Covid app's privacy information ruled not clear enough

Covid app’s privacy information ruled not clear enough

The UK’s data watchdog has issued a reprimand to both the Scottish government and NHS National Services Scotland about their Covid Status app. The Information Commissioner’s Office (ICO) urged both to act swiftly to address its concerns about the app that, according to the ICO, failed to provide people with clear details about how their personal information was being used.

Covid Status app

The NHS COVID Pass shows the holder’s Covid vaccination details, test results, and recovery information. The holder can use the app to prove their Covid status when travelling abroad or when visiting venues that require proof of a Covid status. The app can be used to display a QR coderather than details of the vaccination or test results, which can then be scanned by someone using a verifier app. They will need to see a green tick that confirms the person’s Covid status in order to allow them the requested access.

The displayed information is inherently personal because it says something about your medical history so it should be treated with the greatest care. However, the ICO said there were only three days between it receiving the full details on how the NHS Scotland Covid Status app would be using people’s information and the rollout of mandatory status checks. This did not provide authorities and users with ample time to review the privacy details.

Sharing information

Originally, there were plans to let the app share the images and passport details of Scottish users with the software company providing the facial recognition technology behind it, but this technology wasn’t necessary for the app to function and served no benefit to the user. The ICO concluded it would have been unlawful in these circumstances to share information with the software company in order to help them improve the facial recognition software.

As a result, the Scottish government and NHS National Services Scotland halted plans to share personal data with the software company. However, the ICO said the app was launched as planned without fully addressing its wider concerns about compliance with data protection law.

The investigation

The ICO followed up with an investigation and has now concluded that both parties failed to initially provide adequate information to users about how personal information would be used. They also didn’t correct this by failing to provide concise privacy information so the average person could realistically understand how the app was using their information. The ICO decided to make its ruling public due to the significant public interest in the issues raised.

The defense

Ministers accepted that the privacy information could have been clearer, but the Scottish government said the NHS Scotland Covid Status app was an important tool in their response to COVID-19, and served as a vital public health role during the pandemic. They went on to stress that at all times people’s data was held securely and used appropriately.

“Together with NHS National Services Scotland, we will continue to work with the ICO to implement the improvements they have asked for, and ensure that lessons are learned for future work.”

Other Covid apps

Given the limited timeframe to come up with an acceptable solution and the sensitive data held, it was almost inevitable there would be flaws in some of the apps that were designed for this purpose. The NHS Scotland Covid app was not alone.

Numerous tracing applications have been developed or proposed, with official government support in some territories and jurisdictions. These tracing apps are designed to notify users if they have been in close contact with a COVID-19 victim. Privacy concerns have been raised, especially about systems that are based on tracking the geographical location of app users.

The Dutch CoronaMelder-app got shut down for days because there were privacy issues with the Google layer of the app that potentially leaked data to standard apps on the Android platform. Later it was criticized again because public health service employees of the GGD would be able to link app data to a specific patient.

The Singapore TraceTogether-app, also a tracing app, was summoned to update its privacy conditions to reflect the fact that location data from the app could be used in criminal investigations.

In France, a researcher found that the contact tracer app collects more data than originally understood. His findings show that all cross-contacts are sent to the central server, contrary to the government guidance which states that only the app users who had been in contact for 15 minutes, closer than one meter away from a person who tested positive for COVID-19 would be stored, meaning that the app processes more data than necessary or specified, and is not compliant with the data minimization principle. The French Government has not denied the comments.

Stay safe, everyone!


Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.