Concerns have been voiced by leading data privacy advocates regarding a new COVID-19 venue check-in app announced by the Scottish government.
The app, Check In Scotland, which is separate from the Protect Scotland contact tracing app, requires citizens to check into venues as the country reopens from pandemic-induced lockdowns.
As outlined on the Scottish government’s website, “Check In Scotland is a way to collect the contact details of people who visit a wide range of businesses and venues in Scotland. It’s designed to work with NHS Scotland’s Test and Protect.”
It has been created for use by certain businesses in Scotland – including pubs, bars, restaurants, cafes, hairdressers, beauticians and tattooists – in accordance with the law, which states that such establishments must collect and record the contact details of visitors to help track and trace people potentially exposed to the virus.
However, Ray Walsh, digital privacy expert at ProPrivacy, has warned of the potential data privacy issues that surround the use of the app, with particular focus on the fact that it collects and stores venue attendance information such as name, email address and mobile phone number, along with the time and date of venue visits, in a centralized database.
“This raises serious privacy concerns that will likely impact the number of people willing to use the app,” he said. “Any centralized repository of people’s location information results in a highly detailed record of their daily activities and potentially information about who they choose to associate with. This is highly revealing habitual information that results in the potential for pervasive government surveillance.”
Whilst the government has given assurances that any information collected will be used solely to prevent the spread of COVID-19, Walsh pointed out that a data protection impact assessment highlighted that there is nothing to stop the data from being exploited for secondary purposes using a warrant.
“There is no doubt that this data can cause a significant breach of people’s privacy rights, making it impossible for them to move around public spaces and venues without constantly informing the government about where they go,” he added.
Walsh argued that it is therefore vital that the government upholds transparent sunset clauses to ensure that data is deleted once it has served its purpose, as “failure to do so provides an ongoing threat to citizens’ privacy that is out of line with its promise to use the data only to prevent the spread of the virus.
“We urge the Scottish government to consider moving to a decentralized approach like that being used in the rest of the UK, where the app allows citizens to be informed about the risk to their health without their personal details and location information being harvested to a central database.”