National booking service staff applications – Privacy policy

1. About this privacy notice

This privacy policy relates to the National Booking Service applications used by staff, and includes:

  • QFlow Console.
  • Check A Vaccination Appointment.

These are provided by NHS Digital and are referred to in this document as the 'Application' or ‘Applications’.

In this privacy policy, 'we' or 'us' means NHS Digital. 'You' or 'your' means you, a member of the vaccination site staff who is using the Application or Applications.

This privacy policy tells you what information NHS Digital collects about you and how it is used to provide the Application’s services, including your rights and how to contact us.

2. The Application and who we are

The Check A Vaccination Appointment application allows you to:

  • Search for a citizen’s appointment via a booking reference or via their name and date of birth.
  • Mark the appointment as ‘checked in’.
  • Mark the appointment as ‘rejected’.

The QFlow Console application allows you to:

  • Add user accounts for staff.
  • Create and add Vaccination Centre information.
  • Create appointment availability.
  • Cancel booked appointments.

The Health and Social Care Information Centre, known as NHS Digital, was set up under the Health and Social Care Act 2012 (2012 Act) and is part of the NHS in England. We securely collect, analyse, and share information to improve health and social care services. Find out more about NHS Digital.

3. Our legal basis for processing your personal information

NHS Digital are commissioned to provide the application by NHS England, who have legal responsibility to deliver the vaccinations programme in England. Our legal basis for processing your personal data is:

  • GDPR Article 6(1)(c) - the processing is necessary to comply with a legal obligation to which the controller is subject.
  • GDPR Article 6(1)(e) – the processing is necessary for the performance of its official tasks carried out in the public interest in providing and managing a health service.
  • GDPR Article 9(2)(h) – the processing is necessary for the management of health/social care systems or services.
  • GDPR Article 9(2)(i) – the processing is necessary for reasons of public interest in the area of public health.
  • Data Protection Act 2018 – Schedule 1, Part 1, (2) (2) (f) – health or social care purposes.

4. How we use your personal information and why

We create a login account to allow vaccination site personnel to use the Applications. We store a first name, surname, email address and a password. These are used to check credentials for vaccination site personnel to allow them to perform the tasks described in section 2.

We create a link between a login account and a vaccination site(s). This is to ensure that vaccination site personnel only gain access to data for the site(s) they work at.

We store a record of each transaction completed by vaccination site personnel. We store who, what and when these transactions take place to provide an audit trail.

5. The types of personal information we use

To gain access to the Application, we store:

  • First Name, Surname.
  • Email Address.
  • Password.
  • User Account Role.

To provide an audit trail within the Application, we store:

  • First Name, Surname.
  • Email Address.
  • Date and Time that the transaction took place.
  • User Account Role.

6. Who we share your personal information with

Information regarding each vaccination site team member is shared with other users of the system that are required by their role to manage access, such as Site Managers.

The data will be processed and stored in the United Kingdom by NHS Digital and ACF Technologies UK Ltd who supply the booking engine for COVID-19 vaccinations.

7. How long we keep your personal information for

We will retain your personal data for up to 8 years but will dispose of your data sooner if it is appropriate to do so.

8. Where we store your personal information

The data will be processed and stored in the United Kingdom by NHS Digital. All NHS Digital data held within the Application is within the UK jurisdiction as it is hosted in the Microsoft Azure cloud within the UK.

9. Your rights over your personal information

You have the following rights in relation to your personal information:

  • the right to be informed.
  • the right to access the personal information (get access).
  • the right to request the correction of inaccurate personal information (rectify or change).
  • the right to request the erasure of your personal information in certain limited circumstances (erase or remove).
  • the right to restrict processing of your personal information where certain requirements are met (restrict or stop processing).
  • the right to object to the processing of your personal information in certain circumstances (object to processing or use).
  • the right to request that elements of your data are transferred either to you or another service provider in certain circumstances (move, copy or transfer).
  • the right to object to certain automated decision-making processes using your personal information (know if a decision was made by a computer rather than a person).
  • the right to withdraw consent; and
  • the right to complain, to raise a concern with NHS Digital and the Information Commissioner's Office at any time (raise a concern).

More information about your legal rights can be found on the Information Commissioner's website.

Please note that some of these rights do not apply in relation to the processing of your personal information by us through these Applications. The rights which do apply in relation to the personal information we process are set out in Section 10.

10. Summary of your rights

Summary of your rights over your personal information processed by the Service:

  • The right to be informed. This privacy statement describes what personal data we collect for the Application and how it is used.
  • The right to access the personal information. You can contact the NHS Digital service centre to request access to your personal information. They can be contacted on 0300 303 5678 or email (enquiries@nhsdigital.nhs.uk). Our customer service centre is open 9am to 5pm, Monday to Friday except on public holidays.
  • The right to request the correction of inaccurate personal information. Contact the NHS Digital service centre for corrections to your personal information.
  • The right to request the erasure of your personal information in certain limited circumstances (“right to be forgotten”). Your ‘staff’ record will be deleted as per section 7. You can contact the NHS Digital service centre to request deletion of your personal information.
  • The right to restrict processing of your personal information where certain requirements are met. Requests to restrict processing need to be made to the customer service centre.
  • The right to object to the processing of your personal information in certain circumstances. Please contact the NHS Digital service centre to object to your personal data being collected and processed. The request will be analysed by the Service and responded to as required by law.
  • The right to request that elements of your data are transferred either to you or another service provider in certain circumstances. This does not apply to this Application.
  • The right to object to certain automated decision-making processes using your personal information. This does not apply to this Application.
  • The right to withdraw consent. This does not apply to this Application because the lawful basis for processing is not based on consent.
  • The right to complain. You can make a complaint to the NHS Digital service centre. The request will be analysed by the Service and responded to as required by law. You have the right to complain to NHS Digital and to the Information Commissioner's Office (ICO) using the contact information provided below.

11. Contact us

If you have any queries in relation to the use of your personal information in connection with the Application, or if you want to exercise any of your rights above, please contact enquiries@nhsdigital.nhs.uk

Our Data Protection Officer is Kevin Willis, whose duties include monitoring internal compliance and advising the organisation on its data protection obligations. You can contact him at enquiries@nhsdigital.nhs.uk

12. Contact the Information Commissioner

If we are unable to resolve any queries or concerns in relation to the use of your personal information in connection with the Service, you can raise your concern with the Information Commissioner. You can contact the Information Commissioner’s Office:

12.1 Changes to this notice

The terms of our privacy policy may change from time to time. Any updates to the privacy policy will be published on the Service website. Where we make any significant changes, we will also inform you about this by email.

Page last reviewed: 11 December 2020
Next review due: 11 December 2023