Privacy notice for the Protect Scotland app

1. Introduction

This is the privacy notice for the Protect Scotland COVID-19 contact tracing app (also referred to as Protect-Scot) which can be downloaded to mobile devices from the Google Play and Apple Stores.

Protect-Scot is an app designed to help stop the spread of COVID-19 (alongside other public health measures) by telling you if you've been near someone who has tested positive with COVID-19 or by telling others who have been near you, if you test positive. Click here to learn more about how the app works. Please note that the app is not intended for children under 16.

This privacy notice sets out information about who we are, how we process your personal information and for what purposes, and your rights in relation to your personal information.

This privacy notice includes the following sections:

Privacy PolicyContents

1. Introduction
2. Controllers
3. Controllers’ contact details
4. Personal information we process
5. How we use your personal information
6. Disclosures of your personal information
7. Data retention
8. International transfers
9. Data security
10. Your rights
11. Your rights to complain
12. Changes to this privacy information notice
13. Related and third party services and websites
14. Glossary

Further information about terms that are used in this privacy notice is available here.

2. Controllers

Scottish Government, Public Health Scotland (PHS) and NHS National Services Scotland (NHS NSS) are controllers for the personal information processed in connection with the app. A controller determines the means and purposes of the processing of personal information.

Scottish Government, PHS and NHS NSS have the following roles in connection with the app:

Scottish Government: has commissioned the app and has strategic direction over it. Scottish Government is involved in policy and technical decisions regarding how personal information is processed within the app and the purposes of processing and is the lead controller.

PHS: is responsible for public health matters in Scotland and makes public health decisions about the app with Scottish Government. PHS is responsible for the National Contact Tracing Centre and decides whether certain limited personal information (mentioned in Personal information we process) is shared with the app.

NHS NSS: operates the National Contact Tracing Centre on behalf of PHS and decides whether certain limited personal information (mentioned in Personal information we process) is shared with the app. NHS NSS is also involved in the sending of authorisation codes to individuals who have received a positive COVID-19 test result.

You can read more about the controllers and other organisations (processors) involved in the app here.

3. Controllers’ contact details

Any questions, comments, complaints or requests regarding your personal information can be sent to any of us using the following details:

Scottish Government:

The Scottish Government Data Protection Officer
Victoria Quay
Commercial Street
Edinburgh
EH6 6QQ

Email: DataProtectionOfficer@gov.scot

Public Health Scotland: Data Protection Officer’s contact details are available in the NHS Inform Website.

NHS National Services Scotland: Data Protection Officer’s contact details are available in the NHS Inform Website.

4. Personal information we process

We collect, use, store and transfer different kinds of personal information about you as follows:

Personal information	Additional details	Where is this information received from?
Mobile phone number	If your COVID-19 test result is positive, your mobile phone number will be used to provide an authorisation code for you to enter into the app. The app itself does not use your mobile phone number.	Where is this information received from?
Estimated date of infection	If your COVID-19 test is positive, a contact tracer will estimate the date of infection. This is likely to be either the test date or the date of your first symptoms. The estimate can be based on the information you have provided.	This is taken from the CMS used by the National Contact Tracing Centre and is estimated by a contact tracer.
Authorisation code	If you have received a positive COVID-19 test result, you can enter this random authorisation code into the app to allow the random IDs that were collected during the relevant infectious time period to be sent to the app server and exposure notifications to be provided to other app users. Your authorisation code is sent to you by text message.	This is requested by the National Contact Tracing Centre only if you told them that you are an app user and that you want to receive an authorisation code. It is provided to you by text message, and is generated by the app and sent to you using the Gov.Uk text service.
IP address	Internet Protocol (IP) address is a numerical label assigned to your device by the mobile phone or the Wi-Fi service provider. This allows the app to communicate with the internet.	This is assigned to your device by your mobile phone or your router. This is automatically determined by your internet service provider.
Diagnosis keys	The app collects anonymous random IDs using Bluetooth technology when app users come into close contact with each other. If an app user receives a positive COVID-19 test result and inputs an authorisation code into the app, the random IDs that were collected during the relevant infectious time period are sent to the app server. These are known as diagnosis keys and are combined with the user’s IP address to send the data to the app server, after which the IP address is stripped off so the diagnosis keys are anonymous.	These are generated by the app.
Exposure notification	This is a notification provided by the app to an app user who has been in contact with an unnamed person who has tested positive for COVID-19, where the contact was recent enough, and for a sufficient time at a close enough distance, to mean that the app user receiving the notification may have been at risk of contracting the virus.	These are generated by the app.
Your confirmation of app use	This is your confirmation when you click “yes” to the question “Do you agree to continue and start using this app?” during the initial setup of the app on your device. This is combined with your IP address to send the data to the app server, after which the IP address is stripped off so the confirmation of app use is anonymous.	This is generated by the app after you click “yes”.

