Privacy Policy - Easy Read
Contents
- What is this?
- If you need help
- How does the app work?
- Who are we?
- What information about me does the app use?
- Data about you when you first start to use the app
- Data about you if you test positive from COVID-19
- Data about you if one of your close contacts tests positive from COVID-19
- What does the alert mean?
- Data about you if you ask for a Self-isolation certificate
- What are you using my personal information for?
- Is the app legal?
- Who do we share your information with?
- How long do we keep your information?
- How do we look after your information?
- Does my personal information stay in the UK?
- What rights do I have about my personal information and how to use those rights?
- What about changes to this document?
- Glossary
What is this?
This document explains what personal information the Protect Scotland COVID-19 contact tracing app collects and how the app uses your personal information.
If you want to read the full privacy notice for the app, this is available here: https://protect.scot/privacy-policy-app
You should not use the app if you are in primary school or if you are under 12.
If you need help
If you are not sure what the app does or have difficulties understanding what this document says, you should talk to your parent, guardian or an adult you trust.
How does the app work?
You may like to watch a quick video on how the app works.
The app remembers when you have been within a close distance (less than 2 metres) to other app users for 15 minutes or longer – this is called a close contact. Close contact means there is a risk you may have caught COVID-19 if that other person has it, or you may have passed the virus to a close contact, if you have it. The app uses Bluetooth technology on your phone to decide who is a close contact. This is very technical, but here is a video that explains how it works.
If you have been in close contact with someone who has tested positive for COVID-19, the app will provide you with an alert to let you know about this and ask you to self-isolate to stop the spread of the virus.
Who are we?
We’re the Scottish Government, Public Health Scotland and NHS National Services Scotland. We are responsible for the app and how it uses your personal information.
If you have any questions, comments, complaints or requests about your personal information, you can contact us.
What information about me does the app use?
The app uses very little personal information about you. The app doesn’t know and can’t tell anyone who you are or where you are. Your privacy is safe!
Read on to see what personal information the app uses.
Data about you when you first start to use the app
| Your information | More information |
|---|---|
The “yes” answer when you first start to use the app (also known as your confirmation of app use) | When you download the app and you or your parent or guardian click “yes” to the question “Do you agree to continue and start using this app?” the app sends that answer to us. This is for us to count the number of people who have started using the app. We will not be able to tell who is using the app. |
Your IP address | Your IP address is a set of numbers assigned to your mobile phone. Your IP address is used to send small amounts of information from the app on your phone to us. The way it works is very technical, but this video explains how IP addresses work. Your IP address is used to send the “yes” answer to us securely using the internet. We do not keep your IP address and will not be able to tell who is using the app. The app itself does not know or keep your IP address. |
Your age group | When you first start to use the app, you will be asked to what age group you belong to. We ask this to give you the right information when you first start using the app. |
Data about you if you test positive from COVID-19
Sending an alert to other app users does not reveal your name or other details to other app users or to us. Likewise, you will not be able to tell who has received an alert. Read on below for more information.
When you test positive for COVID-19 the app uses the following data about you:
| Your information | More information |
|---|---|
Your test code, also known as your “authorisation code”. | Also known as your “authorisation code”. If you have tested positive for COVID-19, this is the code you can input into the app to allow your close contacts to receive an alert. Your test code is sent to you by text message. |
Your mobile number | This is used so that your contact tracer can send your test code to you by text message. The app itself does not use or keep your mobile phone number. If you don’t receive your test code within 24 hours you should contact the National Contact Tracing Centre or ask your parent or guardian to do so, as the Centre may have the wrong number and may need to send a new test code to you. If you are unsure what to do, you should ask your parent or guardian to do this for you. |
Your estimated date of infection | This date is used to provide alerts only to those close contacts who have a risk of having caught COVID-19 from you depending on when they were in close contact with you. |
Your diagnosis keys | As explained in this video, the app collects a small amount of information using Bluetooth technology when app users come into close contact with each other. This information is known as random IDs. When you input your test code into the app, the app sends us random IDs so that those close contacts who have a risk of having caught COVID-19 can receive an alert. The random IDs sent to us are called “diagnosis keys” and they are used to provide the alerts to your close contacts. Neither you nor we are able to tell who the close contacts are. We also anonymise your diagnosis keys and we share them with the relevant authorities in other countries so that the app can be used outside Scotland and that visitors to Scotland can use their app here. In addition, we count the number of all diagnosis keys sent to us. |
Your IP address | Your diagnosis keys are sent to us securely through the internet using your IP address. We do not keep your IP address and will not be able to tell whose app sent the diagnosis keys. The app does not know or keep your IP address. |
Data about you if one of your close contacts tests positive from COVID-19
If you have been in contact with someone who tested positive from COVID-19, you will receive an alert.
