The Information Commissioner’s Office (ICO) has issued a reprimand to the Scottish Government and NHS National Services Scotland (NSS) over the implementation of the NHS Scotland Covid Status app.
It said they have failed to provide people with clear information about how their personal information – including sensitive health data – is being used.
The app is one method people can use to demonstrate their vaccination status to satisfy mandatory Covid status checks that are still in place for certain venues, including nightclubs, in Scotland.
The ICO has been working with governments across the UK to help achieve the right balance between protecting public health and maintaining trust in the sharing of personal data in the response to the pandemic. This included publishing a guidance paper in May of last year on keeping certification schemes in line with data protection law.
In September the Scottish Government and NSS provided details on how the app would use personal information, just three days before mandatory status checks were due to be rolled out.
Facial recognition concerns
After a review, the ICO said it had a number of concerns, particularly with plans for sharing images of passport details with the software company providing the facial recognition technology used in the app. This was intended to help the company improve the software, but would have been unlawful in these circumstances as it was not necessary for the app to function and served no benefit to the user. Also, it had not been previously communicated to the ICO.
The ICO advised that the app should not be launched until its concerns had been addressed, which prompted the Scottish Government and NSS to halt plans to share personal data with the software company. But the app was launched on 30 September 2021 as planned without fully addressing the ICO’s wider concerns about compliance with data protection law.
This prompted an investigation that has led to the reprimand over the initial failure to provide adequate privacy information and an ongoing failure to provide concise information to support people’s understanding of how their data is being used.
The ICO has decided to make this reprimand public because of the significant public interest in the issues raised.
It said it now expects the Scottish Government and NSS to act swiftly on these findings and apply the wider learning from the rollout of the app to any similar activities in the future.
If both bodies fail to take action, it will consider whether further regulatory action is required.
Need for public trust
ICO deputy commissioner Steve Wood said: “The law enables responsible data sharing to protect public health. But public trust is key to making that work. When governments brought in Covid status schemes across the UK last year, it was vital that they were upfront with people about how their information was being used.
“The Scottish Government and NHS National Services Scotland have failed to do this with the NHS Scotland Covid Status app.
“We require both bodies to act now to give people clear information about what is happening with their data. If they don’t, we will consider further regulatory action.
“The ICO, including our office in Scotland, remains committed to working with both bodies to address these outstanding issues and ensure this learning is applied to future activities, including the development of any future government apps that store and use people’s information.”