1. About this privacy notice
This privacy notice relates to the National Booking Service which is provided by NHS Digital to enable members of the public in England to book coronavirus vaccinations and to book Overseas vaccination evidence check appointments. This service includes the ‘Book a coronavirus vaccination’ service and the ‘Book an overseas vaccine evidence check’ service. This service is referred to in this document as the 'Service'.
2. The Service and who we are
The Service allows you to:
- Book coronavirus vaccination appointments at mass vaccination, primary care, community pharmacy or hospital hub vaccination sites.
- Book overseas vaccine evidence check appointments at mass vaccination sites
- Cancel and rebook your coronavirus vaccination appointments
- Cancel and rebook overseas vaccine evidence check appointments
- Receive a booking confirmation and reminder by email or text message which you can take to the relevant vaccination site
The Health and Social Care Information Centre, known as NHS Digital, operates the Service. NHS Digital was set up under the Health and Social Care Act 2012 (2012 Act) and is part of the NHS in England. We securely collect, analyse, and share information to improve health and social care services. Find out more about NHS Digital.
3. Our legal basis for processing your personal information
NHS Digital is the controller for the personal information collected and processed about you as part of this Service under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA18).
NHS Digital is the controller for the National Booking Service. NHS England is the controller with overall responsibility for the Covid-19 vaccination programme in England. NHS Digital has been commissioned by NHS England to establish and operate the National Booking Service.
Our legal basis for processing your personal data for the purposes of providing the Service is:
- UK GDPR Article 6(1)(c) - the processing is necessary to comply with a legal obligation to which the controller is subject
- UK GDPR Article 6(1)(e) – the processing is necessary for the performance of its official tasks carried out in the public interest in providing and managing a health service
- UK GDPR Article 9(2)(h) – the processing is necessary for the management of health/social care systems or services
- UK GDPR Article 9(2)(i) – the processing is necessary for reasons of public interest in the area of public health
- Data Protection Act 2018 – Schedule 1, Part 1, (2) (2) (f) – health or social care purposes
Separately, special permission from the Secretary of State for Health and Social Care is in place to use confidential patient information without people’s explicit consent for the purposes of diagnosing, recognising trends, controlling, and preventing, and monitoring and managing communicable diseases and other risks to public health.
We have in place an appropriate policy document for this Service. This provides information about our procedures for complying with the data protection principles under UK GDPR and explains how long we will retain your information for. This is also explained in Section 6 - 'How long we keep your personal information for'.
4. How we use your personal information and why
4.1 Checking your identity
We use the following information to check your identity against our records.
- Your NHS number
- Your first name
- Your surname
- Your date of birth
- Your home postcode
If the information that you enter matches our records, we will create a ‘customer’ record for you which will allow you to book and cancel/rebook appointments using the Service.
4.2 Access your NHS vaccination record
For coronavirus vaccination appointments, we access your NHS vaccination record to offer suitable coronavirus vaccination appointments that meet clinical guidelines. This allows us to check the following:
- Your eligibility to book coronavirus appointments. The Joint Committee for Vaccinations and Immunisations (JCVI) advises the Department of Health and Social Care on what groups of people should be prioritised for coronavirus vaccinations. This is based on clinical risk factors and determines who is invited to book a vaccination and in what order.
- Your flu vaccination status – whether you have received a vaccination in the 2020/21 flu season and when this occurred.
- Your COVID-19 vaccination status – whether you have received a vaccination, the type of vaccination and when this occurred.
If your flu vaccination status is not in our records, we may ask you whether you have a flu vaccination booked and the date of your appointment.
4.3 To determine whether you are a health and social care worker or an unpaid carer
For coronavirus vaccination appointments, we may ask you whether you are a health and social care worker, or an unpaid carer as these workers are in the first cohort of people that will receive the coronavirus vaccination.
If you identify as either a health or social care worker, this information will be stored in your ‘customer’ record. This information may be used by the vaccination centre check-in staff so that they can ask you, where appropriate, for your workplace identification.
We may also ask you if you are an unpaid carer along with some additional questions to determine your eligibility for the vaccine in line with JCVI guidance.
4.4 To determine if you are pregnant
For coronavirus vaccination appointments, we may ask you if you are pregnant so that we only offer you appointments for vaccines which are recommended during pregnancy.
