COVID Status: NHS Scotland COVID Status app privacy notice
The NHS Scotland COVID Status app (“COVID Status app”) has been created to help you show your current COVID status when travelling abroad, if necessary. The COVID Status app is a voluntary service for citizens aged 12 or over, which needs to be downloaded in the Google Play or Apple App Store.
If you have any COVID Status app queries or concerns please call the COVID Status helpline on 0808 196 8565.
This privacy notice explains how we handle and use your personal information.
Who we are
The Scottish Government, with NHS National Services Scotland (“NHS NSS”), manage the COVID Status app as "joint data controllers".
Public Health Scotland (PHS) use data in this programme for research and statistics. The reports contain anonymous statistical information only and do not contain any details that could identify you. These reports are shared with the Scottish Government and NHS Scotland Health Boards. More information can be found within the privacy notice on the PHS website.
We also use the following suppliers, who act as processors of personal data on behalf of the Scottish Government and NHS NSS. These organisations are under contract of NHS NSS:
- Netcompany, which provides [and supports] the technical infrastructure for the COVID Status app,
- Jumio which provides the biometric identity/ID verification process to enable you to use the COVID Status App and;
- iProov, who are a processor of Jumio, providing the ‘liveness’ test during the biometric ID verification process
- Microsoft Azure, a processor of NHS NSS, who provide and maintain the infrastructure to help provide your COVID status
The following supplier is also used and acts as a processor under contract of NHS Education for Scotland:
- Amazon web services, who provide and maintain the infrastructure to help provide your COVID status
What personal data will be collected and processed?
Your full name, email address, date of birth and unique password will be collected during the registration process in order for you to access the COVID Status app. You will be given the opportunity to enter your CHI Number (your unique NHS number) if you are aware of it. If not, we will retrieve this through the Community Heath Index database. We may also use your gender if you have supplied this.
If you decide to use our facial recognition process, we use the information on your photo ID document (for example your passport or driving licence), including your photograph, along with a selfie photograph. This is for the liveness test to ensure linkage to the correct COVID Status.
If you decide to use our form process, we use the information you provide around your previous vaccinations to ensure linkage to the correct COVID Status.
We also use the IP address of your phone to understand what country you are in at the time of registering.
We then retrieve:
- your COVID vaccination history
What is our lawful basis to use your information?
We rely on the following lawful bases to process your personal data:
- the processing is necessary for the performance of a task carried out in the public interest
- the processing of your health, and any other sensitive information about you, is necessary for the management of health and social care systems
- for reasons of public interest in relation to public health
- for scientific and statistical research in the public interest
How long do we keep your data?
The data you enter for registration is kept for 365 days.
If the app is inactive for a period longer than 365 days, your registration data will be deleted.
The information on your photo ID document, including your photograph, and the selfie you take (the “biometric ID verification data”) is held for 24 hours by Jumio then deleted.
PCR test results are kept for a period of 180 days.
Vaccination data used within the COVID Status app forms part of your health record, and will be kept by your health board and GP for your lifetime, plus 3 years.
Where is my personal data stored?
Your data, other than the biometric ID verification data, is stored securely on NHS servers within the United Kingdom.
Jumio stores the biometric ID verification data in Dublin, with back up facilities in Frankfurt.
If the fully automated biometric identity verification is not successful, the process will be diverted to a staff member at Jumio who will undertake this role manually. This occurs within the European Union under EU GDPR legislation.
NetCompany does not hold any personal data.
Microsoft Azure and Amazon Web Services do not have direct access to your personal data. They each host information within their respective cloud platforms, helping support, maintain and host our services.
Although your data is transferred outside the UK to the EU for verification purposes, the Information Commissioner’s Office (which is the supervisory authority responsible for data protection in the UK) has deemed a transfer in these circumstances to provide individuals with equivalent rights as those under the data protection legislation applicable here in the UK.
What are my rights?
- The right to be informed – about how we are using your personal data, which is done through this privacy notice.
- The right of access – information held on the COVID Status app, such as your vaccination status, can be accessed on the COVID Status app. Read further information about accessing your health records
- The right to rectification – if the COVID Status app displays inaccurate information you should contact the COVID Status Helpline on 0808 196 8565.
- The right to erasure – you can erase your information from the COVID Status app through the settings panel, selecting ‘permanently delete my account’.
- The right to restriction of processing – if you want to exercise this right, please email firstname.lastname@example.org
- The right to object – If you want to exercise this right, please email email@example.com
- The right to data portability - as we are processing data using lawful basis 6(1)(e), the right to data portability does not apply
- Rights in relation to automated decision-making – these rights are not applicable because there is no solely automated decision making carried out by the COVID Status app.
Not all rights apply all of the time – for example, where there is a legal requirement for us to use your personal data, we would not be able to erase your data from our systems. All requests will be considered on a case-by-case basis.
How to contact us
If you'd like to get in touch with us, please call the COVID Status helpline on 0808 196 8565.
How to exercise your data protection rights
You can raise any privacy and data protection concerns with the NHS National Services Scotland Data Protection Officer (“NHS NSS DPO”) or the Scottish Government Data Protection Officer (“SG DPO”):
Contact details of the NHS NSS DPO
Email address: firstname.lastname@example.org
Data Protection Officer
1 South Gyle Crescent
Contact details of the SG DPO
Email address: email@example.com
Data Protection Officer
If you have already made a complaint to us and are not happy with the outcome, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO). The ICO is the supervisory authority responsible for data protection in the UK.
The Information Commissioner
ICO main helpline number: 0303 123 1113
ICO Scotland office contact number: 0303 123 1115
10 August 2022