PRIVACY NOTICE – COVIDCert Check NI ‘Verifier app’
The Verifier app has been developed by the Department of Health (DoH) to enable ‘Verifiers’ to certify a member of the public’s Covid Status. It will be used by Verifiers where the Northern Ireland Executive has decided that it is in the public interest to permit only those persons who possess evidence of being fully vaccinated against COVID-19 to be present on the Verifier’s premises, to minimise as far as possible the risk of transmission of the virus which causes COVID-19.
This privacy notice has been drafted in line with UK GDPR. Although personal data is not being processed by the Department of Health (DoH) in relation to this app, this privacy notice has been drafted to ensure transparency and to maximise the public’s confidence in the app.
Each Verifier who uses the NI Verifier app is required to have their own privacy notice and they should make these privacy notices available to the public. A template for these can be found on the ICO website – make your own privacy notice.
The Verifier app has been developed by the Department of Health (‘DoH’, ‘we’, ‘our’) and DoH has overall responsibility for the functionality and delivery of the Verifier app. It will be delivered by the Digital Health and Care NI (DHCNI) team on behalf of the DoH.
This privacy notice applies to the NI Verifier app only. There is a separate privacy notice that applies to the processing carried out as part of the Covid Certification Service (CCS) and related COVIDCert NI Cert App, which explains how your data is processed when you choose to use the Service to certify your Covid status. The Verifier App relies on your Covid Certification being in place and therefore, if you choose to use the Verifier App, we recommend that you read both Privacy Notices to fully understand how your data is processed end to end. The Department will not process any personal data in relation to the Verifier App. Users of the Verifier App will temporarily process your data for the purposes of verifying your Covid status (as explained below).
3. What is the purpose of the NI Verifier app?
The purpose of the NI Verifier app is to allow the device onto which the Verifier app is downloaded to scan and read a COVID Pass 2D barcode produced by the Covid Certification Service (CCS) for a member of the public. The 2D barcode contains information associated with the service user’s digital “COVID Pass”.
This helps users of the NI Verifier app to confirm a citizen’s Covid status for the purposes of international travel, or entry into events and venues.
The Verifier app is only designed for use in conjunction with the CCS and must not be used for any other purpose.
Note: The NI Verifier app is not the same as the COVIDCert Check NI app or the Contact Tracing service.
4. What does the NI Verifier app do?
The NI Verifier app allows the Verifier to scan a COVID Pass 2D barcode, displayed by a member of the public from their Covid Certificate, either via the 2D barcode available on the COVIDCert Check NI app, or via a hard copy Covid Certificate, to show their COVID Pass status.
5. How does the NI Verifier service work?
The scanning device for the 2D barcode is known as the NI Verifier app and is downloaded as an app to a mobile device from the Apple Play Store or Google Play in order to verify COVID certificates. Secure paper vaccination certificates can also be scanned by the NI Verifier app.
The NI Verifier app reads 2D barcodes that are presented to it and allows the Verifier to check the validity of the 2D barcode.
The scanner or verifier views the information contained in the 2D barcode by using the camera on the phone of the NI Verifier operator. Once the 2D barcode is successfully scanned, a number of results will be returned. These remain on screen for a maximum of 10 seconds:
- For domestic use, scanning a 2D barcode generated for domestic use and events using the NI Verifier app will generate a green screen for a “valid” certification status (Fig.1) or a red screen for an “invalid” certification status (Fig.2). Scanning a paper certificate presented by a citizen will result in a yellow check screen on the Verifier App status screen (Fig.3). There is no further opportunity to see any further details as a result of that scan.
- For international travel, scanning a 2D barcode generated for travel use using the NI Verifier app will generate a teal blue “valid” screen and request the user to check the citizen’s identification. A red “invalid for travel” screen will be shown if it doesn’t satisfy the NI vaccination travel rules.
In terms of architecture, the Verifier mobile scanner application utilises “Visual Studio App Centre” to log metrics of all different builds and versions of the scanner application. The anonymous analytics of app operation are securely sent to Azure App Insights. No personal data is processed.
6. The Personal Data we collect and how it is used
Updating permissions are used to securely store the public keys that are used to verify that a 2D barcode has been signed by a trusted authority. These permissions are not used to store any data related to the user or app usage. The storage where public keys are stored does not hold any personal data.
Public keys are readily available to be downloaded at https://hsccvsprodstoragepkblob.blob.core.windows.net/pubkeys/keys.json.
