The app is one method people can use to demonstrate their vaccination status for mandatory Covid status checks that are still in place for large events and nightclubs, though the vaccine passport scheme will end on Monday.
The Information Commissioner’s Office (ICO) has issued a reprimand to both bodies over their initial failure to provide adequate privacy information within the NHS Scotland Covid Status app when it launched to explain how people’s information was being used.
The watchdog said there had also been an ongoing failure to provide concise privacy information so the average person could realistically understand how the NHS Scotland Covid Status app was using their information.
The ICO said it now expects the Scottish Government and NHS National Services Scotland to act swiftly on the findings.
ICO deputy commissioner Steve Wood said: “People need to be able to share their data and go about their lives with confidence that their privacy rights will be respected.
“The law enables responsible data sharing to protect public health but public trust is key to making that work. When governments brought in Covid status schemes across the UK last year, it was vital that they were upfront with people about how their information was being used.
“The Scottish Government and NHS National Services Scotland have failed to do this with the NHS Scotland Covid Status app.
“We require both bodies to act now to give people clear information about what is happening with their data. If they don’t, we will consider further regulatory action.”
The watchdog said it received the full details setting out how the NHS Scotland Covid Status app would be using people’s information on September 27 last year, only three days before mandatory checks were due to be rolled out.
It said it had a number of concerns about the way the app was going to use people’s information, particularly the plans to let the NHS Scotland Covid Status app share the images and passport details of Scottish users with the software company providing the facial recognition technology behind the app.
The ICO said this proposal was there to help the company improve the facial recognition software behind the NHS Scotland Covid Status app, but would have been unlawful in these circumstances as it was not necessary for the app to function and served no benefit to the app user.
The watchdog advised the app should not be launched until its concerns about potential non-compliance had been addressed.
However, the ICO said the app was launched on September 30 last year as planned without fully addressing its wider concerns about compliance with data protection law.
A Scottish Government spokesman said: “The NHS Scotland Covid Status app was an important tool in our response to Covid-19 and has served a vital public health role during the pandemic.
“Following the ICO’s investigation, the Scottish Government accepts that the privacy information in the app could have made it clearer to users how their information would be used. However, it is important to stress that at all times people’s data was held securely and used appropriately.”