Frequently asked questions on data protection and the coronavirus
Health data refers to information about an individual’s health, diseases, disability or treatment.
Health data belongs to the special categories of personal data. Special categories of personal data require specific protection.
- The information that someone has contracted the coronavirus is health data.
- The information that a person has returned from a risk zone is not health data.
- Information on a person's exposure to the coronavirus is health data.
- The information that someone is in quarantine (without specifying the reason) is not health data.
All of the above-mentioned information is personal data, however, and data protection legislation thus applies to its processing.
In addition to the EU’s General Data Protection Regulation (GDPR), the processing of employees’ personal data is subject to the Act on the Protection of Privacy in Working Life. The Act on the Protection of Privacy in Working Life specifically provides for the processing of health data and stipulates that the personal data of employees may only be processed when necessary. The Contagious Diseases Act and other legislation related to occupational safety may also apply.
Anonymous data refers to data that cannot be used to identify individuals. Data protection legislation does not apply to the processing and publication of anonymous data, but identifying individuals from the data must be irreversibly prevented. Data remains identifiable if combining it with other information permits the identification of individuals, for example. Publishing anonymised statistics is permitted.
Patient data is data generated by the health care system and recorded in patient records. The confidentiality and disclosure of patient data, including data related to deceased persons, is provided for in section 13 of the Act on the Status and Rights of Patients (Patients Act, 785/1992). The General Data Protection Regulation (2016/679) does not apply to the personal data of deceased individuals.
Under the Communicable Diseases Act, a COVID-19 passport can be used as an alternative to restrictions. If no restrictions are in force, there are no legal grounds for checking the validity of a COVID-19 passport.
The Regional State Administrative Agencies supervise the use of COVID-19 passports as an alternative to restrictions and have issued guidelines for it.
Infected persons can tell those they come into contact with that they have a coronavirus infection. The information can also be shared when asked. If the person asking the question does not record the information, data protection legislation does not apply to the situation, but the asker may not discriminate against the potentially infected person.
In Sweden, for example, people with a generally hazardous communicable disease are required to inform those at risk of infection due to close contact with the carrier. No such obligation exists in Finland, however. The Communicable Diseases Act stipulates that infected persons are obliged to inform the physician investigating the matter of their infection. The patient must inform the physician of their view of the manner, date and place of infection, as well as the names of persons who may have been the source of infection or may have been infected.
If an employee is diagnosed with COVID-19, the employer may not, as a rule, name the employee in question. The employer can inform other employees of the infection or potential infection in general terms and instruct them to work from home.
An employee’s health data may only be processed by people whose job description includes such processing. The employer must either designate such individuals in advance or specify the tasks that involve processing health data. Individuals who process health data are subject to a confidentiality obligation.
The employer is under an obligation of confidentiality concerning the health data of employees. If necessary, the employer can inform third parties in general terms and according to the organisation’s practices that the employee is prevented from carrying out their duties. If an employee is diagnosed with COVID-19 or placed in quarantine, the employer may not, as a rule, name the employee in question.
The Occupational Safety and Health Act obliges employers to ensure safety at the workplace. The employer’s obligation to arrange medical examinations and tests by virtue of the Act is provided for in legislation such as the Occupational Health Care Act. It is also possible to organise voluntary medical examinations.
According to the Act on the Protection of Privacy in Working Life, examinations and tests concerning the employees’ state of health shall be performed and samples taken by health care professionals, properly trained laboratory personnel and health care services as provided for in the health care legislation.
Medical examinations shall be performed by a physician or another trained health care professional under the supervision of a physician. It is permitted to take necessary samples and perform other examinations that do not cause significant detriment to the subject as part of the medical examination. Employees have the right to go to a medical examination or procedure during their working hours.
According to the Communicable Diseases Act, the Regional State Administrative Agency may order a health examination to be organised for persons in a specific workplace, institution, vehicle or other such location if such an examination is necessary to prevent the spread of a generally hazardous communicable disease. Participating in the health examination is voluntary.
Belonging to the group at elevated risk from coronavirus is health data if the data is processed for assessing the employee’s state of health (for example, whether the employee is at risk due to a chronic illness). Health data may not be disclosed to third parties without the employee’s explicit consent or another legal basis. The employer is under an obligation of confidentiality concerning the health data of employees.
Simply being of a certain age can put someone at elevated risk from coronavirus. An employee’s age is not health data.
For the purpose of protecting the employee’s health, the employer can inform partners on a general level that the employee is prevented from performing their duties.
According to the authorities’ instructions and the Occupational Safety and Health Act, the employer has an obligation to refer at-risk employees to occupational health care for an assessment on rearranging their duties. The processing of health data is permitted if the employee specifically requests an assessment of their ability to work based on their state of health. The processing basis provided for in the Act on the Protection of Privacy in Working Life (Finlex) applies due to the rights and obligations involved in an employment relationship. The employee’s specific consent is not required separately.
The requirements of immediate necessity and the non-disclosure obligation related to the processing of health data must be taken into account in internal communications on the relocation of employees.
According to the Communicable Diseases Act, an attending physician must submit a notification to the physician in charge of communicable diseases in the municipality or joint municipal authority for a hospital district if they discover that their patient is suffering, or has suffered in their lifetime, from a generally hazardous or monitored communicable disease which may constitute a risk of infection to another person. In such a case, the physician in charge of communicable diseases has the right to notify the person at risk of the risk of infection without disclosing the source of infection.
The infected person can also inform the desired parties of their infection.
Information about viral infection or exposure to the virus entered in the patient records is subject to data protection regulations. If health care services disclose such information to parties such as the patient’s family members, it constitutes the disclosure of patient records to third parties. Disclosing patient information is possible on the grounds provided for in section 13 of the Act on the Status and Rights of Patients (Patient Act).
Patient information can be given to outsiders with the patient’s written consent. If a patient is not capable of assessing the significance of the consent, information may be given with their legal representative’s written consent. In addition, information about the identity and state of health of a patient may be given to a family member of the patient or to another person close to the patient if the patient is receiving treatment because of unconsciousness or for another comparable reason, unless there is reason to believe that the patient would forbid this. The application of this provision must be evaluated on a case-by-case basis.
If a patient cannot decide on their own treatment due to mental illness, mental disability or other reasons, the patient's legal representative, family member or other person close to the patient must be heard before making important treatment decisions in order to determine which treatment would best correspond to the patient’s will. The consulted person’s consent must be obtained for the treatment in such cases. The patient’s legal representative, close relative, or other person closely connected with the patient is entitled to receive any information regarding the patient's state of health that may be required to enable them to express an opinion and give their consent.
Regardless of the above, a health care organisation may give general information on matters such as visiting arrangements, preparing for the COVID-19 epidemic or measures related to the management of the epidemic.
Information about viral infection or exposure to the virus entered in the Social Welfare Services’ customer records is subject to data protection regulations. If such information is given to a family member of the customer, for example, this constitutes a disclosure of social welfare customer information. The matter is thus subject to sections 14–16 of the Act on the Status and Rights of Social Welfare Clients (Social Welfare Customer Act).
According to section 16 of the Social Welfare Customer Act, information contained in confidential documents may be disclosed with the customer’s explicit consent or as specifically provided for in law. If a customer is not capable of assessing the significance of the consent, information may be given by their legal representative’s consent.
Section 9 of the Social Welfare Customer Act stipulates the right to self-determination under special circumstances. In the situation provided for in the section, the customer’s will must be determined together with their legal representative, family member or other person if the customer is not able to participate in and influence the planning and implementation of the customer’s services or other social welfare measures without assistance. Note, however, that even in the special circumstance described in the Act, information not specifically related to the arrangement of the specific customer’s social welfare services cannot be disclosed to the customer’s family. The application of the section also requires that the customer’s ability to function and make decisions on the matter is significantly impaired. The party responsible for the social welfare service will determine whether the customer’s situation fulfils the criteria provided for in section 9 of the Social Welfare Customer Act.
Like health care organisations, social welfare services may give general information on matters such as visiting arrangements, preparing for the COVID-19 epidemic or measures related to the management of the epidemic.
In the opinion of the Data Protection Ombudsman, patient records can be used for such surveys, if they are part of the health care unit’s duties and are done for the purpose of assessing the individual’s need for medical care.
If the person expresses a need or desire for services provided by other bodies when contacted, the information can be passed on to such bodies with the consent of the person in question. In some cases, providing the information can also be possible by law.
The processing of personal data in connection with the survey must be planned in advance (data protection by design and by default as provided for in Article 25 of the EU’s General Data Protection Regulation). In particular, the unit needs to ensure that personnel taking part in the survey take considerations of confidentiality and data minimisation into account in their work.
Organisations can make such decisions during a pandemic as well. A pandemic does not, however, give grounds to ignore data protection regulations, which must be observed even in emergencies when making decisions related to the processing of personal data.
Particular attention must be paid to the data security of the chosen device in order to prevent outsiders from gaining access to the data. According to Article 32 of the EU’s General Data Protection Regulation, controllers and processors of personal data must implement technical and organisational measures to ensure a level of data security appropriate to the risk to the rights and freedoms of individuals.
The controller must assess whether an impact assessment provided for in Article 35 of the GDPR should be made of the adoption of the new device.
Decisions and measures should be documented in order to meet the requirement of accountability.
The EU General Data Protection Regulation states that a Data Protection Officer may not be dismissed for performing their tasks. The GDPR does not specifically provide for lay-offs. As a rule, labour legislation is thus applied to lay-offs.
If the General Data Protection Regulation requires an organisation to appoint a Data Protection Officer, the organisation must continue to fulfil this obligation also in the event of lay-offs.
The requirements specified in the GDPR for individuals appointed as Data Protection Officers cannot be waived because of lay-offs. The Data Protection Officer must have expert knowledge of data protection legislation and the ability to fulfil the tasks provided for in the GDPR. Organisations can refer to their practices for arranging deputies for the Data Protection Officer during holidays without violating the principles of the GDPR, for example.
The Data Protection Officer is the organisation's internal data protection expert who monitors the organisation's processing of personal data and assists the management and personnel with compliance with data protection legislation. In this regard, the Office of the Data Protection Ombudsman would like to point out that several issues concerning the protection of personal data have arisen in connection with the coronavirus emergency. The Data Protection Officer has crucial expertise in identifying such issues and maintaining compliance with data protection legislation.
Some of the hospital districts have recommended that restaurants and event organisers collect customers’ contact information so that it can be used to trace coronavirus infections and exposures, if necessary.
If you collect information, pay special attention to the following issues.
1. Confirm the legal basis for processing and the lawfulness of consent
There must always be a legal basis for the processing of personal data. A recommendation by an authority alone does not constitute a basis for processing personal data.
In Finland, companies do not have a legal obligation to collect contact information for tracing infections. Collecting information is possible based on the data subject's consent, however. This means that customers can decide if they wish to provide their information to the restaurant or event organiser for tracing people who have been exposed to coronavirus.
The consent must be freely given, specific, informed and unambiguous. The customers must be clearly informed of the purpose for which the information is collected. Customers also have the right to refuse to provide information. Providing information cannot be used as a condition for entering a restaurant, for example.
2. Limit the purpose of processing the information
The information can only be used for tracing infection chains, not for marketing or other customer communications, for example.
3. Minimise the amount of information collected
Only information necessary for tracing infections can be collected. For example, a customer’s name and telephone number can be requested. A combination of contact information and an alias can also be sufficient for tracing infection chains.
4. Determine the data storage period
Information can only be processed for as long as it is needed for tracing infection chains. For example, in the Koronavilkku application, the data are stored for 21 days, after which they are destroyed. The data must be destroyed carefully after they are no longer needed.
5. Implement the rights of the data subject
Data subjects have many rights, and their fulfilment must be ensured. Customers must be told clearly and comprehensively about how and for which purpose the personal data will be used. Customers can also withdraw their consent for the processing of data, and the data must be removed if the customers request it.
6. Make sure that the data are processed safely
Only the persons whose duties involve the processing of personal data are permitted to access the data.
Customers must not be instructed to submit their contact information in such a way that other customers can see the information.
7. Describe the roles of parties processing personal data
Does another party process the data on behalf of the restaurant or the event organiser by using an application, for example? In that case, a processing agreement must be drawn up.
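As an added illustration that is not part of the Ombudsman's guidance, the following Python sketch shows how points 1 to 7 above translate into concrete design decisions for a restaurant's contact register: nothing is stored without consent, only a name or alias and a telephone number are kept, reads are refused unless they come from an authorised role and serve the tracing purpose, withdrawal of consent deletes the record, and records are destroyed after 21 days (the Koronavilkku period quoted above). The class, the role name, the guest names and the telephone numbers are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Point 4: retention period. 21 days is the Koronavilkku figure cited in the text;
# a restaurant must decide its own period and justify it.
RETENTION = timedelta(days=21)
# Point 2: the only purpose the data was collected for.
TRACING_PURPOSE = "infection_tracing"


@dataclass
class Entry:
    """Point 3: the minimum needed to reach one guest; an alias is acceptable."""
    entry_id: int
    name_or_alias: str
    phone: str
    visited_at: datetime


class ContactRegister:
    """In-memory register. A real deployment would back this with an
    access-controlled store; the control points are the same."""

    def __init__(self, authorised_roles=("tracing_contact",)):
        self._entries: Dict[int, Entry] = {}
        self._next_id = 1
        # Point 6: only persons whose duties include this processing.
        self._authorised_roles = frozenset(authorised_roles)

    def record_visit(self, name_or_alias: str, phone: str, consent: bool,
                     now: Optional[datetime] = None) -> Optional[int]:
        # Point 1: no consent, no record. Refusal is not penalised: the caller
        # gets None and the guest is admitted as usual.
        if not consent:
            return None
        now = now or datetime.now(timezone.utc)
        entry = Entry(self._next_id, name_or_alias, phone, now)
        self._entries[entry.entry_id] = entry
        self._next_id += 1
        return entry.entry_id

    def lookup_visitors(self, role: str, purpose: str, window_start: datetime,
                        window_end: datetime,
                        now: Optional[datetime] = None) -> List[Entry]:
        """Return guests present in a time window, for tracing only."""
        if role not in self._authorised_roles:
            raise PermissionError(f"role {role!r} may not access contact data")
        if purpose != TRACING_PURPOSE:
            raise PermissionError(f"purpose {purpose!r} is not what the data was collected for")
        self.purge_expired(now)  # never hand out data past its retention period
        return [e for e in self._entries.values()
                if window_start <= e.visited_at <= window_end]

    def withdraw_consent(self, entry_id: int) -> bool:
        # Point 5: withdrawal removes the data rather than merely flagging it.
        return self._entries.pop(entry_id, None) is not None

    def purge_expired(self, now: Optional[datetime] = None) -> int:
        """Point 4: destroy entries older than RETENTION; returns how many."""
        now = now or datetime.now(timezone.utc)
        expired = [i for i, e in self._entries.items() if now - e.visited_at > RETENTION]
        for i in expired:
            del self._entries[i]
        return len(expired)

    def count(self) -> int:
        return len(self._entries)


def demo() -> dict:
    """Constructed scenario: three guests, one refuses, one withdraws, one expires."""
    reg = ContactRegister()
    t0 = datetime(2021, 6, 1, 18, 0, tzinfo=timezone.utc)
    results = {}
    reg.record_visit("Anna", "+358 00 000 0001", consent=True, now=t0)
    alias_id = reg.record_visit("guest-17", "+358 00 000 0002", consent=True,
                                now=t0 + timedelta(days=5))
    results["refused_id"] = reg.record_visit("Carl", "+358 00 000 0003",
                                             consent=False, now=t0 + timedelta(days=5))
    # A tracing contact asks who was present on the evening of day 5.
    exposed = reg.lookup_visitors("tracing_contact", TRACING_PURPOSE,
                                  t0 + timedelta(days=4), t0 + timedelta(days=6),
                                  now=t0 + timedelta(days=10))
    results["exposed"] = [e.name_or_alias for e in exposed]
    # Marketing and an unauthorised role are both refused.
    for role, purpose, key in (("tracing_contact", "marketing", "marketing_refused"),
                               ("waiter", TRACING_PURPOSE, "unauthorised_refused")):
        try:
            reg.lookup_visitors(role, purpose, t0, t0 + timedelta(days=30))
            results[key] = False
        except PermissionError:
            results[key] = True
    results["withdrawn"] = reg.withdraw_consent(alias_id)
    # Day 22: Anna's record is past the 21-day retention period.
    results["purged"] = reg.purge_expired(now=t0 + timedelta(days=22))
    results["remaining"] = reg.count()
    return results


if __name__ == "__main__":
    print(demo())
```

The point of routing every read through `lookup_visitors` is that purpose limitation and access restriction are enforced in one place rather than relying on staff discipline; the same applies to calling `purge_expired` before every read, so that an entry past its retention period can never be disclosed even if the scheduled purge has not run yet.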
Coronavirus vaccination
Legislation does not restrict discussion about coronavirus vaccines. Employees can discuss their own coronavirus vaccinations if they so wish, but cannot be obliged to tell whether they have been vaccinated or not.
Even though data protection legislation does not restrict spoken conversations, workplaces should make arrangements to take the private needs of employees into consideration, such as providing a possibility for confidential discussions. Such discussions are subject to confidentiality rules.
Read more about processing coronavirus vaccination information under the following question: “Is the information that someone has received a coronavirus vaccination health data? Can the employer process the coronavirus vaccination data of its employees?”
Health data describes an individual's state of health. All information about, for example, illnesses, risk of illness or treatments administered is health data, regardless of its source.
Information on whether or not someone has taken a coronavirus vaccine is health data. Some examples of the purposes for processing coronavirus vaccination information include processing vaccination information in connection with a medical procedure, or in order to determine an individual's state of health or assess their risk of contracting an illness. For example, a coronavirus vaccination certificate is health data.
Health data falls under the special categories of personal data defined in the General Data Protection Regulation. Processing an employee’s health data is only permitted if directly necessary with regard to the employment relationship. Employers must carefully consider whether this necessity requirement is met. It is not possible to derogate from the necessity requirement with the employee's consent.
The employer is permitted to process an employee’s health data if it is necessary for the payment of sick pay or comparable health-related benefits, or to determine whether the employee has a justified reason for absence. Processing health data is also permitted if an employee specifically requests their capacity for work to be determined on the basis of health data.
In addition, the employer is entitled to process an employee's health data in situations specifically provided for elsewhere in law.
Employers cannot oblige employees to disclose their health data in other situations than those described above. Individuals who process health data are additionally under an obligation of confidentiality and are not permitted to disclose the employee's health data to third parties.
Employers can ask for statistical data on their employees’ vaccination coverage from occupational health care.
Also read the answer to the question “Can the employer ask employees about their coronavirus vaccination situation?”
In addition to the EU General Data Protection Regulation, the Act on the Protection of Privacy in Working Life (Occupational Data Protection Act) applies to the processing of employees’ personal data where applicable.
The health data of job applicants falls under the special categories of personal data defined in the GDPR, and its processing must be directly necessary with regard to the employment relationship. The employer must carefully consider whether the necessity requirement is met in any given case. It is not permitted to derogate from the necessity requirement with the employee's consent.
The employer has an obligation to inform the job applicant of how the requested personal data is directly necessary for the employment relationship. If the question is not directly necessary for the employment relationship, the job applicant can refuse to answer the question or answer it only partially. Giving a partial or incomplete answer may not have negative consequences for the job applicant.
Also read the answer to the question “Can the employer ask employees about their coronavirus vaccination situation?”
The Communicable Diseases Act contains temporary provisions (section 48a, in force until 31 December 2022) on protecting healthcare and social welfare clients and patients from COVID-19. Healthcare and social welfare service employees must prove that they are protected against COVID-19 by a vaccination or a previous infection if their duties involve close contact with clients or patients at risk of serious consequences from COVID-19. If an employee cannot be vaccinated due to medical reasons, they can show a negative COVID-19 laboratory test result to demonstrate that they are not carrying the disease.
According to the Communicable Diseases Act, an employer has the right to process the health data of an employee or a student in practical training concerning the suitability for the tasks referred to above. In other words, the employer can process data on coronavirus vaccinations or test results to ensure adequate protection against COVID-19.
Such data constitutes health data and must be processed in accordance with the other provisions of the Act on the Protection of Privacy in Working Life. For example, the employer must nominate the persons whose job description includes the processing of health data and specify the tasks that involve processing of such data.
Health care organisations have already been obliged to ensure the adequate vaccination of their employees in certain situations (Communicable Diseases Act, section 48). These existing procedures can probably also be used for assessing the adequacy of the protection provided by coronavirus vaccinations.
Information concerning vaccinations and previously suffered illnesses is requested from the individual themselves. If the individual fails to provide the information, the employer cannot be sure of adequate protection. As a rule, the individual cannot then work with clients and patients vulnerable to severe COVID-19.
The legislation does not specify precisely how or, for example, with what documents the employee should demonstrate that they are protected by vaccination. Existing practices can be used to demonstrate adequate vaccination protection at the workplace (Communicable Diseases Act, section 48). For example, the employee can show the employer a vaccination certificate or a negative laboratory test result. The employer then stores the necessary data in a manner deemed appropriate.
The legislation does not give employers the right to obtain coronavirus vaccination data from health care units. However, the employer can agree with occupational health care on ensuring adequate protection at the employer’s expense. In such cases, the information is also requested from the individual themselves and the principles described above must be followed.
The employer must store data concerning an employee's health separately from other personal data. The data must be stored for as long as it is necessary for the supervision of healthcare and social welfare services, but not for more than three years from the assessment of adequate protection. The employer can agree with, for example, the occupational health care provider on the storage of the data on behalf of the employer.
The employer should ensure that employees can submit the data in a secure manner. Employees cannot be required to disclose health data through non-secure channels, such as by unsecured email.
Healthcare and social welfare services is a broad concept covering both public and private service providers. The provision also applies to healthcare and social welfare services provided in the home of the client or patient.
The obligation applies to all individuals whose duties involve close contact with clients or patients at risk of severe COVID-19. In other words, the obligation is not limited to health care professionals alone. Tasks in the healthcare and social welfare services such as financial administration or working in the hospital kitchen, which involve no contact with clients or patients at risk of severe COVID-19, are not considered to constitute ‘close contact’ (HE 230/2021 vp, pp. 29–30).
According to the Finnish Institute for Health and Welfare (THL), the definition of ‘close contact’ includes face-to-face encounters of more than 15 minutes at a distance of less than 2 metres, physical contact, unprotected contact with secretions, spending more than 15 minutes in the same closed space during a 24-hour period, as well as situations in which personnel have treated an infected person without appropriate protective equipment and in which laboratory personnel have handled COVID-19 samples (HE 230/2021 vp, p. 7).
According to section 4, subsection 3 of the Act on the Protection of Privacy in Working Life, the collection of personal data during recruitment and during an employment relationship is governed by the co-operation procedure.
Read more:
- Release by the Office of the Data Protection Ombudsman: European Data Protection Board issues guidelines on personal data processing related to the coronavirus pandemic (22 April 2020)
- Release by the Office of the Data Protection Ombudsman: The Office of the Data Protection Ombudsman has published an FAQ on data protection and the coronavirus (23 March 2020)
- Release by the Office of the Data Protection Ombudsman: Data protection and limiting the spread of COVID-19 (12 March 2020)
- Finnish Government: Information and advice on the coronavirus
- THL: Coronavirus COVID-19 – Latest Updates
The Office of the Data Protection Ombudsman’s services during the coronavirus pandemic
The Office of the Data Protection Ombudsman keeps a close eye on the coronavirus situation and guidelines on preventing the spread of the virus.
Due to the situation, we kindly request our customers to primarily use our services electronically, by e-mail or by telephone. We do not recommend visiting the Office to conduct your business. If your matter cannot be handled by e-mail or telephone, please book an appointment in advance.
Our telephone counselling service is open from 9.00 to 11.00, Monday to Friday.
Customers can leave documents at the lobby service, which will deliver them to the Office of the Data Protection Ombudsman. If the customer requires a certificate of receipt, it will be delivered by post or e-mail. Please tell the lobby service if you will need a certificate.