- COVIDCert NI – Easy Read Privacy Notice
COVIDCert NI – Easy Read Privacy Notice
PRIVACY NOTICE – THE CCS, COVIDCERT NI APP AND YOUR DATA
This helps explain how the COVID Certification Status Service (CCS) and COVIDCERT NI App (App) work, what data is collected by the service, and who gets to see it and why.
This Data Protection Information Notice may change. You should check it each time the CCS and app are updated either on the website or on your phone.
- What does the COVID Certification Service do?
Other countries are now requiring travellers to share immunisation status and/or testing status before allowing travellers to enter. The purpose of the CCS is:
- To provide you with a certification of vaccination to enable you to travel internationally.
- To protect the Health Service, such as GPs, from being burdened with requests for details of immunisation and test data.
The CCS may also be used to help give you access to venues with large gatherings, such as concerts and sporting events, in the future.
However, until the Government confirm a policy position on these uses, the CCS will not be developed for purposes outside of international travel. If this changes then the Privacy Notice will be updated.
- What does the COVIDCert NI App do?
The App only provides one function, namely, to show travel, airline and government border officials the status of your COVID vaccination. The COVIDCERT NI App allows you to:
- apply for new certificate;
- register with NIDA if you don’t have an account;
- login using the Identity authentication via the NIDA;
- download the digital certificate from the CCS Backend API(s) and store it on your Mobile App;
- view your certificate details.
The app itself doesn’t undertake any automated matching but the identity management process via NIDA may do. However, if there are any issues with verification of your identity on NIDA can call the Northern Ireland’ Helpline ‘0300 200 7814, Monday-Friday (excluding bank holidays) between the hours of 8:00am – 8:00 pm.
A subsequent release of the App may provide the ability for the user to prove their COVID test status based on information provided by approved test providers.
Further functions may be added to this App in the future.
- How is my privacy protected?
The CCS collects your personal data (shown in section 6) on a secure NIdirect government website. This website is used by NI Government to manage a wide range of civil and government services. Data collected on here is encrypted (hidden by mixing it up in a code). Data is also encrypted when it is being uploaded to our computer servers.
The App does not store or send any data that can identify you. The App does not access GPS functionality on the phone and never tracks your location.
None of your personal data is collected or stored when you use the App. The anonymous data that is collected and used by the App is protected by using IT security. The IT security used includes encryption (scrambling in a code), modern firewalls and intrusion prevention (barriers to stop people getting in and causing harm).
When the pandemic ends, the CCS and App may be shut down. Users will be told to delete the App from their phone. All data on our CCS servers will be deleted.
- Why are you processing my personal information?
We need to collect personal information from you to match with your personal vaccination information. The information you provide at the start of the process helps us identify you to a high standard.
We need this to verify your identity and access and match your vaccination record that was generated when you received your dose. We cannot access your vaccination record until you provide sufficient identification details and a facial image from a recognised identity document such as your passport or driving licence.
The CCS requires processing by different organisations including the Dept of Health, which will enable you to access the service through NI Direct (which is managed by the Department of Finance) and the Vaccine Management System (VMS) which securely stores your vaccination records. The VMS is managed by the Health and Social Care Board (HSCB).
We need to confirm you are who you say you are before we match and generate a vaccine certificate. This is in line with secure standards agreed by the EU and other nations.
A number of trusted government suppliers have been used to develop the CCS and work with us to generate your vaccine certificate. They have been approved to help process the information you supply in order to produce a vaccine certificate you can use for international travel.
- What information do we need to collect from you to produce your Vaccine Certificate?
If you use the CCS and/or App to get a certificate for travel, you will be asked to provide only the information we need to produce the certificate for the desired date of travel.
The data collected by the CCS will include your personal details and intended travel details. Your personal details are collected to match against your vaccination records which are stored in the VMS. To do this we need to collect:
Your personal details:
- Full Name
- Date of Birth
- Health and Care Number (HCN)
- Mobile Number
- Vaccination Centre (Optional; in case of other data mismatch)
Your intended travel details
- Date of Travel
- Country of Travel
The vaccination details we need to collect from your record in the Vaccine System to help certify your documents are:
- Your number of doses
- Your vaccination dates
- Who made the vaccination
- The disease the vaccine targets
- The vaccine product
- What type of vaccine it is
- The vaccination batch, and
- Where you had your vaccine given
Please note that the COVID Certification Service (CCS) will never:
- Reveal any personal or health/medical information provided by you to anyone other than your GP practice patient record system.
- Ask you to dial a premium rate number (for example, those starting 09 or 087) to speak to us.
- Ask you to make any form of payment or purchase a product of any kind.
- Ask for any details about your pension, bank, building society or savings account.
- Ask for your social media identities or login details, or those of your contacts.
- Ask for any passwords or PINs, or ask you to set up any passwords or PINs over the phone.
- Ask you to download any software to your PC or ask you to hand over control of your PC, smartphone or tablet to anyone else.
- Ask you to access any website or smartphone application that does not belong to the Government, or HSC.
- The Legal Stuff
We need to have a good reason to use your personal information. It’s called the ‘lawful basis for processing’. We have looked at the law and have taken advice from experts.