Some of the information mentioned above is personal information relating to health. This is because that data is only sent to the app server if there is a positive COVID-19 test result. Personal health information is considered special category data in terms of data protection legislation.

You can learn more about how your personal information is anonymised.

Metric Data

We collect and use statistical and aggregated data regarding the total number of app users, the total number of authorisation codes entered by app users and the total number of exposure notifications provided to app users. This is called metric data.

In order to count the total numbers of app users, authorisation codes and exposure notifications, an app user’s device sends a “count” to the app server:

When you click “yes” to the question “Do you agree to continue and start using this app?”;
Every time diagnosis keys are sent from your device to the app server after you have entered an authorisation code; and
Every time your device gives you an exposure notification

The app uses your IP address in order to send these “counts” to the app server. At this point this is considered your personal information, because it contains your IP address. Once the “count” reaches the app server (typically in no more than a few seconds), the IP address is deleted, and this “count” becomes anonymous and can no longer be associated with you or any other app user.

Metric data is collected on a Scotland-wide basis and is not considered personal information in law as this data will not directly or indirectly reveal your identity. We may hold this information indefinitely and collect this information to:

Allow us and members of the public to have visibility of the level of uptake and the potential of the app to reduce the rate of spread of infections of COVID-19; and
To gather information required to obtain formal regulatory approval (from the Medicines and Healthcare Products Regulatory Agency) and accreditation for the app

5. How we use your personal information

We will only use your personal information when the law allows us to do so and to the minimum extent possible.

These are the purposes for which your personal information is used:

Personal information	Purpose / activity
Mobile phone number	To send your authorisation code to you by text. Your authorisation code is needed for exposure notifications to be provided to other app users if you receive a positive COVID-19 test result.
Estimated date of infection	To identify the relevant time period during which other app users could have been infected if they were near an app user who has received a positive COVID-19 test result. The infectious time period is used to identify the relevant random IDs from the app user’s device who has tested positive, to allow exposure notifications to be provided to other app users who have been in close contact with the infected app user during the infectious time period and therefore could be at risk of having contracted COVID-19.
Authorisation code	To allow exposure notifications to be provided to other app users, if you receive a positive COVID-19 test result. This is also used to collect metric data.
IP address	To send information from your phone to the app server to allow exposure notifications to be provided to other app users and to collect metric data.
Diagnosis keys	To provide exposure notifications to app users and to collect metric data.
Exposure notification	To inform you that you may have been at risk of contracting the virus and to collect metric data.
Your confirmation of app use	To collect metric data.

