- Privacy Information
PRIVACY NOTICE – THE Covid Certification Service (CCS), COVIDCERT NI APP AND YOUR DATA
As the success of the vaccination programme continues, pressure is increasing to ease restrictions. As international travel resumes, there will be a requirement for travellers to share immunity status and/or testing status as a condition for entry into countries they are travelling to. As lockdown restrictions are removed, there is increased domestic movement outdoors and in closed venues like pubs, bars, restaurants, clubs, stadiums, etc., and to assure the safety of all there can be requirements for visitors to share their vaccination status for entry into these venues.
As the standards for secure documentation are confirmed by the EU and World Health Organisation (WHO) it has become clear that GPs and HSC Trusts are unable to provide documentation to the required, secure standard. Therefore, solutions that can provide the required assurances to agreed international standards are needed, hence the development of COVID Certification Service (CCS) and associated mobile (COVIDCERT NI) App.
The Department of Health (DoH), Regional Health and Social Care Board (HSCB) and Public Health Agency (PHA) are Joint Data Controllers for the personal information processed in the CCS and mobile App.
- Background – COVID Certification Service
The Department of Health, Health and Social Care Board and Public Health Agency, through the Digital Health and Care NI (DHCNI) team, have worked jointly on the development and delivery of a COVID Certification Service and associated App that, by virtue of confirmation of your Covid status, facilitates international travel (meeting EU and WHO requirements) and domestic use cases. The Department of Finance through NI Direct, as well as other key suppliers, have been employed to help deliver the CCS and COVIDCERT NI App – see below for full list of suppliers in Annex A.
Use of the Covid Certification Service to provide evidence of your Covid status is currently required by most private sector organisations such as airlines, cruise ships and holiday operators to allow access to their services for international travel; similarly, for domestic use cases requirements have been put in place for:
- Indoor events (where some or all of the audience are not normally seated) with 500 or more attendees
- Outdoor events (where some or all of the audience are not normally seated) with 4,000 or more attendees
- Events where more than 10,000 people will be present, regardless of whether or not they will be seated
- Licensed Hospitality premises and unlicensed premises for the duration of the time when they are operating under an occasional licence or when BYO alcohol is consumed
- Cinemas, theatres and conference halls
Finally, the CCS solution provides citizens with an easily accessible, streamlined process for obtaining a certificate. Additionally, this removes the requirement for GPs and healthcare organisations to manage requests for proof of immunisation, boosters and test data, thereby freeing them to concentrate on direct patient care.
The scope of the CCS covers both a digital and paper-based solution for people to obtain trusted and internationally accepted COVID status certification for use in international travel settings and domestic use cases.
The HSC COVID-19 website details how people can apply for a recovery certificate. The details can be found here.
CCS can also be used by citizens who have recovered from COVID-19 or who qualify for a medical exemption from vaccination and wish to obtain a certificate. Exemption guidance can be found on the NIDirect website.
- Why are you processing my personal information?
The CCS and COVIDCERT NI App products have been developed by an existing DHCNI software partner Civica, who are a data processor for the CCS. Several organisations who process your data are needed to produce, record and manage COVID-19 related certifications. These data processors work under strict instruction from the data controllers for the CCS. These processing organisations process your personal data for the following purposes:
- Civica – will process your data to perform a citizen data match to verify against the Vaccine Management System (VMS) and/or Central Test Registry (CTR) records and process the certification generation request. (Travel requests will be prioritised by Civica on the basis of the date you are travelling on, in order to ensure everyone can receive a certificate on time for them to travel.)
- Kainos – process data as part of processing operations for the VMS and will provide the citizen vaccination/booster data that is part of VMS, to be used by Civica in CCS to match against the user entered information.
- BigMotive – develop the CCS user app and webpages where your data is entered
- Department of Finance, NI Direct/NIDA – NI Direct will process your data as part of the identity checking service they provide for citizens – ‘The NICS Identity Assurance service (NIDA)’. Use of NIDA along with the SureCert Service delivered by NI Direct provides a real-time ID and Biometric identity checking service, to enable citizens to prove their identity to access government services. This will be the first part of the process where you will add your identity details, which will be verified here and then sent to HSC for the above matching and checks to be performed before a certificate is requested for you. NI Direct may process your data if you contact the Covid Care call centre for assistance regarding CCS.
