Healthguard Privacy Policy

Privacy Policy

1. Purpose and Voluntary Use

The purpose of Healthguard is to help prevent and stop the spread of infectious diseases such as coronavirus (Covid-19) by supporting employers in managing sensitive staff health data related to pandemic measures and reporting requirements as deemed necessary to safeguard the work environment, maintain operations and avoid dire consequences such as customer cancellations, restricted opening hours, staff layoffs, and operational lockdowns.

The personal data cannot be processed for any purpose other than what you have consented to. The purpose of Healthguard is to help your company manage its measures against infectious diseases and continuously assess their operational impact based on staff vaccination statuses, test results, quarantines, symptom reports, active infections, pandemic-related sick leaves and corresponding severe health implications and hospitalizations among staff.

Healthguard respects that your need to protect your sensitive health data may sometimes be in conflict with your employer’s need to organize your work effectively. With Healthguard, you are therefore able to view and delete all data that has been stored about you, such that you are voluntarily sharing this information to help your employer protect its revenues, avoid cancellations and lockdowns, and thereby protect your job and your health, as well as the jobs and well being of your colleagues. 

It is important to note that Healthguard is your data processor, whereas your employer is your data controller. This relationship is governed by an agreement between Healthguard Systems AS and your company that complies with the requirements of the current legal framework in relation to data processing and with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

2. How Healthguard Works

2.1 Registrations Related to the Spread of Infectious Diseases

You or your direct line managers use a web database application from a computer, tablet or mobile phone to register status events related to the spread of infectious diseases, such as vaccinations and test results. These registrations enable your company to control and manage its pandemic response and measures. Without registering such data, your company has no way of knowing to what extent its measures are working or how to act based on facts in its pandemic response.

To achieve this, Healthguard includes a set of simple data entry forms accompanied by advanced lists, charts, graphs, and filters to help management quickly visualize larger data sets for all staff. Healthguard is built with usability and simplicity in mind, and everything is web-based, which means no sensitive data is permanently stored on your computer, tablet or mobile phone. When you create or update a registration form, your data is immediately stored encrypted in a secure cloud database.

Healthguard is built using a so-called serverless cloud computing architecture, which means the software application runs mainly in your web browser using modern web technologies, tools and platforms such as TypeScript, Material UI, React, and Node.js. All data is persistently stored in the backend using a distributed Firestore database, and protected by Google’s Firebase authentication service. This way, Healthguard seamlessly supports two-factor authentication using your email and phone number, optionally in combination with your existing Google Apps or Microsoft Active Directory users.

Healthguard understands that your health data is highly privacy sensitive, and therefore encrypts your data three times. First, each data field is persistently encrypted in your browser using 256-bit symmetric keys, before it is encrypted again as it is transmitted over standard HTTPS using Healthguard’s public SSL certificate. In addition, the backend cloud database is encrypted in its entirety with standard Google Firestore encryption mechanisms. These encryption layers ensure that only you and your company managers with authorized web browser access to the Healthguard web app can make sense of your data, and that your data is gibberish to anybody else who obtains direct database access to it.

Access to your registrations is also governed by strict role-based database security rules that directly follow your organization chart. Only you and your direct line managers can view your data. Your colleagues cannot. And your line managers cannot store or see any registration data about you that you cannot see yourself.

2.2 Your Organization and Work Environment

In order for your company to organize work in a responsible manner, and to target its measures appropriately and help public health officials track outbreaks, your employer may combine your company organization structure with registration data. Healthguard therefore allows management to configure a complete organization chart, as well as to correlate your work categories, projects, locations and organization unit with your infectious disease registration data. 

You can at any time view which part of your organization you are currently included in, to help ensure your company’s measures are based on accurate information.

