COVIDCert NI – Privacy Notice
Easy Read Privacy Information
PRIVACY NOTICE – THE Covid Certification Service (CCS), COVIDCERT NI APP AND YOUR DATA
- Why do we need COVID Certification?
The government has decided that COVID, COVID recovery and Exemption certificates are essential in helping the region recover from the COVID-19 virus. To help with this, the Department of Health, Health and Social Care Board and Public Health Agency, through the Digital Health and Care NI (DHCNI) team, have developed and delivered the COVID Certification Service (CCS) and the associated mobile COVIDCERTNI App (App).
People can now apply for a digital or paper-based vaccination/recovery or exemption certificate to travel abroad, use across Northern Ireland
- What does the COVID Certificate Service and App do?
The CCS solution provides people with an easy way to get their COVID or exemption certificate. This takes the workload off GPs and healthcare organisations to manage requests for proof of immunisation and test data. This means they have more time to care directly for patients and those in greatest need.
The CCS and app help people in four ways:
- People who want to travel abroad will need to share their immunity status and/or testing status before they can enter the countries they are travelling to.
- As lockdown restrictions are removed, there is increased domestic movement outdoors and in closed venues like pubs, bars, restaurants, clubs, stadiums, etc. To help stop the spread of COVID and help people visiting these venues to stay COVID free, visitors need to share their vaccination status before they can enter these premises.
- To prove they have recovered from COVID-19 and have a PCR test result to prove their status.
- CCS can also be used by people who are medically exempt from vaccination and wish to obtain a certificate. Exemption guidance can be found on the NIDirect website.
- Who is responsible for my data?
The Department of Health (DoH), Regional Health and Social Care Board (HSCB) and Public Health Agency (PHA) are Joint Data Controllers for the personal information processed in the CCS and mobile App and are responsible for making sure your personal data is safely and securely managed.
There are also 9 organisations, called Data Processors, who the Joint Data Controllers allow to use your data to process and produce the COVID certificate, COVID app, recovery and exemption certificates. These processors are not allowed to use, store or share your data with anyone else. The data processors use your personal data for the following purposes only:
- Civica – process your data to check you are fully vaccinated or have an exemption record. They develop the CCS and App and generate the certificates.
- Kainos store the record of your vaccination and share this with Civica when you apply for a certificate.
- BigMotive – have developed the website and app design you use to prove your COVID status
- Department of Finance – We use the NI Direct website, which captures your personal data in order to check and record your identity.
- Ernst & Young (EY) – Staff the CCS call centre and collect your data when you apply via the CCS website or if you apply online for an exemption/recovery certificate.
- HH Global are sent your vaccination or exemption data in order to print out your secure certificate.
- Surecert uses the data you give to NIDirect to confirm you are who you say you are.
- Business Services Organisation (BSO) provide the CCS with proof of your PCR test result for recovery certificates.
- Belfast Health and Social Care Trust (BHSCT) is used to host the CCS application on their infrastructure, which is based in Belfast.
- Why are you processing my personal information?
The DOH would not be able to deliver a digital or paper certificate to prove you are either fully vaccinated, in recovery or exempt unless we first prove your identity. Once we have identified you, we can then access your vaccine or PCR test record and match the two together. Matching your identity to your vaccine/recovery records allows us to deliver a digital certificate/recovery or exemption on the app or a printed version for those people who are unable to use the mobile app.
For people who are exempt there is a different process. There are three government departments in Northern Ireland who have the authority to approve aspects of your COVID certification or exemption:
- Public Health Agency (PHA) will review your exemption application should you not agree with the outcome.
- Health and Social Care Board will process your exemption application in relation to the administration of service payments to GPs.
- Trusts and your GPs are separate Data Controllers who will process your exemption application, reviewing it in relation to medical records, to facilitate your application.
- What information about me is being collected?
We collect your data in line with European standards. We only collect the minimum data we need to process your certificate. The data we collect includes your personal details (or those of your children under 18 if you are applying on their behalf) and intended travel details if you are travelling abroad. Personal details are collected to match your details against either your vaccination or PCR test records. The data we collect from you for all travel, domestic, recovery and exemption certificates includes:
- Full Name
- Date of Birth
- Health and Care Number (HCN)
- Mobile Number (this is optional on NIDA)
For Vaccine Certificates we may ask for:
- Vaccination Centre (Optional; in case of other data mismatch)
If you are travelling abroad, we also need to collect your:
- Date of Travel
- Country of Travel
If you are trying to get a recovery certificate we need to know:
- Your PCR test date and type
Remember, the CCS, app, recovery and exemption processes will never:
- Share any personal or health/medical information provided by you to anyone other than your GP practice patient record system.
