- COVIDCare NI – Privacy Information
COVIDCare NI – Privacy Information
Privacy Notice COVIDCare NI (Symptom Checker) App– Department of Health (DoH)
Data Controller Name: Chief Digital Information Officer Group,
DoH Address: Castle Buildings, Stormont Estate, Belfast, BT4 3SQ
Data Protection Officer Name: Charlene McQuillan
Telephone: 028 9052 2353
This is the Privacy Notice for the COVIDCare NI (Symptom Checker) app which can be downloaded to mobile devices from the Google Play and Apple Stores. The app is designed to help the public in Northern Ireland keep up to date with the latest advice on the Covid-19 pandemic. It also provides a symptom checker feature. The app was developed on behalf of the Department of Health. This Privacy Notice provides a broad description of the way your personal information will be processed when submitted via the app.
Why are you processing my personal information?
The primary purpose of this app is to help the public in Northern Ireland keep up to date with the latest advice on the Covid-19 pandemic, helping users to:
- Decide if they have the symptoms of coronavirus infection;
- Depending on the severity of illness, know how to cope and what to do;
- Decide if they need to get clinical advice and how to access it;;
- Give advice to vulnerable members of the public;
- Provide links to trusted information resources;
- Direct individuals to be able to get an isolation note if they have to self-isolate;
- Provide an advice search function of FAQs that will be updated regularly;
The app will also help DoH and HSC to plan services and ensure that resources are directed to the areas of greatest need.
In order to process personal information DoH must have a lawful basis for doing so and at least one of the following GDPR Article 6 conditions must apply:
- Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
- Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
- Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
- Vital interests: the processing is necessary to protect someone’s life.
- Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
- Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
Processing of data submitted via the app is likely to fall under point 5 above. As the data relates to the processing of special category (health) data, the app must also comply with GDPR Article 9. The Article 9 conditions which relate to this processing include 9(2)(h) and (i).
What categories of personal data are you processing?
Information submitted by users of the app will not be used by the DoH for identification purposes. DoH recognises the importance of minimising the amount of personal data processed in order to protect individual’s identity and privacy. The only data requested by the app will be age and postcode. Age is required to enable us to provide suitable advice related to age and symptoms, while avoiding potential identification. Postcode is essential in terms of epidemiological value for helping us develop heat maps of symptom prevalence. The aggregated information of symptoms meeting the COVID-19 case definition and postcode will help in highlighting clusters of infection, augmenting intelligence around contact tracing, helping to mobilise resources to avoid another general lockdown. We will not be publishing any data that links postcode and age at an individual level, to preserve anonymity, but may use higher level aggregated data. Partial postcode is inadequate in epidemiological terms, as it is insufficiently granular.
The app asks users to indicate if they are adding symptoms for themselves or someone else, does the individual normally get invited for the flu vaccine, whether the individual is pregnant, whether the individual has a high temperature, whether the individual has a new or continuous cough, whether the individual lives with anyone with coronavirus symptoms. The data is sought in order to ensure that sufficient details are obtained to give correct and appropriate advice, related to the person concerned. This creates significantly less risk than using generalised information and asking the public to interpret and apply it to themselves.
Where do you get my personal data from?
Information is provided by the app user either about themselves or on behalf of someone.
Do you share my personal data with anyone else?
Information submitted via the app may be shared with HSC organisations for the purposes of health protection and surveillance. Information may also be shared with Public Health England for the purposes of national disease surveillance.
Information may also be shared with external organisations such as universities, auditors and survey/research organisations etc.
Extracts of information may also appear on HSC websites or in Press documents as appropriate across HSC organisations in Northern Ireland, the Department of Health and other government departments.
The minimum amount of personal data will only ever be shared and all sharing will be in compliance with Data Protection Law.
Do you transfer my personal data to other countries?
Information submitted via the app is stored in secure, cloud storage that is owned by the Northern Ireland Health and Care System and is located in the European Economic Area (EEA) in accordance with the national guidance at this link. This Health and Social Care facility will be transferred to secure, cloud storage specifically in the UK, but this may not happen prior to the end of the Covid-19 pandemic and decommissioning of the Covid-19 NI app. Data will not be shared outside of the EEA.
How long do you keep my personal data?
The length of time we keep your information for will depend on the types of records created. If you want to find out more about how long your records are retained, you can view the Department’s approved retention and disposal schedules – “Good Management, Good Records” section under “Disposal Schedule” on Department of Health’s website at this link.
What rights do I have?
The Data Protection Act 2018 and GDPR provide individuals with a number of rights relating to their personal data:
- The right to obtain confirmation that their personal information is being processed and access to personal information;
- The right to have personal information rectified if it is inaccurate or incomplete;
- The right to have personal information erased and to prevent processing, in specific circumstances;
- The right to ‘block’ or suppress processing of personal information, in specific circumstances;
- The right to portability, in specific circumstances;
- The right to object to the processing, in specific circumstances;
- Rights in relation to automated decision making and profiling;
Further information on your rights can be found on the Information Commissioners website at this link.
How do I complain if I am not happy?
If you are unhappy with any aspect of this privacy notice, or with how your personal information is being processed, please contact the Data Protection Officer at the following address:
Data Protection Officer : Charlene McQuillan
Department of Health (DoH)
Tel: 028 90522353
If you are still not happy, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO):
Information Commissioner’s Office
Tel: 0303 123 1113
Changes to this Privacy Notice
This Privacy Notice will be kept under regular review and any updates will be placed on this website.
Updated July 2020