- Surecert – will provide proof of identity based on the data/information you provide during the registration process. Surecert uses Experian data to perform a soft search to confirm your name, address and date of birth. This soft search has no impact on your credit rating.
- HH Global – will process your data in order to print your secure certificate.
- Ernst & Young (EY) – will provide a temporary team to support HSCB staff in conducting manual matching where the CCS cannot do this automatically and to maintain the certificate generation volumes. EY capture your data in the COVIDCert call centre for citizens to apply for exemption/recovery COVIDCerts.
- Business Services Organisation (BSO) – is a statutory organisation that provides the CCS with access to citizens’ COVID-19 PCR test data stored in the Central Test Registry to process a Recovery Certificate.
Belfast Health and Social Care Trust (BHSCT) hosts the CCS data and application on their infrastructure.
For clarity the table below shows the data responsibilities between organisations. Further details about the data processors above have been added at Annex A.
Public Health Agency (PHA) will review your exemption application should you not agree with the outcome.
Health and Social Care Board (a Joint Data Controller for the CCS) will process your exemption application in relation to the administration of service payments to GPs.
Trusts and GPs (who are separate Data Controllers) will process your exemption application, reviewing it in relation to medical records, to facilitate your application. Their processing of your data sits outside the CCS with the exception of the processing of the outcome of their review of your application, which will be notified to CCS for the purposes of confirming whether or not a medical exemption certificate should be generated for you by the CCS.
- What information is collected?
If you use the CCS, data is collated in line with the specification guidelines for EU digital COVID certificates. CCS can be used for travel and domestic purposes. If you use the COVID Certification Service and app to obtain a certificate for travel for yourself or your dependents under the age of 18, you will be asked to provide only the information we need to arrange that certificate(s) for the desired date of travel.
The data collected by the CCS will include your or your dependent’s personal details and intended travel details. Personal details are collected to match your details against the vaccination (including boosters) records included as part of the VMS, and/or test records as part of the CTR.
Personal details collected for all travel, domestic, recovery and exemption certificates include:
- Full Name
- Date of Birth
- Health and Care Number (HCN)
- Mobile Number (optionally recorded in NIDA)
For Domestic Vaccine Certificates
- Vaccination Centre (Optional; in case of other data mismatch)
For people intending to travel abroad internationally:
- Date of Travel
- Country of Travel
The above data will be used to check against personal data held in the VMS, the BSO Central Test Registry (CTR) and shared with CCS for the purposes of vaccination or recovery certification. Personal data shared from the VMS to certify vaccination for domestic or international travel uses will include the citizens’:
- Number of doses
- Vaccination Date
- Vaccination Manufacturer
- Disease Targeted
- Vaccine Product
- Vaccine prophylaxis
- Vaccination batch
- Administering centre
Personal data shared from the CTR, held by BSO, to certify recovery within the CCS will include the citizen’s:
- PCR test date and Test Type
An exemptions process for CovidCert is in place for citizens who qualify for an exemption certificate. Details of eligibility can be found on NIDirect.
A table summarising how your data is used and collected is shown below:
Please note that the COVID Certification Service (CCS) will never:
- Disclose any personal or health/medical information provided by you to anyone other than your GP practice patient record system.
- Ask you to dial a premium rate number (for example, those starting 09 or 087) to speak to us.
- Ask you to make any form of payment or purchase a product of any kind.
- Ask for any details about your bank account.
- Ask for your social media identities or login details, or those of your contacts.
- Ask for any passwords or PINs, or ask you to set up any passwords or PINs over the phone.
- Ask you to download any software to your PC or ask you to hand over control of your PC, smartphone or tablet to anyone else.
- Ask you to access any website or smartphone application that does not belong to the Government, or HSC.
- The lawful basis for processing your personal information
We process your personal information according to the UK General Data Protection Regulation and the Data Protection Act 2018, which will be referred to as Data Protection legislation. Your data is processed for CCS as part of our public task (in line with UK GDPR Article 6(1)(e)).
The statutory duty of the HSCB, PHA and Dept of Health is outlined in the Health and Social Care (Reform) Act (Northern Ireland) 2009, as below:
- The Regional Board shall exercise on behalf of the Department— (b) such other functions of the Department (including functions imposed under an order of any court) with respect to the administration of health and social care as the Department may direct.
