Skip to main content

Privacy policy

About this policy

This privacy policy relates to the website which is provided by NHS Digital in support of the Department of Health and Social Care's COVID-19 response to enable members of the public to be able to get vitamin D supplements if they are at high risk (clinically extremely vulnerable) from coronavirus (COVID-19). This service is referred to in this document as the 'Service'.

The Service is intended for people aged 18 and over.

In this privacy policy, 'we' or 'us' means NHS Digital. 'You' or 'your' means you, a member of the public who is using the Service.

This privacy policy tells you what information NHS Digital collects and how it is used to provide the Service, including your rights and how to contact us.

Learn more about coronavirus (COVID-19).

The Service and who we are

The Service allows you to give your permission for NHS Digital to collect your information and share the details you provide through the Service with the Department for Health and Social Care (DHSC) to provide you with vitamin D supplements.

The Health and Social Care Information Centre, known as NHS Digital, was set up under the Health and Social Care Act 2012 (2012 Act) and is part of the NHS in England. We securely collect, analyse and share information to improve health and social care services. Find out more about NHS Digital.

Our legal basis for collecting, analysing, and sharing personal information

NHS Digital is the controller for the personal information collected and processed about you as part of this Service under the General Data Protection Regulation (GDPR) and Data Protection Act 2018 (DPA18).

When we share your details with DHSC, they are the controller for processing your personal information in order to get the vitamin D supplements delivered to you.

NHS Digital is a controller jointly with the Secretary of State for Health and Social Care, who has legally directed NHS Digital to operate IT systems and to collect, analyse and share information to support the response to the coronavirus outbreak in England. This includes operating the Service. The COVID-19 Public Health Directions 2020 (COVID-19 Directions) are made under the 2012 Act. A direction is a legally binding document.

GDPR legal basis

NHS Digital’s legal basis for processing your personal information under the GDPR is:

GDPR Article 6 (1) (e) – processing is necessary for the performance of a task carried out in the public interest, where we have been legally directed and requested to provide the Service and where you choose to register your application to receive vitamin D supplements.

Article 6 (1)(c) of GPDR – processing is necessary under legal obligation as NHS Digital is directed to process personal data for COVID-19 purposes and is also necessary under legal obligation by virtue of the Control of Patient Information Regulations 2002 in order to provide the Service to register for your vitamin D supplements

NHS Digital’s legal basis for processing the information you provide us about your health and ethnicity under GDPR is:

  • GDPR Article 9 (2) (g) – processing is necessary for reasons of substantial public interest, where we have been legally directed and requested to provide the Service, plus Part 2 Schedule 1 of the DPA18, paragraph 6, statutory and governmental purpose;

We have in place an appropriate policy document for this Service, which is required under the DPA18 in order to process the information we collect about your health (or special category data). This provides information about our procedures for complying with the data protection principles under GDPR and explains how long we will retain your information for. This is also explained below under 'How long we keep your personal information for'.

How we use your personal information and why

The processing of your personal data is necessary to provide you with the Service and ensure the functionality of the Service.

You will not be able to use the Service unless you agree to its terms of use and this privacy policy.

We may need to share your personal information if we are required to do so by law.

We collect the following personal data from you, via you entering this on the Service site:-

  • Name
  • NHS Number
  • Date of Birth
  • Contact email address
  • Preferred delivery address

To check that you are on the shielded patient list

NHS Digital will use your NHS number and Date of Birth to check that you are on the shielded patient list and entitled to receive this Service.

For more information about how we use your data for the shielded patient list see the shielded patient list transparency notice.

To contact you by email

If you provide us with a contact email address, you will receive an email communication from DHSC to inform you whether your application for vitamin D supplements has been accepted or if you are not entitled to them. NHS Digital performs this on behalf of DHSC.

If you do not provide an email address for us to contact you we will not be able to confirm if your application has been accepted.

To give your details to distributor, who are supplying the service on behalf of the DHSC, so you receive the vitamin D supplements

  • Name
  • Address
  • Application Reference Number (generated by the Service at the point at which you submit your application)
  • For more information about how DHSC use your data please see their privacy policy.

To produce reports

We will provide anonymous data (for example statistical reports which does not allow you to be identified) with DHSC, this will be used to understand service usage and performance.

Who we share your personal information with

The personal information you provide be shared with DHSC’s suppliers in order to supply you with the vitamin D supplement.

If you supply a contact email address we use the GOV.UK Notify email service. This is operated by the Cabinet Office as our processor. The only personal data we share to use this service is your email address. For more information about the GOV.UK Notify email service, please see their privacy policy.

How long we keep your personal information for

The partner provider will retain your personal data until 31 March 2021.

DHSC and NHSD will retain your personal data for a two-year period from the end of the service (that is, until 31 March 2023) to enable us to deal with queries and to contact you if necessary.

Where we store your personal information

We store and process your personal information for this Service in the United Kingdom.

Your rights over your personal information

To read more about the health and care information NHS Digital collects, our legal basis for collecting this information and what choices and rights you have, see how we look after your health and care information , our general transparency notice and our Coronavirus (COVID-19) response transparency notice

Contact us

If you have any queries in relation to the use of your personal information in connection with the Service, or if you want to exercise any of your rights above, please contact

Our Data Protection Officer is Kevin Willis, whose duties include monitoring internal compliance and advising the organisation on its data protection obligations. You can contact him at

Contact the Information Commissioner

If we are unable to resolve any queries or concerns in relation to the use of your personal information in connection with the Service, you can raise your concern with the Information Commissioner. You can contact the Information Commissioner’s Office:

  • using the online Contact Us service
  • by calling 0303 123 1113
  • by writing to the Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Changes to this notice

The terms of our privacy policy may change from time to time. Any updates to the privacy policy will be published on the Service website. Where we make any significant changes we will also inform you about this by email.