National vaccination programmes

How we use personal data to support the national vaccination programmes

NHS England has been given responsibility by the Secretary of State for the delivery of a number of vaccination programmes provided by the NHS for England.

Information about the types of vaccinations that are available in the UK, those provided by the NHS and also when to have them can be found on nhs.uk.

NHS England is supported by a number of different agencies and other health organisations in order to deliver the different programmes.

This transparency notice provides information about the programmes where NHS England is providing a centralised national approach to:

  • the selection of citizens eligible for a particular vaccination
  • inviting eligible citizens for their vaccination
  • enabling citizens to book an appointment to receive their vaccine
  • monitoring and managing the delivery, efficacy and safety of immunisation programmes including adverse reactions to vaccines and medicines.

Purposes for which we process your data

NHS England will collect, process, and disseminate citizen data to:

  • Identify people who we are advised are eligible for a particular vaccination in line with the guidance provided by the Joint Committee on Vaccination and Immunisation (JCVI). Further details of their work can be found on gov.uk.
  • Send you national invitations where we feel that this will be of benefit to you and so we can support GPs and other vaccination providers to contact you to tell you about any vaccination that you are eligible for.
  • Enable you to book your vaccination.
  • Send you reminders that encourage you to book a vaccination where they are needed.
  • Send your vaccination administration information to your GP so that your clinical records can be updated electronically, if you are registered to an English GP practice.
  • Ensure that you can access a vaccination at a suitable location and that there is vaccination available to give to you.
  • Check that people are receiving their vaccinations as we expect so that we can take measures to support our vaccination providers in areas of low uptake. In these cases, we do not need to know who you are, so we ask for the data to be altered so that your name and address are not visible to anyone apart from those responsible for your care.
  • Provide reports to support planning for the current and future vaccination programmes.
  • Support the correction of incorrect COVID-19 vaccination records.
  • Ensure that systems used to record your vaccination are able to obtain and display a person’s relevant immunisation history to help clinicians administer your vaccination.
  • Enable you to view a full record of your vaccination history through your GP records or the NHS app.
  • Provide data to the UK Health Security Agency so that they can carry out their duties to protect the health of the population.
  • Provide data to the NHS Business Services Authority so that they can help us manage claims for payment from vaccination service providers and to ensure that any discrepancies are highlighted and dealt with appropriately.

The controller of your personal data

Under the UK General Data Protection Regulation 2016 (UK GDPR), NHS England is the controller of your personal data where we process it for national vaccination programme purposes. Our legal basis is set out in the table below:

| Legal basis for all vaccination programmes | Processing condition |
|---|---|
| The processing is necessary for a task that is within our remit as a public authority. | UK GDPR Article 6(1)(e) |
| The processing is necessary for the purposes of the provision of health or social care or treatment or the management of health or social care systems and services on the basis of domestic law | UK GDPR Article 9(2)(h) |
| The processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats on the basis of domestic law | UK GDPR Article 9(2)(i) |

Health or social care purposes

“Health or social care purposes” means the purposes of:

(a) preventive or occupational medicine

(b) the assessment of the working capacity of an employee

(c) medical diagnosis

(d) the provision of health care or treatment

(e) the provision of social care

(f) the management of health care systems or services or social care systems or services.

Public health

Processing is necessary for reasons of public interest in the area of public health and is carried out by or under the responsibility of a health professional, or by another person who in the circumstances owes a duty of confidentiality under an enactment or rule of law.

Data Protection Act 2018, chapter 12, Schedule 1

Rationale and basis in domestic law

NHS Act 2006, Chapter 41, Part 1.

Section 2A:

(1) The Secretary of State must take such steps as the Secretary of State considers appropriate for the purpose of protecting the public in England from disease or other dangers to health.

(2) The steps that may be taken under subsection (1) include:

      c. providing vaccination, immunisation or screening services.

Section 7A:

(1) The Secretary of State may arrange for any of the public health functions of the Secretary of State to be exercised by one or more relevant bodies.