What are the lawful grounds

These are the lawful grounds on the basis of which each controller processes your personal information for the above purposes:

Personal Data:

Mobile phone number
Estimated date of infection
Authorisation code
Diagnosis keys
IP address
Your confirmation of app use

Data Controller	Legal basis
Scottish Government	Necessary for performance of a task carried out in the public interest on the basis of The Public Health etc. (Scotland) Act 2008 section 1 (Duty of Scottish Ministers to protect public health) (GDPR Art 6(1)(e)) Necessary for reasons of substantial public interest for statutory and government purposes on the basis of The Public Health etc. (Scotland) Act 2008 section 1 (Duty of Scottish Ministers to protect public health) (GDPR Art 9(2)(g)) Necessary for reasons of public interest in the area of public health on the basis of The Public Health etc. (Scotland) Act 2008 section 1 (Duty of Scottish Ministers to protect public health) (GDPR Art 9(2)(i)) Necessary for scientific research or statistical purposes in the public interest (GDPR Art 9(2)(j))
NHS National Services Scotland	Necessary for performance of a task carried out in the public interest on the basis of The National Health Service (Functions of the Common Services Agency) (Scotland) Order 2008 Section 2 (Functions of the Agency) (duty to provide services in support of the functions of Scottish Ministers, Health Boards or Special Health Boards) (GDPR Art 6(1)(e)) Necessary for reasons of public interest in the area of public health (GDPR Art 9(2)(i))
Public Health Scotland	Necessary for performance of a task carried out in the public interest on the basis of Public Health Scotland Order 2019 section 4 (Functions of the Board, in particular (d) the protection of public health including those specified in section 1 of the Public Health etc. (Scotland) Act 2008 (duty of Scottish Ministers to protect public health)) and The Health Protection (Coronavirus) (International Travel) (Scotland) Regulations 2020, (Part 5 (Information Sharing – Power to use and disclose Information) (GDPR Art 6(1)(e))

Personal Data:

Exposure notification

Data Controller	Legal basis
Scottish Government	Necessary for the performance of a task carried out in the public interest on the basis of The Public Health etc. (Scotland) Act 2008 section 1 (Duty of Scottish Ministers to protect public health) (GDPR Art 6(1)(e)) Explicit consent (GDPR Art 9(2)(a)) Necessary for reasons of substantial public interest for statutory and government purposes on the basis of The Public Health etc. (Scotland) Act 2008 section 1 (Duty of Scottish Ministers to protect public health) (GDPR Art 9(2)(g)) Necessary for reasons of public interest in the area of public health on the basis of The Public Health etc. (Scotland) Act 2008 section 1 (Duty of Scottish Ministers to protect public health) (GDPR Art 9(2)(i)) Necessary for scientific research and statistical purposes in the public interest (GDPR Art 9(2)(j))
NHS National Services Scotland	Necessary for performance of a task carried out in the public interest on the basis of The National Health Service (Functions of the Common Services Agency) (Scotland) Order 2008 Section 2 (Functions of the Agency) (duty to provide services in support of the functions of Scottish Ministers, Health Boards or Special Health Boards) (GDPR Art 6(1)(e)) Explicit consent (GDPR Art 9(2)(a)) Necessary for scientific research and statistical purposes in the public interest (GDPR Art 9(2)(j))
Public Health Scotland	Necessary for performance of a task carried out in the public interest on the basis of Public Health Scotland Order 2019 section 4 (Functions of the Board, in particular (d) the protection of public health including those specified in section 1 of the Public Health etc. (Scotland) Act 2008 (duty of Scottish Ministers to protect public health)) and The Health Protection (Coronavirus) (International Travel) (Scotland) Regulations 2020, (Part 5 (Information Sharing – Power to use and disclose Information) (GDPR Art 6(1)(e)) Explicit consent (GDPR Art 9(2)(a)) Necessary for scientific research and statistical purposes in the public interest (GDPR Art 9(2)(j))

Automated decision-making

Exposure notifications: the generation of exposure notifications advising you to self-isolate is an automated process, not involving a human. This is carried out on the basis of the consent you provided when you started using the app.