- Section 2(1) the duty to promote in Northern Ireland an integrated system of health care designed to secure improvement in the physical and mental health of people in Northern Ireland and in the prevention, diagnosis and treatment of illness, and
- Section 2(3)(g) the duty to secure the commissioning and development of programmes and initiatives conducive to the improvement of the health and social well-being of people in Northern Ireland, and
- Section 3(1)(b) the power to provide, or secure provision of, such health and social care as it considers appropriate for the purpose of discharging its duty under section 2; and do anything which is calculated to facilitate, or is conducive or incidental to, the discharge of that duty.
Providing strategic oversight and coordination of the implementation and ongoing delivery of regional vaccination programmes; provision of resources for health professionals and the public; interventions to improve uptake; disease and vaccine coverage surveillance; investigation, and management of cases, outbreaks, and other immunisation incidents; and provision of expert advice to policy makers, commissioners, providers and the public.
In this instance the public task relates to the functions of the Public Health Agency which the Agency exercises on behalf of the Department of Health for:
- the health improvement functions mentioned in section 13 subsection (2);
- the health protection functions mentioned in section 13 subsection (3); and
- obtaining and analysis of data and other information in section 13 subsection (4).
Domestic use COVID certification regulations (The Health Protection (Coronavirus, Restrictions) Regulations (Northern Ireland) 2021) have been enacted in NI as a measure to mitigate the spread of COVID infection.
The COVID Certification Service supports a range of digital and non-digital services to enable citizens to evidence their COVID status to required standards (for the purpose of mitigating the rate of spread of COVID infection within NI, and as a result of international travel).
Some of the data processed relates to health data which is described as ‘special category data’. In relation to that processing, the following UK GDPR conditions apply:
- Article 9(2)(h) – the processing is necessary for medical diagnosis, the provision of health treatment and management of a health and social care system.
- Article 9(2)(i) – the processing is necessary for reasons of public interest in the area of public health.
- Article 9(2)(g) – the processing is necessary for reasons of substantial public interest.
- Data Protection Act 2018 Schedule 1, Part 1 (2) – Health or Social Care Purposes
- Data Protection Act 2018 – Schedule 1, Part 1 (3) – reasons of public interest in the area of public health
- Data Protection Act 2018 – Schedule 1, Part 2 (6) para (1) – for reasons of substantial public interest.
- How will my data be processed?
Your data will be processed in line with data protection legislation requirements and in a manner that ensures appropriate security of your personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures. The app asks your permission to use the camera functionality on your phone to capture a ‘selfie photo’. The photo is stored on your phone only, to allow it to be displayed on your phone alongside the domestic QR code, to show on the certificate screen display. The app does not share your sensitive photo information with anyone; it remains locked on the phone. The photo is deleted when you uninstall the app.
- Do I need to give my consent?
While you will voluntarily choose to use the CCS service and/or the associated App, we do not process your data on the basis of consent in relation to data protection legislation (see section 5).
- Where do you get my personal data from?
Much of the data we use will have been provided directly by you when you book your COVID-19 vaccination appointments, or when you have booked a test, (or by someone who booked these on your behalf), or when you call to begin the process for getting an exemption certificate. To support this the CCS will receive data directly from:
- Information you provided when booking your appointment and when attending for your vaccination, from the Vaccine Management System (VMS)
- Information you provided when starting the exemption certificate process and information provided by your GP/Clinician regarding the outcome of the decision regarding your medical exemption application.
- Data you enter onto the NIDA/Surecert portal for the purpose of identity verification, when you access the portal on NI Direct to prove your identity.
- Data you enter on behalf of your dependent children under the age of 18 for the purposes of identity verification for overseas travel once you have confirmed your identity via the NIDA/Surecert portal
- Information about PCR tests you have undertaken, from the data processed by BSO from the CTR, on behalf of PHA.
- Do you share my personal data with anyone else?
We may share your data with organisations who carry out functions on our behalf as ‘data processors’, in relation to the CCS. Details of the data processors have been added in Annex A.
