For the health and safety of the customers and staff on this service, we are trialling the voluntary collection of the name and contact details of passengers on this service to support NHS Scotland’s Test & Protect. This information will be used to enable NHS Scotland to contact you should you have been on the service around the same time as someone who has tested positive for coronavirus. Contacting people who might have been exposed to the virus is an important step in stopping the spread. To assist us in doing this, CalMac and Abellio ScotRail have registered for the NHS Check In Scotland service. This service is based on registering for a unique QR code for the vessel or train carriage, which we will ask you to scan with your mobile phone. This will take you to either a webform or, if you have downloaded it, the Check In Scotland app, to complete the check in process.
Why is this data needed?
As stated above, the purpose for which we are asking you to provide your personal data is to assist with NHS Scotland’s Test and Protect strategy in relation to the coronavirus public health epidemic, and test if this method of contact tracing works in a public transport setting.
This will involve the gathering and, when required, the sharing of information with NHS Scotland as the responsible body for Test and Protect. Your data will not be used for any other purpose, and will not be shared with Transport Scotland, CalMac, Abellio ScotRail or any other transport providers.
In relation to the Check In Scotland service, the data you submit via the webform or the App will be automatically sent to NHS National Services Scotland to be held securely in an encrypted data store. This data will not be accessed unless required in response to an outbreak of the disease.
NHS National Services Scotland and locally based Health Board teams will use the data to contact trace those who were in the establishment at the same time as the positive case, and will provide guidance and support to those who may be advised to self-isolate.
What data will be collected?
Along with the date and name of the service and the time of your arrival and departure, the following personal data will be collected if applicable:
- your name
- contact telephone number.
If you do not have a telephone number, you have the option to provide
- a postal address
- or an email address.
Where multi-household groups are present, the contact details from a ‘lead member’ of each household, along with the number in attendance from each household within the group will be collected.
What is the lawful basis for collecting and sharing this data?
Under data protection law, GDPR Article 6, there are a number of lawful bases that allow NHS National Services Scotland and Public Health Scotland to collect, process and share personal information.
In this case, the lawful basis for processing your data is to help in the performance of a public task in relation to contact tracing (GDPR Art 6(1)(e) and section 8(c) of the Data Protection Act 2018).
How long will the data be retained for?
Your personal data, collected for the purposes stated in this privacy notice and will be held by us for at least 3 weeks (21 days).
All personal data will be held and disposed of in a safe and secure manner.
As defined in the data protection law, GDPR Article(s) 12-23, you have the following rights:
- The right to be informed about the collection and use of your personal data. This is outlined above.
- The right to access the information we hold about you. Also known as Subject Access Request (SAR). If you wish to exercise this right, please contact NHS National Services Scotland at email@example.com
- The right to request rectification of any inaccurate personal data we hold about you. In certain circumstances exemptions to these rights may apply. If you wish to exercise this right, please contact NHS National Services Scotland at firstname.lastname@example.org
Details of how to exercise these rights can be found in the Data Protection Impact Assessment for the Check In Scotland service.
Do you have a complaint?
If you consider that your personal data has been misused or mishandled, you can raise this with the data controller. In this instance, the data controller is the NHS National Services Scotland. If you remain dissatisfied you can make a complaint to the Information Commissioner, who is an independent regulator.
The Information Commissioner can be contacted at:
Information Commissioner’s Office Wycliffe House
Cheshire SK9 5AF
0303 123 1113
Any complaint to the Information Commissioner is without prejudice to your right to seek redress through the courts.