NHS Scotland's Covid Status app criticised over privacy failings

The NHS Scotland Covid Status app failed to provide people with clear details about how their personal information was being used.

The UK's data watchdog has issued a reprimand to both the Scottish government and NHS National Services Scotland over the move.

The Information Commissioner's Office urged both to act swiftly to address its concerns.

Ministers accepted that the privacy information could have been clearer.

Mandatory Covid passports are to be scrapped in Scotland from Monday, although venues can choose to keep using the scheme on a voluntary basis.

ICO deputy commissioner Steve Wood said: "People need to be able to share their data and go about their lives with confidence that their privacy rights will be respected.

"The law enables responsible data sharing to protect public health. But public trust is key to making that work.

"When governments brought in Covid status schemes across the UK last year, it was vital that they were upfront with people about how their information was being used."

Mr Wood said the Scottish government and NHS National Services Scotland failed to do this with the app, which launched on 30 September.

He warned: "We require both bodies to act now to give people clear information about what is happening with their data.

"If they don't, we will consider further regulatory action."

The ICO published a guidance paper in May last year setting out expectations around how organisations should be developing Covid-status certification schemes in line with data protection law.

But it said it only received the full details setting out how the NHS Scotland Covid Status app would be using people's information on 27 September - three days before mandatory status checks were due to be rolled out in Scotland.

The ICO had a number of concerns, principally plans to let the app share the images and passport details of Scottish users with the software company providing the facial recognition technology behind it.

It acknowledged this was designed to help the company improve the facial recognition software behind the app but concluded it would have been unlawful in these circumstances.

It was not necessary for the app to function and served no benefit to the user.

The ICO advised that the app should not be launched until its concerns about potential non-compliance had been addressed.

As a result, the Scottish government and NHS National Services Scotland halted plans to share personal data with the software company.

But the ICO said the app was launched as planned without fully addressing its wider concerns about compliance with data protection law.

An investigation followed and both have now been reprimanded over:

The ICO said it decided to make its ruling public due to the significant public interest in the issues raised.

It added that doing so was the most effective and proportionate way to make sure the issues identified were promptly addressed.

A Scottish government spokesman said: "The NHS Scotland Covid Status app was an important tool in our response to Covid-19, and has served a vital public health role during the pandemic.

"Following the ICO's investigation, the Scottish government accepts that the privacy information in the app could have made it clearer to users how their information would be used. However, it is important to stress that at all times people's data was held securely and used appropriately.

"Together with NHS National Services Scotland, we will continue to work with the ICO to implement the improvements they have asked for, and ensure that lessons are learned for future work."