ICO issues reprimand to the Scottish Government and NHS Scotland over vaccine passport app


By Aim's data protection experts

March 2022

 

The rules on wearing masks and COVID passports have now changed in Scotland, but when restrictions were in place, proof of vaccination status via a vaccine passport was required at large events and nightclubs, and passports can still be used by businesses that wish to do so. To facilitate the use of a vaccine passport, the Scottish Government and NHS Scotland introduced an app to show a user’s status. It’s the implementation of this app that has caused the ICO to issue a reprimand to both the Government and the NHS.

 

Firstly, what is a reprimand? Well, it’s a formal expression of disapproval from the ICO. So, it seems that the Scottish Government and NHS have done something, or more than one thing, to impact data protection negatively and have not responded to requests for action. It’s worth bearing in mind that this has happened despite the ICO already making allowances for the fact that COVID has had a disruptive influence.

 


 

In May 2021 the ICO published a guidance paper on the subject of vaccine and COVID status checks, but they received no information from NHS Scotland about their intentions or progress. The ICO then requested a data protection impact assessment (DPIA) for the tool at the beginning of September, which was not forthcoming until the 27th September. Whilst you might argue it takes time to produce a thorough assessment, it should be noted that this activity should have been completed in advance of the work on the app, to inform everyone involved of the risks posed and the mitigating actions to be taken.

 

The ICO reviewed the document at speed and provided feedback on the 29th detailing a number of problem areas. These included the retention, by the app’s third-party identity verification provider, of images used by users to verify their identity, for the purpose of training facial recognition algorithms, and the lack of information provided to app users regarding the use of personal data; in other words, an insufficient privacy notice.

 

The ICO recommended delaying the roll-out of the app until their concerns were allayed, as there were other ways to receive an electronic or paper version of the passport; however, the app was released as planned on the 30th September, albeit without the third party retaining any data.

 

At this stage the ICO obviously felt they were being ignored and have now issued a reprimand, focussing on the lack of transparency around the retention and use of personal data. Issuing a reprimand shows leniency and is designed to prompt action, but from the content and wording of the reprimand document, it is clear the ICO is not happy, is requesting action, and will take more serious action if its requests are ignored.

 

Now, why should you be bothered about this? After all, it’s unlikely you are responsible for the work of the Scottish Government or NHS Scotland. Well, the moral of the story is that data protection exists, that there is clear guidance available, and that certain actions, e.g., completing a DPIA and being transparent about the use of data by means of a privacy notice, are required. Not only that, using personal data outside the scope of its original purpose, and not communicating in an appropriate timeframe, will bring you to the attention of the ICO, and will more than likely impact your business financially or reputationally, or require an additional investment of resource and time. So, take note of this cautionary tale and be proactive, or engage with a third-party provider, like Aim Ltd, to help you avoid the wrath of the regulator.

 
