Skip to main content

Privacy policy for Get your coronavirus (COVID-19) vaccination status letter service


The Department of Health and Social Care (DHSC) is providing a service to you that will produce a COVID Status Certificate. This will allow residents in England to display their COVID vaccination history on paper.

How does the service work?

Users will be asked to provide NHS number, name, date of birth and postcode. If these identify a relevant history, then a letter will be produced and sent to the address we hold for correspondence.

What is the purpose for the processing of personal data?

The principle of the Covid Status Certificate programme is to ensure that illness and death from Covid-19 can be minimised as the UK’s social and economic life is re-established. This will apply both during and after the Government “roadmap” allows citizens to emerge from the restrictions placed on the country during the COVID-19 pandemic response.

The Covid Status Certificate provides citizens with evidence of their vaccination history. As the country resumes normal functions, this data will be useful for further aspects of unlocking as they arise, e.g for International travel or attendance at domestic events once these have been permitted by government policy and guidance.

What does the Covid Status Certificate service do?

The service enables you to receive a letter indicating, your COVID-19 vaccination history.

What do I need to do?

To access the service you can provide your NHS number, name, date of birth and postcode to get a Covid-119 (non digital) letter.

Data Controller

If you find any errors within the information provided please contact our support service via the Covid -119 contact centre in the first instance.

The data controller for this service will be DHSC. The Data Protection Officer can be contacted:

In writing:
Department of Health and Social Care
1st Floor North
39 Victoria Street
London SW1H 0EU

By email:

NHS Digital is the certifying authority which means that it certifies that it has provided the information about your vaccine history to the service, on behalf of the Department of Health and Social Care from the Vaccination database operated by NHS England (the approved source system). This contains vaccine information supplied by the National Immunisation Management System (NIMS) which is the source system for all vaccination information in England. NIMS is controlled and operated by NHS England.

The Personal Data we collect and how it is used

In order to ensure your Covid Status can be delivered to you, data will be presented from existing COVID vaccination data source within NHS England under a data sharing agreement and from records held by NHS Digital for correspondence:

The Personal Data we collect and how it is used
Personal data
Full name: to correctly identify an individual
Date of birth: to correctly identify an individual
NHS number: to correctly identify an individual
Home address (including post code): to correctly send letters to an individual's home address if requested
Landline and/or mobile phone numbers: to be able to contact those who have requested a letter, or require support
Email address: as above
Third parties’ contact details may be taken when they have agreed to be contacted on behalf of other adults
Special category data
Special category data
Information relating to the individual’s physical or mental health condition: only vaccination events

Automated decision making or profiling.

For the purposes of effective compliance with the requirements of Article 22 of the General Data Protection Regulations (GDPR), the DHSC considers that automated decision making is not engaged in this service.

How will my information be shared

Your information will be made available to you either via letter. Your data will not be shared any further.

Lawful basis for processing personal data

The legal basis for the use of personal data in the service will be:

  • UK GDPR Art. 6 (1)(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller to meet the statutory obligations under Section 2A(1) of NHS Act 2006, to protect public health
  • UK GDPR Art. 9 (2)(g) processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject underpinned by DPA 2018 – Schedules 1, Part 2, para 6 - Statutory and government purposes relating to public health and in particular the management of the COVID-19 public health emergency
  • UK GDPR Art. 9 (2)(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3
  • UK GDPR Art. 9 (2)(i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of healthcare and of medicinal products or medical devices, on the basis of Union or Member State law, which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy, underpinned by DPA 2018 – Schedule 1, Part 1, s. 2(2)(f) – health or social care purposes

How long do we keep your personal data?

Data collected in providing the service will only be retained for a brief period of time. For users of the non-digital option your data will not be retained once the letter has been printed.

Additional retention periods which may be engaged are:

  • Legal complaints – 10 years
  • Subject Access Requests and Freedom of Information Requests (FOI) – 3 years
  • Subject Access requests & FOI requests where there has been an appeal – 6 years

Personal Data storage

We handle your Personal Data in accordance with appropriate procedures and technologies in order to maintain and protect its security, availability, confidentiality and integrity, and prevent its unlawful or unauthorised processing, accidental loss or damage, from its collection until its destruction.

Storage of data by the DHSC is provided secure computing infrastructure on servers located in the European Economic Area (“EEA”). Our platforms are subject to extensive security protections and encryption measures.

Your rights as a data subject

By law, you have rights as a data subject. Your rights under the General Data Protection Regulation and the UK Data Protection Act 2018 apply.

  • Your right to get copies of your information – you have the right to ask for a copy of any information about you that is held or controlled by DHSC.
  • Your right to update or correct your information – you have the right to ask for any information held about you that you think is inaccurate, to be corrected.
  • Your right to limit how your information is used – you have the right to ask for any of the information held about you to be restricted, for example, if you think inaccurate information is being used.
  • Your right to object to your information being used – you can ask for any information held about you to not be used. However, this is not an absolute right, and we may need to continue using your information, and we will tell you if this is the case.
  • Your right to get your information deleted – this is not an absolute right, and we may need to continue to use your information, and we will tell you if this is the case.

If you’re unhappy or wish to complain about how your Personal Data is used by DHSC, you should contact DHSC in the first instance to resolve your issue. If you’re still not satisfied, you can complain to the Information Commissioner’s Office.

You can get in touch with us by contacting the Data Protection Officer. The Data Protection Officer for DHSC is Lee Cramp, who can be contacted by sending an email to

Once we receive your request, members of our Data Protection Team will endeavour to get back to you as soon as possible to confirm receipt.


We use appropriate technical, organisational and administrative security measures to protect any information we hold in our records from loss, misuse, unauthorised access, disclosure, alteration and destruction. We have written procedures and policies which are regularly audited and reviewed at a senior level.

Changes to our policy

We keep our Privacy Notice under regular review, and we will make new versions available on our Privacy Notice page on the DHSC website. This Privacy Notice was last updated on 20 May 2021.

Formal complaint about the processing

If you wish to make a formal complaint about the processing of your personal data you should contact the UK regulator the Information Commissioner at:

Information Commissioner's Office
Wycliffe House
Water Lane

Telephone: 0303 123 1113
Fax: 01625 524510

Page last reviewed: 9 June 2021
Next review due: 9 June 2024