- COVIDCert NI – Privacy Notice
COVIDCert NI – Privacy Notice
PRIVACY NOTICE – THE CCS, COVIDCERT NI APP AND YOUR DATA
As the success of the vaccination programme continues, pressure is increasing to ease restrictions. As international travel resumes, it is assumed that there will be a requirement for travellers to share immunity status and/or testing status as a condition for entry into countries they are travelling to.
As the standards for secure documentation are confirmed by the EU and World Health Organisation (WHO) it has become clear that GPs and HSC Trusts are unable to provide documentation to the required, secure standard. Therefore, solutions that can provide the required assurances to agreed international standards are needed, hence the development of COVID Certification Service (CCS) and associated mobile (COVIDCERT NI) App.
The Department of Health (DoH) and Regional Health and Social Care Board (HSCB) are Joint Data Controllers for the personal information processed in the CCS and mobile App.
- Background – COVID Certification Service
The Department of Health, Health and Social Care Board and Public Health Agency, through the Digital Health and Care NI (DHCNI) team, have worked jointly on the development and delivery of a COVID Certification Service and associated App that, by virtue of vaccination and/or COVID testing, facilitates international travel (meeting EU and WHO requirements). The Department of Finance through NI Direct, as well as other key suppliers, have been employed to help deliver the CSS and COVIDCERT NI App – see below for full list of suppliers in Annex A.
While the initial purpose of the CCS will be to provide certification of vaccination and/ or Covid test results to enable international travel, the CCS has the potential to facilitate access to venues with large gatherings, such as concerts and sporting events, in the future. However, until the NI Executive confirm a policy position on these uses, the CCS will not be developed for purposes outside of international travel. If and when it is intended that the CCS will be developed for other purposes this Privacy Notice will be updated.
This COVID Status Verification requirement may also be put in place by private sector organisations such as airlines, cruise ships and holiday operators to allow access to their services.
There is a growing expectation that other countries will require travellers to share immunisation status and/or testing status as a condition of entry. EU has led on the development of standards. The EU eHealth Network has published an outline of the trust framework required for a Digital Green Certificate infrastructure and has prepared technical specifications for the mutual recognition and interoperability of vaccination, test and recovery certificates.
Finally, the CCS solution protects Health Service, such as GPs, from being burdened with requests for details of immunisation and test data.
The scope of the CCS covers the web front-end, a mobile app and paper- based solutions for people to obtain trusted, and internationally accepted COVID status certification for use in international travel settings. These will be based on global standards and the emerging work of the EU and WHO. The first solution provided via the CCS is a UK format for a paper certificate (meeting EU / WHO specification), which has been agreed between all UK regions.
- Why are you processing my personal information?
The CCS and COVIDCERT NI App products have been developed by an existing DHCNI software partner Civica, who are a data processor for the CCS. There are also other data processors working under instruction of the data controllers for the CCS, who will process your personal data for the following purposes:
- Civica- will process your data to perform a citizen data match to verify against the Vaccine Management System (VMS) and/ or Central Test Registry (CTR) records and process the certification generation request. (Requests will be prioritised by Civica on the basis of the date you are travelling on, in order to ensure everyone can receive a certificate on time for them to travel).
- Kainos process data as part of processing operations for the VMS and will provide the citizen vaccination data that is part of VMS, to be used by Civica in CCS to match against the user entered information.
- Department of Finance – NI Direct will process your data as part of the identity checking service they provide for citizens – ‘The NICS Identity Assurance service (NIDA)’. Use of NIDA along with the SureCert Service delivered by NI Direct provides a real-time ID and Biometric identity checking service, to enable citizens to prove their identity to access government services. This will be the first part of the process where you will add your identity details, which will be verified here and then sent to HSC for the above matching and checks to be performed before a certificate is requested for you. Nidirect’s may process your data if you contact the Covid Care call centre for assistance regarding CCS.
- HSCB staff, supported by a small, temporary team of EY resources are conducting manual matching where the CCS cannot do this automatically and to maintain the certificate generation volumes.