The internet is only used within the NI Verifier app to obtain the public keys needed to verify the 2D barcodes. For domestic use, a real time automated lookup is performed by the app against the COVIDCert NI system to check whether you have a valid status against your vaccine certificate. This app does not provide the user of the verifier app any form of access to data stored in the CCS.
Upon clicking the “Scan QR code” button on the landing screen, the NI Verifier app user, the Verifier, is asked to “Give permission” to the application to use the camera. If the user denies these permissions, a screen will appear specifying that the permissions are required to proceed to the verifier. If the user grants these permissions, the app will proceed to the verifier. The user will not be able to use the NI Verifier app without the camera permission enabled.
File usage: when an NI Verifier app user downloads the application, they have explicitly given permission for file usage within the application. However, file usage is only used to store public keys in secure external storage, which then allows the application to verify 2D barcodes from a trusted authority. The usage permission is not used to store any data related to the NI Verifier app user’s personal data or application usage.
Public Keys are a set of numeric characters that are used to decrypt a code, referring to the 2D barcode on the certificates in this context.
7. How will my information be shared?
No onward sharing of personal information is available from the NI Verifier app.
8. The lawful basis for processing personal data on the NI Verifier app
The Northern Ireland Executive has legislated in the Health Protection (Coronavirus, Restrictions)(No.4) Regulations (Northern Ireland) 2021 that it is in the public interest to permit only those persons who possess evidence of, inter alia, being fully vaccinated against COVID-19 to be present on the Verifier’s premises to minimise as far as possible the risk of transmission of the virus which causes COVID-19.
The Verifier app may be used to verify a citizen’s covid vaccine status. This privacy notice has been drafted in line with UK GDPR. Although personal data is not being processed by the Department in relation to this app, this privacy notice has been drafted to ensure transparency and to maximise the public’s confidence in the app.
Each Venue that uses the NI Verifier app is required to have their own privacy notice. A template for these can be found on the ICO website – make your own privacy notice.
The NI Verifier app processes a citizen’s COVID Certification Service status to establish whether the citizen may or may not enter the Verifier’s premises. It is likely that in doing so a Verifier will process your data under UK GDPR:
- Article 6(1)(c) – processing is necessary for compliance with a legal obligation to which the controller is subject.
- Article 6(1)(e) – your data is processed as part of our public task.
- Article 9(2)(g) – the processing is necessary for reasons of substantial public interest.
- Article 9(2)(i) – the processing is necessary for reasons of public interest in the area of public health.
While the Verifier will not have access to any special category data, special category data may be inferred by confirmation of Covid Certification, i.e. the Verifier will know that the person wishing to access their premises meets the relevant criteria and may be, for example, vaccinated. Guidance on UK GDPR is available from the ICO website.
9. How long do we keep personal data?
NI Verifier app user’s personal data is not retained. However, public keys are downloaded and kept indefinitely to support offline usage. Public keys are not taken from the certificates scanned, but are a list downloaded in advance to determine trusted signed certificates.
10. Personal data storage
NI Verifier app user’s personal data is not retained. The information scanned on the 2D barcode is not stored on the Verifier’s device.
11. Your rights as a data subject
UK GDPR Rights are fully engaged; please see section 7. Rights in relation to the Covid Certification Service (CCS) are set out in the CCS PN, and your rights regarding the processing carried out by users of the Verifier App (‘Verifiers’) should be set out in their Privacy Notices.
12. Data security
No data is held, or retained, within the NI Verifier app, so data security does not engage.
SSL Pinning is used for associating a host with the public key. Public keys are stored in device secure storage.
Screenshot prevention is enabled in Android. iOS users will be shown the following warning when trying to screenshot their Verifier App status screen:
13. Changes to this privacy notice
We keep our privacy notice under regular review, and we will make new versions available on our privacy notice page on the HSC COVID-19 NI website. This privacy notice was last updated on 19 Nov 2021.
14. Data Controller
The DoH are responsible for the technical functioning of the App via the DHCNI Team. If there are technical issues experienced by Verifier App users (Verifiers) they should contact firstname.lastname@example.org.
Those who use the NI Verifier app will be data controllers in regards to their use of the app. Please see their Privacy Notices for relevant information and contact details.
15. Data Controller
If you wish to make a formal complaint about the processing of your personal data you can contact the Information Commissioner at:
Information Commissioner’s Office (ICO)
Telephone: 0303 123 1113
Fax: 01625 524510
Visit the ICO website.