COVIDCert NI – Easy Read Privacy Information

This may be used when required, for example if you wish to travel to a country that requires you to produce a Covid Certificate to gain entry to that country. To enable you to do this to the standards set by the European Union (EU), the Department of Health, through the Digital Health and Care NI (DHCNI) team, have developed and delivered the COVID Certification Service (CCS) and associated mobile COVIDCERTNI App (App).

People can now apply for a digital or paper-based vaccination/recovery to travel abroad, or to use to access other events/venues if required locally.

This takes the workload off GPs and healthcare organisations to manage requests for proof of immunisation and test information. This means they have more time to care directly for patients and those in greatest need.

The CCS and app help people in two ways:

• For people who want to travel abroad to share their immunity status and/or testing to enter countries they are travelling to.
• To prove they have recovered from COVID-19 and have a PCR test result to prove their status

There are also organisations, called Data Processors, who the Data Controllers allow to use your data to process and produce the COVID certificate, COVID app and recovery certificate.

These processors are not allowed to use, store, or share your data with anyone else. These processing organisations process your personal data for the following purposes:

• Civica – will process your data to perform a citizen data match to verify against the Vaccine Management System (VMS) and/ or Central Test Registry (CTR) records and process the certification generation request.
• Kainos – process data as part of processing operations for the VMS and will provide the citizen vaccination/booster data that is part of VMS, to be used by Civica in CCS to match against the user entered information.
• Department of Finance, NI Direct/ NIDA – NI Direct will process your data as part of the identity checking service they provide for citizens – ‘The NICS Identity Assurance service (NIDA)’. Use of NIDA along with the SureCert Service delivered by NI Direct provides a real-time ID and Biometric identity checking service, to enable citizens to prove their identity to access government services.  This will be the first part of the process where you will add your identity details, which will be verified here and then sent to HSC for the above matching and checks to be performed before a certificate is requested for you. NI Direct will also process your data if you contact the Covid Care call centre for assistance regarding CCS. NI Direct will also capture your data in the COVIDCert call centre for citizens to apply for recovery based COVIDCerts
• Surecert – will provide proof of identity based on the data/information you provide during the registration process. Surecert uses Experian data to perform a soft search to confirm you name, address and date of birth. This soft search has no impact on your credit rating.
• HH Global – will process your data to print your secure certificate.
• Ernst & Young (EY) – will provide a team to conduct manual matching where the CCS cannot do this automatically and to maintain the certificate generation volumes. The data you provide in applying for your Covid Certificate may be used by EY to ensure the quality of your data in the the VMS is accurate and up to date. In carrying out data quality checks EY will process your data utilising the Northern Ireland Health Analytics platform (NIHAP). The NIHAP platform is a data storage platform hosted on the public health information platform and jointly co-ordinated by Digital Health Care Northern Ireland (DHCNI) and the PHA. Data stored within CCS may also be analysed by EY to identify covid certification fraud.
• Business Services Organisation (BSO) – is a statutory organisation that works on behalf of DOH and the PHA to provide the CCS access to citizen’s COVID-19 PCR test data stored in the Central Test Registry to process a Recovery Certificate.
• Belfast Health and Social Care Trust (BHSCT) hosts the CCS data and application on their infrastructure.

Once we have identified you, we can then check your vaccine or PCR test record and match these with the information you provide as part of the identity checks you will complete on NIDA. Matching your identity to your vaccine/recovery records allows us to deliver a digital certificate/recovery on the app or a printed version for those people who are unable to use the mobile app.

The data we collect includes your personal details (or your children under 18 if you are applying on their behalf) and intended travel details if you are travelling abroad.

If you use the COVID Certification Service and app to get a certificate for travel for yourself or your dependents under the age of 18, you will be asked to provide only the information we need to arrange that certificate(s) for the desired date of travel. People aged 16 and over may apply for a certificate themselves if they satisfy the NIDirect identity check requirements. Under-16s can also download the CCS app to store their Covid Certification on their mobile phone. They will need to download the app to their mobile phone, then scan the QR code available from their parents Covid Cert app.

Personal details collected for all travel and recovery certificates include:

• Full Name
• Date of Birth
• Postcode
• Health and Care Number (HCN)
• Mobile Number (this optional on NIDA)

For Vaccine Certificates we may ask for:

• Vaccination Centre (Optional; in case of other data mismatch)

If you are travelling abroad, we also need to collect your:

• Date of Travel
• Country of Travel

If you are trying to get a recovery certificate we need to know:

• Your PCR test date and type

Remember, the CCS, app and recovery processes will never:

• Share any personal or health/medical information provided by you to anyone other than your GP practice patient record system.
• Ask you to dial a premium rate number (for example, those starting 09 or 087) to speak to us.
• Ask you to make any form of payment or purchase a product of any kind.
• Ask for any details about your bank account.
• Ask for your social media identities or login details, or those of your contacts.
• Ask for any passwords or PINs or ask you to set up any passwords or PINs over the phone.
• Ask you to download any software to your PC or ask you to hand over control of your PC, smartphone, or tablet to anyone else.
• Ask you to access any website or smartphone application that does not belong to the Government, or HSC.

Your data is processed for CCS as part of our public task under UK GDPR Article 6(1)(e))[1].

The Dept of Health and the PHA have a statutory duty to protect the health of the people in NI. This follows their duties under the Health and Social Care (Reform) Act (Northern Ireland) 2009., which include promoting a system that protects the physical and mental health of people in NI and helping to prevent, diagnose, and treat illness such as COVID-19. The PHA has a role to improve and deliver health protection to the people of NI using appropriate healthcare data.