(2) In this section “relevant body” includes:

(a) NHS England,

The annual NHS Public Health Functions agreement details how NHS England will exercise the NHS public health functions delegated by the Secretary of State; we refer to these as the ‘NHS public health functions’ provided under Section 7A or simply Section 7A services.

Processing of confidential patient information for the purposes of the national vaccination programmes under the Common Law Duty of Confidentiality

The Health Service (Control of Patient Information) Regulations 2002

Communicable disease and other risks to public health

3. (1) Subject to paragraphs (2) and (3) and regulation 7, confidential patient information may be processed with a view to (the purposes):

a. diagnosing communicable diseases and other risks to public health

b. recognising trends in such diseases and risks

c. controlling and preventing the spread of such diseases and risks

d. monitoring and managing:

(i) outbreaks of communicable disease

(ii) incidents of exposure to communicable disease

(iii) the delivery, efficacy and safety of immunisation programmes

(iv) adverse reactions to vaccines and medicines

(v) risks of infection acquired from food or the environment (including water supplies)

(vi) the giving of information to persons about the diagnosis of communicable disease and risks of acquiring such disease.

(2) For the purposes of this regulation, “processing” includes any operations, or set of operations which are undertaken for the purposes. These are (in addition to the use, disclosure or obtaining of information) any operations, or set of operations, which are undertaken in order to establish or maintain databases for the purposes, including:

a. the recording and holding of information

b. the retrieval, alignment and combination of information

c. the organisation, adaption or alteration of information

d. the blocking, erasure and destruction of information.

(3) The processing of confidential patient information for the purposes may be undertaken by:

a. the Public Health Laboratory Service

b. persons employed or engaged for the purposes of the health service

c. other persons employed or engaged by a government department or other public authority in communicable disease surveillance.

7. (1) Where a person is in possession of confidential patient information under these regulations, he shall not process that information more than is necessary to achieve the purposes for which he is permitted to process that information under these regulations and, in particular, he shall:

a. so far as it is practical to do so, remove from the information any particulars which identify the person to whom it relates which are not required for the purposes for which it is, or is to be, processed

b. not allow any person access to that information other than a person who, by virtue of his contract of employment or otherwise, is involved in processing the information for one or more of those purposes and is aware of the purpose or purposes for which the information may be processed

c. ensure that appropriate technical and organisational measures are taken to prevent unauthorised processing of that information

d. review at intervals not exceeding 12 months the need to process confidential patient information and the extent to which it is practicable to reduce the confidential patient information which is being processed

e. on request by any person or body, make available information on the steps taken to comply with these regulations.

(2) No person shall process confidential patient information under these Regulations unless he is a health professional or a person who in the circumstances owes a duty of confidentiality which is equivalent to that which would arise if that person were a health professional.

(3) For the purposes of paragraph (2) “health professional” has the same meaning as in section 69(1) of the Data Protection Act 1998(5).

COVID-19 only

To support the healthcare response to COVID-19, NHS England is directed under the COVID-19 Public Health Directions 2020, 17th March 2020 (as amended) [1] to:

  • establish information systems to collect and analyse data in connection with COVID-19; and
  • develop and operate IT systems to deliver services in connection with COVID-19.

[1] NHS England Directions – NHS Digital which updates the original direction in accordance with the Health and Social Care Information Centre (Transfer of Functions, Abolition and Transitional Provisions) Regulations 2023 (Transfer Regulations)

Where we are directed to process personal data for COVID-19 purposes, this is a legal obligation, and we are allowed to do this under Article 6 (1)(c) of UK GDPR.

We are also allowed to share your personal data under UK GDPR where it is necessary for us to do so for one of the COVID-19 purposes explained above.

