The identification of positive cases and the tracing of people at high risk of infection is a key activity in the fight against the pandemic. It falls within the remit of the Health Directorate whose mission is to ensure public health protection both in terms of environmental health and surveillance and control of infectious diseases, including taking the necessary emergency measures to protect health.
In parallel and in order to control the evolution of the pandemic, the Luxembourg Government has set up a large scale testing programme from the very beginning of the pandemic. With the arrival of the first COVID vaccines, this programme was completed by an ambitious vaccination programme. Within the framework of these programmes a certain amount of personal data is collected and processed.
The gathering and processing of personal data are important aspects of the fight against the COVID-19 pandemic and of the vaccination. They serve the general public health interest and enable decision-makers to take informed action. Indeed, effectively tackling the pandemic and providing citizens with the best possible protection against the SARS-CoV-2 virus would not be possible without processing personal data, both in terms of monitoring the spread and evolution of the pandemic and in terms of vaccination of the population. It must be possible to collect these data so that they can be analysed, studied and evaluated in order to protect the population and define the best health policy.
What are the purposes of the information system in place?
The information system in place has the following purposes:
- to detect, evaluate, monitor and combat the COVID-19 pandemic
- to acquire fundamental knowledge on the spread and evolution of the pandemic (statistical monitoring, studies, research)
- to guarantee citizens access to adequate means of protection and care
- to continuously monitor and evaluate the effectiveness and safety of the vaccines and the state of health of the people vaccinated
- to monitor and evaluate the large scale testing programme and the vaccination programme
It also intends to meet the communication obligations and requests for information from European or international health authorities to which Luxembourg must respond.
Who is responsible for the processing of personal data?
Several entities are responsible for the processing of personal data:
1. The Health Directorate, which, as part of its missions, monitors the evolution of the current pandemic and defines the epidemiological strategy while coordinating the measures put in place.
The Health Directorate is also responsible for the organisation and management of the vaccination campaign, as well as its monitoring and evaluation. It is primarily responsible for the safety and quality of the vaccines.
Both programmes require the acquisition and processing of a certain amount of personal data.
2. The General Inspectorate of Social Security, which is also involved in the large scale testing and vaccination programmes, whereas it is responsible for identifying the categories of persons to be invited to these programmes.
At the level of the implementation of the large scale testing programme, the medical analysis laboratories in charge of the tests within the framework of this programme, as well as the National Health Laboratory are among the entities that are required to process personal data. While the former are responsible for organising samples, taking samples, carrying out the tests and sending the results, the latter carries out the same analyses in the context of serological tests.
Which personal data is processed?
The data collected from infected persons and persons at high risk of being infected (surnames, first names, date of birth, address, telephone number, social security number, contact details of the treating physician, data which make it possible to determine whether a person is infected, i.e. test results, diagnosis or, for persons at high risk of being infected, the date of last contact, the existence and date of the onset of symptoms).
Data intended to identify categories of people to be invited for the large scale testing programme and the vaccination programme (socio-demographic data, employment data, testing history and, in the context of the vaccination programme, the date of the appointment for vaccination and the administration of the vaccine).
It should be noted that, as far as vulnerable persons are concerned, it is the treating physicians who, at the request of their patient who wishes to be vaccinated, transmit personal data to the Health Directorate. However, sensitive data relating to the pathology of the patient are only processed by the physicians and not transmitted to the Health Directorate, which is only informed that the patient is a vulnerable person because of his or her state of health.
The data collected in the framework of the vaccination programme (standard identification and contact information, but also information concerning the distribution of the vaccine, data to determine the presence of possible contraindications or health problems or other risk factors). Data is also collected on the decision to administer the vaccine, on the characteristics of the vaccination (vaccine product, injection site, batch number, administration number, expiry date) or on the vaccinator.
How is the collected data stored?
In general, personally identifiable data is pseudonymised before it is anonymised. In some cases, the data collected is immediately anonymised without the need for pseudonymisation. This applies in particular to data collected in connection with the invitation of vulnerable persons to be vaccinated, which is anonymised no later than three weeks after the invitation to be vaccinated has been sent out.
Pseudonymisation is a method of processing personal data which consists of processing said data in such a way that it is not possible to attribute the elements collected to a specific natural person without having recourse to additional information. Unlike anonymisation, this procedure is reversible. It constitutes a security measure for the persons whose data have been collected, providing them with a certain degree of confidentiality while at the same time making it possible to process these data within the framework of a specific health policy. It respects the principle of proportionality which guides the processing of personal data.
In practice, such a process consists of replacing directly identifiable data (surname, first name, etc.) with indirectly identifiable data (classification number, etc.) in order to reduce their sensitivity.
The data is then anonymised. Anonymisation consists of changing the content or structure of personal data in order to make it very difficult or impossible to "re-identify" the persons concerned. As a general rule, the period of time after which the data are anonymised is longer than that for pseudonymisation.
How long is the retention period?
Several retention periods are foreseen in order to comply with the principle of proportionality and depending on the purpose of the processing operations carried out.
(i) concerning personal data collected and processed for the purpose of fighting the pandemic
These data are pseudonymised no later than six months after collection for a period of three years, after which they are anonymised.