Separately, you may choose to share your Covid Certification data as part of verification requirements for access to travel, or to gain entry to certain events, or hospitality premises. Where a tour operator, organisation, or business needs to verify your Covid Status, they can use the separate COVIDCert NI Verifier App, which the Digital Health and Care NI team have developed and made available for the purposes of enabling your Covid Certificate to be scanned by an organisation who needs to verify your Covid Status. They will use the Verifier App to scan your 2D Barcode on your Covid Cert App, or paper copy certificate. The organisations who use the Verifier App will be the data controllers for that processing and should provide you with separate privacy notices to explain how they use your data. The Department will not process any of your personal data on the COVIDCert NI Verifier App, however in the spirit of openness and transparency the Department has published a Privacy Notice, which explains how the App works, using data minimisation techniques to enhance data protection and privacy and ensure public trust in the use of the App.
- Do you transfer my personal data to other countries?
No. Your data will be processed within the UK.
- How long do you keep my personal data?
We will only retain your data for as long as necessary, in line with our Retention and Disposal Schedule (Good Management, Good Records – GMGR). For cases where additional checks or more data are needed to support verification (e.g. the name you provide online doesn’t match your name on your passport), we may need to retain your data for up to 30 days. In all cases your data will be deleted once any queries or investigations are complete in line with GMGR.
Your vaccine record on the CCS data store is retained for a day. Your data sent to the secure printers for provision of a paper certificate is retained for 30 days.
We will only keep the record of you being issued a vaccine/exemption certificate in the CCS data store for a maximum of up to 1 year after the date of travel/certificate issue.
Recovery data is stored in the CCS data store for 180 days after the citizen’s PCR test date.
This may remain under review pending the outcome of the pandemic.
- What rights do I have?
The GDPR sets out the 8 rights that individuals have in respect of their data. These have been considered in respect of the NI COVID Certification Service as follows:
- The right to be informed
Individuals are provided with information about the collection and use of their personal data for the CCS, including what personal data is collected, the purposes for collecting, retention periods and potential sharing of data, as part of this privacy notice.
- Right of access
Individuals can ask for copies of the information that we hold about them. Individuals can contact the respective DPO as provided in Section 13 of this document.
- Right to rectification
Individuals can ask to have inaccurate personal data corrected or completed if it is incomplete. Individuals can contact the respective DPO as provided in Section 13 of this document.
- Right to erasure
GDPR introduced a right for individuals to have personal data erased (‘the right to be forgotten’), however the right is not absolute and only applies in certain circumstances.
- Right to restrict processing
Individuals have the right to request the restriction or suppression of their personal data, however the right is not absolute. While individuals can request that CCS stops processing their data, data will be held as set out in number ‘d’ above.
- Right to data portability
Individuals can ask CCS to share their information with another organisation (although this may not always be possible).
- Right to object
Individuals have the right to object to the processing of their personal data, including when the lawful basis for processing is public task. However, this is not an absolute right, and processing can continue if there are compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual.
- Rights relating to automated decision-making
Individuals will not be subject to solely automated decisions which may have a legal or significant impact on their rights. CCS uses computer systems to process personal data for the purposes of matching of citizen records to the vaccination data and eligibility of COVID certificate based on the data on the number of doses received by the citizen (this is further elaborated in Sections 3 and 4 of this document). However, app users can contact our helpline and progress their application manually if any issues are encountered. If you have any questions or concerns, please email us at firstname.lastname@example.org
If you want more detailed information on these rights, this can be found on the ICO website, at: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/
- How do I complain if I am not happy?
If you have a specific issue, or complaint, regarding the CCS and the COVIDCERT NI App, please contact – email@example.com
If you are unhappy with how your personal data is being processed by the CCS please contact – DPO@health-ni.gov.uk
If you have a specific issue, or query regarding your vaccine data from the Vaccine Management System, or a complaint in relation to the processing of this data, please contact – DPO.HSCB@hscni.net, or DPO.PHA@hscni.net
If you have a specific issue, or query regarding your test data from the Central Test Registry, or a complaint in relation to the processing of this data, please contact – DPO.PHA@hscni.net
If you have a specific issue, or query regarding your data and how it is processed for the purposes of the medical exemption certificate, or a complaint in relation to the processing of this data, please contact – DPO.PHA@hscni.net
If you are still not happy, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO). Should you have any concerns about how your data has been handled or remain dissatisfied with any response regarding the processing of your personal data, you can raise these concerns with the ICO, as follows:
Information Commissioner’s Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK0 5AF
Tel: 0303 123 1113
- Changes to this Privacy Notice
This Privacy Notice will be kept under regular review and any updated versions will be placed on our website.