- Ask you to dial a premium rate number (for example, those starting 09 or 087) to speak to us.
- Ask you to make any form of payment or purchase a product of any kind.
- Ask for any details about your bank account.
- Ask for your social media identities or login details, or those of your contacts.
- Ask for any passwords or PINs, or ask you to set up any passwords or PINs over the phone.
- Ask you to download any software to your PC or ask you to hand over control of your PC, smartphone or tablet to anyone else.
- Ask you to access any website or smartphone application that does not belong to the Government, or HSC.
- On what lawful basis are you processing my personal information?
We process your personal information according to the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Your data is processed for CCS as part of our public task to protect society under UK GDPR Article 6(1)(e).
The HSCB, PHA and Dept of Health have a statutory duty to protect people in NI. This follows the Health and Social Care (Reform) Act (Northern Ireland) 2009. Three sections of this act, 2(1), 2(3)g and 3(1)(b), require the NI health departments to promote a system that protects the physical and mental health of people in NI. This law also requires NI health organisations to help prevent, diagnose, and treat illness such as COVID-19.
More recently, domestic-use COVID certification regulations (The Health Protection (Coronavirus, Restrictions) Regulations (Northern Ireland) 2021) have been enacted in NI as a measure to slow down and prevent the spread of COVID infection.
Because the CCS provides a range of digital and non-digital services to help people to prove their COVID status to required standards, we need to follow 3 UK GDPR and 3 Data Protection Act conditions:
UK GDPR laws we must follow are:
- UK GDPR Article 9(2)(h) – the processing is necessary for medical diagnosis, the provision of health treatment and management of a health and social care system.
- UK GDPR Article 9(2)(i) – the processing is necessary for reasons of public interest in the area of public health.
- UK GDPR Article 9(2)(g) – the processing is necessary for reasons of substantial public interest.
Data Protection laws we must follow are:
- Data Protection Act 2018 – Schedule 1, Part 1 (2) – Health or Social Care Purposes
- Data Protection Act 2018 – Schedule 1, Part 1 (3) – reasons of public interest in the area of public health
- Data Protection Act 2018 – Schedule 1, Part 2 (6) para (1) – for reasons of substantial public interest.
- How will my data be processed?
Your data will be processed in line with legal requirements in section 5. We do this in a way to ensure the proper security of your personal data. This includes protecting your data against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate means.
The CCS app asks your permission to use the camera functionality on your phone to capture a ‘selfie photo’. The photo is stored on your phone only. This allows the photo to be displayed on your phone alongside the domestic 2D bar code (sometimes called a QR code) on the certificate screen display. The app does not share your sensitive photo information with anyone, and it remains locked on the phone. Your photo is deleted when you uninstall the app.
- Do I need to give my consent?
While you will voluntarily choose to use the CCS service and/or the associated App, we do not process your data on the basis of consent in relation to data protection legislation.
- Where do you get my personal data from?
Much of the data we use will have been provided directly by you when you book your COVID-19 vaccination appointments, or when you have booked a test, (or by someone who booked these on your behalf), or when you call to begin the process for getting an exemption certificate. If you are applying for a travel certificate for your children under 18 we use that data to generate their certificates.
Depending on the certification type you need, the CCS receives data directly from the following sources:
- Information you provided when booking your appointment and when attending for your vaccination, from the Vaccine Management System (VMS). The data we collect from the VMS about you includes:
  - Number of doses you have had
  - Your vaccination date(s)
  - The vaccination manufacturer you received, e.g. AstraZeneca
  - The disease targeted – in this case COVID-19
  - The vaccine product used
  - Vaccine prophylaxis – meaning you were given an injection to help prevent COVID-19
  - The vaccination batch number
  - The place where you were vaccinated
- Data you enter onto the NIDA/Surecert portal for the purpose of identity verification when you access the portal on NI Direct to prove your identity
- For recovery we use personal data shared from the BSO Central Test Registry (CTR) to certify recovery within the CCS, which just includes your:
  - PCR test date and test type
- Information you provided when starting the exemption certificate process and information provided by your GP/Clinician regarding the outcome of the decision regarding your medical exemption application.
- Do you share my personal data with anyone else?
We share your data with the 6 organisations listed in section 3. They carry out functions on our behalf as ‘data processors’, in order to process, produce or print out your certificate/exemption.