This information will not be stored in your ‘customer’ record.
4.5 To determine if you are or have been severely immunosuppressed
For coronavirus vaccination appointments, we may ask you if you are severely immunosuppressed so that we only offer you appointments for vaccines which are recommended.
If you identify as severely immunosuppressed, this information will be stored in your ‘customer’ record. This information may be used by the vaccination centre check-in staff so that they can ask you, where appropriate, for proof of status, such as a letter from your GP.
4.6 To enable you to book two coronavirus vaccination appointments
For coronavirus vaccination appointments, we link the coronavirus vaccination appointments that you select to your customer record. These details are then retrieved by the vaccination centre so that you can be checked in and vaccinated.
For Overseas vaccination evidence check appointments, we link the appointment that you select to your customer record. These details are then retrieved by the vaccination centre so that you can be checked in and vaccinated.
4.7 To contact you
The Service will ask you to enter your mobile telephone or email address to receive booking confirmations and reminders.
If you choose not to do this, the Service will then ask you to enter a landline or home phone number and ask again for your mobile number or email address. This is so that a vaccination centre can contact you in case your appointment(s) have to be rearranged or cancelled.
Providing this information is optional, but if you do not enter this information, the service will not be able to contact you if your appointment(s) is/are rearranged or cancelled. Your contact information is stored in your ‘customer’ record.
4.7 To enable pseudonymised reports to be produced on the take up of the service and the level of do not attends
The Service will use summarised and pseudonymised data to produce operational and strategic reporting. This will enable us to understand how the Service is performing, measure the take up of the Service and identify the number of users that do not attend their appointments.
4.8 To retrieve your booking information at the vaccination centre
Vaccination centre staff will be able to check that you have an appointment by retrieving your booking reference number, name, mobile phone number or email address.
They will be able to view details of all appointments (past and future) at their centre. These details will include your name, booking reference number, NHS number, appointment type (e.g., for an Overseas vaccine evidence check), vaccine type and appointment time.
4.9 To invite you to join the NHS Digital Research Panel
At the end of the booking service, we will invite you to give feedback on your experience of the Service. This feedback helps us make improvements in the future.
The feedback form will also give you the option of joining the NHS Digital Research Panel. As a panel member you will have the opportunity to take part in online surveys, one-to-one interviews, web usability tests and discussion groups. We may follow up with you to ask about your experience at your appointment(s).
If you opt into the NHS Digital Research Panel, we will ask you to enter your name, email address and mobile telephone number. This is entirely optional, and you do not have to participate if you do not wish to. By giving us this information and clicking submit, you give us consent to contact you for research purposes.
5. Who we share your personal information with
When disclosing and sharing personal data with other organisations, NHS Digital complies with the UK GDPR and the DPA 2018 and additionally when sharing identifiable health data complies with the common law duty of confidentiality.
Personal data is shared with the following:
- Information regarding your coronavirus vaccination appointments is shared with the National Immunisation Service (NIMS) so that the mechanism for invitations and reminders to citizens can operate correctly. The National Immunisation Service (NIMS) is commissioned by NHS England and is a centralised service in England to manage invitations to vaccinate.
- Appointment information is sent to NHS Arden and Greater East Midlands Commissioning Support Unit for anonymising and reporting purposes at national level.
6. How long we keep your personal information for
To create your appointments, we will need to create a customer record for you using information from the Personal Demographics Service (PDS) and information entered in the Service by you. The Personal Demographics Service (PDS) is the national electronic database of NHS patient details such as name, address, date of birth and NHS Number (known as demographic information).
Your customer record includes the following personal information: First name, Surname, Date of birth, NHS number, and for coronavirus vaccination appointments, whether you are a health worker or a social care worker.
We will also store your appointment information in your customer record. Each booking will include the name of the vaccination centre, the date and time of your appointment(s).
We will retain your customer record and appointment information for as long as is necessary for the purposes for which the data was collected and for as long as the law allows. Due to the current nature of the pandemic, it isn’t possible to set specific time periods for how long we must retain your personal information in the Service. It may be necessary to retain your information for various reasons (see below for further information). We will, therefore, review whether we need to retain your personal information regularly, and at least every 6 months. We will consider the following factors when reviewing whether we need to continue to retain your data:
- Whether your personal information is still required for the purposes of facilitating appointments you have booked for vaccinations or Overseas vaccination evidence checks.
