- COVIDCert NI – Privacy Information
COVIDCert NI – Privacy Information
PRIVACY NOTICE – THE Covid Certification Service (CCS), COVIDCERT NI APP AND YOUR DATA
As the success of the vaccination programme continues, pressure is increasing to ease restrictions. As international travel resumes, there will be a requirement for travellers to share their ‘Covid status’ as a condition for entry into countries they are travelling to. Your Covid Status can be shown using several certificates via the (COVIDCERT NI) app or a letter depending on your circumstances. These include:
- Vaccination (including Booster) certificates
- Travel certificate
- Paper certificates
- Recovery certificate
- Single dose letter and booster document
- Vaccine trial letter
- EU COVID certificate
As the standards for secure documentation are confirmed by the EU and World Health Organisation (WHO) it has become clear that GPs and HSC Trusts are unable to provide documentation to the required, secure standard. Therefore, solutions that can provide the required assurances to agreed international standards are needed, hence the development of COVID Certification Service (CCS) and associated mobile (COVIDCERT NI) App.
The Department of Health (DoH) and Public Health Agency (PHA) are Joint Data Controllers for the personal information processed in the CCS and mobile App.
2. Background – COVID Certification Service
The Department of Health, Health and Social Care Board (which has now transitioned to the Department of Health), and Public Health Agency, through the Digital Health and Care NI (DHCNI) team, have worked jointly on the development and delivery of a COVID Certification Service and associated App that, by virtue of confirmation of your Covid status, facilitates international travel (meeting EU and WHO requirements) and domestic use cases. The Department of Finance through NI Direct, as well as other key suppliers, have been employed to help deliver the CCS and COVIDCERT NI App – see Annex A for full list of suppliers.
The requirement to use the Covid Certification Service to provide evidence of your Covid status is currently required by most private sector organisations such as airlines, cruise ships and holiday operators to allow access to their services for international travel.
The CCS solution provides citizens with an easily accessible, streamlined process for obtaining a certificate. Additionally, this removes the requirement for GPs and healthcare organisations to manage requests for proof of Covid status, thereby freeing them to concentrate on direct patient care.
The scope of the CCS covers both a digital and paper- based solution for people to obtain trusted, and internationally accepted COVID status certification for use in international travel settings.
As well as providing a mechanism to prove vaccination and testing status, the HSC COVID-19 website details how people can apply for a recovery certificate. The details can be found here.
CCS can also be used by citizens who qualify for a medical exemption from vaccination and wish to obtain a certificate. Exemption guidance can be found on the NIDirect website.
3. Why are you processing my personal information?
The CCS and COVIDCERT NI App products have been developed by an existing DHCNI software partner Civica, who are a data processor for the CCS. Several organisations who process your data are needed to produce, record, and manage COVID-19 related certifications. These data processors work under strict instruction from the data controllers for the CCS. These processing organisations process your personal data for the following purposes:
- Civica – will process your data to perform a citizen data match to verify against the Vaccine Management System (VMS) and/ or Central Test Registry (CTR) records and process the certification generation request.
- Kainos – process data as part of processing operations for the VMS and will provide the citizen vaccination/booster data that is part of VMS, to be used by Civica in CCS to match against the user entered information.
- BigMotive – develop the CCS user app and webpages where your data is entered.
- Department of Finance, NI Direct/ NIDA – NI Direct will process your data as part of the identity checking service they provide for citizens – ‘The NICS Identity Assurance service (NIDA)’. Use of NIDA along with the SureCert Service delivered by NI Direct provides a real-time ID and Biometric identity checking service, to enable citizens to prove their identity to access government services. This will be the first part of the process where you will add your identity details, which will be verified here and then sent to HSC for the above matching and checks to be performed before a certificate is requested for you. NI Direct may also process your data if you contact the Covid Care call centre for assistance regarding CCS.
- Surecert – will provide proof of identity based on the data/information you provide during the registration process. Surecert uses Experian data to perform a soft search to confirm you name, address and date of birth. This soft search has no impact on your credit rating.
- HH Global – will process your data to print your secure certificate.
- The Business Services Organisation (BSO) will process testing data on behalf of the PHA, as they host the Central Test Registry (CTR), which stores the public testing (Polymerase Chain Reaction (PCR)) test results.
