THE UK information watchdog has reprimanded the Scottish Government for launching its Covid vaccine passport despite being warned the app broke data protection law.
Ministers also struck an “unlawful” deal with the firm behind the app to let it use people’s passport pictures to improve its own algorithm despite this being of no benefit to the public.
The UK Information Commissioner (ICO) said it was publicising its reprimand of the Government and an NHS quango because of the significant issues involved.
The ICO said it now expected the Government and NHS National Services Scotland to fix "ongoing" problems with the Covid status app or face “further regulatory action”.
Launched last autumn, the app let people prove their vaccination status for mandatory Covid checks for large events and nightclubs.
The mandatory scheme is now due to end this Monday, but Nicola Sturgeon said this week that the app will remain operational if any venues still wish to check people.
The ICO asked both the Government and its quango to provide adequate privacy information within the app when it launched to explain how people’s information was being used.
It said there has also been an ongoing failure to provide concise privacy information so that the average person could realistically understand how the app used their information.
The ICO said it had been working with governments across the UK throughout the pandemic to ensure Covid checks struck the right balance on the sharing of sensitive data.
It received the full details of how the Scottish app would work only three days before the scheme was due to go live on September 30 and found “a number of concerns”.
The ICO said it was “particularly concerned” at plans to let the app’s ID verification provider retain images supplied by the public for five days merely “to train their proprietary facial recognition algorithms”.
This would have been “unlawful” as it was not necessary for the app to function and served no benefit to the app user, and had not previously been flagged up to the ICO.
The ICO therefore asked the Government to delay launching the app.
Its summary of the case said: "The ICO provided comprehensive feedback on the [app] on 29 September 2021, and advised Scottish Government and NHS NSS to delay the app launch until our most serious concerns were addressed in full.
"This included revoking permission for the third party’s retention and re-processing of data to train their algorithms.
"It is important to note that the App would not have been the only way to obtain proof of COVID vaccination – other methods available at the time included downloading a copy from the NHS Inform website, or contacting the National Contact Centre for a paper copy sent via the post.
"Delaying the launch of the app would therefore not have prevented the implementation of the Scottish Government’s policy on mandatory COVID certification."
On September 30, the Information Commissioner Elizabeth Denham met Deputy First Minister John Swinney and stressed the need for the app to meet data protection law.
However, the app was launched that evening regardless.
Although the planned sharing of data, including passport images, with the software firm was suspended prior to launch, other aspects of the app remained “non-compliant” with the law.
That prompted Ms Denham to meet Mr Swinney again and tell him that the ICO had launched a “formal investigation” into the app’s compliance.
ICO deputy commissioner Steve Wood said: “People need to be able to share their data and go about their lives with confidence that their privacy rights will be respected.
“The law enables responsible data sharing to protect public health.
"But public trust is key to making that work. When governments brought in Covid status schemes across the UK last year, it was vital that they were upfront with people about how their information was being used.
“The Scottish Government and NHS National Services Scotland have failed to do this with the NHS Scotland Covid Status app.
“We require both bodies to act now to give people clear information about what is happening with their data. If they don’t, we will consider further regulatory action.”
After the app launched, the ICO raised concerns about the lack of a privacy notice telling users how their data would be used.
This led to a link being added to the NHS Inform website, but it was “not easily accessible” and the ICO demanded improvement.
The notice itself was also complex, “unnecessarily long and difficult to navigate”.
Despite being updated several times, the ICO said this privacy notice remained defective.
It has therefore ruled that the app is still failing to comply with the transparency principle set out in UK data protection law.
The ICO said it might have considered imposing a fine had it received any complaints about the issue, but on balance had decided on a public reprimand instead.
The Government and NHS NSS must now rectify the privacy notice within 30 days or face enforcement action.
Scottish Liberal Democrat leader Alex Cole-Hamilton, who opposed the passport from the outset, said the revelations bore out his warnings about privacy risks.
He said: "Scottish Liberal Democrats warned that the Scottish Government's Covid ID scheme put people's privacy at risk.
"Now the Information Commissioner's Office has issued a stern rebuke, highlighting that personal information was passed to private firms and that people were not told how their data would be used.
"This project has been shrouded in secrecy and justified by ministers on the basis of hunches and assumptions about how effective it was.
"Rather than consign it to the dustbin, this week the First Minister allowed firms to continue to use Covid ID to restrict access to services.
"This astonishing intervention makes clear that she should be hitting delete and ensuring that all the private information held by the government and the firms who made this app is safely disposed of."
Tory MSP Murdo Fraser said: “As if the vaccine passport scheme had not been enough of a disaster, we now discover that the SNP Government launched the Covid Status app despite being warned that doing so would compromise users’ privacy and personal information.
“It’s disgraceful that the SNP arrogantly rushed ahead when the Information Commissioner’s Office expressly asked them to delay the launch until their concerns over the app’s flaws had been addressed.
“No wonder the ICO have issued this reprimand to the Scottish Government – not only did they compromise the privacy of the public, they did so knowingly.
“On top of all that, businesses then incurred huge expense and inconvenience implementing the vaccine passport scheme, and the SNP Government were subsequently unable to find any evidence that it had even succeeded in suppressing the spread of Covid.
“Thankfully, this hated scheme will finally end on Monday but the ICO findings put the tin lid on a fiasco and shambles that shames the SNP.”
A Scottish Government spokesman said: “The NHS Scotland Covid Status app was an important tool in our response to Covid-19, and has served a vital public health role during the pandemic.
“Following the ICO’s investigation, the Scottish Government accepts that the privacy information in the app could have made it clearer to users how their information would be used.
"However, it is important to stress that at all times people’s data was held securely and used appropriately.
“Together with NHS National Services Scotland, we will continue to work with the ICO to implement the improvements they have asked for, and ensure that lessons are learned for future work.”