- Whether it is necessary to retain your information for the purposes of future coronavirus vaccinations and/or booster vaccinations.
- Whether it is necessary to retain your information for clinical safety purposes.
- Whether it is necessary to retain your information for any other important reasons.
Once your customer record is no longer required by the Service, it will be permanently deleted.
If you opt-in to the NHS Digital Research Panel, we will keep your name and the contact information that you have entered for a maximum period of 3 years. It will then be permanently deleted.
7. Where we store your personal information
Your personal information will be processed and stored in the United Kingdom by NHS Digital and ACF Technologies UK Ltd who supply the booking engine for COVID-19 vaccinations. All data held within the Service is within the UK jurisdiction as it is hosted in the Microsoft Azure cloud within the UK.
If you opt into the NHS Digital Research Panel, your personal information will be processed and stored in the EU by Qualtrics UK who supply the survey tool for the Service.
8. Your rights over your personal information
You have the following rights in relation to your personal information under data protection law:
- the right to be informed about how your personal information is being used (be informed).
- the right to access the personal information (get access).
- the right to request the correction of inaccurate personal information (rectify or change).
- the right to request the erasure of your personal information in certain limited circumstances (erase or remove).
- the right to restrict processing of your personal information where certain requirements are met (restrict or stop processing).
- the right to object to the processing of your personal information in certain circumstances (object to processing or use).
- the right to request that elements of your data are transferred either to you or another service provider in certain circumstances (move, copy or transfer).
- the right to object to certain automated decision-making processes using your personal information (know if a decision was made by a computer rather than a person).
- the right to raise a concern with NHS Digital and the Information Commissioner's Office at any time (raise a concern).
More information about your legal rights can be found on the Information Commissioner's website.
Please note that some of these rights do not apply in relation to the processing of your personal information by us through this Service. This is because there are certain circumstances where your rights will not apply. The rights which do apply in relation to the personal information we process as part of this Service are set out in summary form below.
9. Summary of your rights
Summary of your rights over your personal information processed by the Service:
- The right to be informed. This privacy statement describes what personal data we collect for the Service and how it is used.
- The right of Access. You can contact the NHS Digital service centre to request access to your personal information. They can be contacted on 0300 303 5678 or email (email@example.com). Our customer service centre is open 9am to 5pm, Monday to Friday except on public holidays.
- The right to rectification. Contact the NHS Digital service centre for corrections to your personal information
- The right to erasure (“right to be forgotten”). Your ‘customer’ record and booking details will be deleted as per section 6. You can contact the NHS Digital service centre to request deletion of your personal information.
- The right to restriction of processing. Requests to restrict processing need to be made to the customer service centre. Any requests to restrict processing by the Personal Demographics Service would be passed to the relevant team in NHS Digital. Any requests to restrict processing by the National Immunisation Management Service (NIMS) citizens will be passed to System C who operate the service.
- The right to data portability. This does not apply to this Service.
- The right to object. Please contact the NHS Digital service centre to object to your personal data being collected and processed. The request will be analysed by the Service and responded to as required by law.
- The right not to be subject to automated decision making. This does not apply to this Service.
- The right to withdraw consent. You have the right to withdraw the consent to be contacted by the service for booking confirmations, and if your appointments have to be cancelled. Changes to consent should be directed to the NHS Digital service centre.
- The right to complain. You can make a complaint to the NHS Digital service centre. Any complaints on the NIMS or PDS services will be passed on to the relevant teams. The request will be analysed by the Service and responded to as required by law. You have the right to complain to NHS Digital and to the Information Commissioner's Office (ICO) using the contact information provided below.
10. Contact us
If you have any queries in relation to the use of your personal information in connection with the Service, or if you want to exercise any of your rights above, please contact firstname.lastname@example.org
Our Data Protection Officer is Kevin Willis, whose duties include monitoring internal compliance and advising the organisation on its data protection obligations. You can contact him at email@example.com
11. Contact the Information Commissioner
If we are unable to resolve any queries or concerns in relation to the use of your personal information in connection with the Service, you can raise your concern with the Information Commissioner. You can contact the Information Commissioner’s Office:
- using the online Contact Us service
- by calling 0303 123 1113
- by writing to the Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
11.1 Changes to this notice