The exposure notification includes the date of the potential exposure but does not include information about where and with whom the potential exposure took place, as we have no way of knowing this. You will receive an exposure notification if any of the random IDs stored on your device matches with a diagnosis key released by another app user by inserting their authorisation code into their device after that app user has received a positive COVID-19 test result. The app tries to match the random IDs on your device with the diagnosis keys on the app server every 2 hours. The exposure notification means that your device has been within 2 meters of that other app user’s device for at least 15 minutes within a 14 day time period during which that other app user could have passed the virus on to you. The 14 day time period from which the diagnosis keys are taken is the 14 days immediately prior to the authorisation code being inserted.

The app will advise you to self-isolate in line with current guidelines, and signpost you to further information. Although recommended, the decision on whether or not to self-isolate is ultimately yours. If after reading the additional information, you wish to discuss the advice to self-isolate and its implications, you can call the National Coronavirus Helpline (0800 028 2816). You also have the right to call the National Coronavirus Helpline to question the advice if you think the advice is incorrect so that you may then make an informed decision as to whether to self-isolate. If you have tested positive, you can discuss the notification with your existing contact tracer to understand the implications.

You can disable exposure notifications from the app settings at any time and/or uninstall the app from your device at any time although doing so will prevent you receiving exposure notifications.

Automated and semi-automated processing

When authorisation code is inserted, the device sends the diagnosis keys to the app server using the IP address of the device and these are held on the server anonymously to allow other app users’ devices to search for a match. The processing does not require consent as it is not based solely on automated processing as app users are required to take action to insert authorisation codes into the app.

Processing of anonymised random IDs: the processing of anonymised random IDs as a result of close proximity with other app users is also an automated process. To work, the app requires that location services are switched on on Android phones but the app does not use GPS location services or Google location services to track your movements. You can stop this processing of anonymised random IDs by disabling the Bluetooth feature of your device (and/or location on Android phones).

The processing does not require consent as the random IDs are anonymised. You also can delete the anonymised random IDs stored on your device using the settings and/or uninstall the app from your device at any time.

Storage and access to information on your device

The app stores and accesses information on your device (for example the diagnosis keys from your device are provided to the app server if you enter an authorisation code). For the purposes of the Privacy and Electronic Communications Regulations 2003, such storage and access is strictly necessary for the purposes of the service provided by the app.

6. Disclosures of your personal information

Your personal information is shared with the third parties set out below for the purposes/activities mentioned in the table set out in the section How we use your personal information.

Personal information	Party with whom personal information is shared
Mobile phone number	Data processors: NHS Education Scotland (NHS NES) who manage the digital infrastructure required for the app under a contract with Scottish Government UK Government’s Gov.uk Notify text service who send the authorisation codes and advise of successful delivery or non-delivery under a contract with NHS NES Amazon Web Services who host the app under a contract with NHS NES
Estimated date of infection	Same as above
Authorisation code	Same as above
IP address	Data processors: NHS NES Amazon Web Services
Exposure notification	Data processors: NHS NES Amazon Web Services
Your confirmation of app use	Data processors: NHS NES Amazon Web Services

The app can only be downloaded from the Apple app Store and the Google Play Store. In this regard they are independent controllers as owners of the app stores. Their processing activity is separate to the processing of personal information on the app. Furthermore, although Apple and Google have developed the technology on which the app is based, neither company obtain any personal information from the app or the exposure notifications.

