Scottish Government reprimanded over Covid Status app privacy issues

The Information Commissioner's Office says there has been an 'ongoing failure' to provide concise privacy information.

The NHS Scotland Covid Status mobile app was launched last September.

The Scottish Government has been reprimanded over its failure to inform people how their personal information is being used by the NHS Scotland Covid Status mobile app.

The Information Commissioner’s Office (ICO) also issued a reprimand to NHS National Services Scotland.

Both bodies were found to have initially failed to provide adequate privacy information within the app when it launched on 30 September last year.

The app is one method people can use to demonstrate their vaccination status for mandatory Covid status checks, which currently remain in place for large events and nightclubs, though the vaccine passport scheme will end on Monday.

The ICO said there has also been an ongoing failure to provide concise privacy information so that the average person can realistically understand how the NHS Scotland Covid Status app is using their information.

The authority also said it expects the Scottish Government and NHS National Services Scotland to act swiftly on the findings and that if they fail to take action it will consider whether further regulatory action is required.

ICO deputy commissioner Steve Wood said: “People need to be able to share their data and go about their lives with confidence that their privacy rights will be respected.

“The law enables responsible data sharing to protect public health. But public trust is key to making that work.

“When governments brought in Covid status schemes across the UK last year, it was vital that they were upfront with people about how their information was being used. The Scottish Government and NHS National Services Scotland have failed to do this with the NHS Scotland Covid Status app.

“We require both bodies to act now to give people clear information about what is happening with their data. If they don’t, we will consider further regulatory action.”

The watchdog said it received the full details setting out how the NHS Scotland Covid Status app would be using people’s information on September 27, 2021, only three days before mandatory checks were due to be rolled out.

It said it had a number of concerns about the way the app was going to use people’s information, particularly the plans to let the NHS Scotland Covid Status app share the images and passport details of Scottish users with the software company providing the facial recognition technology behind the app.

The ICO said this proposal was intended to help the company improve the facial recognition software behind the NHS Scotland Covid Status app, but would have been unlawful in these circumstances as it was not necessary for the app to function and served no benefit to the app user. The proposal had also not been previously communicated to the ICO.

The watchdog advised that the app should not be launched until its concerns about potential non-compliance had been addressed, and the Scottish Government and NHS National Services Scotland halted plans to share personal data with the software company.

However, the ICO said the app was launched on September 30, 2021, as planned without fully addressing its wider concerns about compliance with data protection law.

Murdo Fraser, the Scottish Conservative shadow secretary for Covid recovery, said: “As if the vaccine passport scheme had not been enough of a disaster, we now discover that the SNP Government launched the Covid Status app despite being warned that doing so would compromise users’ privacy and personal information.

“It’s disgraceful that the SNP arrogantly rushed ahead when the Information Commissioner’s Office expressly asked them to delay the launch until their concerns over the app’s flaws had been addressed.

“No wonder the ICO have issued this reprimand to the Scottish Government – not only did they compromise the privacy of the public, they did so knowingly.

“On top of all that, businesses then incurred huge expense and inconvenience implementing the vaccine passport scheme, and the SNP Government were subsequently unable to find any evidence that it had even succeeded in suppressing the spread of Covid.

“Thankfully, this hated scheme will finally end on Monday but the ICO findings put the tin lid on a fiasco and shambles that shames the SNP.”

A Scottish Government spokesman said: “The NHS Scotland Covid Status app was an important tool in our response to Covid-19, and has served a vital public health role during the pandemic.

“Following the ICO’s investigation, the Scottish Government accepts that the privacy information in the app could have made it clearer to users how their information would be used. However, it is important to stress that at all times people’s data was held securely and used appropriately.

“Together with NHS National Services Scotland, we will continue to work with the ICO to implement the improvements they have asked for, and ensure that lessons are learned for future work.”