This notification does not identify the person who has tested positive for COVID-19. The app has no way to know who the person is; the app only knows that you have been in close proximity with someone who has tested positive.
The app will use the following data about you for that.
| Your information | More information |
|---|---|
Your alert (exposure notification) | If you have been in close contact with someone who has tested positive from COVID-19, the app will provide you with an alert (this is also called your exposure notification).
The alert does not say who the close contact is and the app has no way of knowing that. |
Your IP address | Your alert is sent to us securely through the internet using your IP address. We do not keep your IP address and we will not be able to tell who has received an alert. Nor does the app know or keep your IP address. We only count the number of alerts to understand how many people have received an alert from the app. |
What does the alert mean?
Receiving an alert does not mean you have COVID-19, but you need to let your parent, guardian or teacher (if you are at school) know about it as you may have to self-isolate, just in case.
You need to know that the alert is issued automatically by the app, not people. To understand more about why you have received an alert, please see here
There is more information about self-isolation here. Although recommended, the decision on whether or not to self-isolate is ultimately yours or your parent’s or guardian’s. If you think that the alert is wrong or if you need more information, you (or your parent or guardian) can call the National Contact Tracing Centre on 0800 030 8012.
Data about you if you ask for a Self-isolation certificate
If you have been told by the app that you need to self-isolate then you can use the app to send a self-isolation certificate proving you need to self-isolate to other people or organisations e.g. your employer or your Scottish Local Authority. You can also send a copy to yourself. Only one self-isolation certificate can be produced for you for a self-isolation period.
| Your information | More information |
|---|---|
Your email address | This is needed to send you your copy of the self-isolation certificate via email. |
Receiver email address | These are the email addresses of the people or organisations that you want to share your self-isolation certificate with (e.g. your employer or Local Authority). We send the certificate to them via email once you give us approval to do so. |
Your full postcode | If you want to apply for a COVID-19 self-isolation grant from your Local Authority we can send your certificate directly to them. To do this the app needs your full postcode to determine what Local Authority to send the self-isolation certificate to. |
Estimated end date of isolation | This is the date on which you will no longer need to self-isolate. |
Your Self-isolation Notice/Certificate reference number | This unique certificate number is included in your certificate. |
Self-Isolation certificate (Estimated end date of self-isolation, Your name) | If you ask for a self-isolation certificate, the app generates the Self-Isolation Certificate unique reference number and sends you a link where you can provide your name and the email addresses of the people or organisations you want to share your certificate with. Please give your name as you want it to appear in the certificate. Your employer may need this information for health and safety purposes. Local Authorities need this information to support your application for a self-isolation support grant. Your certificates are sent to the people or organisations you want to share them with using a secure email service (Gov.UK Notify). The certificate also shows the date on which you no longer need to self-isolate. |
Your request for a self-isolation certificate (when you click “continue”) | To count the total number of self-isolation certificates asked for. |
That a self-isolation certificate(s) has been sent and whether you’ve sent a self-isolation certificate to a Local Authority | To count the total number of self-isolation certificate emails that have been sent. To count the total number of self-isolation certificate emails sent to Local Authorities. |
What are you using my personal information for?
We are using your personal information so that alerts can be provided by the app letting you and other app users know that you or they may have been at risk of catching the virus. This is so that the spread of the virus can be stopped.
We are also using your information to understand and show how popular and useful the app is and to understand more about COVID-19.
If you have been advised by the app to self-isolate and want to ask for a self-isolation certificate we are using your information so that we can produce your self-isolation certificate. We also use your information to send your self-isolation certificate to yourself and other people or organisations you want to share your self-isolation certificate with.
If you want to learn more about the purposes for which we use your personal information, you can find full details here.
Is the app legal?
Yes it is. We have a legal obligation to protect the health of the people in Scotland, particularly during a pandemic like COVID-19. The app plays a very important part in helping us to do this.
The law also requires us to ask for your consent to provide you alerts. This is because the app provides the alerts in an automatic way (not involving humans). You can read more about alerts here.
We are also allowed to collect information to understand and show how popular and useful the app is and to understand more about COVID-19.
If you want to learn more about specific legal grounds for processing, you can find full details here.
Who do we share your information with?
We only share information about you with some organisations who help us making the app work. Below you can find details of the organisations that are involved with the app, and what they do.
For more information about the sharing of your personal information, please see here.
| Who receives your information | More details |
|---|---|
NHS Education Scotland and Amazon Web Services | NHS Education Scotland provides all the computers and the connections that the app needs to work properly. Amazon Web Services provide storage space for the app (these are known as the app servers). |
Our text message and email service | We use a text message service provided by UK Government’s Gov.uk Notify to send you the text message with your test code and estimated date of infection. We also use Gov.uk Notify to email your self-isolation certificate to yourself and the other people of organisations you want it to be sent to. |
Your Local Authority | If you have told us to send your self-isolation certificate to your Local Authority. Your certificate can be used to support an application for a self-isolation grant. |
Your Employer | If you have told us to send your self-isolation certificate to your Employer by giving us their email address and permission to send it to them. |
Other people | If you have told us to send your self-isolation certificate to other people by giving us their email addresses and permission to send it to them. |
How long do we keep your information?