Because the CCS provides a range of digital and non-digital services to help people to prove their COVID status, which would be considered health related data, we are also required to meet the following UK GDPR and Data Protection Act conditions:

UK GDPR laws we must follow are:

• UK GDPR Article 9(2)(h) – the processing is necessary for medical diagnosis, the provision of health treatment and management of a health and social care system.
• UK GDPR Article 9(2)(i) – the processing is necessary for reasons of public interest in public health.

Data Protection laws we must follow are:

• Data Protection Act 2018 Schedule 1, Part 1 (2) – Health or Social Care Purposes
• Data Protection Act 2018 – Schedule 1, Part 1 (3) – reasons of public interest in public health

[1] This refers to the processing that is necessary for the performance of the official tasks carried out in the public interest.

This includes protecting your data against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate means.

The CCS app asks your permission to use the camera functionality on your phone to capture a ‘selfie photo’. The photo is stored on your phone only. It does this to allow it to be displayed on your phone, sometimes called a QR code, to show on the phone screen display. The app does not share your sensitive photo information with anyone, and it remains locked on the phone. Your photo is deleted when you uninstall the app.

If you have an older android device, when you chose to download a PDF version of your certificate you may be asked for access to your device’s file storage to download your COVID Certificate Service PDF documents. Files that you choose to download will then be stored on your device.

If you are applying for a travel certificate for your children under 18, we use that data to generate their certificates.

Depending on the certification type you need the CCS receives data directly from the:

• Information you provided when booking your appointment and when attending for your vaccination, from the Vaccine Management System (VMS). The data we collect from the VMS about you includes:

• • Number of doses you have had
  • Your vaccination date(s)
  • The vaccination manufacturer you received i.e., AstraZeneca
  • The disease targeted – in this case COVID-19
  • The vaccine product used
  • Vaccine prophylaxis – meaning you were given an injection to help prevent COVID-19
  • The vaccination batch number
  • The place where you were vaccinated

• Data you enter onto the NIDA/Surecert portal for the purpose of identity verification when you access the portal on NI Direct to prove your identity

• For recovery we use personal data shared from the Central Test Registry (CTR) owned by the PHA but delivered by the BSO, to certify recovery within the CCS which includes your:

• • PCR test date and test type

Separately, you may choose to share your Covid Certification data as part of verification requirements for access to travel, or to gain entry to certain events, or hospitality premises.

Where a tour operator, organisation, or business needs to verify your Covid Status, they can use the separate COVIDCert NI Verifier App, which the Digital Health and Care NI team have developed and made available for the purposes of enabling your Covid Certificate to be scanned by an organisation who needs to verify your Covid Status.  They will use the Verifier App to scan your 2D Barcode on your Covid Cert App, or paper copy certificate.

Organisations who use the Verifier App will be the data controllers for that processing and should provide you with separate privacy notices to explain how they use your data.  The Department will not process any of your personal data on the COVIDCert NI Verifier App, however in the spirit of openness the Department has published a Privacy Notice, which explains how the App works, using minimal data and secure ways to ensure your data and privacy are protected and  to ensure public trust in the use of the App.

If there is a query, issue, or complaint about your application then we may need to retain the relevant emails and any document copies you supplied for up to 30 days to ensure we can resolve the issue. Those emails and your documents are deleted once the issue has been sorted out. These records will be retained for seven years (the current year plus six financial years).

• Your vaccine record on the CCS data store is retained for a day.
• We will only keep the record of you being issued a vaccine certificate in the CSS for a maximum of up to a 1 year after the date of travel/certificate issue.
• The record of your recovery certificate is kept in the CCS for 180 days from the date of your PCR test.
• Your data sent to the secure printers (HH Global) for provision of a paper certificate is retained for 30 days.

This may remain under review depending how long the pandemic lasts if the virus recovery period changes or if the NI government changes the law.

1. Your right to be informed

You are provided with information about the collection and use of your personal data for the CCS, including what personal data is collected, the purposes for collecting, retention periods and potential sharing of data, as part of this privacy notice.

1. Your right of access

You can ask for copies of the information that we hold about you.  You can contact the respective DPO as provided in Section 13 of this document.

1. Your right to rectification

You can ask to have inaccurate personal data corrected or completed if it is incomplete.  You can contact the respective DPO as provided in Section 13 of this document.

1. Your right to be forgotten

GDPR introduced a right for individuals to have personal data erased/ deleted (‘the right to be forgotten’), however the right is not absolute and only applies in certain circumstances, which do not include when processing is carried out under ‘public task’, which is the lawful basis under which the CCS processes data. However, the CCS will consider requests for erasure of data when received from individuals for their own data, or data related to their deceased relatives (where they have the authority to make such requests).   You should be aware that if you request your data to be deleted from CCS you will no longer be able to retrieve, access or update your Covid Status Certificates.  If you wish to receive certificates in the future, you will need to reapply to the CCS and go through the full application process again. Once requested your detailed will be deleted within one month of the request.

1. Your right to restrict processing

You have the right to request the restriction or suppression of your personal data, however the right is not absolute.

1. Your right to data portability

You can ask the CCS to share your information with another organisation (although this may not always be possible).  This does not apply to CCS.

1. Your right to object

You have the right to object to the processing of your personal data, including when the lawful basis for processing is a public task.  However, this is not an absolute right, and processing can continue if there are legal grounds for the processing, which overrides your interests, rights, and freedoms as an individual.

1. Your rights relating to automated decision-making

You will not be subject to decisions made automatically by technology which may have a legal or significant impact on your rights. The CCS uses computer systems to process personal data for the purposes of matching of people’s records to the vaccination data and eligibility of COVID certificate based on the data on the number of doses received by the citizen.

However, app users can contact our helpline and progress their application manually if any issues are encountered. If you have any questions or concerns, please email us at covidcertni@hscni.net

If you want more detailed information on these rights, this can be found on the ICO website, at: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/