7. Data retention

Personal information	Length of time this information is kept
Mobile phone number	This information is held on the app server until the text with your authorisation code is sent to you (typically within a short period within a range of a couple of hours) Gov.UK Notify holds this encrypted for up to 72 hours
Estimated date of infection	This information is held on the app server until the text with your authorisation code is sent to you (typically within a short period within a range of a couple of hours) Gov.UK Notify holds this encrypted for up to 72 hours
Authorisation code	This information is kept until your authorisation code is sent to you by text (typically within a short period within a range of a couple of hours) Gov.UK Notify holds this encrypted for up to 72 hours
IP address	The app uses your IP address only for a few seconds every time data needs to be sent from your device to the app server. IP addresses are not stored and are deleted immediately once the data they are transporting has reached the server.
Diagnosis keys	If you have tested positive, once your diagnosis keys reach their destination in the app server, the IP address is deleted, and the diagnosis keys become anonymous and you or any other app user cannot be identified from them The anonymous diagnosis keys are kept on the app server for 14 days to allow other app users’ devices to check if they have been exposed Anonymous diagnosis keys are retained on your device for as long as it takes to check for a match and are deleted thereafter
Exposure notification	Though we collect metric data regarding total number of exposure notifications in Scotland, we do not retain any information about exposure notifications individual app users have received You can delete app data using your device settings or select the 'Leave' function in the settings and uninstall the app at any time
Your confirmation of app use	This is identifiable to you when it is combined with your IP address, only for a few seconds to allow the app server to collect metric data regarding total number of people using the app. IP addresses are not stored and are deleted immediately once this information has reached the app server. At that point this information can no longer be linked to you.

The anonymous, random IDs which are held on your device when you come into close contact with another app users are kept for 14 days. This is a global policy set by Apple and Google.

We hold metric data indefinitely.

8. International transfers

Your personal information is not transferred outside the UK.

9. Data security

Click here to learn more about how the app works and the security measures used.

10. Your rights

You have the following rights under data protection laws in relation to your personal information.

Your data protection right	How to exercise your right
The right to access your personal information.	Since only very limited personal information is retained in a short term and temporary manner, it would not be possible to comply with this request.
The right to have personal information rectified if it is inaccurate or incomplete.	If you suspect your mobile number used to issue your authorisation code to you or your estimated date of infection are incorrect, please contact the NHS Scotland National Contact Tracing Centre Since only very limited personal information is retained within the app or the server and such information is retained in a short term and temporary manner, it would not be possible to comply with this request You have the right to contest and seek rectification of your exposure notification
The right to have personal information erased and to prevent processing.	If you want to delete the anonymous random IDs stored on your device you can do so using the device settings. You can also select the 'Leave' function in the settings and/or uninstall the app at any time Since only very limited personal information is retained within the app server and such information is retained in a short term and temporary manner it would not be possible to comply with this request
The right to 'block' or suppress processing of personal information.	Using settings you can disable exposure notifications and the collection of anonymous random IDs by turning off Bluetooth on your device. You can delete the anonymous data from your device at any time You can also select the 'Leave' function in the settings and/or uninstall the app at any time You can decide not to insert the authorisation code into the app to release the diagnosis keys Other than the above measures, since only very limited personal information is retained and such information is retained in a short term and temporary manner, it would not be possible to comply with this request
The right to portability.	Since only very limited personal information is retained in the app server and such information is retained in a short term and temporary manner, it would not be possible to comply with this request app functionality does not allow porting the anonymous random IDs from your device
The right to object to the processing.	If you want to delete the anonymous data stored on your device you can do so using the device settings. You can also select the 'Leave' function in the settings and/or uninstall the app at any time.
Rights in relation to automated decision making and profiling.	The decision on whether or not to self-isolate is ultimately yours. If after reading the additional information, you wish to discuss the advice to self-isolate and its implications, you can call the National Coronavirus Helpline (0800 028 2816) or your existing contact tracer to understand the exposure notification and to make an informed decision as to whether to self-isolate You have the right to call the National Coronavirus Helpline to question the advice if you think the advice to self-isolate is incorrect Using settings you can disable exposure notifications and the collection of anonymous random IDs by turning off Bluetooth on your device. You can delete the anonymous random IDs from your device at any time You can also select the 'Leave' function in the settings and/or uninstall the app at any time

Further information on your rights can be found on the Information Commissioner’s website.

If you have questions regarding your rights, please contact Scottish Government using the details set out in Controllers’ contact details.

