The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

The Information Commissioner’s Office (ICO) has issued a reprimand to the Scottish Government and NHS National Services Scotland over both organisations failure to provide people with clear information about how their personal information - including sensitive health data – is being used by the NHS Scotland COVID Status app.

The NHS Scotland COVID Status app is one method people can use to demonstrate their vaccination status to satisfy mandatory COVID status checks that are still in place for certain venues, including nightclubs, in Scotland.

ICO Deputy Commissioner, Steve Wood, said:

“People need to be able to share their data and go about their lives with confidence that their privacy rights will be respected.

“The law enables responsible data sharing to protect public health. But public trust is key to making that work. When governments brought in COVID status schemes across the UK last year, it was vital that they were upfront with people about how their information was being used. The Scottish Government and NHS National Services Scotland have failed to do this with the NHS Scotland COVID Status app.

“We require both bodies to act now to give people clear information about what is happening with their data. If they don’t, we will consider further regulatory action. The ICO, including our office in Scotland, remains committed to working with both bodies to address these outstanding issues and ensure this learning is applied to future activities, including the development of any future government apps that store and use people’s information.”

The ICO’s concerns over the NHS Scotland COVID Status app

The ICO has been working with governments across the UK throughout the COVID pandemic to make sure that the introduction of mandatory vaccination and COVID status checks schemes achieve the right balance between protecting public health and maintaining the trusted and responsible sharing of personal data.

This included the ICO publishing a guidance paper in May last year setting out expectations around how organisations should be developing COVID-status certification schemes in line with data protection law.

The ICO received the full details setting out how the NHS Scotland COVID Status app would be using people’s information on 27 September 2021. The ICO raised concerns with the Scottish Government and NHS National Services Scotland that this critical information was only supplied three days before mandatory status checks were due to be rolled out in Scotland.

After reviewing the details at pace, the ICO advised the Scottish Government and NHS National Services Scotland that they had a number of concerns about the way the app was going to use people’s information. The ICO was particularly concerned by plans to let the NHS Scotland COVID Status app share the images and passport details of Scottish users with the software company providing the facial recognition technology behind the app.

This proposal was there to help the company improve the facial recognition software behind the NHS Scotland COVID Status app, but would have been unlawful in these circumstances as it was not necessary for the app to function and served no benefit to the app user. The proposal had also not been previously communicated to the ICO.

The ICO advised that the app should not be launched until its concerns about potential non-compliance had been addressed. The Scottish Government and NHS National Services Scotland halted plans to share personal data with the software company, but the app was launched on 30 September 2021 as planned without fully addressing the ICO’s wider concerns about compliance with data protection law.

At this point an investigation was launched by the ICO and the regulator has now issued a reprimand to the Scottish Government and the NHS National Services Scotland over:

  • their initial failure to provide adequate privacy information within the NHS Scotland COVID Status app at launch to explain how people’s information is being used; and
  • an ongoing failure to provide concise privacy information so that the average person can realistically understand how the NHS Scotland COVID Status app is using their information.

The ICO has decided to make this reprimand public because of the significant public interest in the issues raised. The decision to issue a reprimand in this case reflects that this is the most effective and proportionate way to make sure the issues identified are swiftly resolved.

The ICO now expects the Scottish Government and NHS National Services Scotland to act swiftly on these findings and apply the wider learning from the roll out of the NHS Scotland COVID Status app to any similar activities in the future to make sure people can continue to have trust in the way both organisations use their information.

If both bodies fail to take action to address the ongoing issues with the NHS Scotland COVID Status app then the ICO will consider whether further regulatory action is required.

Notes to editors

  1. The Information Commissioner’s Office (ICO) upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
  2. The ICO has specific responsibilities set out in the Data Protection Act 2018, the UK General Data Protection Regulation (GDPR), the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.
  3. The ICO has been working with governments across the UK throughout the COVID pandemic to make sure that the introduction of mandatory vaccination and COVID status checks schemes achieve the right balance between protecting public health and maintaining the trusted and responsible sharing of personal data in compliance with UK data protection laws. This work included:
    • On 14 May 2021, the ICO published a guidance paper setting out the ICO’s expectations around how organisations should be developing COVID-status certification schemes in line with the data protection law.
    • On 29 September 2021, the ICO issued a reminder setting out the data protection considerations that governments across the UK must consider when launching COVID status check schemes. This statement was accompanied by simple introductory guide to help venues responsible for carrying out the checks.