- HH Global will process your data in order to print your secure certificate.
- Belfast Health and Social Care Trust (BHSCT) is a statutory organisation providing services as a processor for HSCB. BHSCT host the CCS application on their infrastructure. Their services are managed via appropriate agreements with HSCB.
Further details about the data processors have been added at Annex A.
- What information is collected?
If you use the CCS, data is collated in line with the eHealth Network JSON Technical specification guidelines for EU digital COVID certificates. If you use the COVID Certification Service and app to procure a certificate for travel, you will be asked to provide only the information we need to arrange that certificate for the desired date of travel.
The data collected by the CCS will include your personal details and intended travel details. Personal details are collected to match your details against the vaccination records included as part of the VMS, and/or test records as part of the CTR.
Personal details collected include:
- Full Name
- Date of Birth
- Health and Care Number (HCN)
- Mobile Number
- Vaccination Centre (Optional; in case of other data mismatch)
Intended travel details
- Date of Travel
- Country of Travel
Please note that the COVID Certification Service (CCS) will never:
- Disclose any personal or health/medical information provided by you to anyone other than your GP practice patient record system.
- Ask you to dial a premium rate number (for example, those starting 09 or 087) to speak to us.
- Ask you to make any form of payment or purchase a product of any kind.
- Ask for any details about your bank account.
- Ask for your social media identities or login details, or those of your contacts.
- Ask for any passwords or PINs, or ask you to set up any passwords or PINs over the phone.
- Ask you to download any software to your PC or ask you to hand over control of your PC, smartphone or tablet to anyone else.
- Ask you to access any website or smartphone application that does not belong to the Government, or HSC.
- The lawful basis for processing your personal information
We process your personal information according to the UK General Data Protection Regulation and the Data Protection Act 2018, which will be referred to as Data Protection legislation. Your data is processed for CCS as part of our public task (in line with UK GDPR Article 6(1)(e)).
In line with the HSCB and Dept of Health statutory duty, as stated in the Health and Social Care (Reform) Act (Northern Ireland) 2009, which sets out the functions of the HSCB, including that:
- The Regional Board shall exercise on behalf of the Department— (b)such other functions of the Department (including functions imposed under an order of any court) with respect to the administration of health and social care as the Department may direct.
And DoH which include:
- Section 2(1) the duty to promote in Northern Ireland an integrated system of health care designed to secure improvement in the physical and mental health of people in Northern Ireland and in the prevention, diagnosis and treatment of illness, and
- Section 2(3)(g) the duty to secure the commissioning and development of programmes and initiatives conducive to the improvement of the health and social well-being of people in Northern Ireland, and
- •Section 3(1)(b) the power to provide, or secure provision of, such health and social care as it considers appropriate for the purpose of discharging its duty under section 2; and do anything which is calculated to facilitate, or is conducive or incidental to, the discharge of that duty.
Some of the data processed relates to health data which is described as ‘special category data’. In relation to that processing, the following UK GDPR conditions apply:
- Article 9(2)(h) – the processing is necessary for medical diagnosis, the provision of health treatment and management of a health and social care system.
- Article 9(2)(i) – the processing is necessary for reasons of public interest in the area of public health.
- Article 9(2)(g) – the processing is necessary for reasons of substantial public interest.
- Data Protection Act 2018 Schedule 1, Part 1 (2) – Health or Social Care Purposes
- Data Protection Act 2018 – Schedule 1, Part 1 (3) – reasons of public interest in the area of public health
- Data Protection Act 2018 – Schedule 1, Part 1 (4) – reasons of public interest in the area of public health research
- Data Protection Act 2018 – Schedule 1, Part 2 (6) para (1) – for reasons of substantial public interest.
- How will my data be processed?
Your data will be processed in line with data protection legislation requirements and in a manner that ensures appropriate security of your personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures. No use of the camera functionality or storing of sensitive photo information will be utilised by the app.
- Do I need to give my consent?
While you will voluntarily choose to use the CCS service and/or the associated App, we do not process your data on the basis of consent in relation to data protection legislation (see section 5).