2.3 Notifications of Important Registrations

When you register an event that may have implications for your company’s infectious disease measures, or a line manager or health professional enters such data on your behalf, you should expect your line managers, project managers and office location health and safety representatives to be notified about your registration so they can take necessary action, e.g. to prevent further spread. If they are notified via email or SMS, these messages will not contain your sensitive data; managers are instead required to log on to Healthguard to view your new or updated registration.

2.4 Deletions

Your data will be automatically deleted as per your company’s settings when it is no longer required in the context of managing measures for infectious diseases or associated reporting or data analysis. Briefly put, data that are collected to detect, stop and manage outbreaks, such as vaccinations, symptom reports and test results, will be stored as long as they are medically relevant, whereas data that have significant impact on your company’s financials and staff well-being, such as sick leaves, quarantines, illnesses and hospitalizations, may be stored for a period long enough to allow management to write accurate annual reports etc.

Irrespective of the above, Healthguard allows you to see all sensitive data stored about you, and you may request that your data is deleted at any time.

3. The Legal Basis For The Processing of Personal Data

The legal basis for storing infectious disease related registration data is consent, cf. the General Data Protection Regulation articles 6 and 9 no. 1 a). You give your consent the first time you log in to Healthguard. This consent includes only the right to store such data with the purpose as described herein.

4. What Data is Processed and How Long Is It Stored

For all registrations, the governing principle is that only the minimum amount of data that allows your company to effectively manage its infectious disease response, associated measures and subsequent reports is collected. Your company may decide to gather some data anonymously and/or identified to you.

The following sensitive health data may be registered with Healthguard:

  • Vaccinations: Your vaccination status may be registered with Healthguard, including when you had your vaccine, which type of vaccine you received and its sequence number.
  • Tests: Test registrations include which type of test you took, whether the test was positive or negative, and, if a positive result was reported, which mutation was discovered.
  • Symptoms: You may use Healthguard to report symptoms that are relevant for infectious diseases and as such can alert management to new outbreaks as well as screening testing.
  • Quarantines: If you have to quarantine it is important for your company to know so they can organize work accordingly, get temps in case you cannot work from home, and also regularly check on your well being.
  • Incidents: If you have been diagnosed with an infectious disease, your employer is expected to help public health officials track your contacts and implement necessary measures so your colleagues and customers are not infected too. So it is important to register your incident as quickly as possible.
  • Sick Leaves: Only sick leaves that are caused by infectious diseases or their associated quarantines should be registered with Healthguard. Sick leaves are very expensive for your employer, and it is important to track this data to be able to accurately report and manage financials related to pandemic measures.
  • Hospitalizations: To assess the severity of its measures, it is important for your employer to know the real impact a pandemic outbreak has on the health and well-being of its staff. It therefore may need to track hospitalizations and deaths among its workers that relate to outbreaks of infectious diseases.
  • Illnesses: If you have a prolonged illness of an infectious disease, your employer should know so they can take necessary steps to help you and your team manage the situation and better be able to assess the danger of the spread of infectious diseases at your location.

5. Disclosure of Personal Health Data to Others

Healthguard does not disclose your personal data to personnel outside your company. The exception is if your company has given consent to health professionals or other outside consultants to register health data for staff on its behalf.

As your data controller, your company may be obliged to share your registration data with public health officials to help them track the spread of infectious diseases. 

6. Your rights

Healthguard is your data processor, whereas your employer is your data controller. You may withdraw your consent to the processing of your personal health data at any time. 

You can do this inside the Healthguard web app by selecting your personal dashboard and removing any registration data under ‘My Registrations’.

7. Complaints

You can complain about our processing of personal data. In such a case, we would ask you to contact us so that we have the opportunity to decide on the enquiry and possibly change the way we process your data.

You can also complain to the Norwegian Data Protection Authority. The Norwegian Data Protection Authority is an independent authority that oversees compliance with the rules on data protection in Norway. You can find information about the Norwegian Data Protection Authority, and how to complain, on the Norwegian Data Protection Authority’s website: https://www.datatilsynet.no