In some cases, we will process your data on the basis that you click ‘yes’, or ‘agree’ to what will happen to your data by using the CCS or App. When you apply online, the website will explain some things to you and ask you to give your permission to do those things. If you click on the section ‘CCS Privacy notice’ at the bottom of the page you can read about those things the website asks you to agree or say yes to.
We process your personal information in line with UK Law, as part of our duties as a public body and in the public interest(for the good of everyone). Without the CCS generating vaccine certificates you would not be able to enter certain countries when you travel internationally. We also use information from the CCS which isn’t personal to you, which is known as ‘metric data’ for collecting stats in relation to use and performance of the app.
We are also allowed to process information in order to protect public health. More information about how your data is used for our public duties and tasks is covered under the ‘How is my privacy protected?’ section 4. If you would like to read more detailed information regarding how we process your information lawfully, with specific references to data protection law, you can read the legal section of the more detailed privacy notice for the CCS here.
What happens to my data?
- How will my data be processed?
Your data will be processed in line with data protection and in a way that ensures appropriate security of your personal data.
No use of the camera functionality or storing of sensitive photo information will be utilised by the app.
This means we protect your data against unauthorised or unlawful processing. We also protect it against accidental loss, destruction, or damage, using appropriate technical or organisational measures.
- Do I need to give my consent?
While you will voluntarily choose to use the CCS service and/or the associated App, we do not process your data on the basis of your consent in relation to data protection legislation.
- Where do you get my personal data from?
Much of the data we use will have been provided directly by you when you book your COVID-19 vaccination appointments, or when you have booked a test, (or by someone who booked these on your behalf).
The COVID Certification Service will receive data directly from:
- Information you provided when booking your appointment and when attending for your vaccination, from the Vaccine Management System (VMS)
- Data you enter onto the NIDA/Surecert portal for the purpose of identity verification, when you access the portal on NI Direct to prove your identity.
- In subsequent CCS releases information that you provided for COVID testing purposes which is collected as part of Central Test Registry (CTR) may also be used.
- Do you share my personal data with anyone else?
We may share your data with organisations who carry out functions on our behalf as ‘data processors’, in relation to the CCS. If you would like to see more detail about the data processors involved in delivering the CCS please see Annex A of the full detailed Privacy Notice here:
- Do you transfer my personal data to other countries?
No. Your data will be only processed within the United Kingdom.
- How long do you keep my personal data?
We will only keep the record of you being issued a vaccine certificate for a maximum of 1 year after the date of travel.
- What rights do I have?
How are my rights respected? Users have rights under GDPR when their personal data are processed by data controllers.
Right to information – a Data Protection Privacy Notice (Notice) is provided on the CCS webpage and app. This has all the details of how your data is managed.
Right to rectification – you can ask to have inaccurate personal data corrected or completed if it is incomplete. You can contact the respective Data Protection Officer (DPO) as provided in Section 15 of this document.
Right of access – you can ask for copies of the information that we hold about you. You can contact the respective DPO as provided in Section 15 of this document.
Right to erasure – GDPR introduced a right for individuals to have personal data erased (‘the right to be forgotten’), however the right is not absolute and only applies in certain circumstances. You can choose to delete the app.
Right to restriction – you have the right to request the restriction or suppression of your personal data, however the right is not absolute. While you can request that CCS stops processing your data, data will be held as set out in your right to erasure. You can choose to delete the app.
Right to portability – you cannot move your app data to another device and because we don’t store your data, we cannot move it either. Individuals can ask CCS to share their information with another organisation (although this may not always be possible).
Right to object – You have the right to object to the processing of your data, including when the lawful basis for processing is a public task. However, this is not an absolute right, and processing can continue if there are compelling legitimate grounds for the processing, which override your interests, rights and freedoms as an individual. You can also choose to delete the app.
Right not to be subject to solely automated decision-making – You will not be subject to solely automated decisions made by computers which may have a legal or significant impact on your rights.
The CCS does use computer systems to process personal data. It does this for the purposes of matching your citizen records you supply to the vaccination data held on the VMS and eligibility of COVID certificate based on the data on the number of doses received by the citizen. However, app users can contact our helpline and progress their application manually if any issues are encountered. If you have any questions or concerns, please email us at email@example.com
If you want more detailed information on these rights, this can be found on the ICO website, at: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/
- How do I complain if I am not happy?
If you have a specific issue, or complaint, regarding the CCS and the COVIDCERT NI App, please contact – DPO@health-ni.gov.uk
If you have a specific issue, or query regarding your vaccine data from the Vaccine Management System, or a complaint in relation to the processing of this data, please contact – DPO.HSCB@hscni.net
If you are still not happy, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO). Should you have any concerns about how your data has been handled or remain dissatisfied with any response regarding the processing of your personal data, you can raise these concerns with the ICO, as follows:
Information Commissioner’s Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK0 5AF
Tel: 0303 123 1113
- Changes to this Privacy Notice
This Privacy Notice will be kept under regular review and any updated versions will be placed on our website.
- Some Useful links for you to find out more information
Users can also refer to the following links for further information:
Vaccine Management System PN https://covid-19.hscni.net/vaccine-service-privacy-notice/
NIDA Privacy Notice https://www.nidirect.gov.uk/articles/nidirect-web-service-privacy-notice