Scottish COVID status app non-compliant with privacy rules, government reprimanded
The UK Information Commissioner’s Office (ICO) has announced that both the Scottish government and National Health Service (NHS) National Services Scotland have been publicly reprimanded over their ongoing failure to provide clear information on how personal information and sensitive health data are used by the NHS Scotland COVID Status app.
What the ICO refers to as “facial recognition” features that the office deemed “unlawful” were removed at the last minute. The timeline provided by the ICO shows that Scottish authorities ignored the office’s warnings on data protection law when they went ahead with the app launch and have not made adequate amends in the meantime. If they do not make changes soon, the ICO will consider further regulatory action.
The office has gone public on its reprimands, just days before the end of some mandatory uses of the app, due to the significant public interest in the issues raised. The authorities have 30 days to update the privacy notice, which is still non-compliant.
Health pass mandatory for venue access
The app in question is a COVID digital health pass which allows holders to prove their vaccination status, which was still required for entry at some venues in Scotland until 28 February 2022. Health is a devolved issue in the UK, and Scotland chose to implement its own health pass and restrictions.
The app had teething problems at launch, and then Scottish media began reporting allegations about how it shares data with the likes of iProov (which provides the facial authentication capabilities for the NHS England app), Jumio and Amazon. These reports were found to contain technical inaccuracies during an ensuing ICO investigation, but the office still points the finger at the authorities for this: “However the information within the articles appears to have been drawn directly from the privacy notice which illustrates the risk of the content of the privacy notices being misunderstood by the public.”
In the report accompanying the reprimand, ICO Deputy Commissioner Steve Wood says, “When governments brought in COVID status schemes across the UK last year, it was vital that they were upfront with people about how their information was being used. The Scottish Government and NHS National Services Scotland have failed to do this with the NHS Scotland COVID Status app.”
Facial recognition removed, but app launched despite data protection warnings
When the ICO received details of the NHS Scotland COVID Status app in September 2021, it raised concerns with the Scottish government and NHS National Services Scotland that this information had been issued only three days before mandatory COVID status checks were due to begin in Scottish venues.
The ICO also advised both bodies of concerns over the app’s use of people’s information, and in particular told them not to let the app share the images and passport details of Scottish users with the company providing the facial authentication service, to be used as biometric training data.
“Of significant concern was the intention to allow the App’s third party ID verification provider to retain images provided by the user during the registration process to verify their identity for five days in order to train their proprietary facial recognition algorithms,” states the reprimand issued to the bodies.
Such use “would have been unlawful in these circumstances as it was not necessary for the app to function and served no benefit to the app user,” states the ICO’s report, noting that the proposal had also not previously been mentioned to the ICO.
The office advised that the app not be launched until its concerns over non-compliance were addressed. The Scottish government and NHS National Services Scotland removed the data sharing element for face biometrics and launched the app without addressing the wider concerns around compliance with data protection law.
This triggered a formal investigation by the ICO. The former Information Commissioner, Elizabeth Denham, met with the Deputy First Minister to inform him of the investigation.
It found that from the 30 September launch until 4 October, the app contained a misleading statement asking users to provide their consent to the processing of their data. “However, processing of personal data within the App was not predicated on the user’s consent given that the controllers were relying on public task as their lawful basis. This statement was therefore misleading and unfair, giving users the impression of greater control over their personal data than was the case,” notes the reprimand.
The ICO considers this statement a failure, one which affected between 554,504 and 615,639 people. The reprimand lists the failures of the Scottish authorities, such as not using transparent and intelligible language, an initial lack of information held off-app for people to read and a failure to address the issues when privacy notices were updated.
Reprimand countdown begins
“Given that the privacy notice remains non-compliant, prompt rectification is a priority to ensure that the people of Scotland can be informed about the processing of their data, as is their right,” states the reprimand.
An updated privacy notice must be submitted by 28 March 2022. The ICO decided that a reprimand was the most suitable course of action at this stage rather than a fine as it believes the Scottish government and NHS NSS require all their resources for public service provision.
“The ICO now expects the Scottish Government and NHS National Services Scotland to act swiftly on these findings and apply the wider learning from the roll out of the NHS Scotland COVID Status app to any similar activities in the future to make sure people can continue to have trust in the way both organisations use their information,” states the report.
The whole situation has become a political issue in Scotland. The Telegraph has produced coverage of this aspect, including opposition demands for an apology and a statement from a Scottish government spokesman: “Following the ICO’s investigation, the Scottish Government accepts that the privacy information in the app could have made it clearer to users how their information would be used.
“However, it is important to stress that at all times, people’s data was held securely and used appropriately.”