The Scottish government and NHS Scotland have been rebuked for breaching data privacy laws on a Covid vaccine status app downloaded by millions of people.

The Information Commissioner’s Office (ICO), which polices the UK’s privacy laws, said it had warned the Scottish government and NHS last year that there were serious privacy problems with the app, but that not all those problems were fixed before it was launched.

The ICO said between 555,000 and 615,000 people were affected by the error.

In an unusually critical ruling issued on Friday, Steve Wood, the ICO’s deputy commissioner, said: “When governments brought in Covid status schemes across the UK last year, it was vital that they were upfront with people about how their information was being used.

“The Scottish government and NHS National Services Scotland have failed to do this with the NHS Scotland Covid status app. We require both bodies to act now to give people clear information about what is happening with their data. If they don’t, we will consider further regulatory action.”

The app was needed to get access to nightclubs, sports arenas and other venues such as university buildings, and for travel overseas, after it became mandatory for people to provide proof of their vaccine status; paper printouts or screenshots of vaccine status were also permitted.

Nicola Sturgeon, the first minister, announced on Tuesday the vaccine passport scheme would be dropped on 28 February. Several hours after she spoke, the ICO notified her officials they would issue the reprimand on Friday. All other Covid regulations in Scotland will remain in force until 21 March.

The Conservatives and Liberal Democrats said ministers had “arrogantly” put privacy at risk by ignoring warnings from the ICO and opposition parties last year. Murdo Fraser, for the Scottish Tories, asked whether Sturgeon knew the ICO rebuke was imminent when she made her announcement on Tuesday.

Wood said the ICO had warned the government last year it would be unlawful for the app’s developers to use people’s portraits to improve facial recognition technology. That plan was dropped, as were plans to share personal data with the company.

Even so, the app still failed to warn users properly about how their data was used when it went live. There was also “an ongoing failure to provide concise privacy information so that the average person can realistically understand how the NHS Scotland Covid status app is using their information”, the ICO said.

The Scottish government admitted the app should have been far clearer about how private data was processed. “Together with NHS National Services Scotland, we will continue to work with the ICO to implement the improvements they have asked for, and ensure that lessons are learned for future work,” a spokesperson said.