The NHSS COVID Check App supports NHS Scotland's Test & Protect service. The App scans and reads QR codes containing an individual’s COVID vaccination status and automatically checks whether the QR code has been issued by a trusted authority.
The App is intended for use by appropriately appointed personnel (the "Verifier") who work in environments where verification of an individual's COVID status is required to be carried out. It is not intended for use by the general population.
The data processing
The data are processed within the App on the mobile device of the Verifier. The App reads the QR code presented by the individual and displays the data to the Verifier. The data are deleted once the verification process is complete. No personal data are collected, stored or transferred by the App.
What data are processed about the visitor
The App reads the QR code presented by an individual, which contains personal and other data, and allows the Verifier to read this information within the App only. The personal data contained in the international QR code and used by the App are:
- your name
- your date of birth
- the QR code expiration date
- your dates of vaccination
- what vaccine you received
- last test result
- recovery data, i.e. data that represents an individual who has recovered from COVID-19. This data is based on your test results where applicable.
Mobile app permissions
Certain device permissions are required to run the COVID Check App. These are required on the Verifier’s device only. An individual presenting a QR code to be scanned does not require any device permissions to be granted.
For both Android and iOS (Apple), this is a permission to allow the COVID Check App to use the phone's camera to scan a QR code. If the Verifier denies permission, a screen appears specifying that the permission is required for the App to work.
The App will need periodic access to the internet to download updates to the "public key" security mechanism used to decode the QR codes presented to it. It is recommended that you allow the App to download these updates every 24 hours; otherwise you may find that valid QR codes fail to scan successfully.
When the Verifier downloads the App, they explicitly give permission for file usage within the App. However, file usage is only used to store public keys in secure internal storage on the device where the App is installed, which then allows the App to verify QR codes from a trusted authority. The file usage permission is not used to store any data related to the Verifier’s personal or application usage, nor is it used to store any data read from a QR code.
Metrics on the usage of the App are captured. These are anonymous and cannot be used to identify you. The metrics are sent to Microsoft App Centre. Using this data, the NHS Scotland technical team can make useful observations such as error frequencies, request frequencies, service usage and oversight of the general activity. The metrics collected are:
- Active Users
- Daily sessions per user
- Session duration
- Device type
- Country the user is in
- Language used
- App version per user
- Public key used
Changes to our policy
This version was last updated on 10 September 2021.