- Ernst & Young (EY) – will provide a team to conduct manual matching where the CCS cannot do this automatically and to maintain the certificate generation volumes. EY will also capture your data in the COVIDCert call centre for citizens to apply for exemption and recovery based COVIDCerts. The data you provide in applying for your Covid Certificate may be used by EY to ensure the quality of your data in the Vaccine Management System, to ensure your vaccine data on the VMS is accurate and up to date. In carrying out data quality checks EY will process your data utilising the Azure Synapse Analytics platform. The Azure Synapse Analytics platform is a data storage platform hosted on the public health information platform and controlled by the Public Health Agency (PHA). Data stored within CCS may also be analysed by EY to identify covid certification fraud.
- Business Services Organisation (BSO) – is a statutory organisation that works on behalf of PHA to provide the CCS access to citizen’s COVID-19 PCR test data stored in the Central Test Registry to process a Recovery Certificate.
- Belfast Health and Social Care Trust (BHSCT) hosts the CCS data and application on their infrastructure.
For clarity, the table below shows the data responsibilities between organisations. Further details about the data processors above have been added at Annex A.
4. What information is collected?
If you use the CCS, data is collated in line with the specification guidelines for EU digital COVID certificates. CCS can be used for travel. If you use the COVID Certification Service and app to obtain a certificate for travel for yourself or your dependents under the age of 18, you will be asked to provide only the information we need to arrange that certificate(s) for the desired date of travel. People aged 16 and over may apply for a certificate independently, provided they satisfy the NIdirect identity/account requirements. Under-16s can also download the CCS app to store their Covid Certification on their mobile phone. They will need to download the app to their mobile phone, then scan the QR code available from their parents Covid Cert app.
The data collected by the CCS will include you or your dependent’s personal details and intended travel details. Personal details are collected to match your details against the vaccination (including boosters) records held on the VMS (held jointly by DoH and PHA), and/or test records as part of the CTR (held by PHA).
Personal details collected for all travel and recovery certificates include:
- Full Name
- Date of Birth
- Health and Care Number (HCN)
- Mobile Number (optionally recorded in NIDA)
The above data will be used to check against personal data held in the VMS, the Central Test Registry (CTR) and shared with CCS for the purposes of vaccination or recovery certification.
Personal data shared from the VMS to certify vaccination for international travel uses will include the citizens’:
- Number of doses
- Vaccination Date
- Vaccination Manufacturer
- Disease Targeted
- Vaccine Product
- Vaccine prophylaxis
- Vaccination batch
- Vaccination Centre
Personal data shared from the CTR, held by BSO on behalf of PHA, to certify recovery within the CCS will include the citizens:
- PCR test date and Test Type
A table summarising how your data is used and collected is shown below:
Please note that the COVID Certification Service (CCS) will never:
- Disclose any personal or health/medical information provided by you to anyone other than your GP practice patient record system.
- Ask you to dial a premium rate number (for example, those starting 09 or 087) to speak to us.
- Ask you to make any form of payment or purchase a product of any kind.
- Ask for any details about your bank account.
- Ask for your social media identities or login details, or those of your contacts.
- Ask for any passwords or PINs or ask you to set up any passwords or PINs over the phone.
- Ask you to download any software to your PC or ask you to hand over control of your PC, smartphone, or tablet to anyone else.
- Ask you to access any website or smartphone application that does not belong to the Government, or HSC.
5. The lawful basis for processing your personal information
We process your personal information according to the UK General Data Protection Regulation and the Data Protection Act 2018, which will be referred to as Data Protection legislation. Your data is processed for CCS as part of our public task (in line with UK GDPR Article 6(1)(e)).
The PHA and Department of Health statutory duty, is outlined in the Health and Social Care (Reform) Act (Northern Ireland) 2009, as below:
- Section 2(1) the duty to promote in Northern Ireland an integrated system of health care designed to secure improvement in the physical and mental health of people in Northern Ireland and in the prevention, diagnosis, and treatment of illness, and
- Section 2(3)(g) the duty to secure the commissioning and development of programmes and initiatives conducive to the improvement of the health and social well-being of people in Northern Ireland, and
- Section 3(1)(b) the power to provide, or secure provision of, such health and social care as it considers appropriate for the purpose of discharging its duty under section 2; and do anything which is calculated to facilitate, or is conducive or incidental to, the discharge of that duty.
Providing strategic oversight and coordination of the implementation and ongoing delivery of regional vaccination programmes; provision of resources for health professionals and the public; interventions to improve uptake; disease and vaccine coverage surveillance; investigation, and management of cases, outbreaks, and other immunisation incidents; and provision of expert advice to policy makers, commissioners, providers, and the public.
In this instance the public task relates to the functions of the Public Health Agency which the Agency exercises on behalf of the Department of Health for:
- the health improvement functions mentioned in section 13 subsection (2).
- the health protection functions mentioned in section 13 subsection (3); and
- obtaining and analysis of data and other information in section 13 subsection (4).
The COVID Certification Service supports a range of digital and non-digital services to enable citizens to evidence their COVID status to required standards (for the purpose of mitigating the rate of spread of COVID infection within NI, and because of international travel).
Some of the data processed relates to health data which is described as ‘special category data’. In relation to that processing, the following UK GDPR conditions apply:
- Article 9(2)(h) – the processing is necessary for medical diagnosis, the provision of health treatment and management of a health and social care system.
- Article 9(2)(i) – the processing is necessary for reasons of public interest in public health.
- Data Protection Act 2018 Schedule 1, Part 1 (2) – Health or Social Care Purposes
- Data Protection Act 2018 – Schedule 1, Part 1 (3) – reasons of public interest in public health
6. How will my data be processed?
Your data will be processed in line with data protection legislation requirements and in a manner that ensures appropriate security of your personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures.
The app asks you permission to use the camera functionality on your phone to capture a ‘selfie photo’. The photo is stored on your phone only, to allow it to be displayed on your phone alongside the domestic QR code, to show on the certificate screen display. The app does not share your sensitive photo information with anyone, it remains locked on the phone. The photo is deleted when you uninstall the app.
If you have an older android device, when you chose to download a PDF version of your certificate you may be asked for access to your device’s file storage to download your COVID Certificate Service PDF documents. Files that you choose to download will then be stored on your device.
7. Do I need to give my consent?
While you will voluntarily choose to use the CCS service and/or the associated App, we do not process your data based on consent in relation to data protection legislation (see section 5).
8. Where do you get my personal data from?
Much of the data we use will have been provided directly by you when you book your COVID-19 vaccination appointments, or when you have booked a test, (or by someone who booked these on your behalf), or when you call to begin the process for getting an exemption certificate. To support this the CCS will receive data directly from:
- Information you provided when booking your appointment and when attending for your vaccination, from the Vaccine Management System (VMS).
- Data you enter onto the NIDA/Surecert portal for the purpose of identity verification when you access the portal on NI Direct to prove your identity.
- Data you enter on behalf of your dependent children under the age of 18 for the purposes of identity verification for overseas travel once you have confirmed your identity via the NIDA/Surecert portal.
- Information about PCR test you have undertaken, from the data processed by BSO from the CTR, on behalf of PHA.
9. Do you share my personal data with anyone else?
We may share your data with organisations who carry out functions on our behalf as ‘data processors’, in relation to the CCS. Details of the data processors has been added in Annex A.
Separately, you may choose to share your Covid Certification data as part of verification requirements for access to travel, or to gain entry to certain events, or hospitality premises. Where a tour operator, organisation, or business needs to verify your Covid Status, they can use the separate COVIDCert NI Verifier App, which the Digital Health and Care NI team have developed and made available for the purposes of enabling your Covid Certificate to be scanned securely by an organisation which needs to verify your Covid Status. They will use the Verifier App to scan your 2D Barcode on your Covid Cert App, or paper copy certificate. The organisations who use the Verifier App will be the data controllers for that processing and should provide you with separate privacy notices to explain how they use your data. The Department will not process any of your personal data on the COVIDCert NI Verifier App, however in the spirit of openness and transparency the Department has published a Privacy Notice, which explains how the App works, using data minimisation techniques to enhance data protection and privacy and ensure public trust in the use of the App.
10. Do you transfer my personal data to other countries?
Your data will be processed within the UK.
11. How long do you keep my personal data?
We will only retain your personal data for as long as necessary, in line with our Retention and Disposal Schedule (Good Management, Good Records – GMGR). For complaints (see section 13) or cases where additional checks or more data are needed to support verification (e.g., the name you provide online does not match your name on your passport), we may need to retain your supplied data/call centre calls/emails for up to a year. In all cases your data will be deleted once any queries or investigations are complete in line with GMGR. These records will be retained for seven years (the current year plus six financial years).