These durations reflect the concern to monitor the impact of the epidemic on the basis of the knowledge recently acquired on the SARS-CoV-2 virus and in particular on the immunity of people who have been infected. Indeed, according to this knowledge, a person who has contracted COVID-19 generally has immunity for an average of six months. Moreover, in the event of reinfection, this usually occurs with seasonal coronaviruses within a relatively short period of time, usually less than 12 months.
From a public health perspective, it is essential to monitor reinfections in order to determine whether or not they are due to the presence of a new, more contagious variant of the virus, and to align health policy accordingly. It is therefore important to keep personal data related to a first infection in order to be able to identify a reinfection. However, the identification of a possible reinfection must take place as soon as possible in order to initiate the necessary steps for the implementation of adequate sanitary measures. It is therefore important to proceed as quickly as possible.
The retention of data in pseudonymised form for a period of three years coincides with the full duration of a pandemic, which often experiences several successive waves. This duration allows a complete follow-up.
(ii) concerning the data collected and processed in the framework of the vaccination programme
Personal data collected
- of the vaccinator are anonymised no later than two years after collection.
- of the person to be vaccinated are anonymised no later than 20 years after their collection, with the exception of certain data, i.e. identification data and contact details which are anonymised no later than two years after their collection as they are subject to change, or data which make it possible to determine the presence of possible contraindications, other risk factors which are anonymised after 10 years.
The 20-year data retention period is justified in the light of pharmacovigilance, which consists of recording and evaluating the side effects or undesirable effects resulting from the administration of medicinal products, in this case vaccines. It is in the patient's interest that records are kept for a long period of time. Practice shows that it is not uncommon for side effects of medicines or vaccines to appear after several years or even after 10 years or more. It is therefore important to be able to link the administration of a specific medicine or vaccine to side effects. A long retention period of certain data allows such links to be made.
- In the event of refutation of the indication of vaccination by the vaccinator, the personal data, in so far as they have been collected, shall be rendered anonymous at the latest at the end of a period of 2 years after their collection. In the event of withdrawal of the person's agreement to be vaccinated, the data shall be anonymised after 3 months.
Who has access to the data of those infected or at high risk of infection?
Only physicians and health professionals as well as civil servants or employees appointed by the Minister of Health or any other person, designated by the Director of Health and therefore attached to the national authorities, have access to the data of infected persons or persons at high risk of being infected.
Moreover, these persons may only have access to health-related data to the extent strictly necessary for the performance of the legal or conventional tasks entrusted to them in the context of the fight against the pandemic. These persons are also subject to professional secrecy, and any violation of the latter is punishable under Article 458 of the Criminal Code.
It should be noted, however, that the data may be transferred by the various parties responsible for data processing. Among the recipients to whom data may be transferred are the following:
- the Government IT Centre (CTIE) as an IT subcontractor of the Health Directorate
- the eSanté Agency as responsible for the technical transfer of PCR and serological test results to the Health Inspectorate, which is a division of the Health Directorate
- the General Inspectorate of Social Security, which pseudonymises the personal data collected and processed in the context of the pandemic in order to make them available to public research bodies, in accordance with their missions
- the service provider in charge of the hotline, who can make testing and vaccination appointments at the request of people who do not have a means of accessing the dedicated online services
Can the data be processed for scientific, historical or statistical research purposes?
Yes, data may be processed for such purposes under the conditions laid down in the European General Data Protection Regulation and the law of 1st August 2018 on the organisation of the National Commission for Data Protection and the general data protection regime, subject to being pseudonymised, i.e. processed in such a way that the data cannot be attributed to a given natural person without additional information.
Is it possible to object to the processing of data?
Infected persons or persons at high risk of being infected cannot oppose the processing of their data in the information system whose main purpose is to fight the pandemic as long as they cannot provide a negative test result. For public health reasons, it is imperative to keep the data of people whose test results clearly show an infection with the SARS-CoV-2 virus.
What are the data protection rights of natural persons?
Any natural person whose data is processed has the right to request access to his or her personal data and to obtain a copy and, in the event that these personal data are incomplete or erroneous, to have them corrected. They also have the right to limit the processing of their personal data, the right to object to their use and the right to obtain their erasure, under the conditions and limits laid out by the amended law of 17 July 2020 on measures to combat the COVID-19 pandemic and by the European Union's General Data Protection Regulation (2016/679).
It is possible to request to exercise these rights by submitting a written request, with proof of identity:
- for processing related to the monitoring of the pandemic and the organisation and management of the vaccination, to the Direction de la santé (Health Directorate) - firstname.lastname@example.org - 13a, rue de Bitbourg, L-1273 Luxembourg
- for processing relating to the identification of categories of persons to be invited to large scale testing and vaccination programmes, to the Inspection générale de la sécurité sociale (General Inspectorate of Social Security) - email@example.com - 26, rue Zithe, L-2763 Luxembourg
- for processing relating to PCR tests carried out as part of the large scale testing programme, to the Laboratoires Réunis - firstname.lastname@example.org - 38, rue Hiehl, Z.A.C. Laangwiss, L-6131 Junglinster
- for processing relating to serological tests, to the Laboratoire national de santé (National Health Laboratory) - email@example.com - 1, rue Louis Rech, L-3555 Dudelange
It is also possible to lodge a complaint to the National Commission for Data Protection (Commission nationale pour la protection des données - CNPD) by post at the following address: 15, boulevard du Jazz, L - 4370 Belvaux or by completing the online form which is available on the CNPD website in the "Individuals -> Assert your rights" section.