COVID Status: Cookies policy

All information we get through cookies will be treated in confidence. NHS Scotland will never sell, trade or give your details to third parties, unless required to by law.

This policy sets out how we use cookies and similar technologies on the NHS Scotland COVID Status app. Cookies fall into one of the following categories:

  • category 1 – strictly necessary (essential)
  • category 2 – performance
  • category 3 – functionality

Currently the app uses cookies that fall into categories 1, 2 or optional only.

What is a cookie?

Cookies are small data (text) files that are stored in your browser when you visit the app.

What cookies do and why they’re used

They allow us to understand things like your visit to the app and how you use and interact with us, together with which parts of the app are of most interest to you. This in turn helps us to understand what is actually working for you, the ‘user’ and what is not. This enables us to be proactive in enhancing the areas that are not working as effectively as you would like and to improve, where possible, your experience moving forward.

We use cookies to:

  • validate a user’s session – these are authentication cookies and have no embedded user information
  • identify a user’s active session on a specific application node

Cookies are also used to store the following on the device:

  • your chosen PIN code
  • the public key coming from our backend server to verify the QR codes generated
  • your certificate as long as it’s valid (so that you do not have to be connected to the internet to show it)

Are the cookies able to identify individuals (‘users’)?

No, any information on app usage is received in a way that we can’t identify individuals and is encrypted. For example, we never receive or collect your name or address and we do not make any attempts to find out the identities of our users who visit the app.

However, some indirect information collected may be defined under data protection legislation, as personal identifiable data (PII), such as your device information or IP address.

No device information or IP addresses will be stored on your device using cookies.

Persistent cookies stay on your device until they are either removed by the individual or your browser removes them once they expire. Session cookies are temporary, similar to when you shop online and put items in a basket. Once the goods have been paid and the transaction has completed the session or your close your browser the cookie is removed.

Can individuals manage cookies?

Yes, you’ll normally see a message on the app that enables you to manage your cookie consent. In addition, you can also manage your preferences such as opt-in or opt-out of cookies using your settings in your web browser.

The majority of these are initially set to ‘accept cookies’ as default. However, altering these settings will enable you to choose whether you wish to accept or reject any cookies, including those from a third party.

You can set the browser to refuse all cookies or to indicate when a cookie is being set, allowing you to decide whether to accept it. You can also delete cookies from the computer.

Category 1: strictly necessary (essential)

Information on how you use the app, using cookies and page tagging techniques to help us improve the app, enable authentication and security (these cookies aren’t used to identify you personally).

The following table lists these cookies.

NamePurposeSession / PersistentDuration
JSessionidIdentify a user’s active session on a specific application node using ‘Should this fail, the load-balancer will re-route users’ traffic to an alternative node.’ This prevents the user from being disconnected and having to re-establish their session.SessionValid until a user session ends
PassportItemsViewModelKeep your certificates stored for offline use, as long as they are valid.PersistentValid for 3 days
PinCodeBiometricsModelUse your chosen pin to log in to the app.PersistentValid until app is deleted or you sign out
AuthDataAuthentication token used for communicating with the backend.PersistentValid until app is deleted or user sign out
PublicKeyStorageModelSave the public key used for verifying the QR codes.Persistent
Until next app start-up, where key is downloaded again
UserStorageModelAnonymous user ID of the user created on B2C. Used to communicate with the backend.PersistentUntil app is deleted or user signs out

Category 2: performance

This cookie enables us to improve our website by monitoring how you use it, such as which pages you visit and whether you experience any errors when using the site.

The following table lists these cookies.

NamePurposeSession / PersistentDuration
__gaThis cookie is used to distinguish users and expires after 2 years.Persistent cookie2 years
__gatThis cookie is used to throttle the request rate and expires after 10 minutes.Session cookieDeleted when the user exits the browser

Category 3: functionality

There are no cookies relating to functionality.


Privacy and data protection enquiries relating to the COVID Status app may be made by email
or in writing to:

NSS Data Protection Officer
NHS National Services Scotland
Gyle Square
1 South Gyle Crescent
EH12 9EB

Terms and conditions

The use and access of the app is subject to the terms and conditions and disclaimer set out on this page. By using or accessing the app, you agree to be bound by these terms and conditions.


All information provided is copyright to NHS National Services Scotland.  

Copyright enquiries may be made by email
or in writing to:

Communications Manager
NHS National Services Scotland
Gyle Square
1 South Gyle Crescent
EH12 9EB


The resources contained on the app, including all files that are authorised for public and password-protected download or access, are provided on an ‘as is’ basis and without any warranties. Although files are virus-checked we cannot guarantee that files or downloads are free from computer viruses. No warranties are made as to fitness-for-purpose, quality or completeness of information.

Reliability of information

NHS National Services Scotland uses its best efforts to ensure the accuracy and reliability of information on its app. However, no guarantees are made that the information contained on the app, or associated or linked-to websites, is accurate, complete and current at any given time. Information presented on the app or associated sites may be changed at any time. The resources made available on the app are intended to assist users in Scotland in their use of the National Health Service and are for information only. The app is not intended in any way to replace the advice of your doctor. Nothing on the app is intended to constitute advice to you. Specific advice should be sought in specific situations from a properly qualified health worker.

Availability of the app

The app is provided by Netcompany. The user verification is provided by Jumio. Although the app has been tested and should work correctly under normal circumstances there are many factors both within and outside of the control of NHS National Services Scotland which may prevent the app from being available to users of the world wide web. No responsibility is accepted by NHS National Services Scotland for any losses that may arise from an inability to access resources. Where a user finds a specific error in the coding of an app page, or where he or she considers a page to be in breach of accessibility, it is a condition of use of the app that the NHS National Services Scotland’s web team be notified by email in order that appropriate action may be taken.

Governing laws

The terms and conditions of use of the app as provided by the Common Services Agency of the National Health Service in Scotland shall be governed by the laws of Scotland.

Links to third party internet sites

The provision on the app of a link to another website does not constitute any authorisation to access material held at that location. Links to sites are provided for informational purposes only and no responsibility is accepted for the quality of resources to be found on such websites. The contents and material made available on linked sites are completely out with our control and as such no liability is accepted for any damages resulting from accessing or failing to access these sites. No endorsement is expressed or implied by the presence of a link on the app. The contents of a linked-to website may change without our knowledge and, as a result, links may break or may terminate on pages which were not the original targets of a link. No responsibility or liability for the privacy of personal information is accepted for linked-to websites, as these are beyond our control.

Terms and conditions enquiries may be made via email
or in writing to:

Director of Digital and Security
NHS National Services Scotland
Gyle Square
1 South Gyle Crescent
EH12 9EB

Last updated:
09 November 2022