Separately, you may choose to share your Covid Certification data as part of verification requirements for access to travel, or to gain entry to certain events, or hospitality premises.
Where a tour operator, organisation, or business needs to verify your Covid Status, they can use the separate COVIDCert NI Verifier App, which the Digital Health and Care NI team have developed and made available for the purposes of enabling your Covid Certificate to be scanned by an organisation who needs to verify your Covid Status. They will use the Verifier App to scan your 2D Barcode on your Covid Cert App, or paper copy certificate.
Organisations who use the Verifier App will be the data controllers for that processing and should provide you with separate privacy notices to explain how they use your data. The Department will not process any of your personal data on the COVIDCert NI Verifier App, however in the spirit of openness and transparency the Department has published a Privacy Notice, which explains how the App works, using data minimisation techniques to enhance data protection and privacy and ensure public trust in the use of the App.
- Do you transfer my personal data to other countries?
No. Your data will be processed within the UK.
- How long do you keep my personal data?
We will only retain your data for as long as necessary, in line with our Retention and Disposal Schedule (called Good Management, Good Records). If there is a query, issue or complaint about your application then we may need to retain the relevant emails and any document copies you supplied for up to 30 days to ensure we can resolve the issue. Those emails and your documents are deleted once the issue has been sorted out.
- Your vaccine record on the CCS data store is retained for a day.
- We will only keep the record of you being issued a vaccine/exemption certificate in the CCS for a maximum of up to 1 year after the date of travel/certificate issue.
- The record of your recovery certificate is kept in the CCS for 180 days from the date of your PCR test.
- Your data sent to the secure printers for provision of a paper certificate is retained for 30 days.
This may remain under review depending on how long the pandemic lasts, if the virus recovery period changes or if the NI government changes the law.
- What rights do I have?
The GDPR sets out the 8 rights that you have in respect of your data. These are your rights when using the CCS and app:
- Your right to be informed
You are provided with information about the collection and use of your personal data for the CCS, including what personal data is collected, the purposes for collecting, retention periods and potential sharing of data, as part of this privacy notice.
- Your right of access
You can ask for copies of the information that we hold about you. You can contact the respective DPO as provided in Section 13 of this document.
- Your right to rectification
You can ask to have inaccurate personal data corrected or completed if it is incomplete. You can contact the respective DPO as provided in Section 13 of this document.
- Your right to erasure
GDPR introduced a right for you to have personal data erased (‘the right to be forgotten’), however the right is not absolute and only applies in certain circumstances.
- Your right to restrict processing
You have the right to request the restriction or suppression of your personal data, however the right is not absolute. While you can request that CCS stops processing your data, data will be held as described in number ‘d’ above.
- Your right to data portability
You can ask the CCS to share your information with another organisation (although this may not always be possible).
- Your right to object
You have the right to object to the processing of your personal data, including when the lawful basis for processing is a public task. However, this is not an absolute right, and processing can continue if there are legal grounds for the processing, which overrides your interests, rights and freedoms as an individual.
- Your rights relating to automated decision-making
You will not be subject to decisions made automatically by technology which may have a legal or significant impact on your rights. The CCS uses computer systems to process personal data for the purposes of matching of people’s records to the vaccination data and eligibility of COVID certificate based on the data on the number of doses received by the citizen.
However, app users can contact our helpline and progress their application manually if any issues are encountered. If you have any questions or concerns, please email us at email@example.com
If you want more detailed information on these rights, this can be found on the ICO website, at: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/
- How do I complain if I am not happy?
If you have a specific issue, or complaint, regarding the CCS and the COVIDCERT NI App, please contact – firstname.lastname@example.org
If you are unhappy with how your personal data is being processed by the CCS please contact – DPO@health-ni.gov.uk
If you have a specific issue, or query regarding your vaccine data from the Vaccine Management System, or a complaint in relation to the processing of this data, please contact – DPO.HSCB@hscni.net, or DPO.PHA@hscni.net
If you have a specific issue, or query regarding your test data from the Central Test Registry, or a complaint in relation to the processing of this data, please contact – DPO.PHA@hscni.net
If you have a specific issue, or query regarding your data and how it is processed for the purposes of the medical exemption certificate, or a complaint in relation to the processing of this data, please contact – DPO.PHA@hscni.net
If you are still not happy, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO). Should you have any concerns about how your data has been handled or remain dissatisfied with any response regarding the processing of your personal data, you can raise these concerns with the ICO, as follows:
Information Commissioner’s Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK0 5AF
Tel: 0303 123 1113
- Changes to this Privacy Notice
This Easy Read Privacy Notice will be kept under regular review and any updated versions will be placed on our website.