- Useful links
Users can also refer to the following links for further information:
Vaccine Management System PN https://covid-19.hscni.net/vaccine-service-privacy-notice/
NIDA Privacy Notice https://www.nidirect.gov.uk/articles/nidirect-web-service-privacy-notice
PHA Privacy Notice https://www.publichealth.hscni.net/privacy-notice
All data processors are appointed under Data Processors Agreements in compliance with Article 28 of the UK GDPR, either via UK GDPR compliant contracts, or MoUs.
Under the terms of these arrangements HSCB is the data controller responsible for assessing that all processors listed below, except DoF/ESS, are competent to process personal data in line with UK GDPR requirements. DoH is responsible for assessing that DoF/ESS are competent to process data in line with UK GDPR requirements under these arrangements. This assessment will consider the nature of the processing and the risks to the data subjects.
Under Article 28(1) HSCB will ensure that it uses only processors that can provide “sufficient guarantees” (in terms of their expert knowledge, resources, and reliability) to implement appropriate technical and organisational measures to ensure the processing complies with the UK GDPR and protects the rights of individuals. DoH will ensure the same in regard to DoF/ESS.
Contracts or Memoranda of Understanding (MoUs) will be in place to govern relationships with the data processors, which set out the obligations of each party and the data controllers’ obligations and rights regarding the data that is being processed. All contracts adhere to established BSO Procurement and Logistics Services (PaLs) processes and legal input provided by BSO Department of Legal Services (DLS).
All data processing takes place within the UK area and as such is subject to legislation in the form of the UK – General Data Protection Regulation (GDPR).
The following provides a list of data processors involved in delivery of the system.
- Civica is a system integrator organisation who were chosen to develop the end-to-end CCS platform and are regarded as a processor contracted by the HSCB. Civica will provide support on an ongoing basis to the CCS configuration for the duration of its operation, as part of their contract.
- Kainos will provide the citizen vaccination data that is part of VMS, to be used by Civica in CCS to match against the user entered information and process the COVID certificate request where applicable. Kainos are contracted by HSCB.
- BigMotive is a software development company who were chosen to develop the CCS user interface and are responsible for the configuration of the CCS webforms and are regarded as a processor contracted by HSCB. BigMotive will provide support for user experience (UX) design on an ongoing basis for the duration of the CCS operation, as part of their contract.
- Department of Finance, NI Direct/NIDA – NIdirect is the official government website for Northern Ireland citizens which is run by DoF ESS. NICS Identity Assurance service (NIDA) is a service provided by DoF ESS via NI Direct for the purposes of identity verification. NIdirect aims to make it easier to access government information and services. It does this by working closely with Northern Ireland departments and other public bodies to collate key information based on users’ needs. DoH have a MoU in place with DoF/ESS, which covers provision of these services.
- Surecert are an identity service that have been engaged to provide secure identity verification. This service integrates with the NIDA service to provide real-time ID and Biometric identity checking service. Surecert are contracted by HSCB.
- HH Global – HH Global are a UK government approved (framework CCS RM6170) secure printing organisation who produce NI’s secure printed certificates. Certificate data is sent to HH Global over an encrypted transfer protocol. These certificates incorporate several secure elements around the QR code, bar code and print layouts. These are done in accordance with the Four Nation COVID Certificate letter spec (release 2). HSCB have a contract in place with HH Global for the provision of this service.
- Ernst & Young – EY are providing temporary technical resources to support the call centre volumes, manual matching and edge case workload in support of HSCB staff. They are also providing call centre services for medical exemption certificate applications. EY are contracted by HSCB via G-Cloud.
- Business Services Organisation (BSO) is a statutory organisation providing services as a data processor for HSCB and PHA. BSO are responsible for monitoring and managing all Microsoft contracts as commissioned and monitored by HSCB and PHA. They are responsible for all Civica environments user access and provision of new user hardware (PC and phones). BSO ITS are responsible for the supply and maintenance of user hardware. PHA and HSCB have overarching SLAs with the BSO for services including ITS. Their services are managed via appropriate agreements with PHA and HSCB. BSO also host the CTR and use this to store a record of citizens’ PCR test results received from the National Pathology Exchange (NPEx).
- Belfast Health and Social Care Trust (BHSCT). BHSCT is a statutory organisation providing VMS services as a processor for HSCB and PHA. BHSCT host the CCS application on their infrastructure. Their services are managed via appropriate agreements with HSCB and PHA.