NHS Covid Status app criticised by information watchdog
The Scottish Government has been rapped by the information watchdog over its failure to inform users of the NHS Covid app how their health data would be stored.
The Information Commissioner’s Office (ICO) has issued a reprimand to the Scottish Government and NHS National Services Scotland over both organisations’ failure to provide people with clear information about how their personal information - including sensitive health data – is being used by the NHS Scotland Covid Status app.
The app is used by Scots to demonstrate their vaccination status for entry into certain venues, such as nightclubs, in Scotland.
The ICO said it was particularly concerned by plans to let the NHS Scotland Covid Status app share the images and passport details of Scottish users with the software company providing the facial recognition technology behind the app.
The ombudsman also said it had raised concerns with the Scottish Government and NHS National Services Scotland after information on the scheme was only supplied to the ICO three days before mandatory status checks were due to be rolled out in Scotland.
The ICO advised that the app should not be launched until its concerns about potential non-compliance had been addressed, and although the Scottish Government and NHS National Services Scotland halted plans to share personal data with the software company, the app was launched as planned on 30 September 2021.
Steve Wood, deputy commissioner of the ICO, said: “People need to be able to share their data and go about their lives with confidence that their privacy rights will be respected.
“The law enables responsible data sharing to protect public health. But public trust is key to making that work. When governments brought in Covid status schemes across the UK last year, it was vital that they were upfront with people about how their information was being used.
“The Scottish Government and NHS National Services Scotland have failed to do this with the NHS Scotland Covid Status app.
“We require both bodies to act now to give people clear information about what is happening with their data. If they don’t, we will consider further regulatory action. The ICO, including our office in Scotland, remains committed to working with both bodies to address these outstanding issues and ensure this learning is applied to future activities, including the development of any future government apps that store and use people’s information.”
The ICO says it has been working with governments across the UK to make sure that the introduction of mandatory vaccination and Covid status checks “achieve the right balance” between protecting public health and maintaining responsible sharing of personal data.
A Scottish Government spokesperson said:“The NHS Scotland Covid Status app was an important tool in our response to Covid-19, and has served a vital public health role during the pandemic. Following the ICO’s investigation, the Scottish Government accepts that the privacy information in the app could have made it clearer to users how their information would be used. However, it is important to stress that at all times people’s data was held securely and used appropriately.
“Together with NHS National Services Scotland, we will continue to work with the ICO to implement the improvements they have asked for, and ensure that lessons are learned for future work.”
NHS National Services Scotland has been contacted for comment.