COVID Status: NHS Scotland COVID Status App privacy notice

The NHS Scotland COVID Status app (“COVID Status app”) has been created to help you show your current COVID status when travelling abroad or entering into domestic venues, if necessary. The COVID Status app is a voluntary service for adults aged over 16, which needs to be downloaded in the Google Play or Apple App Store.

If you have any COVID Status app queries or concerns please call the COVID Status helpline on 0808 196 8565.

This privacy notice explains how we handle and use your personal information.

Who we are

The Scottish Government, with NHS National Services Scotland (“NHS NSS”), manage the COVID Status app as "joint data controllers".

We also use the following suppliers, who act as processors of personal data on behalf of the Scottish Government and NHS NSS. These organisations are under contract of NHS NSS:

  • Netcompany, which provides [and supports] the technical infrastructure for the COVID Status app,
  • Jumio which provides the biometric identity/ID verification process to enable you to use the COVID Status App and;
  • iProov, who are a processor of Jumio, providing the ‘liveness’ test during the biometric ID verification process
  • Microsoft Azure, a processor of NHS NSS, who provide and maintain the infrastructure to help provide your COVID status

The following supplier is also used and acts as a processor under contract of NHS Education for Scotland:

  • Amazon web services, who provide and maintain the infrastructure to help provide your COVID status
What personal data will be collected and processed?

Your full name, email address, date of birth, postcode and unique password will be collected during the registration process in order for you to access the COVID Status app. You will be given the opportunity to enter your CHI Number (your unique NHS number) if you are aware of it. If not, we will retrieve this through the Community Heath Index database. We may also use your gender if you have supplied this.

We use the information on your photo ID document (for example your passport or driving licence), including your photograph, along with a selfie photograph. This is for the liveness test to ensure linkage to the correct COVID Status.

We also use the IP address of your phone to understand what country you are in at the time of registering.

We then retrieve:

  • your COVID vaccination history

If you've been tested, and this has been recorded in an NHS Scotland system or UK Government portal, we'll also receive your:

  • PCR test result and recovery information
What is our lawful basis to use your information?

We rely on the following lawful bases to process your personal data:

  • the processing is necessary for the performance of a task carried out in the public interest
  • the processing of your health, and any other sensitive information about you, is necessary for the management of health and social care systems
  • for reasons of public interest in relation to public health
  • for scientific and statistical research in the public interest
How long do we keep your data?

The data you enter for registration is kept for 365 days.

If the app is inactive for a period longer than 365 days, your registration data will be deleted.

The information on your photo ID document, including your photograph, and the selfie you take (the “biometric ID verification data”) is held for 24 hours by Jumio then deleted.

PCR test results are kept for a period of 180 days.

Vaccination data used within the COVID Status app forms part of your health record, and will be kept by your health board and GP for your lifetime, plus 3 years.

Where is my personal data stored?

Your data, other than the biometric ID verification data, is stored securely on NHS servers within the United Kingdom.

Jumio stores the biometric ID verification data in Dublin, with back up facilities in Frankfurt.

If the fully automated biometric identity verification is not successful, the process will be diverted to a staff member at Jumio who will undertake this role manually. This occurs within the European Union under EU GDPR legislation.

NetCompany does not hold any personal data.

Microsoft Azure and Amazon Web Services do not have direct access to your personal data. They each host information within their respective cloud platforms, helping support, maintain and host our services.

Although your data is transferred outside the UK to the EU for verification purposes, the Information Commissioner’s Office (which is the supervisory authority responsible for data protection in the UK) has deemed a transfer in these circumstances to provide individuals with equivalent rights as those under the data protection legislation applicable here in the UK.

What are my rights?
  1. The right to be informed – about how we are using your personal data, which is done through this privacy notice.
  2. The right of access – information held on the COVID Status app, such as your vaccination status, can be accessed on the COVID Status app. Read further information about accessing your health records
  3. The right to rectification – if the COVID Status app displays inaccurate information you should contact the COVID Status Helpline on 0808 196 8565.
  4. The right to erasure – you can erase your information from the COVID Status app through the settings panel, selecting ‘permanently delete my account’.
  5. The right to restriction of processing – if you want to exercise this right, please email nss.dataprotection@nhs.scot
  6. The right to object – If you want to exercise this right, please email nss.dataprotection@nhs.scot
  7. The right to data portability - as we are processing data using lawful basis 6(1)(e), the right to data portability does not apply
  8. Rights in relation to automated decision-making – these rights are not applicable because there is no solely automated decision making carried out by the COVID Status app.

Not all rights apply all of the time – for example, where there is a legal requirement for us to use your personal data, we would not be able to erase your data from our systems. All requests will be considered on a case-by-case basis.

Read further information about your rights

How to contact us

If you'd like to get in touch with us, please call the COVID Status helpline on 0808 196 8565.

How to exercise your data protection rights

You can raise any privacy and data protection concerns with the NHS National Services Scotland Data Protection Officer (“NHS NSS DPO”) or the Scottish Government Data Protection Officer (“SG DPO”):

Contact details of the NHS NSS DPO

Email address: nss.dataprotection@nhs.scot

Data Protection Officer
Gyle Square
1 South Gyle Crescent
Edinburgh
EH12 9EB

Contact details of the SG DPO

Email address: dataprotectionofficer@gov.scot

Data Protection Officer
Victoria Quay
Commercial Street
Edinburgh
EH6 6QQ

Appeals

If you have already made a complaint to us and are not happy with the outcome, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO). The ICO is the supervisory authority responsible for data protection in the UK.

The Information Commissioner
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

ICO main helpline number: 0303 123 1113

ICO Scotland office contact number: 0303 123 1115

Website: www.ico.org.uk