If you have any specific questions to Public Health Scotland or NHS National Services Scotland, please contact the Data Protection Officer of that organisation using the contact details available in the NHS Inform Website.

11. Your right to complain

If you are unhappy with any aspect of this privacy information notice, or how your personal information is being processed in connection with the app, please contact Scottish Government using the details set out in Controllers’ contact details.

If you are unhappy with anything that either Public Health Scotland or NHS National Services Scotland have done, please contact the Data Protection Officer of that organisation using the contact details available in the NHS Inform Website.

If you feel any of us have been unable, or unwilling, to resolve your information rights concern, you have the right to lodge a complaint with the Information Commissioner's Office (ICO). The ICO is the supervisory authority responsible for data protection in the UK.

For further information, including independent data protection advice and information in relation to your rights, you can contact the Information Commissioner at:

The Information Commissioner
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Tel: 0303 123 1113.

Website: www.ico.org.uk

You can also report any concerns here: https://ico.org.uk/concerns/handling

12. Changes to this privacy information notice

We keep our privacy information notice under regular review.

This version was last updated on 11 September 2020. It may change and if it does, changes will be notified to you when you next start the app. The new notice may be displayed on-screen and you may be required to read and accept the changes to continue your use of the app.

We may also update this privacy notice as part of a version change to the app. In that case the updated privacy notice will be provided to you when you install the new version.

13. Related and third party services and websites

The National Contact Tracing Centre is subject to its own privacy notice.

The app may, from time to time, contain links to related and/or third party websites and services. Please note that these websites and services have their own privacy policies and that we do not accept any responsibility or liability for these policies or for any personal information that may be collected through these websites or services. Please check these policies before you submit any personal information to these websites or use these services.

The app has functionality allowing you to send your friends and family a suggestion to download the app. If you use this function, a notification is sent to your selected contacts using your chosen communication method (e.g. text, e-mail, Whatsapp message). These third parties have their own privacy notices according to which they process your information. We do not retain or store any such notification data.

14. Glossary

app server	The app server holds the anonymous diagnosis keys used by the app to allow those to be checked for a match with random IDs on other app users’ devices. The app server also collects metric data.
Authorisation code (referred to as “Test Code” in the app)	A random code entered into the app by an app user who has had a positive COVID-19 test result, to allow exposure notifications to be provided to other app users.
CMS	The National Contact Tracing Centre Case Management System provided by NHS NSS.
Controller	Any body which, alone or jointly with others, determines the purposes and means of the processing of personal information. Scottish Government, Public Health Scotland and NHS National Services Scotland are controllers in respect of personal information in connection with the app.
Diagnosis keys	Random IDs sent from a user’s device to the app server after that user has inserted an authorisation code on their app. We have explained here when diagnosis keys are considered personal information and when they are anonymised.
Exposure notification	A notification provided by the app to an app user who has been in contact with an unnamed person who has tested positive for COVID-19, where the contact was recent enough, and for a sufficient time at a close enough distance, to mean that the app user receiving the notification may have been at risk of contracting the virus. The notification does not include who the contact was with and where it was but does indicate date of potential infection.
IP address	A numerical label assigned to a mobile device by the mobile phone or Wi-Fi service provider. It is typically made up of 4 sets of numbers (e.g. 192.168.0.50). As a consequence of how data traffic passes across the internet, the IP address is inevitably transferred to the app server.
National Contact Tracing Centre	A service hosted within NHS NSS which will support the contact tracing function.
Personal information	Any information relating to an identified or identifiable individual who can be identified, directly or indirectly from that information.
Processor	Any body which processes personal information on behalf of the controller.
Processing	Any action or operation which is performed on personal information (whether or not by automated means) such as collection, recording, storage, use, disclosure and destruction of personal information.
Random IDs (also known as identifier beacons, keys, anonymous rolling identifiers and Bluetooth IDs)	These are random numbers used by the app to create exposure notifications on app users’ devices. You can learn more here.