We don’t keep your personal data for any longer than we need to. Most of the data about you is destroyed within a very short amount of time. If you tested positive for COVID-19 we may keep your SMS for a bit longer to ensure you receive it. If you have asked for a self-isolation certificate we may keep the email addresses provided for a bit longer to make sure your certificate is sent. Below, you can find more details:
| Your information | More details |
|---|---|
Your test code, estimated date of infection, date of COVID-19 test and mobile phone number | These are not kept longer than 72 hours. You may decide to keep your text message (which includes this information) on your phone for longer – this is your decision and you can delete it when you like. |
Your IP address | The app uses your IP address only for a few seconds every time information needs to be sent from your app to us. IP addresses are not stored and are deleted immediately once the information they are transporting has reached us. |
Diagnosis keys sent to us | We delete them after 14 days though we won’t be able to tell who the keys relate to or who sent them. |
Random IDs | These are deleted every 14 days from your phone. |
Your alert | We only count the number of alerts and do not keep any personal information if you receive an alert. |
The “yes” answer when you first start to use the app | We only count the number of people starting to use the app and do not keep any personal information when you or your parent or guardian click “yes” when you first start to use the app. |
Your age group | We don’t keep this information. |
Estimated end date of self-isolation period | This information is held on the app server until the email with your self-isolation certificate is sent to all the email addresses you gave us (typically within a short period within a range of a couple of hours). Gov.UK Notify holds this information encrypted for up to 3 days. |
Your Self-isolation Notice / Certificate reference number | This information is held on the app server for 14 days in order to check that only one self-isolation certificate is given to one person for a self-isolation period. |
Your self-isolation certificate (Your name, Estimated end date of self-isolation and Your Self-isolation Notice / Certificate reference number) | This information will be held by your Local Authority for seven years from the date when your application for a grant is received. If you do not submit an application for the self-isolation support grant within 28 days, then the Local Authority will delete your self-isolation certificate. You should check with your employer and any other persons and organisation who you allow your self-isolation certificate to be sent to how long they will keep this information. |
How do we look after your information?
We have experts in our team that help us make sure that the information we hold is secure and protected. We have also discussed the app with the Information Commissioner’s Office (this is a body that wants to ensure that your information is only used according to the law), and they have helped us check that the app is secure and your information is safe.
Does my personal information stay in the UK?
Yes, your personal information stays here in the UK. We only share your anonymous Diagnosis Keys with other relevant authorities in other countries in order to alert you and other app user when travelling, either in the UK or abroad.
To find out if your employer or any other person or organisation you sent your certificate to transfers your personal information outside of the UK you will need to check with them directly.
What rights do I have about my personal information and how to use those rights?
You have rights relating to your personal information which we need to comply with. You can read more detail about your rights here. The app does not use or store much personal information so not all of the rights apply. We have explained here how you can use your data protection rights that are applicable to the app. If you have any questions or concerns about your rights, you should discuss these with your parent or guardian.
- If you think the mobile number we have for you is wrong, you need to contact the National Contact Tracing Centre to get that updated and ask them to send you a new test code. If you are unsure what to do, you should ask your parent or guardian to do this for you
- If you think that an alert you have received is wrong, you have the right to challenge this. The decision to self-isolate is up to you or your parent or guardian. If you want to find out more about what the alert means, you can read some more information here and discuss it with your parent or guardian. If after that, you still want to talk to someone else, you can call the National Contact Tracing Centre on 0800 030 8012 or your existing contact tracer. If you are unsure what to do, you should speak to your parent or guardian, who can call for you
- If you want to stop using the app, simply use the “Leave” option on the app. You can uninstall the app at any time
- You can delete all personal information from the app using the settings on your phone
- If you are not happy with the way the app uses your information, you can complain about it to the Information Commissioner’s Office. There are details about how to do it here: https://protect.scot/privacy-policy-app#complain. If you are unsure you should speak to your parent or guardian, who can do this for you
- You can disable alerts using app settings and stop the collection of random IDs by turning off Bluetooth on your phone or using the “pause” option on the app
- You can access the exposure notifications sent to you by the app using the standard functionality of your mobile phone for checking notifications received.
What about changes to this document?
If we make changes to how we use your personal information, we will update this document and you will be able to see it when you install a new version of the app on your phone.
You can also review our latest Privacy Policy.
Glossary
You can find some definitions of terms used by the app here.
