Danish Data Protection Agency Datatilsynet has launched an investigation into Medicals Nordic’s now-ended use of a WhatsApp group for staff to deal with information about people who have tested positive for coronavirus.

The company provides quick tests for Covid-19 at centres around Denmark.

After national newspaper BT revealed on 24 January the use of WhatsApp, Medicals Nordic announced the following day it would cease use of the messaging service.

“Information about citizens’ health is sensitive personal information, where we demand a higher level of protection,” said Allan Frank, an IT security specialist and lawyer at the DPA.

“Basically, if you are tested for Covid-19, the information about the results must be treated confidentially and only shared with the relevant parties.”

Aspects Datatilsynet will investigate in the Medicals Nordic case include who was responsible for the data, whether personal data was disclosed and if there were appropriate security measures.

Depending on the outcome, the DPA’s main options are expressing criticism, issuing prohibitions and injunctions, and recommending a fine.