Information collected from Covid-19 vaccine passports: FOI release

Information request and response under the Freedom of Information (Scotland) Act 2002

Information requested

1. Is information collected by the Scottish Government from people getting Covid Vaccine Passports?

2. Is information from Covid Vaccine Passports, either through paper copies or on an app, shared or sold to 3rd party companies by the Scottish Government?

3. Which companies is this information shared?

4. If it is sold how much money has the government collected for this information?


The majority of the information which you have requested can be found in the Vaccination Programme’s Privacy Notice found here. However, for ease, I have listed and answered the requests below.

1. The Scottish Government provides strategic direction and leadership for the wider Coronavirus Vaccination Programme, including COVID-19 Certification Scheme (commonly referred to as the Vaccine Passport), as per the duty of Scottish Ministers to protect public health ( e.g. via The Public Health etc. (Scotland) Act 2008 section 1). Scottish Government takes an active part in the governance structure of the Vaccination Programme and participates in the decisions about personal information processed in connection with the programme. The Scottish Government is also responsible for providing Citizens with the means to access their COVID-19 Vaccination Certificate. The Chief Executive within the NHS Scotland, as Director General of Health and Social Care in the Scottish Government, has overall responsibility in this area on behalf of Scottish Ministers. The Health Competent Authority (run by the Scottish Government on behalf of Scottish Ministers) oversees compliance with data security and resilience in relation to the processing undertaken by health boards. However, no, the Scottish Government do not collect or have access to personal identifiable information.

2. The Scottish Government does not sell peoples information. As noted previously, the Scottish Government does not have access to any Personal Identifiable Information so do not directly share and are not able to sell any information in relation to the scheme, and wider programme.

To be able to deliver the COVID Certification Scheme, there is a requirement to share information with Key Stakeholders to ensure that appropriate knowledge and understanding can be used for decision making ensuring citizens gain the most benefit from the scheme and wider programme’s delivery.

Key stakeholders make up Data Controllers, who are responsible for specific information, and Data Processors, who are contracted to deliver actions on behalf of the Data Controllers. The Scottish Government has strict Information Sharing Agreements for Data Controllers, and Information Processing Agreements for Data Processors, in place to ensure the citizens data is only used appropriately and safely.

3. These are listed in the sections mentioned above however for ease –

Data Controllers

  • Scottish Government (Scottish Ministers); NHS Territorial Health Boards and General Practices (GPs); Public Health Scotland (PHS); NHS Education for Scotland (NES); The Common Services Agency for the Scottish Health Service (NHS National Services Scotland
  • NHS NSS); Social Security Scotland (for unpaid carers); NHS Digital; Scottish Local Authorities (for the Self-Isolation Support Grant); Border Control Agencies; and Venues. Further details of their role and if they have access to Personal Identifiable Information can be found here: The coronavirus (COVID-19) vaccination programme Data Controllers (

Data Processors

4. The Scottish Government does not sell peoples information.

About FOI
The Scottish Government is committed to publishing all information released in response to Freedom of Information requests. View all FOI responses at


Please quote the FOI reference
Central Enquiry Unit
Phone: 0300 244 4000

The Scottish Government
St Andrews House
Regent Road

Back to top