Data watchdog raps Scottish Government over Covid Status app privacy issues
The UK’s data watchdog has reprimanded the Scottish Government and NHS National Services Scotland over their failure to inform people how their personal information is used by the NHS Scotland Covid Status app.
The app is one method people can use to demonstrate their vaccination status for mandatory Covid status checks that are still in place for large events and nightclubs, though the vaccine passport scheme will end on Monday.
The Information Commissioner’s Office (ICO) has issued a reprimand to both bodies over their initial failure to provide adequate privacy information within the NHS Scotland Covid Status app when it launched to explain how people’s information is being used.
It said there has also been an ongoing failure to provide concise privacy information so that the average person can realistically understand how the NHS Scotland Covid Status app is using their information.
The ICO said it now expects the Scottish Government and NHS National Services Scotland to act swiftly on the findings and that if they fail to take action it will consider whether further regulatory action is required.
ICO deputy commissioner Steve Wood said: “People need to be able to share their data and go about their lives with confidence that their privacy rights will be respected.
“The law enables responsible data sharing to protect public health but public trust is key to making that work. When governments brought in Covid status schemes across the UK last year, it was vital that they were upfront with people about how their information was being used.
“The Scottish Government and NHS National Services Scotland have failed to do this with the NHS Scotland Covid Status app.
“We require both bodies to act now to give people clear information about what is happening with their data. If they don’t, we will consider further regulatory action.”
The watchdog said it received the full details setting out how the NHS Scotland Covid Status app would be using people’s information on September 27 2021, only three days before mandatory checks were due to be rolled out.
It said it had a number of concerns about the way the app was going to use people’s information, particularly the plans to let the NHS Scotland Covid Status app share the images and passport details of Scottish users with the software company providing the facial recognition technology behind the app.
The ICO said this proposal was there to help the company improve the facial recognition software behind the app, but would have been unlawful in these circumstances as it was not necessary for the app to function and served no benefit to the app user, while the proposal had also not been previously communicated to the ICO.
The watchdog advised that the app should not be launched until its concerns about potential non-compliance had been addressed and the Scottish Government and NHS National Services Scotland halted plans to share personal data with the software company.
However, the ICO said the app was launched on September 30 2021 as planned without fully addressing its wider concerns about compliance with data protection law.
A Scottish Government spokesman said: “The NHS Scotland Covid Status app was an important tool in our response to Covid-19, and has served a vital public health role during the pandemic.
“Following the ICO’s investigation, the Scottish Government accepts that the privacy information in the app could have made it clearer to users how their information would be used. However, it is important to stress that at all times people’s data was held securely and used appropriately.
“Together with NHS National Services Scotland, we will continue to work with the ICO to implement the improvements they have asked for, and ensure that lessons are learned for future work.”
Copyright (c) PA Media Ltd. 2022, All Rights Reserved. Picture (c) Jeff J Mitchell / PA.