How we use your data

Privacy and how we use your data

Privacy and data security are very important to the Scottish Government and the NHS Scotland. Protect Scotland is designed with this as a priority, in order to protect the privacy of all app users.

Protecting your privacy

The app:

  • Does not collect your name, age or address
  • Does not hold your phone number
  • Cannot be used to track your location
  • Cannot be used to check if you are self-isolating
  • Can only share the anonymised app information from your phone if you choose to
  • Cannot reveal the identities of any close contacts
  • Cannot reveal the identities of people who have tested positive for coronavirus
  • The app is voluntary to download and use, and you will never be required to use it. You can choose whether to share data and information with us or not
  • You will never be asked to prove you have the app, and you should never be asked to show the status of the app to anyone else – that is entirely up to you

You can:

  • Change your preferences at any time in the app settings
  • Use parts of the app without sharing any data at all
  • Choose to use app features independently
  • Remove or update any information you provide to the app, at any time
  • Delete the app at any time

Deleting your data

You can choose to delete the app and your data at any stage. To do this:

  • Go to 'Settings' in the app
  • Select 'Leave'
  • Tap on 'I want to leave'
  • This will delete the app and your data

For more information on your data held within the Protect Scotland app

Translations and accessible formats

If you require this information in another language or accessible format, please email ceu@gov.scot


Protect Scotland app Privacy Notice

FAQs about how we use your data

Who can see my data?

No-one can see your data. The app does not store personal data anywhere, and nothing is made visible by the app to anyone, including the Scottish Government and NHS Scotland.

None of the subcontractors (e.g. AWS, NearForm, NES Digital Services or Gov.UK Notify) involved in making the app work have access to your data either, because your data is never stored anywhere. Only completely anonymous data is stored on the app User's mobile phone, and it is stored in a public registry only if the app User decides to share their anonymous data.

How does the Google Apple Exposure Notification system work?

Scotland has chosen to build its proximity tracing app on the Google Apple Exposure Notification system as it does not collect information on the user's identity or location.

When app users come into close proximity, their smartphones automatically exchange encrypted random keys (completely anonymised and non-identifiable data). These random keys only tell the app that two people have encountered each other, for how long and how far apart they were.

This video is particularly useful to understand how the Google Apple Exposure Notification system works: https://youtu.be/1Cz2Xzm6knM

A full explanation of how the Google Apple Exposure Notification system works is provided by the following two official company websites:

Google Exposure Notification system

Apple Exposure Notification system

Does the Scottish app use the centralised or decentralised model? And what is that?

This is a decentralised solution, so data is only held and processed on a user’s mobile until a user that has tested positive for COVID-19 shares his/her anonymous keys (called Diagnosis Keys) that have been captured by the app on his/her mobile phone.

When these ‘diagnosis keys’ are shared voluntarily by an app User, they are stored (completely anonymised) in a secure registry (called the AWS Registry).

Every 2 hrs the app checks if there are any anonymous keys in the phone matching the keys in the AWS Registry. These checks are done on the mobile phone. If there is a match, the app User will receive a notification that they have been exposed to the virus and are advised to self-isolate.

This model is called "decentralised" because the data is not stored in a central place, but rather distributed on the app Users' mobile phones, and only some anonymous 'diagnosis keys' are voluntarily shared in a public registry.

What is the main purpose of this app?

The primary purpose of the app is to support the public health response to the COVID-19 crisis in Scotland and to accomplish that through the following functions:

  • Remembering when you have been close enough for long enough to other app Users during the last 14 days (by exchanging anonymous random codes)
  • Providing you with prompt advice
  • Sending you alerts ('Exposure Notifications') if you have been in close contact with another app User who has tested positive for COVID-19 within the last 14 days. The app will advise you to commence isolation. The app also points you to other useful information sources

Does the app collect statistics? Are they anonymous? And why are these statistics needed?

The app anonymously counts:

  • How many people have downloaded the app
  • How many times someone who tested positive has voluntarily shared his/her anonymous keys (by producing his/her "Test Code" in the app)
  • How many times alert notifications are sent to app Users (this is also called 'exposure notifications')

The app produces Scotland-wide statistics (aggregated and anonymous) that will enable the Scottish Government and Public Health Scotland to understand the spread of the virus better and plan for services and actions to tackle the pandemic accordingly.

The collection of these metrics is also essential to prove the app works and to keep the approval for the app in line with current regulations set by the Medicines and Healthcare Products Regulatory Agency (MHRA); this is called 'CE marking accreditation'.

Will there be further improvements to the app?

The Scottish Government is considering the future development of versions of the app to address various helpful features, including:

  • Improved accessibility, e.g. in terms of languages other than English
  • Anonymous sharing of ‘diagnosis keys’ for people who travel abroad or come to visit Scotland
  • Wider use (e.g. people under 16, and minorities)

Future updates of the app may occur to improve the way it works, or for improvements in the Google-Apple operating system.

Any future changes will follow rigorous scrutiny; the decision will be balanced against public health benefit and cost (balanced against other health priorities) and this privacy notice will be updated accordingly for transparency.

Who has been consulted about how the data is used?

The Scottish Government and NHS Scotland have rigorous information governance processes in place. From the early stages of the design of the app, a thorough consultation with relevant Scottish interest and advocacy groups has taken place, including:

  • The Health and Social Care (Scotland) Public Benefit and Privacy Panel
  • The Scottish Privacy Forum
  • The Open Rights Group
  • The COVID-19 Data and Intelligence Network – Data ethics and public engagement subgroup
  • Representatives of the general public

Will the app know my mobile number? And what does the app do with it?

Contact tracing is a well-established public health intervention within NHS Scotland. If you test positive for COVID-19, the National Contact Tracing Centre will contact you.

During the call, the Contact Tracer will discuss with you whether you wish to receive a text message containing a 'Test Code' via SMS, so you can anonymously upload your 'Diagnosis Keys' and other app Users can be alerted (Exposure Notifications).

The Contact Tracer will also discuss with you when your symptoms started, and will determine the most relevant date to use when sending these anonymous 'Exposure Notifications' to other app Users, thereby advising them to self-isolate.

If you agree to receive a 'Test Code', the National Contact Tracing Centre will send a request to the app Backend along with your encrypted mobile phone number and the date the contact tracer determined is the most relevant for infection control purposes, e.g. the date of your last COVID-19 test or the date when you started having symptoms (-48 hrs).

The app backend will then generate and send you an SMS message containing the 'Test Code' that you can produce in the app if you want to send your Diagnosis Keys to the app Registry, so other app Users can anonymously check whether they have been exposed.

The Test Code is valid for 24 hours.

The SMS text message is delivered using the Gov.UK Notify service.

Storage and retention:

  • The app backend will keep your app User mobile number only until the SMS is sent to you (typically within a couple of hours). Then the mobile phone number is deleted; it is never stored in the app backend
  • The government service used to send the SMS (Gov.UK Notify) holds your data for up to 72 hours. This is necessary in order to ensure the SMS is sent and there is sufficient time to deal with potential SMS verification issues. Once the SMS is satisfactorily sent, it is marked as ‘beyond use’ and is deleted as soon as the automated deletion process is scheduled (this happens every 72 hours). During this time, your SMS data is stored encrypted in their secure servers
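The Test Code lifecycle described above (the backend generates a code, hands the SMS off, discards the mobile number, and the code stays valid for 24 hours) as an added Python example. This is illustrative code written for this page, not the Protect Scotland backend: it assumes a hypothetical `send_sms` callback standing in for the Gov.UK Notify hand-off, a constructed eight-character code format (the page does not describe the real one), and constructed sample phone numbers from the range reserved for examples. What it demonstrates is that a backend can issue and later validate a code while retaining neither the phone number nor the SMS text.

```python
import secrets
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional

CODE_VALIDITY = timedelta(hours=24)  # the notice states a Test Code is valid for 24 hours
# Constructed choice of code format; the page does not describe the real one.
CODE_ALPHABET = string.ascii_uppercase + string.digits


@dataclass
class PendingCode:
    """Everything the backend keeps once the SMS has been handed off: note there is no phone number."""
    relevant_date: str
    expires_at: datetime
    redeemed: bool = False


@dataclass
class TestCodeBackend:
    # send_sms(mobile_number, message) -> delivered; a hypothetical stand-in for the Gov.UK Notify hand-off
    send_sms: Callable[[str, str], bool]
    codes: Dict[str, PendingCode] = field(default_factory=dict)

    def issue(self, mobile_number: str, relevant_date: str, now: datetime) -> Optional[str]:
        """Generate a Test Code, dispatch the SMS, then forget the mobile number."""
        code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(8))
        delivered = self.send_sms(mobile_number, f"Your Protect Scotland Test Code is {code}")
        del mobile_number  # the number is never persisted; nothing below can reference it
        if not delivered:
            return None
        self.codes[code] = PendingCode(relevant_date, now + CODE_VALIDITY)
        return code

    def redeem(self, code: str, now: datetime) -> Optional[str]:
        """Authorise one diagnosis-key upload. Returns the relevant date, or None if unknown, used or expired."""
        pending = self.codes.get(code)
        if pending is None or pending.redeemed or now >= pending.expires_at:
            return None
        pending.redeemed = True
        return pending.relevant_date

    def purge_expired(self, now: datetime) -> int:
        """Scheduled clean-up; returns how many codes were removed."""
        expired = [c for c, p in self.codes.items() if now >= p.expires_at]
        for c in expired:
            del self.codes[c]
        return len(expired)


def demo() -> dict:
    """Walk through issue, redeem, replay, expiry and purge with constructed sample data."""
    outbox: List[str] = []  # constructed stand-in for the SMS provider's delivery queue
    backend = TestCodeBackend(send_sms=lambda number, msg: outbox.append(msg) or True)
    t0 = datetime(2020, 9, 10, 12, 0, tzinfo=timezone.utc)
    # +44 7700 900xxx is a range reserved for examples, so these are constructed numbers.
    code = backend.issue("+447700900000", "2020-09-08", t0)
    late_code = backend.issue("+447700900001", "2020-09-09", t0)
    return {
        "first_redeem": backend.redeem(code, t0 + timedelta(hours=1)),   # valid, within 24 h
        "replay": backend.redeem(code, t0 + timedelta(hours=2)),         # same code presented again
        "expired": backend.redeem(late_code, t0 + timedelta(hours=25)),  # past the 24 h validity
        "sms_sent": len(outbox),
        "number_in_sms": any("+4477" in msg for msg in outbox),          # the SMS body carries only the code
        "retained_fields": sorted(PendingCode.__dataclass_fields__),
        "purged": backend.purge_expired(t0 + timedelta(hours=25)),
        "remaining": len(backend.codes),
    }


if __name__ == "__main__":
    print(demo())
```

The `del mobile_number` inside `issue` is the point of the example: after the hand-off, the only record the backend holds is the code, its expiry and the relevant date, so a later upload can be authorised without the backend ever being able to say whose phone it came from.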

Who can access it?

  • Your mobile number and the relevant date are not stored by the app and are not made visible by the app to anyone, including the Scottish Government, AWS, NES Digital Services or Gov.UK Notify. While the app processes this data in order to generate the SMS, no person can see your data
  • The National Contact Tracing Centre (which is the source of your mobile number and the relevant date) can only access this information using their own systems (CMS) – they cannot access this information via the app

Are the SMS sent with the Test Code anonymous?

No. The SMS is personal identifiable data because in order to send the Test Code to you, it is required to use your mobile phone number.

This is also considered health data by inference, since it is only sent to app Users who have tested positive for COVID-19.

Storage and retention:

  • The app backend will keep your Test Code (encrypted) only until the SMS is sent to you. It usually takes up to a couple of hours to generate and send the SMS with the Test Code to you, and then it is deleted; it is never stored in the app backend
  • The government service used to send the SMS (Gov.UK Notify) holds your data for up to 72 hours. This is necessary in order to ensure the SMS is sent and there is sufficient time to deal with potential SMS verification issues. Once the SMS is satisfactorily sent, it is deleted. During this time, your SMS data is stored encrypted in their secure servers

Who can access it?

  • Your Test Code is not stored by the app; it is not made visible by the app to anyone, including the Scottish Government, the AWS, Gov.UK Notify or any of the participating NHS Scotland organisations. While the app processes this data in order to generate the SMS, no person except you can see your Test Code

Figure 1: SMS timeline (includes your mobile phone number, date of your last test and your 24 hrs Test Code)

What are IP Addresses and why are they needed? Are IP Addresses anonymous?

An Internet Protocol (IP) address is a numerical label assigned to your mobile device by your mobile network or internet service provider. An IP address is typically made up of 4 sets of numbers (e.g. 192.168.0.50). As a consequence of how data traffic passes across the Internet, your IP address is inevitably transferred to the network.

Most mobile phones have IP addresses that change over time; however, some mobile devices have IP addresses that rarely change (e.g. static IP addresses), so IP Addresses have the potential to be associated with the app User.

The app needs to use your IP Address to send data from your phone over the network (e.g. your diagnosis keys or the metrics). Your IP Address is only used for a very short period (typically in the range of seconds). The app only sends encrypted data over the network.

The way it works is very technical, but there is a quick and relatively easy video that explains how it works.

GDPR court rulings have determined that IP Addresses are personal identifiable data because, for a period of time, they could potentially be associated with you.

Storage and retention:

  • IP Addresses are not stored by the app; they are deleted immediately once the data they are transporting over the network has reached its destination. The app uses your IP Address only for a few seconds every time data needs to be sent from your mobile phone to the network (e.g. your Diagnosis Keys)

Who can access it?

  • None of the organisations involved have access to your IP Addresses. The Scottish Government cannot use your IP address to identify you. These IP addresses are not stored by The Scottish Government, the AWS or any NHS Scotland organisation involved in the delivery and running of this app. They are only used by the network. You can see your IP address in your mobile phone network settings

When are diagnosis keys considered personal information? When are they anonymised?

If you tested positive for COVID-19, you will be invited via SMS to upload the Diagnosis Keys collected during the past 14 days to the app Backend. The phone generates random Identifier Beacons privately every day. It does so using the Google and Apple ENS. On a positive diagnosis, the app requests permission (Test Code) from you to access these random Identifier Beacons on your phone and then publishes them on a public registry in the app Backend.

Diagnosis Keys are necessary so that other app users can be notified if they have been exposed. App Users' mobile phones check for any new diagnosis keys from the registry every 2 hours and compare them with the 'Identifier Beacons' collected on their phone during the last 14 days. These Identifier Beacons are only collected if two mobile phones with the app installed, and the ENS active (switched on), have been in close proximity (within 2 metres for at least 15 minutes).

Diagnosis Keys are therefore a subset of these random Identifier Beacons, and they can only be uploaded to the app Backend if you input an Authorisation Code in the app.

Diagnosis Keys are considered health data by inference since they are uploaded only after authorisation from app users who have tested positive for COVID-19.

  • Diagnosis Keys are considered personal identifiable data when they are combined with your mobile phone IP Address. This is necessary in order to send your Diagnosis Keys from your mobile phone to the app Backend. This process is very technical; however, section 6.4 offers more details about IP Addresses and how it works
  • Anonymisation. Once your diagnosis keys reach their destination in the network (the app backend), the IP Address is deleted, and the diagnosis keys become anonymous again. They cannot be linked back to you, even if you wanted (refer to section ‘Your rights’, right to access)

Storage and retention:

  • The anonymous diagnosis keys are kept in the app backend for 14 days to allow other app users' phones to check if they have been exposed during that period; then the anonymous diagnosis keys are deleted from the app backend

Who can access it?

  • Because your diagnosis keys are sent encrypted to the network, no one can see this data when in transit from your phone to the app backend
  • Your anonymised diagnosis keys will be available, so other mobile phones with the app installed can check for any matching keys and send Exposure Notifications to the app User

Figure 2: Diagnosis Keys timeline
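The decentralised model described in the "centralised or decentralised" question and in this Diagnosis Keys section (daily random keys generated on the phone, rolling identifiers exchanged over Bluetooth, keys published to a registry only after authorisation, matching done locally on each phone, 14-day retention) as an added Python simulation. This is illustrative code written for this page; it is not the Google Apple Exposure Notification implementation and uses its own simplified identifier derivation (an HMAC of the day and 15-minute interval under the daily key) rather than the real one. Assumptions: 96 identifier rotations per day, the 2-hourly download collapsed into a single call, the upload's authorisation reduced to a boolean (the Test Code flow is shown separately above), and a documentation IP address standing in for the uploading phone. Bluetooth radio and distance are not modelled; a phone simply records how many minutes it heard each identifier.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

RETENTION_DAYS = 14        # the notice keeps diagnosis keys and collected identifiers for 14 days
MIN_EXPOSURE_MINUTES = 15  # close-contact threshold stated on the page (within 2 m for at least 15 min)
INTERVALS_PER_DAY = 96     # constructed simplification: the broadcast identifier changes every 15 minutes

DiagnosisKey = Tuple[int, bytes]  # (day number, daily key)


def rolling_id(daily_key: bytes, day: int, interval: int) -> bytes:
    """Simplified derivation (not the real GAEN one): an HMAC of day/interval under the daily key."""
    return hmac.new(daily_key, f"{day}:{interval}".encode(), hashlib.sha256).digest()[:16]


@dataclass
class Phone:
    name: str
    daily_keys: Dict[int, bytes] = field(default_factory=dict)         # generated locally, never leave the phone
    heard: Dict[Tuple[bytes, int], int] = field(default_factory=dict)  # (identifier, day) -> minutes observed

    def key_for_day(self, day: int) -> bytes:
        if day not in self.daily_keys:
            self.daily_keys[day] = secrets.token_bytes(16)
        return self.daily_keys[day]

    def broadcast(self, day: int, interval: int) -> bytes:
        """What a nearby phone receives: a rolling identifier, not the key and not any personal data."""
        return rolling_id(self.key_for_day(day), day, interval)

    def hear(self, identifier: bytes, day: int, minutes: int) -> None:
        self.heard[(identifier, day)] = self.heard.get((identifier, day), 0) + minutes

    def diagnosis_keys(self, today: int, authorised: bool) -> List[DiagnosisKey]:
        """Keys from the last 14 days, released only once a positive test is authorised (Test Code)."""
        if not authorised:
            return []
        return [(d, k) for d, k in sorted(self.daily_keys.items()) if d > today - RETENTION_DAYS]

    def check_exposure(self, published: List[DiagnosisKey]) -> int:
        """Local matching: re-derive identifiers from each published key and total the minutes heard."""
        minutes = 0
        for day, key in published:
            for interval in range(INTERVALS_PER_DAY):
                minutes += self.heard.get((rolling_id(key, day, interval), day), 0)
        return minutes


@dataclass
class Registry:
    """The public registry: holds only (day, key) pairs; the uploading client's IP is never stored."""
    keys: Dict[int, Set[bytes]] = field(default_factory=lambda: defaultdict(set))

    def upload(self, client_ip: str, diagnosis_keys: List[DiagnosisKey]) -> int:
        del client_ip  # needed to carry the request, dropped before anything is persisted
        for day, key in diagnosis_keys:
            self.keys[day].add(key)
        return len(diagnosis_keys)

    def purge(self, today: int) -> None:
        for day in [d for d in self.keys if d <= today - RETENTION_DAYS]:
            del self.keys[day]

    def download(self) -> List[DiagnosisKey]:
        return [(d, k) for d, ks in sorted(self.keys.items()) for k in sorted(ks)]


def simulate() -> Dict[str, int]:
    """Constructed scenario: Alice meets Bob for 20 minutes, never meets Carol, then tests positive."""
    alice, bob, carol = Phone("alice"), Phone("bob"), Phone("carol")
    day = 100
    for interval, minutes in ((40, 15), (41, 5)):  # 20 minutes spanning two identifier rotations
        bob.hear(alice.broadcast(day, interval), day, minutes)
        alice.hear(bob.broadcast(day, interval), day, minutes)
    carol.hear(bob.broadcast(day, 50), day, 10)    # Carol only ever hears Bob
    registry = Registry()
    today = day + 2
    # 198.51.100.7 is a documentation address standing in for Alice's phone; the registry drops it.
    registry.upload("198.51.100.7", alice.diagnosis_keys(today, authorised=True))
    registry.purge(today)
    published = registry.download()                # what every phone fetches on its 2-hourly check
    bob_minutes = bob.check_exposure(published)
    registry.purge(today + RETENTION_DAYS)         # 16 days after the contact the key is gone
    return {
        "bob_minutes": bob_minutes,
        "bob_exposed": int(bob_minutes >= MIN_EXPOSURE_MINUTES),
        "carol_minutes": carol.check_exposure(published),
        "keys_without_code": len(alice.diagnosis_keys(today, authorised=False)),
        "keys_published": len(published),
        "keys_after_purge": len(registry.download()),
    }
```

Two properties of the model are visible in the code: the registry never learns who heard whom, because matching happens inside `Phone.check_exposure` against identifiers that only that phone recorded, and a phone that never met Alice (Carol) gets nothing from the same published data. The registry's `upload` also shows the IP-stripping claim made elsewhere in this notice: the address exists only for the duration of the request.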

Are metrics anonymous?

The app produces aggregated and anonymous Scotland-wide statistics e.g. the total number of app Users, the total number of instances when diagnosis keys are uploaded, the total number of alert notifications generated.

Metrics are anonymous, but in order to count them the app needs to send every "count" to the servers using your IP Address. Once the "count" (or metric) reaches the app Backend, the IP Address is deleted, and the "count" becomes anonymous, as it can no longer be associated with the app user or their mobile phone.

For example, in order to count the total number of app Users, the mobile phone sends a "count" to the app Backend when you click "yes" to the question "Do you agree to continue and start using this app?". The app will use your IP address to send this "count" through the network to the app Backend. At this point a "count" is considered personal identifiable data, because it contains your IP Address. Once the "count" reaches the app Backend, the IP Address is deleted, and the "count" becomes anonymous, as it can no longer be associated with the app user or their mobile phone.

Storage and retention:

  • IP Addresses are not stored; therefore, no personal identifiable metrics are held. IP Addresses are used only to send metrics to the backend, therefore personal data is only processed for a couple of seconds each time a new metric is forwarded to the backend, then the IP Address is deleted
  • The anonymous metrics are stored in the app backend and sent to the NHS National Services Scotland data warehouse for statistical and research purposes and future pandemic response planning. Data will be retained in its anonymous format in line with the NHS Records Management Code of Practice
  • These anonymous metrics are also retained in the back end for at least six months in order to accumulate the necessary evidence of efficiency of the app as required for obtaining formal MHRA Regulatory approval and CE marking accreditation
  • Scottish Government will also retain regional (Scotland level) statistical summaries indefinitely. These summaries do not contain any personal identifiable information, nor individual-level data of any kind; they are aggregated at Scotland level and therefore cannot be subject to re-identification in any manner

Who can access it?

  • The Scottish Government or the NHS Scotland will not receive any metric data related to any individual app User, only total numbers (for the region) of the metrics detailed above, in any given period
  • No one can access personal identifiable metrics, as they are only available in this format when encrypted and in transit in the network

Figure 3: Anonymous and personal identifiable data flows

How secure is the app?

The app does not store any personal data that can identify you; only anonymous data is stored and is encrypted by the app using the built-in encryption capability of your phone. Data is also encrypted when it is being uploaded to the app servers.

The app does not access GPS functionality or any form of location data from your phone.

The Contact Tracing feature uses a fully 'decentralised' privacy model. This means that identifier and diagnosis key matches are made locally on your phone. Matches are not made externally. This ensures no tracking of people's movements or who they contact can be done.

Your IP address is stripped from the data at the earliest possible opportunity to ensure it cannot be used in any way to re-identify the person that uploaded the information.

SMS are sent via Gov.UK Notify, an encrypted and secure service for government use. This service complies with the National Cyber Security Centre (NCSC) Cloud Security Principles.

The app and all the technical infrastructure used, including Amazon Web Services and Gov.UK Notify are subject to rigorous security tests and follow the National Cyber Security Centre (NCSC) Cloud Security Principles.

Further security information.

Further details of Amazon Web Services security are available.


What are the key organisations involved?

These are the key organisations involved in the development, deployment and running of the Protect Scotland app:

Scottish Government (Scottish Ministers)

Scottish Government is the organisation responsible for assisting Ministers in discharging their duties with NHS Scotland and the population of Scotland.

Scottish Government is the lead data controller for the app and has decided the means and purposes for the processing of data collected and used by the app.

The Scottish Government provides strategic direction for the app.

Decisions over the app:

Purpose of the app, technical means to process the data (e.g. the app), technical interchanges of data e.g. with Test Results, NHS Case Management System (CMS), how SMS will be sent.

Direct processing of personal identifiable data:

No. Scottish Government has no access to the data.

Scottish Government and Ministers may receive aggregated statistics on uptake and efficacy of the app, as well as aggregated statistical data for planning the response to COVID at regional (Scotland) level.

Data Protection Role:

Lead data controller as per the duty of Scottish Ministers to protect public health (The Public Health etc. (Scotland) Act 2008 Section 1)

Public Health Scotland (PHS)

Public Health Scotland is the organisation responsible for public health matters in Scotland.

Scottish Government, through its Directorate for Population Health and the Chief Medical Officer, works closely with Public Health Scotland, to ensure the appropriateness of the app for helping the public keep up to date with the latest advice on the COVID-19 pandemic, but also for planning services and resources, so they are directed to areas of highest risk. Epidemiologists, among other experts, are involved in the assessment of the effectiveness of the app for the broad public health purpose.

Decisions over the app:

Advisory to SG on the potential efficacy of the app for making public health decisions and about COVID-19 measures.

Decides on sharing data with the app (mobile numbers collected in the CMS).

They have appointed NSS to manage the National Contact Tracing Centre (NCTC) on their behalf.

Direct processing of personal identifiable data:

No.

Data Protection Role:

Controller

  • PHS have a common objective with the Scottish Government regarding the use of the app for public health purposes
  • PHS are responsible for the same set of personal data used by the app as Scottish Government
  • They have common IG rules with the other data controllers (NHS Scotland IG rules)

NES Digital Service (NDS) (part of NHS Education for Scotland (NES))

NES is a data processor commissioned by the Scottish Government to manage the digital infrastructure required for the app through their Digital Service, in particular, to provide the AWS account for hosting the app backend and to upload the app to the Google Play Store and the Apple app Store.

Since NHS Education for Scotland provides various services unrelated to the app, we refer to their engagement as a data processor for the app in this privacy notice as NES Digital Service (NDS).

NHS Education for Scotland is the legal entity.

Decisions over the app:

NES makes some decisions on how data is processed, but implements these decisions under a contract with the Scottish Government as the commissioner.

NES subcontracts Amazon Web Services (AWS).

NES owns the AWS account that is being used to host the app backend that provides the centralised data processing.

NES also owns the Google Play Store and Apple app Store accounts that will be used to upload the Protect Scotland app to these stores. NES will upload the app; no other organisation will be provided with access to the accounts.

Direct processing of personal identifiable data:

No. NES only has indirect access for the provision of infrastructure services through Amazon Web Services (subcontractor).

Data Protection Role:

Data processor

  • Follows instructions from the Scottish Government
  • Is told about what data should be processed in the app Backend infrastructure
  • Doesn't decide what data to collect, legal basis, purposes, or data sharing
  • NES does not benefit from the processing of the data used by the app

NearForm

NearForm is the organisation responsible for developing the app, as well as designing the architecture and delivering essential components (e.g. SMS code integration).

Decisions over the app:

NearForm develops the code for the app and provides some technical support, and therefore makes some decisions on how data is processed and what data is needed to make the code work, but does not decide on the purpose of the app or the functionality that is required.

NearForm develops the code and provides support under contract with NHS National Services Scotland on behalf of the Scottish Government.

Direct processing of personal identifiable data:

No. NearForm may have indirect access to anonymous data if required for the provision of app technical support services.

NearForm will also produce an aggregated SMS failure report; however, no personal identifiable data is accessed to produce this report, only SMS failure notifications.

Data Protection Role:

Data processor

Amazon Web Services (AWS)

NES have contracted Amazon Web Services (AWS) to provide cloud services. AWS provide and maintain the cloud infrastructure, including the network and operating systems to run the infrastructure and the associated services.

AWS does not have access to the NES AWS account being used to host the app backend, and therefore does not have access to any data processed.

Decisions over the app:

No decisions over the app. AWS only makes decisions over their cloud infrastructure.

Direct processing of personal identifiable data:

No. Management of the cloud infrastructure that holds only anonymous data.

Data Protection Role:

Data processor

NHS National Services Scotland (NHS NSS)

NHS NSS is the organisation responsible for the National Contact Tracing Centre, on behalf of Public Health Scotland. They operate the Case Management System, which shares data (mobile numbers of people with a positive result) with the app.

NHS NSS also manages the contract with NearForm and the contractual relationship with app Users (Terms and Conditions) of the app on behalf of the Scottish Government.

Decisions over the app:

Joint decision (with PHS) on sharing data with the app backend (mobile numbers collected in the CMS and relevant data for self-isolation notification).

Triggers the automated process to send the SMS to people who tested positive.

NSS receives data from the app to confirm that an SMS has been sent to the user or an error code has been returned.

Direct processing of personal identifiable data:

Yes. NSS is the source of mobile numbers and relevant dates for self-isolation advice (e.g. date of last test or date of first symptoms).

NSS receives "SMS Job reference" data (anonymous) for reconciliation purposes.

NSS receives anonymous metrics to provide intelligence services to the Scottish Government and Public Health Scotland needed for planning the COVID response.

Data Protection Role:

Controller

  • NSS has a common objective (contact tracing) with the Scottish Government and PHS
  • NSS processes data (mobile numbers and test results) for the same purposes as the other data controllers
  • Uses common NHS Scotland IG rules, as do the other data controllers

Gov.UK Notify service (UK Government)

The Cabinet Office acts as a data processor for Gov.uk Notify. This service is used to send secure SMS notifications.

GOV.UK Notify is built for the needs of government services. It has processes in place to protect user data.

On Notify, SMS are encrypted.

The Notify team has Security Check (SC) level clearance from United Kingdom Security Vetting (UKSV).

Decisions over the app:

Gov.UK Notify does not make any decision over the app but interacts with the app in order to send SMS messages.

Direct processing of personal identifiable data:

Yes. Gov.UK receives SMS requests from the app backend, which include the mobile number, the Test Code and the date of the test.

Gov.UK verifies the mobile number and delivers the encrypted SMS to the app user's mobile phone.

Gov.UK also notifies the app backend of SMS messages that have not been delivered due to failure during the verification process.

Data is only held for 72 hours in order to ensure the SMS text messages are sent.

Data Protection Role:

Data Processor

For more information about the data controllers and how to contact them, please refer to the Privacy Notice.


Glossary

app Backend - is the part of the app that is not in your phone. This is managed by NES Digital Services on behalf of Scottish Government. The app Backend is hosted within the Amazon Web Services computers.

Bluetooth IDs (ids) refer to Identifier Beacons.

Identifier Beacons, ‘Random IDs’ or ‘anonymous rolling identifiers’: these are random numbers used by the Google and Apple Exposure Notification Service.

AWS (Amazon Web Services) is a cloud computing platform provided by Amazon. It provides cloud infrastructure for the app.

CE marking is a certification mark that indicates conformity with health, safety and environmental protection standards for products sold within the European Economic Area.

CMS refers to the NHS Scotland National Contact Tracing Centre’s Case Management System.

ENS is the Exposure Notification Service.

GAENS is the Google and Apple Exposure Notification Service.

MHRA is the Medicines and Healthcare Products Regulatory Agency.

NDS, also referred to as NES Digital Service, is part of NHS Education for Scotland (NES). They provide digital infrastructure services for the app on behalf of the data controllers. NHS Education for Scotland is the legal entity as Data Processor.

Random IDs refer to Identifier Beacons.

Anonymous Rolling Identifiers refer to Identifier Beacons.

SMS (Short Message Service) is a text messaging service used by most mobile devices. It uses standardised communication protocols to enable mobile devices, apps and other information systems to exchange short text messages.

Help stop the virus. Download the app today.

By voluntarily choosing to use the Protect Scotland app, alongside existing public health and contact tracing measures, you can help to stop the spread of the virus in Scotland.

Help family members to download the app, encourage your colleagues to use it and share it with friends.

If we all play our part, we can all help protect ourselves, our families and Scotland against coronavirus.