[Withdrawn] NHS COVID-19 app: our processing of special categories of personal data
Updated 28 March 2023
Applies to England and Wales
As part of the Department of Health and Social Care’s (DHSC, we or us) statutory functions we process special category of data as part of providing the NHS COVID-19 app. Special Category of Data is defined by Article 9 of the General Data Protection Regulations (‘GDPR’) and Schedule 1 of the Data Protection Act 2019 (‘DPA 2018’). We process the special category of data was process in accordance with the requirements set by the law. We do not process any criminal offence data, as defined by this legislation.
You can find our privacy notice and our data protection impact assessment
What special category of data we process (Description of data processed)
Data held only on the app on your phone will include:
-
Data concerning health – such as your COVID-19 test result and your isolation status
-
Venue details held only on your phone, might be indicative of other special categories of data. However, these details are only stored in your app. The summary or count included in the analytical data set does not include these details.
For example, a venue may indicate:
-
Racial or ethnic origin;
-
Political opinions;
-
Religious or philosophical beliefs;
-
Trade union membership;
-
Data concerning a natural person’s sex life or sexual orientation.
-
However, our systems cannot access or process this data we note it here to support transparency.
The central systems that we use to update app users’ processes COVID-19 test results for app users and enables the app to update their status. In order to ensure that the correct results are returned to the correct use we treat this as personal data, though we protect the identity of the app user (through pseudonymisation in GDPR terms) and promptly delete the data from our systems. So, for the central system we process:
- Data concerning health – such as your COVID-19 test result
The analytical data set, submitted every 6-hours, is managed to ensure that app users cannot be identified.
Why we process Special Category data in the Substantial Public Interest (SPI)
We (DHSC) considers that any automated decision making is authorised by law, specifically section 2A of the NHS Act 2006 which permits the Secretary of State to take such steps as he considers appropriate for the purpose of protecting public health.
This is the power that the Secretary of State relies on to authorise the design, implementation and operation of the App by DHSC. We have also sought to implement suitable measures to safeguard the data subject’s rights, freedoms and legitimate interests as would be required. As regards Article 22, we note that any automated decisions based on special categories of personal data shall be processed on the basis of Article 9(2)(g) being processing that is necessary for reasons of substantial public interest, following the conditions in paragraph 6 of Part 2 of Schedule 1 of the Data Protection Act 2018 (Statutory and government purposes).
Our legal basis for processing this special category of data (Schedule 1 DPA (Article 9) basis for processing)
In addition, to We process Special Category data for the following purposes as set out in Part 1 of Schedule 1 of the DPA.
Paragraph 2 – Health or social care purposes
Section 2 conditions which apply
With, as referenced by the DPIA, particular reference to the management of health of care and social care services.
- (f) the management of health care systems or services or social care systems or services.
Paragraph 3 Public health
Conditions which apply
-
(a) is necessary for reasons of public interest in the area of public health, and
-
(b) is carried out—
- (ii) by another person who in the circumstances owes a duty of confidentiality under an enactment or rule of law.
As detailed in the DPIA, this condition is triggered because the objectives of the App include public health planning.
Paragraph 6 Statutory etc. and government purposes
Conditions which apply
-
(1) This condition is met if the processing
-
(a) is necessary for a purpose listed in sub-paragraph (2), and
-
(b) is necessary for reasons of substantial public interest.
-
-
(2) Those purposes are—
-
(a) the exercise of a function conferred on a person by an enactment or rule of law;
-
(b) the exercise of a function of the Crown, a Minister of the Crown or a government department.
-
In particular, as noted in the DPIA, this for the Statutory and government purposes relating to public health and in particular the management of the COVID-19 public health emergency.
How we ensure we comply with the Data Protection principles (Procedures for ensuring compliance with the principles)
Accountability
We have appropriate technical and organisational measures in place to meet our accountability obligations.
-
The Test and Trace programme has a Data Protection Officer who reports directly to our senior management. You can find the details in our privacy notice
-
We have developed and continue to the develop the app in line with the data protection by design and default principles. We provide more detail in our published Data Protection Impact Assessment (DPIA)
-
Our DPIA includes consideration of the risks that arise from processing and the controls we have in place
-
We maintain documentation and records of our processing activities including reviewing them on a regular basis
-
We ensure we have contracts in place with data processors and all our suppliers
-
We ensure we have security measures in place and work with organisations, including the National Cyber Security Centre (NCSC) to routinely review and improve these measures
-
We review all of our controls and measures around accountability regularly, updating, improving and amending them as required
We will:
-
ensure that records are kept of all personal data processing activities, and that these are provided to the Information Commissioner on request
-
maintain our DPIA and Privacy Notice , reviewing in in the light of any changes to the app or processing of data.