- Useful links
Users can also refer to the following links for further information:
Vaccine Management System PN https://covid-19.hscni.net/vaccine-service-privacy-notice/
NIDA Privacy Notice https://www.nidirect.gov.uk/articles/nidirect-web-service-privacy-notice
PHA Privacy Notice https://www.publichealth.hscni.net/privacy-notice
All data processors are appointed under Data Processors Agreements in compliance with Article 28 of the UK GDPR, either via UK GDPR compliant contracts, or MoUs.
Under the terms of these arrangements HSCB is the data controller responsible for assessing that all processors listed below, except DoF/ESS, are competent to process personal data in line with UK GDPR requirements. DoH is responsible for assessing that DoF/ESS are competent to process data in line with UK GDPR requirements under these arrangements. This assessment will consider the nature of the processing and the risks to the data subjects.
Under Article 28(1) HSCB will ensure that it uses only processors that can provide “sufficient guarantees” (in terms of their expert knowledge, resources, and reliability) to implement appropriate technical and organisational measures, so that the processing complies with the UK GDPR and protects the rights of individuals. DoH will ensure the same in regard to DoF/ESS.
Contracts or Memoranda of Understanding (MoUs) will be in place to govern relationships with the data processors, which set out the obligations of each party and the data controllers’ obligations and rights regarding the data that is being processed. All contracts adhere to established BSO Procurement and Logistics Services (PaLs) processes and legal input provided by BSO Department of Legal Services (DLS).
All data processing takes place within the UK area and as such is subject to legislation in the form of the UK General Data Protection Regulation (UK GDPR).
The following provides a list of data processors involved in delivery of the system.
- Civica is a system integrator organisation who were chosen to develop the end-to-end CCS platform and are regarded as a processor contracted by the HSCB. Civica will provide support on an ongoing basis to the CCS configuration for the duration of its operation, as part of their contract.
- Kainos will provide the citizen vaccination data that is part of VMS, to be used by Civica in CCS to match against the user entered information and process the COVID certificate request where applicable. Kainos are contracted by HSCB.
- BigMotive is a software development company who were chosen to develop the CCS user interface and are responsible for the configuration of the CCS webforms and are regarded as a processor contracted by HSCB. BigMotive will provide support for user experience (UX) design on an ongoing basis for the duration of the CCS operation, as part of their contract.
- NI Direct/NIDA – NIdirect is the official government website for Northern Ireland citizens, which is run by DoF ESS. NICS Identity Assurance service (NIDA) is a service provided by DoF ESS via NI Direct for the purposes of identity verification. NIdirect aims to make it easier to access government information and services. It does this by working closely with Northern Ireland departments and other public bodies to collate key information based on users’ needs. DoH have a MoU in place with DoF/ESS, which covers provision of these services.
- Surecert are an identity service that have been engaged to provide secure identity verification. This service integrates with the NIDA service to provide a real-time ID and Biometric identity checking service. Surecert are contracted by HSCB.
- HH Global – HH Global are a UK government approved (framework CCS RM6170) secure printing organisation who produce NI’s secure printed certificates. Certificate data is sent to HH Global over an encrypted transfer protocol. These certificates incorporate several secure elements around the QR code, bar code and print layouts. These are done in accordance with the Four Nation COVID Certificate letter spec (release 2). HSCB have a contract in place with HH Global for the provision of this service.
- Ernst & Young – EY are providing temporary technical resources to support the call centre volumes, manual matching and edge case workload in support of HSCB staff. They are also providing call centre services for medical exemption certificate applications. EY are contracted by HSCB via G-Cloud.
- Business Services Organisation (BSO) is a statutory organisation providing services as a data processor for HSCB and PHA. BSO are responsible for monitoring and managing all Microsoft contracts as commissioned and monitored by HSCB and PHA. They are responsible for all Civica environments user access and provision of new user hardware (PC and phones). BSO ITS are responsible for the supply and maintenance of user hardware. PHA and HSCB have overarching SLAs with the BSO for services including ITS. Their services are managed via appropriate agreements with PHA and HSCB.
- Belfast Health and Social Care Trust (BHSCT) is a statutory organisation providing VMS services as a processor for HSCB and PHA. BHSCT host the CCS application on their infrastructure. Their services are managed via appropriate agreements with HSCB and PHA.
 This refers to the processing that is necessary for the performance of the official tasks carried out in the public interest.