A watchdog has reprimanded the Scottish Government and an NHS body over a key aspect of the vaccine passport policy.
The Information Commissioner’s Office said there had been a failure to provide “adequate” privacy info at the launch of the app central to the initiative.
Downloading an NHS app has been one way for people to prove their vaccination status to access venues such as nightclubs.
With progress made on combating covid, the vaccine passport policy will end on Monday.
In a blow for Ministers, the ICO said they received full details about how the app would use people’s data in September last year.
After reviewing the details “at pace”, the ICO advised the Scottish Government and NHS National Services Scotland of a “number of concerns” about the way the app would use people’s information.
The watchdog was particularly concerned by plans to allow the app to share the images and passport details of Scottish users with the software firm providing the facial recognition technology.
According to the ICO, the plan to share personal data with the company was halted, but the app was launched as planned without “fully addressing” the ICO’s wider concerns.
An investigation was launched and the reprimand cover two issues, the first being an “initial failure” to provide “adequate privacy information” within the app at launch.
It also covered an “ongoing failure” to provide concise privacy information so the “average person” can understand how the app is using their information.
The ICO made the reprimand public because of the “significant public interest” in the issues raised.
ICO Deputy Commissioner, Steve Wood, said: “People need to be able to share their data and go about their lives with confidence that their privacy rights will be respected.
“The law enables responsible data sharing to protect public health. But public trust is key to making that work. When governments brought in COVID status schemes across the UK last year, it was vital that they were upfront with people about how their information was being used.
"The Scottish Government and NHS National Services Scotland have failed to do this with the NHS Scotland COVID Status app.
“We require both bodies to act now to give people clear information about what is happening with their data. If they don’t, we will consider further regulatory action.
"The ICO, including our office in Scotland, remains committed to working with both bodies to address these outstanding issues and ensure this learning is applied to future activities, including the development of any future government apps that store and use people’s information.”
A Scottish Government spokesperson said: “The NHS Scotland Covid Status app was an important tool in our response to COVID-19, and has served a vital public health role during the pandemic. Following the ICO’s investigation, the Scottish Government accepts that the privacy information in the app could have made it clearer to users how their information would be used. However, it is important to stress that at all times people’s data was held securely and used appropriately.
“Together with NHS National Services Scotland, we will continue to work with the ICO to implement the improvements they have asked for, and ensure that lessons are learned for future work.”
Scottish Tory MSP Murdo Fraser said: “As if the vaccine passport scheme had not been enough of a disaster, we now discover that the SNP Government launched the Covid Status app despite being warned that doing so would compromise users’ privacy and personal information.
“It’s disgraceful that the SNP arrogantly rushed ahead when the Information Commissioners’ Office expressly asked them to delay the launch until their concerns over the app’s flaws had been addressed.
“Thankfully, this hated scheme will finally end on Monday but the ICO findings put the tin lid on a fiasco and shambles that shames the SNP.”
To sign up to the Daily Record Politics newsletter, click here.