From Iceland — Data Protection Authority Allowed Credit Card Tracing

Data Protection Authority Allowed Credit Card Tracing

Published October 6, 2020

Photo by

In a follow up to news that credit cards had been traced to help track the spread of COVID-19, the Data Protection Authority has announced that they were informed and gave permission, Vísir reports.

According to the Data Protection Authority, the Epidemiology Act gives epidemiologists very broad powers to process personal information, both general and sensitive, in order to tackle epidemics.

Infection tracking becoming difficult

Credit card tracing was used to locate people who had been at the Irishman in September when many people became infected with COVID-19 whilst at the pub. Víðir Reynisson, chief of police and officer for Civil Protection, reported that infection tracking had become more difficult since spring, as many people were withholding vital information from the infection tracking team.

Víðir went on to explain that the information had been obtained in three cases when tracking group infection. The infection control team do not receive an overview of card transactions, only the names and phone numbers of those who have used credit cards in certain places at certain times. Chief Epidemiologist Þórólfur Guðnason added that the information obtained was only stored in the Epidemiologist’s database and not the police’s.

Permission was granted by authorities

Helga Þórisdóttir, director at the Data Protection Authority, says that the epidemiologist has the authority to ask for any data and procedures he deems necessary to control and epidemic or group infection. “What needs to be considered is that he needs to follow the general rules of the Privacy Act concerning transparency and education. That everyone knows how this is done, that is one of the things that needs to be considered.”

She adds that the Data Protection Authority was informed when it was decided to request information about those who had used credit cards at the COVID-19 hotspots and that “It was not the case that an individual’s travel was being traced so that the person’s credit card entry was being monitored. It was mapping who was in a certain places and paid for services within a very limited time.” Once the infection control team had contacted those parties and invited them for sampling, their information was deleted form all databases.

According to the Data Protection Authority, financial information is classified as general personal information, not sensitive information. “This is an example of how the Privacy Act allows certain processing of privacy information during times of, for example, epidemics and group infections. There, the epidemiologist was allowed to do something that, in a normal season would not have been allowed”, says Helga.

More information and advice about COVID-19 can be found at the Icelandic Government’s COVID-19 website.

Note: Due to the effect the Coronavirus is having on tourism in Iceland, it’s become increasingly difficult for the Grapevine to survive. If you enjoy our content and want to help the Grapevine’s journalists do things like eat and pay rent, please consider joining our High Five Club.

You can also check out our shop, loaded with books, apparel and other cool merch, that you can buy and have delivered right to your door.

Support The Reykjavík Grapevine!
Buy subscriptions, t-shirts and more from our shop right here!

Show Me More!