Transformation Directorate

NHS COVID Pass Verifier app Privacy Notice (PN)

Last updated 12 May 2022

About the NHS COVID Pass Verifier app

What is the NHS COVID Pass Verifier app?

This is a downloadable mobile device app that allows an organisation/operator to scan and read the 2D barcode displayed by a citizen travelling abroad or, domestically, seeking entry to an event. An organiser can download the Verifier app from the Apple iOS or Google Play stores.

The purpose of this privacy notice is to explain to citizens holding an NHS COVID Pass how their data is processed when scanned by the NHS COVID Pass Verifier app and to provide information to operators.

What is the purpose of the Verifier app?

For international travel, an operator can scan 2D travel barcodes presented from an English, Welsh or Isle of Man resident’s NHS COVID Pass, or from any passes linked to the EU Gateway, via their mobile app, letter, PDF or Wallet-saved NHS COVID Pass. This 2D barcode confirms that the person travelling meets the criteria of being fully vaccinated against COVID-19 or has recovery status. A citizen’s international COVID travel pass will also show vaccination details on the operator's screen, such as when the vaccine was given and what type, as defined and required by international standards. The NHS COVID Pass Verifier app can recognise certain vaccines, which remain under continual review and expansion in line with international rule sets.

As of 12 May 2022, the domestic pass is no longer available. This means that venues and events will no longer be able to request it as a condition of entry. The NHS COVID Pass for travel will remain as is in line with international requirements.

Note: The Verifier app will always use current policy to decide what gives rise to a Pass status. If a visitor from Scotland or Northern Ireland needs to show their COVID Pass at an English event, they will need to show their international pass.

How does the Verifier app use data?

An organisation can opt to check a COVID Pass visually (which does not process data and to which UK GDPR does not apply), or to use the NHS COVID Pass Verifier app, which processes a citizen’s data. The venue or travel operator will become a data controller under UK GDPR. Demographic and health information from a person’s COVID-19 events is exchanged between the citizen’s COVID Pass screen and the camera of the Verifier app, and on to the operator's screen, processing non-human-readable data. The processing is fleeting and the Verifier app does not retain, store, share or further process any personal or health information in the scanning process.

How does the Verifier app process and scan data?

The Verifier app uses a system of public keys to manage identity and security in internet communications. Permissions are used to securely store public keys that are used to verify a 2D barcode that has been signed by a trusted authority. These permissions are not used to store any data related to the user or app usage. The storage used does not hold any personal data.

The internet is only used within the Verifier application to obtain the public keys needed to verify the 2D barcodes. Once the public keys have been obtained, they are stored for a select amount of time before being refreshed, to prevent excessive calls and internet usage.

Camera usage - upon clicking the ‘check a 2D barcode’ button on the landing screen, the Verifier app user is asked to ‘Give permission’ to the application to use the camera. If the user denies these permissions, a screen will appear specifying that the permissions are required to proceed to the Verifier. If the user grants these permissions, the app will proceed to the Verifier.

File usage - when a user downloads the application, they have explicitly given permission for file usage within the application. However, file usage is only used to store public keys in secure external storage, which then allows the application to verify 2D barcodes from a trusted authority. The usage permission is not used to store any data related to the user's personal or application usage.

Further user guidance for operators on how to use the Verifier app can be found at

https://transform.england.nhs.uk/covid-19-response/nhs-covid-pass-verifier-app/ and

https://transform.england.nhs.uk/covid-19-response/nhs-covid-pass-verifier-app/international-covid-pass-verifier-app-user-guide/

and the Terms and Conditions of use are available at

https://transform.england.nhs.uk/covid-19-response/nhs-covid-pass-verifier-app/nhs-covid-pass-verifier-terms-and-conditions/

How is data processed when there is an error message?

There are a number of error messages that the Verifier app will display on the operator's screen in the event that a citizen’s NHS COVID Pass is in some way insufficient. These messages will allow an operator to convey some minimal redirecting information to a citizen to help them succeed. This information will not be further processed, shared or retained by the Verifier app. The Verifier app will now log the signing and issuing country of an EU DCC pass in international mode, and record where there is a mismatch between the two. A discrepancy between these two fields is an indicator of possible fraud, and will be monitored to help improve the security of the service.

Who manages the NHS COVID Pass Verifier app service?

The Department of Health and Social Care (DHSC) provides English residents with the NHS COVID Pass service, including the NHS Verifier app. Neither DHSC nor data controllers using the Verifier app collect, share, store, retain or further process any personal or health data from their citizens’ NHS COVID passes through using the NHS Verifier app.

Visual checking without the use of the Verifier app is not considered to be data processing.

Metrics, using anonymised data, are collected on behalf of DHSC using Microsoft technology (‘Visual Studio App Centre’). These insights from operational use are sent securely to Microsoft ‘Azure App Insights’ to ensure features and updates can be maintained. No personal data is processed for this purpose.

The legal basis for using personal information

The lawful basis for a venue operator acting as a data controller to use the Verifier app is for the purposes of verifying an NHS COVID Pass (under UK GDPR):

Art 6(1)(e) - processing is necessary for the performance of a task carried out in the public interest

Art 6(1)(f) – processing is necessary for the purposes of the ‘legitimate interests pursued’ by the controller or by a third party

Art 9(2)(g) – processing is necessary for reasons of ‘substantial public interest’, supported by paragraph 11 (1) [c] of Part 2, schedule 1 Data Protection Act 2018.

Art 9(2)(i) – processing is necessary for reasons of ‘public interest in the area of public health’, such as protecting against serious cross-border threats to health.

A citizen’s rights over their information

Under data protection law, a citizen has several information access rights over their personal information, with which the data controller must comply. However, as no data is retained by the NHS COVID Pass Verifier app, a citizen cannot ask the operator to uphold these rights.

https://www.nhs.uk/conditions/coronavirus-covid-19/covid-pass/

https://covid-status.service.nhsx.nhs.uk/help/privacy-notice/

Changes to this Privacy Notice

DHSC regularly reviews this Privacy Notice. This Privacy Notice was last updated on 29/04/2022.

How to find out more information

Please contact the data protection officer or information governance/data protection team at the setting you attended for further information or to ask for other information that an organisation holds about you.

The data controller for the production of service information regarding use of the Verifier app as well as service design is the Department of Health and Social Care (DHSC). All information is anonymised and aggregated. Please contact the Data Protection Officer as below in the event that you require further information or wish to bring something to our attention.

In writing:

DPO

Department of Health and Social Care

1st Floor North

39 Victoria Street

London SW1H 0EU

By email:

data_protection@dhsc.gov.uk

Formal complaint about the processing

If, after contacting either data protection officer, you wish to make a formal complaint about the processing of your personal data, please contact the Information Commissioner at:

Information Commissioner's Office (ICO)
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Telephone: 0303 123 1113
Fax: 01625 524510

https://ico.org.uk/