Your vaccine record on the CCS data store is retained for a day.
Your data sent to the secure printers (HH Global) for provision of a paper certificate is retained for 30 days.
We will only keep the record of you being issued a vaccine/exemption certificate in the CCS data store for a maximum of up to a 1 year after the date of travel/certificate issue.
Recovery data is stored in the CCS data store for 180 days after the citizen’s PCR test date.
This may remain under review pending the outcome of the pandemic.
12. What rights do I have?
The GDPR sets out the 8 rights that individuals have in respect of their data. These have been considered in respect of the NI COVID Certification Service as follows:
a) The right to be informed
Individuals are provided with information about the collection and use of their personal data for the CCS, including what personal data is collected, the purposes for collecting, retention periods and potential sharing of data, as part of this privacy notice.
b) Right of access
Individuals can ask for copies of the information that we hold about them. Individuals can contact the respective DPO as provided in Section 13 of this document.
c) Right to rectification
Individuals can ask to have inaccurate personal data corrected or completed if it is incomplete. Individuals can contact the respective DPO as provided in Section 13 of this document.
d) Right to be forgotten
GDPR introduced a right for individuals to have personal data erased/deleted (‘the right to be forgotten’), however the right is not absolute and only applies in certain circumstances, which do not include when processing is carried out under ‘public task’, which is the lawful basis under which the CCS processes data. However, the CCS will consider requests for erasure of data when received from individuals for their own data, or data related to their deceased relatives (where they have the authority to make such requests).
You should be aware that if you request your data to be deleted from CCS you will no longer be able to retrieve, access or update your Covid Status Certificates. If you wish to receive certificates in the future, you will need to reapply to the CCS and go through the full application process again. Once requested your detailed will be deleted within one month of the request.
e) Right to restrict processing
Individuals have the right to request the restriction or suppression of their personal data, however the right is not absolute.
f) Right to data portability
Individuals can ask CCS to share their information with another organisation (although this may not always be possible). This does not apply to CCS.
g) Right to object
Individuals have the right to object to the processing of their personal data, including when the lawful basis for processing is public task. However, this is not an absolute right, and processing can continue if there are compelling legitimate grounds for the processing, which override the interests, rights, and freedoms of the individual.
h) Rights relating to automated decision-making
Individuals will not be subject to solely automated decisions which may have a legal or significant impact on their rights. CCS uses computer systems to process personal data for the purposes of matching of citizen records to the vaccination data and eligibility of COVID certificate based on the data on the number of doses received by the citizen (this is further elaborated in Sections 3 and 4 of this document). However, app users can contact our helpline and progress their application manually if any issues are encountered. If you have any questions or concerns, please email us at email@example.com
If you want more detailed information on these rights, this can be found on the ICO website, at: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/
13. How do I complain if I am not happy?
The CCS and COVIDCERT NI App follow the Health and Social Care Complaints Procedure effective from 1st January 2022. The details of which can be found here.
If you have a specific issue, or complaint, regarding the CCS and the COVIDCERT NI App, please contact- firstname.lastname@example.org
If you are unhappy with how your personal data is being processed by the CCS, please contact- DPO@health-ni.gov.uk
If you have a specific issue, or query regarding your vaccine data from the Vaccine Management System, or a complaint in relation to the processing of this data, please contact DPO.PHA@hscni.net, or DPO@health-ni.gov.uk
If you have a specific issue, or query regarding your test data from the Central Test Registry, or a complaint in relation to the processing of this data, please contact – DPO.PHA@hscni.net
If you are still not happy, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO). Should you have any concerns about how your data has been handled or remain dissatisfied with any response regarding the processing of your personal data, you can raise these concerns with the ICO, as follows:
14. Changes to this Privacy Notice
This Privacy Notice will be kept under regular review and any updated versions will be placed on our website.
15. Useful links
Users can also refer to the following links for further information:
Vaccine Management System Privacy Notice- https://covid-19.hscni.net/vaccine-service-privacy-notice/
NIDA Privacy Notice- https://www.nidirect.gov.uk/articles/nidirect-web-service-privacy-notice
PHA Testing Programme Privacy Notice – Test Data PN
All data processors are appointed under Data Processors Agreements in compliance with Article 28 of the UK GDPR, either via UK GDPR compliant contracts, or MoUs.
