Skip to main content

Digital

Tell the NHS about coronavirus (COVID-19) vaccinations you've had abroad service: GDPR information

Summary

Why and how we process your data in the ‘Tell the NHS about coronavirus (COVID-19) vaccinations you’ve had abroad service’ and your rights.

Controller NHS Digital
How we use the information (processing activities)

We use your information to check your identity. The information is used to contact you, enable you to book an Overseas vaccine evidence check appointment, and to retrieve your booking information at the vaccination centre. It is also used to enable pseudonymised reports to be produced on the take up of the service and the level of ‘did not attend’ appointments.
Does this contain sensitive (special category) data such as health information? Yes
Who are recipients of this data?

Personal data is shared with the NHS Arden and Greater East Midlands Commissioning Support Unit
Is data transferred outside the UK? This data is not transferred out of the UK
How long the data is kept We will retain your customer record and appointment information for as long as is necessary for the purposes for which the data was collected and for as long as the law allows. Due to the current nature of the pandemic, it isn’t possible to set specific time periods for how long we must retain your personal information in the Service. It may be necessary to retain your information for various reasons (see below for further information). We will, therefore, regularly review whether we need to retain your personal information and at least every 6 months. The following factors will be considered by us when reviewing whether we need to continue to retain your data: 1. Whether your personal information is still required for the purposes of facilitating appointments you have booked for Overseas vaccination evidence checks. 2. Whether it is necessary to retain your information for clinical safety purposes. 3. Whether it is necessary to retain your information for any other important reasons. Once your customer record is no longer required by the Service, it will be permanently deleted. If you opt-in to the NHS Digital Research Panel, we will keep your name and the contact information that you have entered for a maximum period of 3 years. It will then be permanently deleted.
Our lawful basis for holding this data Legal obligation
Your rights
  • Tick Be informed
  • Tick Get access to it
  • Tick Rectify or change it
  • Tick Erase or remove it
  • Tick Restrict or stop processing it
  • Cross Move, copy or transfer it
  • Tick Object to it being processed or used
  • Cross Know if a decision was made by a computer rather than a person
How can you withdraw your consent?

Consent is not the basis for processing
Is the data subject to decisions made solely by computers? (automated decision making) No
Where does this data come from? Data subject and PDS (Personal Demographics Service)
The legal basis for collecting this data
  • UK GDPR Article 6(1)(c) - the processing is necessary to comply with a legal obligation to which the controller is subject
  • UK GDPR Article 6(1) (e) – the processing is necessary for the performance of its official tasks carried out in the public interest in providing and managing a health service
  • UK GDPR Article 9(2)(h) – the processing is necessary for the management of health/social care systems or services
  • UK GDPR Article 9(2)(i) – the processing is necessary for reasons of public interest in public health
  • Data Protection Act 2018 – Schedule 1, Part 1, (2) (2) (f) – health or social care purposes