07 March, 2022
The ICO has announced that it has issued a reprimand to the Scottish Government and NHS National Services Scotland for failing to comply with the UK General Data Protection Regulation (UK GDPR) in relation to the NHS Scotland Covid Status App.
The reprimand has been issued after an ICO investigation found that both organisations failed to provide people with clear information about how their personal information, including sensitive health data, is being used by the NHS Scotland Covid Status App.
Details of the Investigation
Throughout the Covid-19 pandemic, the ICO has sought to engage with public authorities to ensure that data-driven innovation is conducted in a way which is compliant with data protection law, in order to secure public trust in public authorities' use of health data. This included engaging with NHS Scotland and the Scottish Government on routes to introducing Covid status certificates which could be used for the purposes of international travel. The ICO was not provided with a Data Protection Impact Assessment (DPIA) for the App until 3 days prior to its launch.
Issues with the App's Privacy Notice
The ICO investigation found that the App's privacy notice was not initially easily accessible and the ICO advised that this needed to be improved. After being provided with a link to the App's privacy notice, the ICO found that it covered a number of services including the App, the Covid Certificate Service and the National Vaccination Scheduling Service. The ICO found that the privacy notice was long, complex and difficult to navigate. This resulted in confusing information being presented to individuals and inaccurate details of data sharing being reported in the media. The ICO found that these inaccurate details were quotes taken directly from the privacy notice and illustrated the risk of the content of the privacy notice being misunderstood by the public.
The ICO therefore concluded that the App failed to comply with the transparency principle as set out in Article 5 UK GDPR and the obligations relating to transparency as set out in Article 12 UK GDPR. The ICO required that the organisations re-draft the privacy notice to present the information in a concise, transparent, intelligible and easily accessible form, using clear and plain language as required by Article 12 UK GDPR.
What can we learn from this Reprimand?
Privacy policies and notices are well known for being long and technical. This is to be expected to a certain extent, because Article 13 of the UK GDPR sets out a long list of information which is required to be included in a privacy notice. On the other hand, Article 12 of the UK GDPR requires this information to be presented in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
In light of this reprimand, organisations will want to ensure that their privacy notices are not over-complicated and are easily understood. This may include preparing separate privacy notices for different functions and services in order to avoid any confusion.
The ICO has extensive guidance on drafting clear and concise privacy notices, which is available to view here - How should we draft our privacy information? | ICO
A copy of the ICO's reprimand to the Scottish Government and NHS National Services Scotland is available to view here - Reprimand for failure to comply with UKGDPR (ico.org.uk)
For more information contact Bethany Paliga in our Governance, Procurement & Information department via email or phone on 01254 222347. Alternatively send any question through to Forbes Solicitors via our online Contact Form.