Guidance

[Withdrawn] NHS COVID-19 app: privacy notice

Updated 28 March 2023

This guidance was withdrawn on

The NHS COVID-19 app closed down on 27 April 2023, so this content is out of date.

The app was managed by the UK Health Security Agency, which is an executive agency sponsored by the Department of Health and Social Care. From 27 April 2023, the app is no longer available and is no longer collecting data or providing a service to app users. This document broadly reflects the service provided by the app during its later stages.

Your data and privacy now the app has closed down

The data collected by the app, which cannot identify app users, will be held in line with the retention period set out in the Privacy Notice for the NHS COVID-19 app.

Find out why the app has closed down and where to find the latest guidance.


This publication was withdrawn on 27 April 2023

The NHS COVID-19 app closed on 27 April 2023, so this content is no longer current.

The app was managed by the UK Health Security Agency, which is an executive agency sponsored by the Department of Health and Social Care. From 27 April 2023, the app is no longer available and is no longer collecting data or providing a service to app users. This document broadly reflects the service provided by the app during its later stages.

Your data and privacy now the app has closed

The data collected by the app, which cannot identify app users, will be kept in line with the retention period set out in the Privacy Notice for the NHS COVID-19 app.

Find out why the app has closed and where to find the latest guidance.

Applies to England and Wales

This document supports the national rollout of the NHS COVID-19 app (the app) and will be subject to ongoing review and improvement.

The app supports the government’s response to the COVID-19 pandemic, which is performed by the UK Health Security Agency (UKHSA). We refer to this as the service in this privacy notice.

The lawful basis for processing information can be found below.

Versions of privacy information

This is the privacy notice for the NHS COVID-19 app.

For the privacy information for the NHS app, which allows English users to share their COVID-19 status for travel and offers various other services for users, read About the NHS app.

Other versions of this document have also been produced:

You can read more information about the app and the service it supports:

Introduction

This privacy notice relates to the national rollout of a mobile application (app) developed to contribute towards the response to the COVID-19 outbreak.

The app is branded as NHS Test and Trace and is managed by UKHSA, which is an executive agency sponsored by the Department of Health and Social Care (DHSC) and the manufacturer of the app. DHSC is the data controller when processing user personal data in connection with the app.

We are working with partner health services in:

  • Gibraltar
  • Jersey
  • Northern Ireland
  • Scotland

These ‘interoperability partners’ have created and maintain their own digital contact-tracing apps (like the NHS COVID-19 app). By working together, however, each provider can make sure that:

  • their digital contact-tracing apps continue to work across borders
  • when needed, you can continue to receive alerts in your digital contact-tracing app – for example, if you happen to be working in Scotland but are using the English and Welsh app

The app helps people manage their exposure to COVID-19 by informing those who are most at risk.

For more information on the definition of close contact see the description of the risk algorithm and the venue check-in section below for detail about venue alerts.

The venue check-in and venue alert system was decommissioned in February 2022. If you are using the latest version of the app you will no longer be able to check into venues.

The app uses a risk algorithm which is continually improved and refined.

If you have not updated your app, you will be using the original digital contact tracing provided by Apple and Google (the GAEN Mode 1) and the associated risk algorithm.

If you are using the latest version of the app, you will be using the latest digital contact tracing (again provided by Apple and Google, GAEN Mode 2) and the latest risk algorithm.

Using the most up-to-date version of the app will ensure you use the app safely and benefit from the latest guidance and support, which may not be available on earlier versions. GAEN Mode 2 and the new risk algorithm include several improvements that increase the accuracy of digital contact tracing in the app. To learn more see the description of the risk algorithm.

Read the section below on Your symptoms and ordering a test for information about some of the limitations of the app.

You can support the public health response to the COVID-19 pandemic by sharing information (on an anonymous basis) about whether the service and app are working as expected. For example, the data about testing and symptom checks helps NHS Test and Trace to understand how many people are booking a test or showing symptoms.

By using the app and sharing information, you will be making an important contribution to your community staying healthy and helping to save lives.

The app tracks the spread of the virus but does not track people. It provides important alert features that help manage risk and allows you to take appropriate action. The app also provides data which can help the government, the NHS and local services to better understand and manage the response to the COVID-19 public health emergency.

You can learn more about what we mean by terms such as ‘anonymous’ in our definitions and user data journey document.

This privacy notice is available in alternate formats including:

In Welsh:

How the app will help you (digital contact tracing)

The app is designed to make fast, accurate, digital contact tracing possible while protecting your privacy and identity. It uses as little of your personal data as possible.

Contact tracing depends on being able to determine when a person who has tested positive for COVID-19 could have become infected.

Manual contact tracing involves asking an infected person to remember who they have been in contact with; the person can only identify the people they know.

The app supports contact tracing through your phone, without needing to know anyone’s names or identities.

The app includes a notification feature which will alert you if:

  • you have been near another app user who tests positive for COVID-19
  • your local area has a changed risk status or, when appropriate, a variant of COVID-19 is identified as being of concern for your local area (these are called variants of concern)

If you have these notifications switched on, the app will send reminders about notifications and alerts until they are acknowledged.

If you test positive, the app will ask you to allow those you’ve been in contact with to be alerted. It uses technology developed by Apple and Google called ‘exposure notification’ and ‘exposure logging’ to do this. The people notified will not know who you are. See the section on digital contact tracing for details of these terms and the process.

The app also allows you to:

  • view the current risk in your local area and whether there is a variant of concern in your area
  • check your symptoms in line with the latest public health advice on GOV.UK
  • count down, if relevant, to help you protect others by either self-isolating or being careful who you are in contact with
  • when prompted to get the latest public health advice about either self-isolation or being careful who you are in contact with:
    • declare that you are fully vaccinated (if you are)
    • declare that you are under the age of 18 (if you are)
    • state that you are medically exempt from vaccination (England only) (if you are)
    • state that you are part of a COVID-19 clinical trial (if you are)
  • order a test, via a link to the GOV.UK website
  • add your test result to the app with an NHS-provided code
  • apply for financial support via the isolation payment service (Wales only)

Note: we do not take any steps to verify your self-declared lateral flow device (LFD) test result, your self-declaration of your age, vaccine status, medical exemption from vaccination status or participation in a COVID-19 clinical trial.

You are responsible for the accuracy of the information you provide. The advice provided by the app will be updated in line with your declaration. It is therefore important you provide accurate information to ensure you are provided with the appropriate advice, as your failure to do so could put yourself and others at risk.

For more information on Isolation support payments see the section below.

Note: applying for a support payment places you under a legal obligation to self-isolate. You will still be under this legal obligation even if you are not deemed eligible for the payment (Wales only).

Data the app uses

The app has been designed to use as little information and personal data as possible. All data that could directly identify you is only held on your phone, is never stored centrally, and is not shared anywhere else.

Any data that is provided from the phone will always be anonymised or aggregated, to prevent the NHS (or anyone else) from identifying you or others. This is referred to as the analytical data set.

You can read more about how we protect data through anonymisation.

After first installing the app, instructions will be presented to you about enabling permissions for the app to function. This includes:

  • entering the first part of your postcode (up to the space)
  • selecting the relevant local authority
  • allowing notifications

The app will also ask you to enable Bluetooth. This is necessary for contact tracing because the app calculates how near app users are to each other by evaluating the strength of each phone’s Bluetooth Low Energy signal.

The first part of your postcode before the space (the postcode district) is necessary to help you select your local authority.

Providing your postcode district allows the app to:

  • provide the most relevant local authorities for the user to select
  • tell you about the current risk level in your area
  • detail advice or services specific to your postcode district or local authority, such as additional testing in the near vicinity

Allowing notifications ensures that you receive the alerts as outlined above. Notifications can be turned off at any time via your phone settings.

Digital contact tracing

When you download the app to your phone, a code will be generated which will identify the app’s existence on your device.

This code changes every day (a ‘diagnosis key’), so that it cannot be associated with you or your phone.

Your app produces another randomly generated code every 15 minutes (known as ‘the broadcast code’). The broadcast code is collected by the app installed on other users’ phones when you come into close contact with them and is held there for 14 days. There is no way for another user to tell that a broadcast code collected from your phone relates to you or your phone.

Digital contact tracing is provided by Apple and Google, who use the terms “Exposure Notification” and “Exposure Logging” to describe:

  • the sharing of these codes between app users
  • retaining those details for a period where you may be at risk of infection
  • when appropriate, ensuring that a notification can be generated by the app

For example, if you receive a positive test result for COVID-19, the app will ask for your permission to make diagnosis keys available to other app users. These keys cover the period you may have passed on COVID-19 and allow other app users to be alerted. The app will also remind you to share your keys for a limited period.

If you agree, your diagnosis keys will be uploaded to the central system (the DHSC secure computing infrastructure, hosted on Amazon Web Services (AWS) UK). The central system will then add your diagnosis keys to the list provided to every app user’s phone. Each user’s app will check for any matches between the broadcast codes and diagnosis keys in the list.

The app uses complex cryptography to protect your and other app users’ anonymity while enabling diagnosis keys to be matched with the relevant broadcast codes. Where there are matches, you will get an alert that you’ve been in contact with someone who tested positive. The central system does not know who you have been in contact with and it doesn’t record any matches.
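The matching flow described above, as an added sketch that is not the app's or Apple and Google's code: each phone derives a 15-minute broadcast code from its daily key, and another phone later re-derives the codes from published diagnosis keys to find matches locally. The HMAC-SHA256 derivation, the `Phone` class and all function names are assumptions for illustration; the actual GAEN cryptography differs.

```python
import hashlib
import hmac
import secrets

INTERVALS_PER_DAY = 96  # one broadcast code per 15 minutes (figure from the notice)
RETENTION_DAYS = 14     # collected codes are held for 14 days (figure from the notice)


def broadcast_code(daily_key: bytes, interval: int) -> bytes:
    """Derive the code broadcast during one 15-minute interval of a day.

    HMAC-SHA256 is a stand-in chosen for this sketch, not the GAEN derivation.
    Without the daily key, codes from different intervals cannot be linked.
    """
    if not 0 <= interval < INTERVALS_PER_DAY:
        raise ValueError("interval out of range")
    msg = b"broadcast" + interval.to_bytes(2, "big")
    return hmac.new(daily_key, msg, hashlib.sha256).digest()[:16]


class Phone:
    """Hypothetical model of the state one handset keeps."""

    def __init__(self):
        self._daily_keys = {}  # day number -> random daily key (stays on the phone)
        self._heard = {}       # broadcast code -> (day, interval) when it was received

    def _key_for(self, day: int) -> bytes:
        if day not in self._daily_keys:
            self._daily_keys[day] = secrets.token_bytes(16)
        return self._daily_keys[day]

    def broadcast(self, day: int, interval: int) -> bytes:
        return broadcast_code(self._key_for(day), interval)

    def hear(self, code: bytes, day: int, interval: int) -> None:
        self._heard[code] = (day, interval)

    def prune(self, today: int) -> None:
        """Drop anything older than the retention period."""
        cutoff = today - RETENTION_DAYS
        self._heard = {c: t for c, t in self._heard.items() if t[0] > cutoff}
        self._daily_keys = {d: k for d, k in self._daily_keys.items() if d > cutoff}

    def share_diagnosis_keys(self, today: int, consent: bool):
        """Return (day, key) pairs for upload, only with the user's permission."""
        if not consent:
            return []
        self.prune(today)
        return sorted(self._daily_keys.items())

    def check_exposure(self, published, today: int):
        """Match published diagnosis keys against locally stored codes.

        Runs entirely on the phone; the central list never sees the result.
        """
        self.prune(today)
        matches = []
        for day, key in published:
            for interval in range(INTERVALS_PER_DAY):
                seen = self._heard.get(broadcast_code(key, interval))
                # Ignore a code heard on a different day than its key covers:
                # that would be a replay, not a genuine contact.
                if seen is not None and seen[0] == day:
                    matches.append(seen)
        return matches


def run_scenario():
    """Constructed scenario: Bob meets Alice, Carol only meets Bob."""
    alice, bob, carol = Phone(), Phone(), Phone()
    bob.hear(alice.broadcast(80, 10), 80, 10)    # old contact, outside retention
    for interval in (40, 41):                    # 30 minutes together on day 100
        bob.hear(alice.broadcast(100, interval), 100, interval)
    carol.hear(bob.broadcast(100, 50), 100, 50)  # Carol never met Alice

    today = 102
    refused = alice.share_diagnosis_keys(today, consent=False)
    central_list = alice.share_diagnosis_keys(today, consent=True)  # upload
    return {
        "no_consent": refused,
        "published_days": [day for day, _ in central_list],
        "bob": bob.check_exposure(central_list, today),
        "carol": carol.check_exposure(central_list, today),
    }


if __name__ == "__main__":
    print(run_scenario())
```

The central list in this sketch holds only daily keys; which phone matched, and when, is computed and kept on the handset.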

Details about the federated servers that support working with partner health service digital contact-tracing apps can be found in the interoperability section below.

While it is unlikely ever to happen, you should be aware that there are some circumstances in which another person might be able to identify that you were the person who had tested positive when they receive an alert. For example, if an app user had only been in contact with you and no one else, they would be able to infer who the infected person was when they received an alert. Digital and manual contact tracing both incur this risk.

If you have been in close proximity to other users who have tested positive, the app uses automated processing to advise you to take appropriate actions. This will take account of factors such as the duration of time you spent with other users and how near you were to them. Read more about how this risk-scoring algorithm works.

The app is routinely updated to account for the latest government public health advice.

As part of updating the app to account for the latest advice, if you receive an exposure notification, the app will then prompt you to enter your age (if you are under 18), your vaccine status, whether you are medically exempt from vaccination or have taken part in a COVID-19 vaccination trial, as a result of which the advice provided to you within the app may change. This information is private to you.

We use your declaration to:

  • update the advice displayed in-app
  • ensure that the app is working correctly
  • validate the public health impacts and insights from the app

The app reminds users that they can phone NHS 111 (get medical help) or NHS 119 (NHS COVID-19 emergency helpline) if they would like to discuss any advice to either self-isolate or to be careful who they are in contact with. It is appropriate to call NHS 111 or NHS 119 if you have any questions or concerns about your circumstances, what the alert means for you or what you need to do next (including whether it is appropriate to obtain a test).

For those under the age of 18, the app advises the app user to speak to an appropriate adult. Other guidance about COVID-19 is available from the NHS in England and in Wales.

The app also includes a countdown timer, to assist in managing any remaining time when the user is being advised to either self-isolate or be careful who they are in contact with.

Learning about and improving digital contact tracing

The digital contact-tracing technology used in the NHS COVID-19 app is provided by Apple and Google. This technology is known as the ‘Google Apple Exposure Notification system’ (or ‘GAEN’). GAEN, operating systems and data available from this system are constantly being refined.

These updates change the data that can be collected. They also make additional data items available which can help understand and manage public health.

GAEN can provide measurements around the interactions of users. For example, when you update your status in the app with a positive COVID-19 test result (and share your diagnosis keys), GAEN helps the app generate data to understand the level of risk of infection for other app users.

If you have interacted with another app user who has shared their status, the app will measure:

  • a measure of time
  • a measure of distance
  • the basis and calculation of risk

From these details, the app uses a scoring mechanism to determine the app user’s level of risk of getting COVID-19 as a result of close contact with an app user who may be infectious. If the risk of infection is significant, the app will issue an alert.

Without identifying either you or other app users, these measurements are sent to the DHSC secure computing infrastructure along with any self-declared vaccine status. This is separate to the analytical data set, detailed in the data the app uses section, but aligns with the same security and privacy standards.

Measurements include the approximate distance and duration of interactions, with the risk score that is calculated. The data collected covers a 30-minute time frame.

Your use of the app can never be monitored, and any data collected about you will not be used to identify you.

The collected information is used to:

  • assess if the risk algorithm used is working
  • understand if the risk score (calculated from interactions) accurately reflects the risk of COVID-19
  • make sure the risk threshold is working as intended and set at an appropriate level
  • benefit public health by learning and improving the app’s and service’s performance and advice

The data collected includes all exposure windows that are above the current risk threshold and a sample of those exposure windows that fall below. This enables the performance and behaviour of the app to be validated and monitored.

Your symptoms and ordering a test

The app allows you to:

  • check your symptoms
  • review appropriate advice
  • order a test (in line with wider COVID-19 government advice)
  • self-declare your age (if under 18) and vaccine status, medical exemption from vaccination status (England only) or your participation in a COVID-19 vaccine clinical trial
  • receive test results
  • review guidance on what to do next

Any information you enter into the symptom checker will be processed by the app and not shared with anyone else unless you choose to do so.

Entering relevant symptoms of COVID-19 into the app will trigger a recommendation to self-isolate.

If the app advises you to take a COVID-19 test, the app provides a link to GOV.UK to book a test. The website will open in a new window. This website will collect your contact details (in order to be able to provide the test) but this information will not be shared with the app.

The app seeks to provide you with the latest testing and isolation policy in England and Wales, as determined by the local authority you enter. The app will also look to provide you with the latest advice and information on self-isolation based on your test result, your test type and, if applicable, will recommend a follow-up or confirmatory test.

Note: there are and will continue to be instances where the app is not fully aligned with current testing and isolation policy (for instance, due to a recent change in policy or due to technical reasons). The app is advisory and if you have any questions regarding the information you receive on the app, then you can contact NHS 111, NHS 119 or visit the links in the app and in this Privacy Notice for the latest advice and guidance.

When a new testing scheme begins the app will provide you with the latest information and details. For example, these details include testing sites in your area and where to learn more about the particular scheme.

For more information about COVID-19 testing guidance in England and Wales, visit:

Booking a test via the app will generate a test code that will allow you to link your test result to the app automatically. If you test positive the app will ask you to share your diagnosis key (see Digital Contact Tracing above) with other app users. The test codes that link your test result to your app are only held in the DHSC secure computing infrastructure for long enough to send your app your test result. The test codes are deleted within 48 hours.

Where there are additional testing options for your area, the app will provide details about how to apply for a test including a link for more information.

The app is regularly updated with the latest information about testing policy and options.

Updating your test status in the app

Where you do not use the app to book your test, if you are issued with a code, you can manually enter this into the app to update the app with your test result.

The app will ensure you are provided with the appropriate advice about your isolation start dates. It will ask for additional details when necessary. For example, about when you started displaying symptoms.

If you enter symptoms after taking a test, the app will provide you with guidance about your isolation period.

If you test positive for COVID-19, the app will prompt you to share your diagnosis keys and enable the alert process detailed above.

The app aims to provide you with the latest advice, guidance and information on COVID-19, based on the information provided. This includes testing options, information for your area and isolation information. If you require further information or wish to check any advice, you can always seek further advice from:

  • NHS 111
  • NHS 119

Or visit:

If you have concerns about the advice you receive, see the advisory nature of the app and automated individual decision-making including profiling section about the steps you may take.

Venue check-in

The venue check-in and venue alert functions were decommissioned in February 2022. This section has been retained in this document for archive and reference purposes. If your app still shows the venue check-in features, update it to the latest version.

When you use venue check-in for the first time, it will ask you for permission to use the camera on your device in order to ‘check in’ to venues. These are venues which display an official NHS COVID-19 app QR code poster.

If you check into a venue, information will be stored on your phone as a record of the visit, which can be reviewed at any time over a rolling 21-day period.

The information captured by the QR scan will include details of the venue, including its postcode, and the time of your visit. These details are only stored on your phone.

When a venue is identified as high risk by public health officials, it is added to the reference list provided to all app users. Your app checks to see if you have checked in to any of these venues during a time when it may pose a risk of infection.

When you are at risk of infection, the app will issue an alert. If you have any symptoms or feel unwell at the time of the alert or in the following days, you should use the symptoms checker which may advise you to book a test.

The venue alert functionality has no link to self-isolation payment eligibility.

You will also be able to use your venue check-in to remind you where you have been and to identify the specific venue, if you are talking to a contact tracer or providing details to the Contact Tracing Advisory service after testing positive.

Unless you choose to disclose this information, this information is private to you and will not be shared with anyone else. You have the option to delete this information at any time by removing either the whole record, or record of individual venues from the list held on your phone.

Isolation support payment

Isolation support payments in England ended in February 2022. This section has been retained to cover the provision of payments in Wales.

The Isolation Support Payment function allows you to trigger the process to explore if you are eligible to receive the isolation support payment.

This is applicable when you are advised to isolate due to being in close contact with another app user, who has tested positive for COVID-19.

If you choose to apply for financial support, the app will take you to a website to complete the necessary details.

You will need an NHS Login to progress through the financial support eligibility process. If you do not have one, you will be given the opportunity to create one during the process. More information about the NHS Login can be found on the NHS Login website.

Residents of Wales can find out more about the scheme via the self-isolation support scheme website and self-isolation support scheme website in Welsh.

Helping the public health response

When you use the app you will be helping your community stay healthy and save lives by sharing important information about COVID-19 in your region and how well the service and the app are working. The app supports this in the background by sending anonymous information about how the functions of the app are being used to NHS Test and Trace. This is called the analytical data set.

Sharing this information is an essential part of the contribution you make to the public health response when you download and use the app. This data helps the NHS actively research, manage, plan and respond to the COVID-19 public health emergency across the country and in your local area.

The data shared by you to support the public health response is subject to routine review and may be updated.

This can be because of:

  • changes made by Apple and Google to their digital contact tracing technology and phone operating systems (iOS and Android)
  • our improvements to the app, support for other functions and options for app users
  • what we learn about COVID-19 and the public health response

All of these changes must meet the standards set for the app. They are strictly necessary for the purposes of the app and your use of it.

This information is also important to ensure the app is safe to use – providing accurate, consistent and effective public health-related advice, information and support to app users.

You can read more about what information on your phone is used for these purposes in the section compliance with the Privacy and Electronic Communication Regulations.

To learn more about how aggregate data from the app supports the work of NHS Test and Trace, see their privacy notice.

The app provides a public dashboard based on aggregated data. You can select local authorities in England or Wales to display the relevant information. There is a link to display details in Welsh.

Working with health services in Gibraltar, Jersey, Northern Ireland and Scotland

The app can work with other digital contact tracing apps to help break transmission of COVID-19; this is called interoperability.

We are working with partner health services in Gibraltar, Jersey, Northern Ireland, and Scotland. They use digital contact tracing apps through which interoperability will continue to allow app users to be alerted should they cross borders in these locations.

Digital contact tracing is supported across these locations by sharing (with the app user’s permission) the anonymous diagnosis keys for app users who have tested positive for COVID-19.

All partners use digital contact tracing apps based on Apple and Google’s Exposure Notification system (GAEN). GAEN prevents app users from being known to each other and protects your privacy from NHS Test and Trace, the DHSC and government.

How interoperability works

A positive test result for COVID-19 will trigger the app to ask for your permission to share diagnosis keys with other app users. With your permission, we will share these codes to allow users across England and Wales as well as Gibraltar, Jersey, Northern Ireland and Scotland to be alerted when needed.

We only share the diagnosis keys with partner health services. The diagnosis key is part of the Apple and Google functionality and no health service can identify an individual from these codes.

By only using the diagnosis keys, all partners keep app users anonymous from each other. We only share diagnosis keys to enable partner health service apps to appropriately alert app users.

Every partner uses a secure federated server to send and receive the codes. The servers do not know who you were in contact with and do not record any contact matches. To support the service and help app users receive alerts when appropriate, the interoperability service captures data to ensure the service is working as expected. No data that could identify app users is shared.

This contact matching only occurs on the app on your phone.

Working with other health services does not change the way each app works. It does ensure that you get the alerts you should get, regardless of which partner app your contacts are using.

Working together

Interoperability is governed by an agreement between all participating partners. As other countries release similar apps, more agreements may be reached to share diagnosis keys, enabling users of the NHS COVID-19 app to use it when visiting other countries.

We will add new partners where we can demonstrate continued benefits to app users whilst maintaining the protections to their identity.

The ability for app users who travel to receive alerts and enable others to receive alerts if they test positive is important to help stop the spread of COVID-19.

Your personal data

‘Personal Data’ is a term defined in law.

The following types of data are considered ‘personal data’ when they are on your phone, because they are being stored on a phone that is registered to you personally:

  • the postcode district you provide when you install the app
  • the local authority you select when the app prompts you
  • the symptom information you enter onto the app
  • your self-declared vaccine status, age declaration (if under 18), medical exemption from vaccination status (England only) or your participation in a COVID-19 vaccine clinical trial
  • the types of codes described above (being diagnosis keys and broadcast codes), which are generated every day and every 15 minutes respectively for contact tracing purposes

The app has been designed to ensure that, before data moves out of your phone and enters the DHSC secure computing infrastructure (see below), there is no way of telling that it came from your phone, or that it relates to you.

If you request a test code and obtain a test result, this information will be personal data both when it is on your phone and when held within the central DHSC systems. We have introduced significant technical controls to prevent this data being linked to an individual. The test code is deleted within 48 hours once it has allowed the correct test result to get to the correct app user.

DHSC has established strict controls of security, access and systems to monitor and restrict who can have access to this information and prevent anyone from being able to identify you. This is the same for any app user seeking a test and updating their status in the app.

The status of your data

The data held on your app is considered personal data but is only accessible to you.

Data within the app’s analytical data set has all direct identifiers removed and we aim to make your use of the app anonymous. For example, the IP address is removed and is not retained at any point.

The data items within the data set are a summary or count, apart from your area, test results and the technical details.

These technical details include:

  • device model
  • operating system version
  • the NHS COVID-19 application version being used on the phone

The analytical data set supports:

  • technical evaluation
  • public health

See our user data journeys for more detail.

What we ask of you

As a user of the app we ask you to:

  • download the app and use it daily
  • always keep the app ‘on’ and carry your phone when you are able to
  • consider the information, guidance and advice the app provides
  • ‘pause’ contact tracing by the app when appropriate
  • enter symptoms and take a test quickly when advised to
  • follow the relevant law or guidance for England or Wales if you test positive for COVID-19

If you test positive for COVID-19 the app will ask you to provide your diagnosis keys (digital contact tracing). This allows us to ensure all app users are provided with information that allows their app to alert them when appropriate.

The app will ask you to do these things, but it will not compel you in any way and no one will know anything about your personal use of the app. It does not record or track where you or other app users are (for example, at home or in a public space). The app does not identify you or your location to other app users (or, as noted above, the government).

You can delete the app at any time; you can also choose to delete the data held on the app.

Currently, resetting your postcode district within the app results in your details being deleted.

Lawful basis for processing personal data

We will adhere to our legal responsibilities. The legal basis for processing your personal data under the UK General Data Protection Regulation (UK GDPR) and Data Protection Act (DPA) 2018 in connection with the app changes depending on the purpose that the data is used for. The following lawful bases may apply where we process your personal data in connection with the app:

  • UK GDPR Article 6(1)(e) – the processing is necessary for the performance of its official tasks carried out in the public interest in providing and managing a health service
  • UK GDPR Article 9(2)(g) – the processing is necessary for reasons of substantial public interest on the basis set out in Part 2 of Schedule 1 of the Data Protection Act 2018 (para 6 (Statutory and government purposes))
  • UK GDPR Article 9(2)(h) – the processing is necessary for medical diagnosis, the provision of health treatment and management of a health and social care system
  • UK GDPR Article 9(2)(i) – the processing is necessary for reasons of public interest in the area of public health
  • DPA 2018 – Schedule 1, Part 1, Section 2(2)(f) – the management of health care systems or services
  • DPA 2018 – Schedule 1, Part 1, Section 3 – public health purposes

We will continue to develop the app following the Information Commissioner’s (ICO) contact tracing principles.

You can delete the app at any time and/or turn off notifications. If you choose to delete the app, you will not receive any notifications (alerts) from the app about COVID-19 and the data stored by the app on your phone will be deleted. If you decide to install the app again, you will need to provide the requested information again.

We will never share your personal data without your permission, and we will only process it as described in this privacy notice.

Under Article 22 of UK GDPR, we considered whether the app uses Automated Decision Making (ADM) as part of its processing of data. We consider that it does not but have complied with the legal and policy framework around Automated Decision Making and will continue to do so. We are taking all steps required to comply with these requirements.

There is more information in the Data Protection Impact Assessment (DPIA) prepared for the app by the DHSC.

You can find our Appropriate Policy Documentation (APD) setting out what special categories of personal data we process and why. We explain why we process this data while protecting your privacy. More detail can be found in our DPIA.

Compliance with the Privacy and Electronic Communication Regulations (PECR)

The app requires access to data stored on your phone and stores data on your phone. Regulation 6 of PECR governs how we access this data. This is only accessed and shared when strictly necessary to provide those services delivered by the app. These are further explained below.

Function: all features

In order for the app features set out in the rest of this privacy notice to function safely, we need to collect the following information from your phone:

  • phone model
  • operating system version
  • app version number
  • completion of onboarding
  • storage usage
  • data download usage
  • usage status

We need to know this information in case any features of the app do not function correctly on specific phone models or operating systems, so we can quickly remedy the issue and/or alert relevant users. This is necessary to ensure the app provides the working functionality you need to stay safe.

We also need to validate that you are using an up to date version of the app and have completed the onboarding process. This is necessary to ensure you are using the app safely and have the benefit of the latest guidance and support the app offers.

We need to know the storage and data download usage that the app is using. This is necessary to ensure the app is able to function and not using disproportionate amounts of storage or data.

We also need to validate that the app is properly receiving updates from our systems. We do this every 2 hours to ensure you have access to real time risk information. This is necessary to ensure you have access to the latest safety information.

In addition, the data items are used to ensure the core functionality is working as expected across devices and platforms. These include:

  • contact tracing
  • symptom tracker
  • isolation / ‘be careful’ status and reason
  • where relevant, your self-declared opt out status
  • test ordering, status and process
  • isolation support payments

The app collects data items to enable these functions to be monitored and validated. See the data protection impact assessment and data dictionary for more detail. This is aimed at ensuring that the app is operating:

  • accurately
  • appropriately
  • safely
  • securely

Where we are unable to resolve issues in the app using the data items detailed above, we will temporarily collect a technical data set to allow us to identify and fix those issues.

We will restrict the data collected to the relevant platform, operating system, version of the app or other technical category which appear to be causing issues. For example, we may collect crash reports generated by your phone if you are using a version of the app which is not working properly.

The data set is submitted to the app’s dedicated area in the DHSC secure computing infrastructure and only used to resolve these issues. For more information see the app’s data protection impact assessment.

Function: medical device efficacy and safety requirements

The app constitutes a medical device. To support accreditation as a medical device we are required to collect analytical data relating to:

  • contact tracing
  • symptom questionnaire results
  • isolation / ‘be careful for contacts’ status
  • swab test status

This information is necessary to ensure that the medical features of the app are working properly.

Function: check in to a venue

Note: the use of this data has been updated to reflect the decommissioning of the venue check-in service in February 2022.

This function did not require any data to be collected in addition to that listed above (Your personal data section).

Function: symptom checker

Any symptoms you provide using the app are collected to support the decision on the advice you will receive, in line with the medical device efficacy.

Function: isolation countdown

Any self-declared status you provide using the app is collected to assess the suggested self-isolation time.

Function: digital contact tracing

For the contact tracing functions within the app to operate effectively we need to validate that the level of alerts users receive is consistent with the wider risk environment. To calibrate the alert system in this way, it is necessary to have access to the following information:

  • relevant area (either postal district or local authority)
  • exposure events
  • pause button usage

Function: public health response

The following information allows us and public health authorities to learn more about the virus and its transmission and take effective measures to manage the response to the COVID-19 public health emergency:

  • relevant area (either postal district or local authority)
  • exposure events
  • symptom questionnaire results
  • isolation / ‘be careful for contacts’ status and reason
  • where relevant, opt-out status
  • isolation support payments
  • test status, test type and test process including confirmatory testing
  • exposure notification, reminders and pause button usage

By way of example, having information about exposure events within an area will help us identify and manage areas of increasing risk around the country and to see if exposure events are happening at the expected levels. Information about use of the pause button helps our understanding of how the function is being used and how it is impacting on exposure events and the risk of infection.

The provision of this information constitutes the valued contribution you will be making to the COVID-19 public health emergency response when you choose to download and use the app.

Data collected by DHSC to support these functions will be uploaded regularly from the app to a dedicated analytical area as explained in the following section. All data in the analytical area will be held in a format that does not identify an individual app user.

The DHSC secure computing infrastructure

The app is supported by a central DHSC secure computing infrastructure. The DHSC secure computing infrastructure only processes data that is confirmed as anonymised as it enters the infrastructure. The exception to this (if you start your test request journey in the app) is a test code and test results, which are held briefly as noted above.

Data in this DHSC secure computing infrastructure will be made available only to individuals that have been formally authorised to access it. Information will only be able to be transferred from this DHSC secure computing infrastructure to another system if appropriate, and after an updated Data Protection Impact Assessment has been carried out.

The test codes that link your test result to your app are only held in the DHSC secure computing infrastructure for long enough to send your app your test result. The test codes are deleted within 48 hours.

We have put in place organisational safeguards to ensure separation between all technical data that is used to check the app is working and the analytical data which can only be used for approved public health purposes. With these controls, monitoring and safeguards in place we conclude that the risk to data privacy of an app user being identified by a combination of factors (e.g. phone model and operating system, plus postcode district), would be negligible to non-existent.

Any use of data and information generated or collected by the app will comply with Data Protection law and the Common Law Duty of Confidentiality (where applicable).

Retention of data

Data held in the DHSC secure computing infrastructure will not contain direct, indirect or consistent identifiers. This means that the retention of this data should not be considered within the legal context of UK GDPR/data protection. However, limits for the retention of data sets and records need to be set even where the data does not constitute personal data. This applies to the analytical data explained above.

Retention of records associated with the app is likely to fall into 2 categories. These categories are records which are used to:

  • hold organisations to account and are held for 8 years
  • monitor communicable diseases, for example in the COVID-19 public health emergency, and are retained for 5 years (if they contain personal data which is not the case in this instance) and 20 years for anonymous data, prior to any review

Retention of these records is governed by the relevant Section 46 Code of Practice, Public Records Act and statutory duties of the organisation accountable (DHSC).

Most data is retained only on the user’s phone. Diagnosis keys (the ones used for contact tracing) are retained on the user’s phone for 14 days and are then deleted (14 days is the incubation period for the virus). The self-declared status is kept for the period set out in the retention of data section below.

Submitted diagnosis keys are retained on the DHSC secure computing infrastructure for 14 days and then deleted. So, the maximum age of a daily code that has been distributed to the DHSC secure computing infrastructure is 28 days. For self-declarations, the app will retain a note that you self-declared for the relevant isolation period plus the 14 days. This enables the app to continue giving relevant advice.

The test codes that link your test result to your app are deleted within 48 hours.

The self-isolation payment token is deleted once the CTAS application is started. It is expected this will occur within 24 hours, however, deletion is dependent on how quickly the user moves through the process. If they do not progress for any reason and therefore do not reach the CTAS application stage, the token will be deleted within 14 days.

QR codes that are scanned by the user when visiting venues are automatically deleted after 21 days. The choice of 21 days takes into account the 14-day incubation period, and the infectious period of the virus. The codes are only accessible to the app users.

Note: the February 2022 changes to both the QR system and self-isolation payments (in England) do not affect data already held on users’ phones. This will be deleted as per the time periods set out above.

The retention settings will follow the latest government advice and therefore may increase or decrease.

Your rights under the Data Protection Act 2018 and UK GDPR

By law, you have a number of individual rights, such as the right to know what personal data is held about you. You can ask an organisation for copies of your personal information verbally or in writing. This is called the right of access and is commonly known as making a Subject Access Request or ‘SAR’. However, these rights are mostly only available when the data controller (in this case DHSC) holds information that can identify you. As the app is designed to prevent DHSC being able to identify you, DHSC may not be able to respond positively to any requests for access to personal data, or any other rights you may wish to make to us directly.

You may however readily access personal data held on your phone, as there is a feature on the app that allows users to view the data held on the app. You can also exercise your right to object and be forgotten by removing the app, deleting the data held by the app, or deleting the list of individual venues you have visited within the app itself.

As the app user is not identifiable within the DHSC secure computing infrastructure, we have aimed to provide you with functionality within the app wherever possible. Once data is received by the app’s DHSC infrastructure we ensure that app users cannot be identified.

The advisory nature of the app and automated individual decision-making including profiling

Any notifications provided through the app are advisory only. If you have any concerns about the app’s advice to self-isolate or seek a test, you are advised to contact NHS 111, NHS 119 or an appropriate healthcare professional who will be able to provide you with the appropriate information.

As noted above, the app makes every effort to provide advice that is in line with the latest testing and isolation policy. There are, however, limited circumstances in which the app may generate advice (automatically) that differs from current policy in England or Wales or is specific to app users.

We continually assess these circumstances and assess how best to address them. As part of these assessments, we consider the latest public health advice and policy to determine the priorities of the app’s development and, where appropriate, introduce mitigating measures for any potential negative impacts.

We always consider the primary objective of the app, to reduce the spread of COVID-19, as part of our assessments.

In addition to our ongoing work to improve the app, we take the following steps to ensure the latest advice is provided to users:

  • Ensure on screen advice includes links and support
  • The app provides a link to our frequently asked questions pages
  • Provide information on support provided by NHS Test and Trace, in England
  • Provide information on support provided by Test, Trace, Protect in Wales

Right of access and requests for information

You can always access your data in the app. Further information about ‘Managing my data’ can be found in the frequently asked questions. An equivalent for the Welsh service can be found at this frequently asked questions website.

Right to be forgotten

You can choose to delete the app and the data it contains.

Right to object

You can choose to delete the app, the data it contains or specific venues.

Other data subject rights

The right to data portability does not apply as the lawful basis is not consent or a contract. See the DPIA for more detail. The rights to rectification and restriction of processing are not available as we cannot identify app users’ data within the DHSC infrastructure.

Your rights

Information about your rights and how to use them is available from the Information Commissioner’s Office.

Please note that the DHSC secure computing infrastructure does not hold any personal data about app users, except for any test codes and test results. It will not be possible to inform app users about their test code and result because it would require DHSC to collect further information and personal data just in order to satisfy this right. It would also undermine the privacy protection afforded to this data for the limited time that it is stored in the cloud.

If you are unhappy or wish to complain about how your information is used as part of this app, you should first contact the DHSC Data Protection Officer (DPO) to resolve your issue (see DPO section). If you remain unhappy, you can complain to the ICO.

Further information

If you would like more detailed information about the app, you can find this in the Data Protection Impact Assessment created for the app.

For more general information about COVID-19, go to GOV.UK/coronavirus.

Data Controller

A ‘Data Controller’ is the organisation that is legally responsible for deciding how and for what reason a user’s personal data is processed. For the NHS COVID-19 app, as noted above, the Data Controller is the government (DHSC). Data Controllers (where required) have a ‘Data Protection Officer’ who acts as a contact point for questions about your data. Details of DHSC’s Data Protection Officer can be found at the end of this information.

The app is being overseen by UKHSA, which is an executive agency sponsored by DHSC. DHSC has contracts or agreements with some other organisations that provide services in developing or supporting the app. The ones that will be processing personal data are:

  • Amazon Web Services (AWS) which hosts the central system (cloud server) that supports the app
  • The Health Informatics Service (THIS), which is hosted by the Calderdale and Huddersfield NHS Foundation Trust. THIS provides the ‘NPeX’ system which provides test results to the app (using the test code unique to the app)

These organisations can only work under instruction from DHSC and cannot use information they process for any other purposes.

These organisations’ details can be found in the DPIA.

Data Protection Officer (DPO)

The DHSC DPO is Lee Cramp, who can be contacted by sending an email to data_protection@dhsc.gov.uk

Security of your information

The system gives a high level of privacy protection, as the app does not collect or transfer any information that tells us who or where you are. This also means it cannot tell the NHS, people and organisations who have contributed to the development of the app, or any other app user, who or where you are.

In addition to the protections already explained above, we have implemented and maintain the necessary technical and organisational security measures, and policies and procedures.

These are designed to reduce the risk of:

  • the deliberate or accidental destruction of data
  • the loss of data
  • unauthorised access to or disclosure of the information collected by the app

This includes:

  • limiting access to those who can support the management of the app
  • using secure, privacy-preserving methods when details are shared between app users (see the Digital contact tracing section above)

Other privacy notices

Privacy notices relating to other parts of the NHS Test and Trace Programme:

Relevant information for isolation support payments