- Where do you get my personal data from?
Much of the data we use will have been provided directly by you when you book your COVID-19 vaccination appointments, or when you have booked a test, (or by someone who booked these on your behalf).
The COVID Certification Service will receive data directly from:
- Information you provided when booking your appointment and when attending for your vaccination, from the Vaccine Management System (VMS)
- Data you enter onto the NIDA/Surecert portal for the purpose of identity verification, when you access the portal on NI Direct to prove your identity.
- In subsequent CCS releases information that you provided for COVID testing purposes which is collected as part of Central Test Registry (CTR) may also be used.
- Do you share my personal data with anyone else?
We may share your data with organisations who carry out functions on our behalf as ‘data processors’, in relation to the CCS. Details of the data processors has been added in Annex A.
- Do you transfer my personal data to other countries?
No. Your data will be processed within the UK.
- How long do you keep my personal data?
We will only retain your data for as long as necessary, in line with our Retention and Disposal Schedule (Good Management, Good Records).
We will only keep the record of you being issued a vaccine certificate in the CSS for a maximum of 1 year after the date of travel. Your vaccine record on the data cache is retained for a day. Your data sent to the secure printers is retained for 30 days.
- What rights do I have?
The GDPR sets out the 8 rights that individuals have in respect of their data. These have been considered in respect of the NI COVID Certification Service as follows:
- The right to be informed
Individuals are provided with information about the collection and use of their personal data for the CCS, including what personal data is collected, the purposes for collecting, retention periods and potential sharing of data, as part of this privacy notice.
- Right of access
Individuals can ask for copies of the information that we hold about them. Individuals can contact the respective DPO as provided in Section 13 of this document.
- Right to rectification
Individuals can ask to have inaccurate personal data corrected or completed if it is incomplete. Individuals can contact the respective DPO as provided in Section 13 of this document.
- Right to erasure
GDPR introduced a right for individuals to have personal data erased (‘the right to be forgotten’), however the right is not absolute and only applies in certain circumstances.
- Right to restrict processing
Individuals have the right to request the restriction or suppression of their personal data, however the right is not absolute. While individuals can request that CCS stops processing their data, data will be held as set out in number ‘d’ above.
- Right to data portability
Individuals can ask CCS to share their information with another organisation (although this may not always be possible).
- Right to object
Individuals have the right to object to the processing of their personal data, including when the lawful basis for processing is public task. However, this is not an absolute right, and processing can continue if there are compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual.
- Rights relating to automated decision-making
Individuals will not be subject to solely automated decisions which may have a legal or significant impact on their rights. CCS uses computer systems to process personal data for the purposes of matching of citizen records to the vaccination data and eligibility of COVID certificate based on the data on the number of doses received by the citizen (this is further elaborated in Sections 3 and 4 of this document). However, app users can contact our helpline and progress their application manually if any issues are encountered. If you have any questions or concerns, please email us at firstname.lastname@example.org
If you want more detailed information on these rights, this can be found on the ICO website, at: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/
- How do I complain if I am not happy?
If you have a specific issue, or complaint, regarding the CCS and the COVIDCERT NI App, please contact – DPO@health-ni.gov.uk
If you have a specific issue, or query regarding your vaccine data from the Vaccine Management System, or a complaint in relation to the processing of this data, please contact – DPO.HSCB@hscni.net
If you have a specific issue, or query regarding your test data from the Central Test Registry, or a complaint in relation to the processing of this data, please contact – DPO.PHA@hscni.net
If you are still not happy, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO). Should you have any concerns about how your data has been handled or remain dissatisfied with any response regarding the processing of your personal data, you can raise these concerns with the ICO, as follows:
Information Commissioner’s Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK0 5AF
Tel: 0303 123 1113
- Changes to this Privacy Notice
This Privacy Notice will be kept under regular review and any updated versions will be placed on our website.
- Useful links
Users can also refer to the following links for further information:
Vaccine Management System PN https://covid-19.hscni.net/vaccine-service-privacy-notice/
NIDA Privacy Notice https://www.nidirect.gov.uk/articles/nidirect-web-service-privacy-notice
All data processors are appointed under Data Processors Agreements in compliance with Article 28 of the UK GDPR, either via UK GDPR compliant contracts, or MoUs.
Under the terms of these arrangements HSCB is the data controller responsible for assessing that all processors listed below, except DoF/ESS, are competent to process personal data in line with UK GDPR requirements. DoH is responsible for assessing that DoF/ESS are competent to process data in line with UK GDPR requirements under these arrangements. This assessment will consider the nature of the processing and the risks to the data subjects.
Under Article 28(1) HSCB will ensure that only processors that can provide “sufficient guarantees” (in terms of its expert knowledge, resources, and reliability) to implement appropriate technical and organisational measures to ensure the processing complies with the UK GDPR and protects the rights of individuals. DoH will ensure the same in regard to DoF/ESS.
Contracts or Memorandum of Understanding (MoUs) will be in place to govern relationships with the data processors, which set out the obligations of each party and the data controllers’ obligations and rights regarding the data that is being processed. All contracts adhere to established BSO Procurement and Logistics Services (PaLs) processes and legal input provided by BSO Department of Legal Services (DLS).
All data processing takes place within the UK area and as such is subject to legislation in the form of the UK – General Data Protection Regulation (GDPR).
The following provides a list of data processors involved in delivery of the system.
- Civica is a system integrator organisation who were chosen to develop the end-to-end CCS platform and are regarded as a processor contracted by the HSCB. Civica will provide support on an ongoing basis to the CCS configuration for the duration of its operation, as part of their contract.
- Kainos will provide the citizen vaccination data that is part of VMS, to be used by Civica in CCS to match against the user entered information and process the COVID certificate request where applicable. Kainos are contracted by HSCB.
- BigMotive is a software development company who were chosen to develop the CCS user interface and are responsible for the configuration of the CCS webforms and are regarded as a processor contracted by HSCB. BigMotive will provide support for user experience (UX) design on an ongoing basis for the duration of the CCS operation, as part of their contract.
- NI Direct/ NIDA – NIdirect is the official government website for Northern Ireland citizens which is run by DoF ESS. NIdirect aims to make it easier to access government information and services. It does this by working closely with Northern Ireland departments and other public bodies to collate key information based on users’ needs. DoH have a MoU in place with DoF/ ESS, which covers provision of these services.
- NICS Identity Assurance service (NIDA) is a service provided by DoF ESS via NI Direct for the purposes of identity verification.This will be leveraged to integrate with the SureCert AI Service to provide real-time ID and Biometric identity checking service. Surecert are contracted by HSCB.
- HH Global – HH Global are a UK government approved (framework CCS RM6170) secure printing organisation who produce NI’s secure printed certificates. Certificate data is sent to HH Global over an encrypted transfer protocol. These certificates incorporate several secure elements around the QR code, bar code and print layouts. These are done in accordance with the Four Nation COVID Certificate letter spec (release 2). HSCB have a contract in place with HH Global for the provision of this service.
- Ernst & Young – EY are providing temporary data SME resources to support the manual matching and edge case workload in support of HSCB staff. EY are contracted by HSCB via G-Cloud.
- Business Services Organisation (BSO) is a statutory organisation providing services as a data processor for HSCB and PHA. BSO are responsible for monitoring and managing all Microsoft contracts as commissioned and monitored by HSCB and PHA. They are responsible for all Civica environments user access and provision of new user hardware (PC and phones). BSO ITS are responsible for the supply and maintenance of user hardware. PHA and HSCB have an overarching SLAs with the BSO for services including ITS. Their services are managed via appropriate agreements with PHA and HSCB.
- Belfast Health and Social Care Trust (BHSCT). BHSCT is a statutory organisation providing VMS services as a processor for HSCB and PHA. BHSCT host the CCS application on their infrastructure. Their services are managed via appropriate agreements with HSCB and PHA.