The Scottish Government has launched Protect Scotland, a contact tracing app designed to assist NHS Test and Protect and help to reduce the spread of Covid-19. Following its launch, some organisations may be considering whether they should require workers or visitors to their premises to download the app.

How does the Protect Scotland app work?

The Protect Scotland app uses the Google/Apple exposure notification system, which is built around the Bluetooth functionality incorporated in smartphones.

The exposure notification system is a decentralised model, which means all data is held locally on the user's device until such time as he or she tests positive for Covid-19. Interactions are recorded using anonymous, randomised codes, together with information on the distance between the individuals and the duration of the interaction. This approach limits the amount of personal data that is collected, as interactions with other devices never leave the phone.

If a user tests positive, then they will be provided with a code by a Test and Protect contact tracer. When this is entered into the app, the app then informs a central database. The app regularly checks the database and if it detects a match between the database and a logged interaction, and that interaction involved the people being in contact at a distance of 2 metres or less for 15 minutes or more, then the user is alerted.

This is the same system as it used in Ireland, Northern Ireland and many other countries around the world.

You can read the Information Commissioner's views on the Google/Apple system in this opinion (PDF).

Is the Protect Scotland app compulsory?

No. Use of the app is voluntary, but people in Scotland are being encouraged to download and use it to assist with the Test and Protect contact tracing strategy and to try to reduce the spread of Covid-19.

It is anticipated that the Protect Scotland app will help to alert people of a potential risk more quickly and also detect interactions that may not be possible through manual contact tracing (for example, standing next to a stranger in a queue or on public transport).

Can I require my employees or visitors to use the Protect Scotland app?

Employers will need to think carefully about adopting any policy requiring workers to download the app.

The Scottish Government and NHS are the controllers in respect of the Protect Scotland app. No information would be available to a third party, such as an employer. If an individual tests positive for Covid-19, then the app automatically alerts other individuals with whom that person has had a relevant interaction. Contacts (and the employer) may also be contacted by the NHS Scotland Test and Protect manual contact tracers.

However, requiring workers to download and use the app may make the employer a joint controller for the purposes of data protection law. This may be the case even though no personal data would be available to the employer.

More generally, there are a number of practical issues to consider with a mandatory policy. For example:

  • Which device would the app be installed on? If people do not always carry a work phone with them (for example at the weekends or in the evening) then there is likely to be a limited benefit to installing it on the work phone.
  • If it is installed on a personal phone, how would you check whether the app has been installed (and is active and running)?
  • How can you check whether people are always carrying their phone? How will you know whether an worker took their phone to the supermarket at the weekend?
  • What happens if you operate in a sector where workers are not permitted to carry their phones on-site?
  • What do you do if someone's personal phone is not capable of running the app (because it is not an iOS or Android device or because it cannot run a new enough version of the operating system)?

There are also broader employment law questions. If a worker receives an alert that they may be at risk, what is your policy on what the worker needs to do next? How does your sickness policy deal with any requirement to self isolate?

These issues will require employers to consider a mix of data protection and employment law issues, and the particular infection risks within their workplace.

A better approach may simply be to promote the app within the organisation as part of the organisation's Covid-Secure workplace strategy and highlight the benefits of everyone using it.

What about other contact tracing apps?

A number of third party contact tracing apps and other solutions have appeared on the market in recent months. For example, some apps or devices do not collect any information but will make an audible noise when people are too close to each others. Other systems are much more intrusive and will track interactions between individuals and locations within a site and make that information available to HR or the person managing the system.

Each of these presents different challenges from a data protection and employment law perspective and will require a detailed data protection impact assessment to identify the potential privacy risks. Beware of claims being made by suppliers or the use of features that are overly intrusive.