Covid-19 passports could be used for more than international travel, the privacy policy of the service reveals.

The function went live on the NHS App on May 17 and was touted as a way to allow Brits to travel internationally with the potential to skip quarantine, but the privacy policy linked to Covid-19 passports also suggests it could be used for “domestic events”.

Under a section titled “What is the purpose for the processing of personal data” the notice states: “As the country resumes normal functions, this data will be useful for further aspects of unlocking as they arise, e.g for international travel or attendance at domestic events once these have been permitted by government policy and guidance.”

However government officials working on a review into the use of Covid certification have told The Telegraph there is no chance the passports will be used within the UK.

“It’s not a case of ‘it’s finely balanced’. It’s not going to happen. Everyone says it’s dead,” one source told the newspaper.

Ministers are currently reviewing data to determine whether all Covid restrictions can be lifted by June 21, which would include further international travel and a return to clubs and bigger events.

Eerke Boiten, professor in cyber security at De Montfort University in Leicester, said using the passports for anything wider that international travel poses surveillance risks. He called for a full data protection impact assessment (DPIA) to be completed before the purpose of the passport is widened.

“My main remaining concern is the lack of a DPIA – the lack of a DPIA has become more relevant because they are widening the purpose of the whole thing,” he told Digital Health News.

“If you go into the system [NHS App] it is a vaccination passport for international travel, but when you look at the privacy notice it’s also something to keep disease in control as part of the general unlocking of day to day life, and that’s worrying.

“There’s explicit mention of events that this might be used for, and I don’t think there’s anything that actually restricts the use of this or would stop the government from widening its application to other areas.”

The privacy notice of the Covid-19 passports suggests it could be used for domestic events

Boiten reiterated previous calls for the passports to be linked to an identity verification process, such as QR codes, to avoid abuse of the system.

Writing for The Conversation Boiten raised concerns about the wider use of Covid passports resulting in discrimination.

“International travel was merely an example of how the data would be used. Here lie significant problems that critics have been concerned about for some time. For one, the broader use of vaccine passports raises issues of discrimination between those who have and have not been offered vaccinations,” he wrote.

“But using vaccine passports in scenarios other than international travel also necessarily increases surveillance, seeing as you’ll need to prove that the vaccine certificate on your phone truly belongs to you.

“When we travel internationally, we’re used to carrying a passport along with flight tickets and required vaccination certificates – but for events and social gatherings, we don’t expect to have to identify ourselves.”

“Worryingly sensitive” data collection

The privacy policy first published alongside Covid-19 passports suggested the services was collecting “worryingly sensitive” data, Boiten said.

The policy contained a “long and confusing” list of personal data that is collected a part of the passport service including ethnicity, vehicle registration, national insurance number, employer and criminal convictions.

The policy has since been updated to confirm it only collects information including full name, date of birth, NHS number, home address, phone numbers and email address.

Boiten said it was possible the list of data was copied from a previous privacy policy.

“The latest privacy policy also contains a long and confusing list of personal data under ‘The Personal Data we collect and how it is used’, some of which look worryingly sensitive – such as ethnicity, vehicle registration plate, national insurance number, employer, biometric and genetic information and criminal convictions,” he wrote for The Conversation prior to the policy being updated.

“It’s possible that this confusing list of data items is just copied from a previous privacy policy and pasted into this one – a practice apparently used for some sections of the UK’s Brexit agreement, as was revealed in December 2020. If this is the case, it would reveal a privacy-as-afterthought attitude that’s at odds with how widely used and far-reaching this app looks set to become.”

Since Covid-19 passports were announced the NHS App has been downloaded more than one million times. The app now has 4.8 million registered users, of which 1.3m are new users of the app.

The Department of Health and Social Care, which is listed as the data controller in the Covid passport’s privacy policy, has been contacted for comment.

To find out more about Covid-19 passports and how they will work, you can read our explainer here.