Get all your news in one place.
100’s of premium titles.
One app.
Start reading
The Guardian - UK
The Guardian - UK
National
Severin Carrell Scotland editor

NHS Scotland Covid app rebuked for breaching data privacy laws

The NHS Scotland Covid status app
The UK data watchdog said there had been ‘an ongoing failure to provide concise privacy information’. Photograph: Jane Barlow/PA

The Scottish government and NHS Scotland have been rebuked for breaching data privacy laws on a Covid vaccine status app downloaded by millions of people.

The Information Commissioner’s Office (ICO), which polices the UK’s privacy laws, said it had warned the Scottish government and NHS last year that there were serious privacy problems with the app, but that not all those problems were fixed before it was launched.

The ICO said between 555,000 and 615,000 people were affected by the error.

In an unusually critical ruling issued on Friday, Steve Wood, the ICO’s deputy commissioner, said: “When governments brought in Covid status schemes across the UK last year, it was vital that they were upfront with people about how their information was being used.

“The Scottish government and NHS National Services Scotland have failed to do this with the NHS Scotland Covid status app. We require both bodies to act now to give people clear information about what is happening with their data. If they don’t, we will consider further regulatory action.”

The app was needed to get access to nightclubs, sports arenas and other venues such as university buildings, and for travel overseas, after it became mandatory for people to provide proof of their vaccine status; paper printouts or screenshots of vaccine status were also permitted.

Nicola Sturgeon, the first minister, announced on Tuesday the vaccine passport scheme would be dropped on 28 February. Several hours after she spoke, the ICO notified her officials they would issue the reprimand on Friday. All other Covid regulations in Scotland will remain in force until 21 March.

The Conservatives and Liberal Democrats said ministers had “arrogantly” put privacy at risk by ignoring warnings from the ICO and opposition parties last year. Murdo Fraser, for the Scottish Tories, asked whether Sturgeon knew the ICO rebuke was imminent when she made her announcement on Tuesday.

Wood said the ICO had warned the government last year it would be unlawful for the app’s developers to use people’s portraits to improve facial recognition technology. That plan was dropped, as were plans to share personal data with the company.

Even so, the app still failed to warn users properly about how their data was used when it went live. There was also “an ongoing failure to provide concise privacy information so that the average person can realistically understand how the NHS Scotland Covid status app is using their information”, the ICO said.

The Scottish government admitted the app should have been far clearer about how private data was processed. “Together with NHS National Services Scotland, we will continue to work with the ICO to implement the improvements they have asked for, and ensure that lessons are learned for future work,” a spokesperson said.

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.