To support NHS Scotland's Test & Protect service, and for the health and safety of customers and staff, Check In Scotland must collect the name and contact details of visitors to venues around Scotland.
If you were at a venue at the same time as someone who's tested positive for COVID-19, the data we collect will be used by NHS Scotland to:
- contact you
- give you advice about what to do next
This is an important step in stopping the spread of COVID-19.
Why we collect contact details and other data
The purpose for which we are processing your personal data is to assist with NHS Scotland's Test and Protect strategy in relation to the coronavirus public health epidemic.
This will involve the gathering and, when required, the sharing of information with NHS Scotland as the responsible body for Test and Protect. Your data will not be used for any other purpose.
In order to assist in the containment of the virus, data that is manually collected by a venue will only be shared when it is requested directly by NHS Scotland.
In relation to the Check In Scotland service, the data you submit via the Check In Scotland online form or the Check In Scotland app will be automatically sent to NHS National Services Scotland to be held securely in an encrypted data store. This data will not be accessed unless required in response to an outbreak of COVID-19.
NHS National Services Scotland and locally based Health Board teams will use the data to contact trace those who were in the venue at the same time as a positive COVID-19 case, and will provide guidance and support to those who may be advised to self-isolate.
What data we collect
Along with the date and time of your arrival and departure, we will collect:
- your name
- contact telephone number
If you do not have a telephone number, you have the option to provide either a postal address or an email address.
Mobile app permissions
Certain device permissions are required to run the Check In Scotland app. For Android, this is a permission to allow the Check In Scotland app to use the phone's camera to scan a QR code. For iOS (Apple), camera and push notifications are required (the push notifications are required in relation to check-ins when the phone is not connected to the internet). These settings can be managed through the phone's settings section.
What is our lawful basis for collecting and sharing this data?
Under data protection law, GDPR Article 6(1), we have a number of lawful bases that allow us to collect, process and share personal information. In this case, the lawful basis for processing your data is 'legal obligation'.
In short, we are obliged to process the personal data to comply with the law which requires us to collect your data and share it with public health officers if they request it under The Health Protection (Coronavirus) (Restrictions and Requirements) (Local Levels) (Scotland) Regulations 2020.
How long will we retain the data?
Your personal data, collected for the purposes stated in this privacy notice, will be held by us for at least 3 weeks (21 days). All personal data will be held and disposed of in a safe and secure manner.
As defined in data protection law, GDPR Articles 12-23, you have the following rights:
- the right to be informed about the collection and use of your personal data, as outlined in this privacy notice
- the right to access the information we hold about you - also known as a Subject Access Request (SAR)
- the right to request rectification of any inaccurate personal data we hold about you
If you wish to change any of the information held about you, contact the venue you visited and give them your updated information. If you've been contacted by a contact tracer about your visit to a venue, but your information is wrong, email NHS National Services Scotland: firstname.lastname@example.org.
If you wish to make a Subject Access Request, email NHS National Services Scotland: email@example.com.
In certain circumstances exemptions to these rights may apply.
Details of how to exercise these rights can be found in the Data Protection Impact Assessment for the Check In Scotland service. This will be published online before the Check In Scotland service launches.
You can also read more about data protection on the Information Commissioner's Office website.
Do you have a complaint?
If you think that your personal data has been misused or mishandled by us, you can raise this with the data controller. In this instance, the data controller is the manager of the venue you're visiting. If you remain dissatisfied you can make a complaint to the Information Commissioner, who is an independent regulator. The Information Commissioner can be contacted at:
Information Commissioner's Office
Wycliffe House
0303 123 1113
Any complaint to the Information Commissioner is without prejudice to your right to seek redress through the courts.
A number of impact assessments have been completed. You can download these if you need to know any more about how Check In Scotland use your data or your rights: