GHA COVID Pass - Digital Covid Certificate

Privacy Notice

Purpose of this notice

HM Government of Gibraltar’s Digital Services Team (We, Us, and Our in this privacy notice) in collaboration with the Gibraltar Health Authority (“GHA”) has developed a mobile application (“GHA COVID Pass” or “App”) for Digital Covid Certification, as a direct response to the current Covid-19 pandemic and international travel requirements.

The GHA COVID Pass App is designed for use in retrieving and displaying your Digital Vaccine Certificate QR codes which are retrieved from your GHA Covid Vaccine records and electronically signed as authentic by the UK’s NHSx Covid Passport certification.

This privacy notice applies to the GHA COVID Pass App only.

What Personal data do we process?

We process personal data and, special category personal data (as defined in Article 9(1) of the Gibraltar GDPR), which identifies you and relates to Covid vaccination and Covid testing events. We process the following types of data (“Shared Data”):

Full name
Date of birth
GHA Number
Vaccination 1 Date
Vaccination 2 Date
Batch

The personal data will be limited to the bare minimum information that we required in order to meet our objective of providing the GHA COVID Pass service to you.

How does the GHA COVID Pass App work?

To retrieve your Covid Vaccination QR code, a user must first insert their Name, Surname, GHA number and Mobile phone into the GHA COVID Pass App. If all details match your GHA records, then you will receive an SMS with a verification code on your phone.

Should your details not match you will be presented with a message asking you to get in contact with the GHA to update your contact details. It is important that you update your details so that we process accurate personal data.

Once your details are verified and verification code is inserted, the GHA COVID Pass App will pass your details to NHSx where they will process and provide the App with a verified QR code. Note that no personal data is stored during this process.

Your Digital QR code will then be available to be scanned using the NHSx scanner and validated by any Local or UK Border Agent or used for entry into any UK venue/event where proof of vaccination is required.

How do we protect your personal data?

The security and confidentiality of your personal data is very important to us. We will:

Ensure safeguards are in place to make sure personal data is kept secure.
Ensure that your data remains under the control of our authorised controllers and processors with adequate safeguards to protect your rights.
Ensure only authorised staff are able to view your data.
Not make your information available for commercial use.
Only ask you for what is needed.

The App is designed with your privacy in mind. We have carefully considered guidance issued by the Gibraltar Regulatory Authority (GRA) and the European Data Protection Board (EDPB) when developing the App.

In order to provide a successful service, the NHS Covid Pass Service has made available to the GHA access to a technical sub-service, which can provide, on demand, the ability to embed Covid Event evidence (including the Shared Data) into a 2D barcode. The service is available to accelerate development and deployment of a digital Covid status certificate to citizens, thus improving public health protection measures to ensure a collaborative response to the Covid-19 pandemic.

The API will store hashed personal data against a Unique Vaccination Certificate Identifier (UVCI) for the lifecycle of the 2D barcode (e.g., between the creation and expiry date). This ensures that your privacy is protected.

Additional data such as IP address, response time, date / time will be available to NHSX for auditing and reporting purposes. Please note that downloading the App is completely voluntary. You can install or delete the App at any time.

How do we process your personal data?

We process your personal data in performance of our tasks carried out in the public interest and in exercise of official authority vested in us by HM Government of Gibraltar. The special category personal data (namely vaccination information) is processed as it is necessary for reasons of public interest in the area of public health. This includes, but is not limited to, protecting against cross border threats to health and ensuring a high standard of quality and safety of health care or social care where they are provided for by law and the processing is carried out with appropriate safeguards for the rights and freedoms of data subjects.

NHSx process the personal data under a contractual relationship with us and to ensure that they can deliver the contractual service that we have hired them to provide.

How do we retain your personal data?

We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for. Processing of your personal data will continue for as long as is necessary and until the Covid-19 pandemic is declared over. After this, the GHA COVID PASS App will be suspended. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe, there is a prospect of litigation in respect to our relationship with you.

Your rights

The law gives you specific rights over your information, such as the right to be informed of our use of information about you, and your right to access your information.

If you wish to exercise any of these rights, or if you have any concerns or questions, please contact us on cvcchecker@gha.gi Alternatively, you can contact our Data Protection Officer on dpo@gibraltar.gov.gi.

You also have the right to make a complaint at any time to the Gibraltar Regulatory Authority (GRA), Gibraltar’s supervisory authority for data protection issues. You can contact them on: