About this policy
Note: due to the evolving nature of COVID-19 response, it may be necessary to enhance the Service. This may include changing the way we process data and who we share it with. We will always process this in accordance with data protection laws and this privacy notice will be updated to reflect any changes to the Service.
Learn more about coronavirus (COVID-19).
The Service and who we are
- The Service allows a user to view a digital record of their COVID-19 vaccine history, where they have received a COVID-19 vaccination at a hospital, GP practice or vaccination centre located in England, so that they are able to understand what vaccines they have had and report adverse reactions through the Medicines and Healthcare products Regulatory Agency (MHRA) Coronavirus Yellow Card reporting site, which this Service provides a link to. The information is only accessible to the data subject choosing to access it.
- Once you have submitted valid credentials to NHS login and provided you are over the age of 16 then you will be verified to the highest level and logged into the Service.
- Both the NHS App and NHS.UK will provide an entry route to the Service, which is a standalone service. Aside from the audit trail showing how an individual reached the Service (ie, through which route), the processing of the personal data to check your COVID-19 vaccine record is undertaken within this standalone Service.
- Users who reside within any of the devolved authorities and have received a COVID-19 vaccination in England, will be able to view a digital record of their COVID-19 vaccine history if they use the service via NHS.UK.
- Please note that when you access our service using your NHS login details, the identity verification services are managed by NHS Digital in our role delivering NHS login. NHS Digital is the controller for any personal information you provided to NHS Digital to get an NHS login account and verify your identity, and uses that personal information solely for that single purpose.
NHS Digital was set up by the Department of Health and Social Care in April 2013 and is an executive non-departmental public body that provides national information, data and IT systems for health and care services. Find out more about NHS Digital.
NHS Digital has been asked by the Department of Health and Social Care to provide the Service. It also provides a public-facing help desk for user queries relating to the Service.
NHS Digital is the controller for the personal data we process, unless otherwise stated. NHS Digital has collected the COVID-19 vaccination data from NHS England, as controller of the National Immunisation Management System (NIMS) database, for the purpose of facilitating this Service.
You can contact us by post, telephone or email. More details are available on our contact page.
Our postal address is:
The Leeds Government Hub
7 & 8 Wellington Place
Leeds LS1 4AP
Telephone: 0300 303 5678
Our Data Protection Officer
Our Data Protection Officer, whose duties include monitoring internal compliance and advising the organisation on its data protection obligations, can be contacted via email@example.com.
Our legal basis for processing personal data
The Department of Health and Social Care on behalf of the Secretary of State has directed NHS Digital under s.254 of the Health and Social Care Act 2012 to collect and analyse data in connection with COVID-19 and set up a system to collect this data.
A copy of the Direction is published in the COVID-19 Public Health Directions 2020 webpage. This direction is the basis on which NHS Digital operates the "Check Your COVID-19 Vaccine Record" Service.
Our legal basis for processing your personal data under the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018 (DPA 2018) is:
- UK GDPR Article 6 (1) (c) – processing is necessary to comply with a legal obligation
- UK GDPR Article 6 (1) (e) – processing is necessary for the performance of a task carried out in the public interest
- UK GDPR Article 9 (2) (g) – processing is necessary for reasons of substantial public interest
- UK GDPR Article 9(2)(h) – processing is necessary for the management of health systems and services
- DPA 2018 – Schedule 1, Part 2, (6) (1) – Statutory and government purposes
- DPA 2018 – Schedule 1, Part 1, (2) (2) (f) – Health or social care purposes
If you agree to take part in feedback or surveys about the Service, our legal basis for processing your data in this context is consent (GDPR Article 6 (1) (a)).
What information we collect about you and how it is used
The information processed for the purposes of the Service can be split into several different categories.
Details of the information and personal data falling within each of the categories where NHS Digital is the controller are set out below.
|Category of information||Personal data||Special categories of personal data|
|Vaccine record data||Date and time the vaccine dose was administered, the name of vaccine, the vaccine batch, and the administering centre in England||Yes – data concerning health|
|NHS Digital service helpdesk information||The personal data you provide if you contact the NHS Digital helpdesk; could include information about your use of the Service||None|
|NHS Digital service helpdesk feedback and surveys||The personal data you provide if you provide feedback such as responding to one of our surveys||None|
|Service audit data||Event logs containing an NHS login ID, the event being audited and the time stamp of the event||None|
Who we share your data with
If you are using the check your COVID-19 vaccine record service we do not share any of your personal data captured by the service in an identifiable form with any other party.
How NHS Digital uses your personal data and why
The processing of your personal data is necessary to provide you with the Service and ensure the functionality of the Service.
We may need to share your personal information if we are required to do so by law.
How long we keep your data for
|Category of information||Retention period|
|Vaccine record data||The data will be retained only for as long as is necessary for the provision of this Service and until the expiry of the COVID-19 Direction unless extended or another lawful basis applies. The COVID-19 Direction is currently in force until 31 March 2022 but will be reviewed every 6 months in consultation with SoS, DHSC and NHSX. It will also be retained in accordance with the Records Management Code of Practice for Health and Social Care 2016 and NHS Digital’s Records Management Policy|
|Service audit data||6 years after the audit event occurred|
|NHS Digital service helpdesk information||12 months|
|NHS Digital service helpdesk feedback and surveys||12 months|
Where this data is stored and processed
We only store and process your personal data within the UK.
Your rights over your personal data
We respect your rights to access and control the personal data that we hold about you, as required by data protection legislation. This includes the right to:
- be informed
- get access to it
- rectify or change it
- restrict or stop processing it
You can exercise these rights at any time by emailing us on firstname.lastname@example.org
If you wish to make a complaint about how we have managed your data, contact the Regulator, the Information Commissioner's Office:
Information Commissioner's Office
Wilmslow WSK9 5AF
Points of contact for queries
If you have any questions about the functionality of this Service (either in the NHS App or website version) please use our feedback and complaints page in the first instance.
If you have any questions about or want to request any amendments to your COVID-19 vaccine data, please phone 119 or, if calling from outside the UK, phone +44 119.
If you have any questions about your health you should contact a GP or an other healthcare professional directly, or phone NHS 111 by calling 111 from any landline or mobile phone free of charge.
If you have any queries in relation to the use of your personal data within the Service, you can contact our Data Protection Officer at email@example.com.