COVID-19 Vaccine Data transparency notice
Why and how we process your data for the Vaccine Dataset, and your rights.
Purposes for which we may process your data
NHS England Vaccine Digital Services (VDS) have been asked by the Secretary of State to deliver the Coronavirus (COVID-19) Vaccination Programme for England.
This will be done by:
1. Enabling the collection, processing and dissemination of citizen data for the delivery of COVID-19 vaccinations.
2. Maintaining data quality.
3. Providing a national booking service.
This transparency notice concerns items 1 and 2.
NHS England VDS will collect, process, and disseminate data to:
- support the identification of age and risk-based priority citizen cohorts in line with the Green Book
- enable call and recall (invite) of these citizens to book a vaccination
- provide vaccination administration information to clinical records for citizens registered to an English GP practice
- enable incorrect vaccination data to be corrected
- ensure that point of care systems (POCs) are able to obtain and display a citizen’s relevant immunisation history for clinicians
- enable citizens to view a full record of their COVID-19 vaccination history through their GP records or the COVID pass service
- monitor the uptake of vaccinations
- provide reports to support planning for the current and future vaccination programmes
The controller of your personal data
Under the UK General Data Protection Regulation 2016 (GDPR), NHS England is the controller of your personal data where we are directed or requested to process personal data for COVID-19 purposes. Its legal name is the NHS Commissioning Board.
Our legal basis under GDPR
The health and social care system is taking action to manage and mitigate the spread and impact of coronavirus (COVID-19).
Action to be taken requires the collection, analysis and sharing of information, including confidential patient information where necessary and lawful, amongst health organisations and other appropriate bodies. This is due to the urgent need to protect public health and respond to the COVID-19 outbreak.
To support the healthcare response to COVID-19, NHS England is directed under the COVID-19 Public Health Directions 2020, 17th March 2020 (as amended) (NHS England Directions - NHS Digital which updates the original direction in accordance with the Health and Social Care Information Centre (Transfer of Functions, Abolition and Transitional Provisions) Regulations 2023 (Transfer Regulations)) to:
- establish information systems to collect and analyse data in connection with COVID-19; and
- develop and operate IT systems to deliver services in connection with COVID-19
Where we are directed to process personal data for COVID-19 purposes, this is a legal obligation, and we are allowed to do this under Article 6(1)(c) of UK GDPR.
We are also processing personal data as part of our statutory functions under Article 6(1)(e) of UK GDPR.
Where we need to process health data and other special categories of personal data, we will only do this where it is necessary as part of our statutory functions. Under UK GDPR we are allowed to do this where it is necessary for substantial public interest reasons (Article 9(2)(g)), where it is necessary for healthcare purposes (Article 9(2)(h)) and for archiving, research, or statistical purposes (Article 9(2)(j)).
We are also allowed to share your personal data under GDPR where it is necessary for us to do so for one of the purposes explained above.
Types of personal data we process
The data processed includes:
- NHS number
- name
- gender
- date of birth
- address
- postcode
- health related data in the form of condition codes held in central NHS records
- information about vaccinations received and details of any adverse reactions
This information is also used to support identity verification and NHS Number tracing/updating GP records.
How we obtain your personal data
Identifying citizens for vaccination is carried out using data we already hold as the national safe haven for health and care data in England. Find out more in our Cohorting as a Service (CaaS) pages.
We also collect information about the treatment provided at the point of care.
How long we keep your personal data for
We will retain your personal data for as long as is necessary for the purpose outlined above in accordance with the Records Management Code of Practice 2021.
Other organisations with whom we share your personal data have obligations to keep it for no longer than is necessary for the purposes for which we have shared your personal data. Information about this will be provided in their transparency or privacy notices which are published on their websites.
Where we store the data
NHS Digital only stores and processes your personal data within the United Kingdom.
Fully anonymous data, for example, statistical data, which does not allow you to be identified, may be stored and processed outside of the UK.
Some of our Processors may process your personal data outside of the UK. If they do, we will always ensure that the transfer outside of the UK complies with data protection laws.
Your rights over your personal data
To read more about the health and care information NHS Digital collects, our legal basis for collecting this information and what choices and rights you have, see how we look after your health and care information, our general transparency notice and our Coronavirus (COVID-19) response transparency notice.
You can read more about how NHS England processes your data for COVID-19 purposes.
We may make changes to this transparency notice. If we do, the ‘last edited’ date at the bottom of the notice will also change. Any changes to this notice will apply immediately from the date of any change.
Last edited: 4 July 2024 12:05 pm