Under the terms of these arrangements DoH and PHA are the data controllers responsible for assessing that all processors listed below, except DoF/ESS, are competent to process personal data in line with UK GDPR requirements. DoH is responsible for assessing that DoF/ESS are competent to process data in line with UK GDPR requirements under these arrangements. This assessment will consider the nature of the processing and the risks to the data subjects.
Under Article 28(1) DoH and PHA will ensure that only processors that can provide “sufficient guarantees” (in terms of its expert knowledge, resources, and reliability) to implement appropriate technical and organisational measures to ensure the processing complies with the UK GDPR and protects the rights of individuals. DoH will ensure the same regarding DoF/ESS.
Contracts or Memorandum of Understanding (MoUs) will be in place to govern relationships with the data processors, which set out the obligations of each party and the data controllers’ obligations and rights regarding the data that is being processed. All contracts adhere to established BSO Procurement and Logistics Services (PaLs) processes and legal input provided by BSO Department of Legal Services (DLS).
All data processing takes place within the UK area and as such is subject to legislation in the form of the UK – General Data Protection Regulation (GDPR) and Data Protection Act 2018.
The following provides a list of data processors involved in delivery of the system.
- Civica is a system integrator organisation who were chosen to develop the end-to-end CCS platform and are regarded as a processor contracted by the DoH/PHA. Civica will provide support on an ongoing basis to the CCS configuration for the duration of its operation, as part of their contract.
- Kainos will provide the citizen vaccination data that is part of VMS, to be used by Civica in CCS to match against the user entered information and process the COVID certificate request where applicable. Kainos are contracted by DoH/PHA.
- BigMotive is a software development company who were chosen to develop the CCS user interface and are responsible for the configuration of the CCS webforms and are regarded as a processor contracted by DoH/PHA. BigMotive will provide support for user experience (UX) design on an ongoing basis for the duration of the CCS operation, as part of their contract.
- Department of Finance, NIdirect/ NIDA – NIdirect is the official government website for Northern Ireland citizens which is run by DoF ESS. NICS Identity Assurance service (NIDA) is a service provided by DoF ESS via NI Direct for the purposes of identity verification. NIdirect aims to make it easier to access government information and services. It does this by working closely with Northern Ireland departments and other public bodies to collate key information based on users’ needs. DoH have a MoU in place with DoF/ ESS, which covers provision of these services.
- Surecert are an identity service that have been engaged to provide secure identity verification. Surecert supports the NIDA service delivered by the DoF. This service integrates with the NIDA service to provide real-time ID and Biometric identity checking service. Surecert are contracted by DoH/PHA.
- HH Global – HH Global are a UK government approved (framework CCS RM6170) secure printing organisation who produce NI’s secure printed certificates. Certificate data is sent to HH Global over an encrypted transfer protocol. These certificates incorporate several secure elements around the QR code, bar code and print layouts. These are done in accordance with the Four Nation COVID Certificate letter spec (release 2). DoH/PHA have a contract in place with HH Global for the provision of this service.
- Ernst & Young – will provide a team to conduct manual matching where the CCS cannot do this automatically and to maintain the certificate generation volumes. EY will also capture your data in the COVIDCert call centre for citizens to apply for exemption and recovery based COVIDCerts. The data you provide in applying for your Covid Certificate may be used by EY to ensure the quality of your data in the Vaccine Management System, to ensure your vaccine data on the VMS is accurate and up to date. In carrying out data quality checks EY will process your data utilising the Azure Synapse Analytics platform. The Azure Synapse Analytics platform is a data storage platform hosted on the public health information platform and controlled by the Public Health Agency (PHA). Data stored within CCS may also be analysed by EY to identify covid certification fraud.
- Business Services Organisation (BSO) – is a statutory organisation providing services as a data processor for PHA. BSO are responsible for monitoring and managing all Microsoft contracts as commissioned and monitored by PHA. They are responsible for all Civica environments user access and provision of new user hardware (PC and phones). BSO ITS are responsible for the supply and maintenance of user hardware. PHA have overarching SLAs with the BSO for services including ITS. Their services are managed via appropriate agreements with PHA.
- Belfast Health and Social Care Trust (BHSCT). BHSCT is a statutory organisation providing VMS services as a processor for DoH and PHA. BHSCT host the CCS application on their infrastructure. Their services are managed via appropriate agreements with DoH and PHA.