-
ensure that our Data Protection Officer is involved in any review of our DPIA and any proposed changes to our processing of personal data
-
make sure our internal processes and controls are robust to ensure data is handled in compliance with our obligations
Principle (a): lawfulness, fairness and transparency
We ensure that we meet our obligations to be lawful, fair and transparent. See above about how we meet our legal obligations under Schedule 1 for special categories of data.
We provide information about why we process personal data in:
-
this document
-
our privacy notice
-
our privacy notice – aimed at young app users (16 to 18 age band)
-
our privacy notice – easy read (a pictogram summary to support access)
You will find information about data, privacy and the app throughout our:
-
comms material, videos and information for the public (privacy is a point touched upon in all)
-
How to guides and other support for app users
-
frequently asked questions
To further support transparency we published our DPIA and the code for the app.
We will ensure:
-
that personal data is only processed where a lawful basis applies, and where processing is lawful;
-
we process personal data fairly, and will clearly set out the purposes of any processing to data subjects;
-
data subjects are provided with privacy information that is clear and transparent
Principle (b): purpose limitation
We will process personal data only for specified, clear and legitimate purposes. We will not process personal data for purposes incompatible with the original purpose it was collected for.
We process special category personal data to:
-
To respond to the COVID-19 emergency, efficacy of the App and services that users interact with.
-
To understand, learn and manage
We set out these purposes in the DPIA, the Privacy Notice and provide specific detail on what data is collected and how is supports these purposes in our DPIA.
-
You can find our DPIA here
-
The most relevant sections are:
i. The introduction
ii. The section Assessment of application of the Privacy and Electronic Communications Regulations 2003 (as amended) (‘PECR’)
iii. The section Public health purposes and value of the app
iv. The DPIA Assessment section 2 Purposes
We are authorised by law to process personal data for these purposes. We ensure that any processing for these purposes is necessary and proportionate for the purpose.
Principle (c): data minimisation
We collect the personal data and data necessary for the relevant purposes and ensure that is not excessive. We have controls and systems in place to minimise both the personal data and data from app users whilst ensuring that the data is adequate to deliver the purposes and services to app users.
We ensure that the information we process is necessary and proportionate. Where personal data, for example IP addresses associated with app users, are provided or obtained by us but is not required we ensure it is promptly erased.
Principle (d): accuracy
We seek to ensure that any personal data is accurate and maintained. As personal data is only directly held on app users’ phone, we ensure that systems are in place to enable the data is accurate and maintained.
Data collected from app users and returned to app users, for example an update of their status, goes through robust systems to ensure the correct results and returned to correct users whilst maintaining their privacy from us and other app users.
Principle (e): storage limitation
We ensure that personal data held on the app users’ phone is only retained for as long as necessary and that this period is aligned with government policy and the latest scientific environment.
Our processes remove identifiers and reduce identification from the data provided to the central system, the analytical data set. We set out the retention for this data in our DPIA.
Please Note: Further clarification on retention is expected as the COVID-19 Public Health emergency changes.
Principle (f): integrity and confidentiality (security)
We hold data on secure systems and work to ensure the app’s security on devices, in conjunction with Apple and Google. We undertake regular checks and are receiving support, oversight and constructive feedback from the NCSC and other Cyber and Information Security (CIS) specialists within the programme and DHSC.
We ensure that our systems have appropriate access controls, audit logs and monitoring. All staff are trained before accessing any data.
We monitor, review and update security issues and risks on a routine basis to ensure that are safeguards are robust and improve with the latest information. For example, with changes to Phone Operating Systems that could impact the app.
Retention and erasure policies
Our retention periods are referenced in the DPIA, and we comply with the broader DHSC retention and erasure polices.
For data held on the app:
-
Test codes which link to a test result – 24 to 48 hours
-
Daily codes used for contact tracing – 14 days
-
Details from QR scans from venue check-ins – 21 days
For the analytical data set we have set the following two retention periods:
-
hold organisations to account is held for 8 years
-
monitor communicable diseases, for example in the COVID-19 Public Health Emergency, are retained for 5 years (if they contain personal data which is not the case in this instance) and 20 years for anonymous data prior to any review
We ensure the DHSC secure computing infrastructure only processes data that has been anonymised once it enters the infrastructure, with the exception of a test code and test results which are destroyed within 24 to 48 hours of test results being received
APD review date
We will review this policy every 3 months, or when there is a substantial review of our DPIA, whichever comes first.