp installed. The Rotating Proximity Identifiers are stored together with contact strength information indicating how far away the phones are from each other. However, the Rotating Proximity Identifiers cannot be traced back to the phone they come from or where they are exchanged.
In the same manner as your phone exchanges keys with other users of Smittestopp, your phone will also exchange keys with phones belonging to users that have activated similar contact tracing apps from other countries. The reason for this is that the different countries' contact tracing apps are based on similar technology on the users' phones. The technology is the same regardless of which country's contact tracing app the user has downloaded. This means that you can receive warnings about infection from users of other countries' contact tracing apps, without getting information identifying that the user is using a contact tracing app other than Smittestopp.
2.2 When you want to notify of infection (infection alert)
If you test positive for coronavirus, you can alert the other users of Smittestopp who you have been close to. No one receives a message without you first approving this.
When you use Smittestopp to notify of coronavirus infection, Smittestopp will first check that you are registered as being infected in the Norwegian Surveillance System for Communicable Diseases (MSIS), for which the Norwegian Institute of Public Health is responsible. Your national ID number will be used to check whether or not you are registered as being infected. You must therefore log in via the ID portal.
MSIS is updated twice a day. It is possible that you may receive a message that you have tested positive for Covid-19 before this is registered in MSIS. It is not possible to report infection via Smittestopp before the positive test is recorded in MSIS. You may be notified that you will need to try again later.
At the launch of Smittestopp, users of Smittestopp who meet the following criteria will receive an infection alert:
- Contact with someone infected lasted more than about 15 minutes.
To assess whether the criteria have been met, Smittestopp makes calculations based on data related to the Rotating Proximity Identifiers on users' phones. For example, to calculate whether the distance was less than about 2 metres, the measurements of signal strength are converted to an approximate distance.
Smittestopp has been developed so that no data is disclosed concerning who issues the infection alert. Smittestopp users whom you have been in contact with will not be notified that you are the one who is infected. However, when a notification of infection is sent, it may still be possible in exceptional cases to find out who sent the message. If someone who receives an alert has only come into contact with a very small number of people recently, in some cases they may be able to work out who issued the alert.
2.3 How an infection alert occurs
If a check against MSIS, as described above in point 2.2, confirms that you are registered with a positive test for Covid-19, Smittestopp will upload the Temporary Exposure Keys from your phone that were used to generate the Rotating Proximity Identifiers on your phone to a common server (backend) so that they are made available to other phones that have Smittestopp enabled. The Temporary Exposure Keys are one-way keys and cannot be traced back to you.
The Smittestopp app on other phones downloads the Temporary Exposure Keys that are accessible from the common server, comparing them to Rotating Proximity Identifiers that have been received from phones they have been near in the last 14 days. If it becomes apparent that other phones have been near your phone, the users of these phones will be alerted on their phones. They will also receive recommendations on what they should do.
Similarly, you will receive a notification of infection if you have been near a Smittestopp user who chooses to send an infection alert and you meet the criteria in point 2.2 above. You won't be notified who you have been in contact with or when the contact occurred.
The information that you have been in contact with an infected person does not represent a diagnosis for you or confirmation that you are infected, but rather that you have been exposed to a risk of infection.
If you receive a notification of infection, you will receive information about what you should do at the same time. The information you receive in the message will follow the current recommendations of the health authorities at any given time. The information is only advisory and whether or not you choose to follow the advice is voluntary. No action can be taken against you if you do not follow the advice. However, the Norwegian Institute of Public Health would encourage you to follow the advice. You can read more about how Smittestopp works and the technology behind it in the article Lagringsteknologi (fhi.no, in Norwegian).
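The derive-and-match flow described in sections 2.1 and 2.3, as an added example that is not part of the original policy and is not NIPH's, Apple's or Google's code. It is a simplified model: HMAC-SHA256 stands in for the key-derivation and encryption steps of the real framework, and the 10-minute interval, the `(key, first_interval)` upload format and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

INTERVAL_SECONDS = 600    # assumption: one identifier per 10-minute interval
INTERVALS_PER_KEY = 144   # 144 x 10 minutes = the 24-hour key lifetime
RETENTION_DAYS = 14       # retention period stated in the policy


def new_tek():
    """Random 16-byte Temporary Exposure Key; stays on the phone unless uploaded."""
    return os.urandom(16)


def rpi(tek, interval):
    """One-way identifier for one interval (HMAC-SHA256 stand-in, truncated)."""
    msg = b"RPI" + interval.to_bytes(4, "little")
    return hmac.new(tek, msg, hashlib.sha256).digest()[:16]


def broadcast_schedule(tek, first_interval):
    """Every identifier a phone broadcasts during one key's 24-hour lifetime."""
    return [rpi(tek, first_interval + i) for i in range(INTERVALS_PER_KEY)]


def find_exposures(uploaded_keys, observed, today_interval):
    """Re-derive identifiers from uploaded (tek, first_interval) pairs and return
    (interval, signal_strength) for each one this phone actually received.
    `observed` maps a received identifier to the signal strength stored with it."""
    oldest = today_interval - RETENTION_DAYS * INTERVALS_PER_KEY
    hits = []
    for tek, first_interval in uploaded_keys:
        if first_interval < oldest:
            continue  # older than 14 days: the phone has deleted those contacts
        for i in range(INTERVALS_PER_KEY):
            candidate = rpi(tek, first_interval + i)
            if candidate in observed:
                hits.append((first_interval + i, observed[candidate]))
    return hits


def demo():
    # Constructed sample data: phone A later reports infection, phone B listens.
    day0 = 2_700_000                 # arbitrary interval number
    tek_a, tek_c = new_tek(), new_tek()   # phone C never uploads its key
    sent = broadcast_schedule(tek_a, day0)
    observed_by_b = {sent[10]: -62, sent[11]: -60, rpi(tek_c, day0 + 10): -80}
    today = day0 + 3 * INTERVALS_PER_KEY
    return find_exposures([(tek_a, day0)], observed_by_b, today)


if __name__ == "__main__":
    print(demo())
```

Phone B learns only that two of its stored identifiers match an uploaded key; the identifier from phone C stays unmatched because C's key was never published.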
2.4 Notification to users of other countries' apps
Smittestopp also gives you the opportunity to notify users of contact tracing apps from other countries in the EU / EEA of infection. Such notification only takes place if you have given your own consent to this.
Such notification across different countries' apps is relevant if you have been traveling to another European country or if you have been in contact with users of foreign contact tracing apps in Norway, e.g. because they work or have been on holiday in Norway. In both cases, there may be people who should be notified that they have been near someone infected with Covid-19.
For such notification to take place, your one-way keys, which cannot be traced back to you but which other telephones can use to check whether they have been near your telephone, must be forwarded to a common European server where they are made available for download to other countries' contact tracing apps.
To better understand which European countries' apps are particularly relevant for notifying that you are infected with Covid-19, Smittestopp asks that you tick what you think are the relevant countries. It is relevant to mark countries where you yourself have been traveling and other countries you think may be relevant, because you may have been in contact with people from these countries. However, your country listing does not limit which countries' contact tracing apps can download your one-way keys.
2.5 Processing of information at Apple and Google
Smittestopp is based on a technology developed by Google and Apple. You can read more about the technology on Contacttracing (apple.com) and Exposure Notifications (google.com).
The use of Smittestopp may result in data on use of the app being sent to Google and Apple. This includes data such as patterns of use (e.g. starting and stopping of the app) and fault situations. This data will be stored for up to 90 days and used to fix bugs and understand how the app is being used. This information cannot be linked to personal data such as telephone numbers or infection contacts. This is not a form of processing that is done specifically for the Smittestopp app, but applies to many apps downloaded from the App Store and Google Play. Read more on the website for support from Google (google.com).
Google and Apple may also collect other data from your mobile phone independently of Smittestopp, in accordance with the companies' privacy policy (apple.com).
3. The legal basis for the processing of personal data
The legal basis for storing Temporary Exposure Keys and Rotating Proximity Identifiers on your phone, and for the exchange of such keys with other phones, is consent, cf. the General Data Protection Regulation articles 6 and 9 no. 1 a). You give your consent before activating the app. This consent includes only the right to exchange contact keys and to store information on your mobile so that you can receive notifications.
If you become infected with Covid-19 and wish to notify others through Smittestopp you will be asked to give your specific consent to this. The consent also covers checks in MSIS, to verify that you are registered with infection, and implementation of the alert.
4. What personal data is processed and how long is it kept?
Smittestopp processes the following personal data about you:
4.1 Information that is processed on your mobile phone
The following personal data is processed on your mobile phone in connection with the use of Smittestopp:
- Rolling Temporary Exposure Keys (see section 2.1 above) that are used to create one-way keys called Rotating Proximity Identifiers on your phone.
- Your Rotating Proximity Identifiers are exchanged with other phones via Bluetooth so they can register that they have been near your phone.
- Rotating Proximity Identifiers from phones you have been near
- Signal strength, which is stored together with Rotating Proximity Identifiers received by your phone.
- Any self-reported information on symptoms of Covid-19 (health information).
All the information stored on your phone is continuously deleted after 14 days or if you withdraw your consent.
4.2 Information processed by the Norwegian Institute of Public Health
The following information is processed by the Norwegian Institute of Public Health in connection with verification and checking against MSIS:
- NIPH receives your social personal ID number from the ID port when you log in to verify that you are infected.
- Pseudonyms issued by the ID port and unique to the combination of personal ID number and verification solution so as to be able to store infection status verifications for up to 24 hours (see below).
- Information on positive/negative tests for Covid-19 (health information).
- Time of positive Covid-19 test (health information).
Your personal ID number, which is collected at login with the ID port, is stored for as long as you have an active connection to the solution, but the Norwegian Institute of Public Health will not store this information after the "session" has ended. NIPH stores the time of infection status verifications, along with your pseudonym, for 24 hours. This is done to prevent the solution from being misused by sending reports of infection many times.
The following information is uploaded from your mobile to the common server in connection with notification:
- Temporary Exposure Keys that are associated with a diagnosis. The Temporary Exposure Keys are highly pseudonymised and therefore cannot be traced back to you. Because the Temporary Exposure Keys are linked to a diagnosis, they are still considered to be health information.
The Temporary Exposure Keys are stored for 14 days on the common server.
You can read more about what assessments we have made for the processing of your personal data and, among other things, how long it is stored in the Data Protection Impact Assessment (DPIA, in Norwegian). You can also read more about MSIS (fhi.no, in Norwegian).
5. Disclosure of personal data to others
NIPH does not disclose your personal data to others. The exception is if you have given consent to notify users of contact tracing apps from other countries in the EU / EEA. See more about this below.
NIPH uses Norsk Helsenett and Netcompany as data processors in connection with the operation of the solution.
Smittestopp is part of a European collaboration (see the description in chapter 1 above). When you report yourself infected through the app, and at the same time give an explicit consent to notify users of other countries' contact tracing apps, your one-way keys will be forwarded to a common European server. The keys are then made available for download to other countries' official contact tracing apps within the EU / EEA. Smittestopp in Norway similarly receives one-way keys from other European countries, so that users of Smittestopp can be notified of infection from users of contact tracing apps from other countries in the EU / EEA.
The solution is made available by the EU Commission. Norwegian Institute of Public Health (NIPH) is joint controller together with the authorities in the other participating EU / EEA countries for the processing of personal data that takes place in connection with the exchange of data. Technical and organizational details related to this collaboration are set out in:
A list of all joint controllers:
6. Your rights
Deletion
You may withdraw your consent to the processing of your personal data at any time. You can do this inside the app by selecting Menu > Personal Data Processing. You can also withdraw your consent by uninstalling the app. If you withdraw your consent, all stored information will be deleted from your mobile phone. However, you may not withdraw your consent to notify others that you are infected after such notice has already been given.
Inspection or correction
The Norwegian Institute of Public Health does not have access to the information stored on your phone. The information that is temporarily stored to send messages is only stored as long as you are logged in via the ID port. Once verification is completed, this information is deleted. The keys that are stored in the common server also cannot be associated with individual users because they are highly pseudonymised. Because of the way the solution is designed, it is therefore not possible for the Norwegian Institute of Public Health to provide you with access to this information or correct this information.
To access the information processed about you in MSIS, you can request it via helsenorge.no or by submitting a form (in Norwegian) to the Norwegian Institute of Public Health:
If you have any questions about how the Norwegian Institute of Public Health processes your personal data, please feel free to contact our Data Protection Officer by sending an email to personvernombud@fhi.no.
7. Complaints
You can complain about our processing of personal data. In such a case, we would ask you to contact us so that we have the opportunity to decide on the enquiry and possibly change the way we process your data.
You can also complain to the Norwegian Data Protection Authority. The Norwegian Data Protection Authority is an independent authority that oversees compliance with the rules on data protection in Norway. You can find information about the Norwegian Data Protection Authority, and how to complain, on the Norwegian Data Protection Authority's website: https://www.datatilsynet.no