Scottish ministers reprimanded after Covid passport scheme broke data law | HeraldScotland - Tom Gordon:
February 25, 2022 - "The UK information watchdog has reprimanded the Scottish Government for launching its Covid vaccine passport despite being warned the app broke data protection law. Ministers also struck an 'unlawful' deal with the firm behind the app to let it use people’s passport pictures to improve its own algorithm despite this being of no benefit to the public. The UK Information Commissioner (ICO) said it was publicising its reprimand of the Government and an NHS quango because of the significant issues involved. The ICO said it now expected the Government and NHS National Services Scotland to fix 'ongoing' problems with the Covid status app or face 'further regulatory action'.
"Launched last autumn, the app let people prove their vaccination status for mandatory Covid checks for large events and nightclubs. The mandatory scheme is now due to end this Monday, but Nicola Sturgeon said this week that the app will remain operational if any venues still wish to check people. The ICO asked both the Government and its quango to provide adequate privacy information within the app when it launched to explain how people’s information was being used. It said there has also been an ongoing failure to provide concise privacy information so that the average person could realistically understand how the app used their information.
"The ICO said it had ... received the full details of how the Scottish app would work only three days before the scheme was due to go live on September 30 and found 'a number of concerns'.... Its summary of the case said: 'The ICO provided comprehensive feedback on the [app] on 29 September 2021, and advised Scottish Government and NHS NSS to delay the app launch until our most serious concerns were addressed in full. This included revoking permission for the third party’s retention and re-processing of data to train their algorithms. It is important to note that the App would not have been the only way to obtain proof of COVID vaccination.... Delaying the launch of the app would therefore not have prevented the implementation of the Scottish Government’s policy on mandatory COVID certification'....
"On September 30, the Information Commissioner Elizabeth Denham met Deputy First Minister John Swinney and stressed the need for the app to meet data protection law. However the app was launched that evening regardless. Although the planned sharing of data, including passport images, with the software firm was suspended prior to launch, other aspects of the app remained 'non-compliant' with the law. That prompted Ms Denham to meet Mr Swinney again and tell him that the ICO had launched a 'formal investigation' into the app’s compliance.
"ICO deputy commissioner Steve Wood said: 'People need to be able to share their data and go about their lives with confidence that their privacy rights will be respected. The law enables responsible data sharing to protect public health. But public trust is key to making that work. When governments brought in Covid status schemes across the UK last year, it was vital that they were upfront with people about how their information was being used. The Scottish Government and NHS National Services Scotland have failed to do this with the NHS Scotland Covid Status app'....
"After the app launched, the ICO raised concerns about the lack of a privacy notice telling users how their data would be used. This led to a link being added to the NHS Inform website, but it was 'not easily accessible' and ... also complex, 'unneccessarily long and difficult to navigate'. Despite being updated several times, the ICO said this privacy notice remained defective. It has therefore ruled that the app is still failing to comply with the transparency principle set out in UK data protection law.... The Government and NHS NSS must now rectify the privacy notice within 30 days or face enforcement action."
No comments:
Post a Comment