The Scottish Government and NHS National Services Scotland have been reprimanded by the Information Commissioner’s Office ("ICO") over their failure to provide people with clear information about how their personal information – including sensitive health data – is being used by the NHS Scotland COVID status app.
The reprimand covers the initial failure by both bodies to provide adequate privacy information at the launch of the app to explain how people’s information would be used, and an ongoing failure to provide concise privacy information so that the average person can realistically understand how the app is using their information.
The ICO said it had received the full details setting out how the app would be using people’s information on 27 September 2021, only three days before mandatory status checks were due to be rolled out in Scotland. After "reviewing the details at pace", it advised the Scottish Government and NHS National Services Scotland of a number of concerns, particularly at plans to let the app share the images and passport details of Scottish users with the software company providing the facial recognition technology behind the app.
This proposal was intended to help the company improve the facial recognition software behind the app, but would have been unlawful in these circumstances as it was not necessary for the app to function and served no benefit to the app user. The proposal had also not been previously communicated to the ICO. The ICO advised that the app should not be launched until its concerns had been addressed. Plans to share personal data with the software company were halted, but the app was launched on 30 September as planned without fully addressing the ICO’s wider concerns about compliance with data protection law.
The ICO said it had decided to make the reprimand public because of the significant public interest in the issues raised. "The decision to issue a reprimand in this case reflects that this is the most effective and proportionate way to make sure the issues identified are swiftly resolved", it commented.
"The ICO now expects the Scottish Government and NHS National Services Scotland to act swiftly on these findings and apply the wider learning from the rollout of the NHS Scotland COVID Status app to any similar activities in the future to make sure people can continue to have trust in the way both organisations use their information.
"If both bodies fail to take action to address the ongoing issues with the NHS Scotland COVID Status app then the ICO will consider whether further regulatory action is required."
ICO Deputy Commissioner Steve Wood added: "The law enables responsible data sharing to protect public health. But public trust is key to making that work. When governments brought in COVID status schemes across the UK last year, it was vital that they were upfront with people about how their information was being used. The Scottish Government and NHS National Services Scotland have failed to do this with the NHS Scotland COVID Status app.
"We require both bodies to act now to give people clear information about what is happening with their data. If they don’t, we will consider further regulatory action."
A Scottish Government spokesman said the Government accepted that the privacy information in the app could have made it clearer to users how their information would be used. "However, it is important to stress that at all times people's data was held securely and used appropriately.
"Together with NHS National Services Scotland, we will continue to work with the ICO to implement the improvements they have asked for, and ensure that lessons are learned for future work."