COVID Status: Privacy policy

Your rights in connection with the processing of your personal data when using the COVID Status app.

Read the Privacy Notice for the Covid-19 Vaccination status scheme.

Key things to know

The download and use of the app are voluntary.

Your data is always encrypted, held by NHS Scotland and only temporarily shared with the trusted parties required to deliver this service.

The app only uses secure infrastructure and services provided by security accredited organisations.

You decide who you want to share your COVID Status with.

This is an official NHS Scotland app. We do advise you to keep up to date with common scams and how to avoid them.

How the app works

When you first install the app, you will need to register as a user and you will be required to provide certain information in order to verify your identity.

Once you are registered and your identity is verified, the app will present a COVID Status which will state details of your vaccination doses.

On the basis of your data, the app will display your COVID Status in a format that is compatible with international travel standards.

Automated and Manual Identity Verification Processes

In order to provide you with your COVID Status, we are first required by law to verify your identity. In order to verify your identity, we use an approved I.D. verification supplier (Jumio) to complete a secure, online I.D. verification process.   Jumio provides a fully automated I.D. verification process, and, where an automated identification cannot be made successfully, a manual verification process.

The verification process uses an image of your face photographed using the camera in your mobile device and this is a type of information is known as “biometric” data.

As part of the automated online I.D. verification process, you will be asked to present photo I.D. documentation (e.g. your driving license, passport, etc.) to the app. Then, using your device’s camera to take a selfie picture, and using Biometric I.D. verification technology, a verification process will be undertaken to decide whether or not you are the same person as is shown on the photo I.D. documentation that you have provided. You may be asked for camera permission to scan your ID and take a selfie.

If this process verifies your identity, the personal data (such as your name and address) from your photo I.D. document will then be used and checked against the details held within an NHS Scotland database in order for us to locate and present to you, via the app, your COVID Status.

If, however, this automated biometric verification process cannot verify your identity, trained I.D. verification staff from Jumio, our approved supplier, will complete a manual online verification process using the documentation and biometric information (facial image) you have provided.

You will also still be able to obtain your COVID Status using alternative means. Read for further information.

The information provided by you as part of the online I.D. verification process (including both the photo I.D. documentation and your Biometric information) is only processed by our approved I.D. verification supplier for the minimum time required to provide this secure I.D. verification service.  As soon as the I.D. verification is complete (and regardless of whether it has successfully identified you or not), the information provided by you is then securely deleted within 24 hours.

In the unlikely event that the online I.D. verification process has incorrectly identified you and, as a result, has retrieved records that are not yours, you should contact the helpline on 0808 196 8565.

Please note that both the automated and manual online I.D. verification processes are subject to regular quality assurance and audit checks.

The secure, fully automated online I.D. verification process is subject to regular quality assurance and audit checks.

What is recorded and stored on your phone

When you use the app, the data about whether you are vaccinated against COVID-19 will be encrypted and stored on your phone.

The following data will be collected and stored on your phone when you download, register and activate the app:

  • Your COVID-19 vaccination doses.
  • Your security pin code.
  • Information enabling your app to communicate with the app’s underlying technology, verifying whether you are logged in.
  • A public key that the app uses to verify whether the QR codes associated with each of your vaccinations have been signed by the relevant authorities.
  • Once you have registered, you can see the data stored on your phone at any time. The data will remain on your phone and will be refreshed each time you use the app.

What is displayed on your phone or device

The following data will be displayed on your phone or device when you download, register and activate the app: 

  • Your name
  • Your date of birth
  • Your dates of vaccination
  • What vaccine you received

Who has access to the data?

No one will have access to the data stored on your phone unless you decide to show your COVID Status to them.

Neither the Scottish Government nor NHS Scotland, (except NHS National Services Scotland as described below) get or have access to the data that you supplied for the online I.D. verification process. 

The Scottish Government does not get or have access to the data that you supplied for the online I.D. verification process. A limited number of NHS National Services Scotland personnel will have access to the data in order to produce anonymous aggregated metrics.

Your privacy rights

You are entitled to stop the app processing data at any time. You can do that by going to “Settings” and clicking on “Sign out of this App”.  

Doing so will remove your details from the app and you will have to log in again to access your COVID Status. Alternatively, you can also delete the app from your device at any time.

Read about your rights and the processing of your personal data in the Privacy Notice.