Check In Scotland - Public transport trials

Check In Scotland is a voluntary scheme to collect the contact details of people who visit businesses, such as pubs, bars, restaurants and cafes. Check In Scotland is designed to work with NHS Scotland's Test and Protect contact tracing system to:

  • collect your details
  • alert you only if you came into close contact with someone at a business or venue who later tests positive for COVID-19

We, in collaboration with CalMac Ferries Ltd and Abellio ScotRail, are now exploring whether the same technology used in Check In Scotland for the hospitality industry can be used successfully on public transport.

Given the complexity of introducing such a scheme in public transport, we're focussing on ferry and longer rail journeys to test out the technology. Trials are now underway on CalMac’s Wemyss Bay to Rothesay, Gourock to Dunoon and Ardrossan to Brodick ferry services, and on one of Abellio ScotRail’s intercity trains.

By using QR code scanning on public transport, we aim to be able to identify those ferries and trains where infections occur and reach out to a larger number of people, helping transport operators manage passenger contact details and minimise the risk of coronavirus transmission.

How to use the Check In Scotland QR code

Check In Scotland will allow you to log your contact details by scanning the Check In Scotland Test and Protect QR code on the posters found on the vessel, or via the Check In Scotland app which can be downloaded from the Apple App and Google Play stores.

When leaving the vehicle, passengers should remember to “Check Out” to ensure that we know your journey has ended.

If you get an alert, you will be given some advice about what you should do next.

Anyone over the age of 12 can use the Check In Scotland service.

The service is designed to take as few details from you as needed. These details will be kept securely for 21 days before being deleted, unless someone who's part of the NHS Test and Protect response team needs to keep them for longer for public health reasons.

User survey

We're keen to hear what you thought of the QR code service. Please share your opinions of the trial with us.

Collection of personal data - Transport Scotland privacy notice

For the health and safety of the customers and staff on this service, we are trialling the voluntary collection of the name and contact details of passengers on this service to support NHS Scotland’s Test & Protect. This information will be used to enable NHS Scotland to contact you should you have been on the service around the same time as someone who has tested positive for coronavirus. Contacting people who might have been exposed to the virus is an important step in stopping the spread. To assist us in doing this, CalMac and Abellio ScotRail have registered for the NHS Check In Scotland service. This service is based on registering for a unique QR code for the vessel or train carriage, which we will ask you to scan with your mobile phone. This will take you to either a webform or, if you have downloaded it, the Check In Scotland app, to complete the check in process.

Why is this data needed?

As stated above, the purpose for which we are asking you to provide your personal data is to assist with NHS Scotland’s Test and Protect strategy in relation to the coronavirus public health epidemic, and test if this method of contact tracing works in a public transport setting.

This will involve the gathering and, when required, the sharing of information with NHS Scotland as the responsible body for Test and Protect. Your data will not be used for any other purpose, and will not be shared with Transport Scotland, CalMac, Abellio ScotRail or any other transport providers.

In relation to the Check In Scotland service, the data you submit via the webform or the App will be automatically sent to NHS National Services Scotland to be held securely in an encrypted data store. This data will not be accessed unless required in response to an outbreak of the disease.

NHS National Services Scotland and locally based Health Board teams will use the data to contact trace those who were in the establishment at the same time as the positive case, and will provide guidance and support to those who may be advised to self-isolate.


What data will be collected?

Along with the date and name of the service and the time of your arrival and departure, the following personal data will be collected if applicable:

  • your name
  • contact telephone number.

If you do not have a telephone number, you have the option to provide

  • a postal address
  • or an email address.

Where multi-household groups are present, the contact details from a ‘lead member’ of each household, along with the number in attendance from each household within the group will be collected.


What is the lawful basis for collecting and sharing this data?

Under data protection law, GDPR Article 6, there are a number of lawful bases that allow NHS National Services Scotland and Public Health Scotland to collect, process and share personal information.

In this case, the lawful basis for processing your data is to help in the performance of a public task in relation to contact tracing (GDPR Art 6(1)(e) and section 8(c) of the Data Protection Act 2018).

How long will the data be retained for?

Your personal data, collected for the purposes stated in this privacy notice and will be held by us for at least 3 weeks (21 days).

All personal data will be held and disposed of in a safe and secure manner.

Your rights

As defined in the data protection law, GDPR Article(s) 12-23, you have the following rights:

  • The right to be informed about the collection and use of your personal data. This is outlined above.
  • The right to access the information we hold about you. Also known as Subject Access Request (SAR). If you wish to exercise this right, please contact NHS National Services Scotland at
  • The right to request rectification of any inaccurate personal data we hold about you. In certain circumstances exemptions to these rights may apply. If you wish to exercise this right, please contact NHS National Services Scotland at

Details of how to exercise these rights can be found in the Data Protection Impact Assessment for the Check In Scotland service.

Do you have a complaint?

If you consider that your personal data has been misused or mishandled, you can raise this with the data controller. In this instance, the data controller is the NHS National Services Scotland. If you remain dissatisfied you can make a complaint to the Information Commissioner, who is an independent regulator.

The Information Commissioner can be contacted at:

Information Commissioner’s Office Wycliffe House
Water Lane
Cheshire SK9 5AF

0303 123 1113

Any complaint to the Information Commissioner is without prejudice to your right to seek redress through the courts.