Types of personal data we process (this will vary dependent on the vaccination programme)

| Data item (by programme) | COVID-19 | Flu | Measles, Mumps and Rubella (MMR) vaccination | Human papilloma virus (HPV) vaccination |
|---|---|---|---|---|
| NHS number | Yes | Yes | Yes | Yes |
| Names | Yes | Yes | Yes | Yes |
| Gender | Yes | Yes | Yes | Yes |
| Date of birth | Yes | Yes | Yes | Yes |
| Address | Yes | Yes | Yes | No |
| Postcode | Yes | Yes | Yes | Yes |
| Contact details such as an email address and mobile phone number | Yes | Yes | Yes | Yes |
| Health related data in the form of condition codes held in central NHS records such as those held by your GP or a hospital where you have received healthcare | Yes | Yes | No | No |
| Information about vaccinations received/refused/not given and details of any adverse reactions/doses/date/batch/type/body site/how administered | Yes | Yes | Yes | Yes |
| If you are a carer | Yes | Yes | No | No |
| If you are a social care worker | Yes | Yes | No | No |
| If you are a health care worker | Yes | Yes | No | No |
| If you are a care home worker or care home resident along with details of your care home | Yes | Yes | No | No |
| Ethnic category | Yes | Yes | No | No |
| Vaccination location (site code) | Yes | Yes | Yes | Yes |
| Consent to treatment information where we hold this: a) the vaccination type requires this, b) due to the closure of a service or c) where the system holding the information in its original form is no longer available | Yes | Yes | No | Yes |
| Details of the person administering the vaccine including job role | No | No | No | Yes |

(This table will be updated when additional vaccination programme data processing requirements are finalised.)

How we obtain your personal data

Identifying citizens for eligibility for a vaccination is carried out using data we already collect or hold as the national safe haven for health and care data in England. More information is provided on NHS Digital’s website.

We also collect information about the vaccinations provided at the point of care; this data flows from the systems used to record when a vaccination is given so that we can ensure that we have up to date information about your vaccination history and also flow that data to those responsible for your health care, your GP. 

How we process your data

Once it is agreed that a vaccination programme will be supported by a national invitation campaign or we need to process data in order to manage and monitor a vaccination programme, we use cohorting as a service to develop the cohorts that contain the data we need.

Where we decide to send a national vaccination invitation this is considered as contributing to your direct care. We will process your data through our Invitation Processing Service which will apply a number of business rules to the data so that we can prepare invitations using SMS text messages, emails, through the NHS App or where necessary, by letter. We use our Communications Management Service to undertake this part of the processing.

We will send information on who has been invited for a particular vaccination to our National Booking Service where the facility exists to use that system to book; this may not at present apply to all vaccinations.

If we are not intending to send invitations, we will send data directly to our processor, Arden and Gem Commissioning Support Unit, who will de-identify the data, add a pseudonym and then make that data available to our analysts through our analytics platform. They will use this platform to link datasets so that we can fulfil our obligations to manage and monitor the delivery, efficacy and safety of immunisation programmes along with identifying adverse reactions to vaccines and medicines.

In order to monitor and manage our programmes, we need to process two distinct elements of data. First, we need to understand the number of people that have been included in a particular cohort, so we have a baseline figure to work from – we call this our denominator. Second, the data that is obtained from vaccination providers about the vaccinations that they administer is used to provide actual figures; we call this our numerator. We need both types of data to report progress as accurately as possible.

Sharing your data

We share relevant information with organisations who have responsibilities for delivering vaccinations or for monitoring their safety.

NHS England will share personal, identifiable and clinical information with or receive vaccination information from:

GPs: We will flow the vaccination data that we have received from the organisation that gave you the vaccination, to your GP clinical record. Even though your GP may have provided your vaccination, they record it in a different system. This data can then flow to NHS England before being sent to the GP clinical system to become part of your GP record.

Pharmacies: We will only make this data available once you have decided to obtain your vaccination at a pharmacy and the pharmacy staff are administering your vaccination. They will use their point of care system to record your vaccination, but they will link your data to information provided through our own application programming interface (API).

Other NHS, health, or social care organisations: We will make this data available in the same way that we do for pharmacies where an organisation needs to know your vaccination history to care for you. In addition to this, we make the data available in the summary care record.

NHS bodies in Scotland, Wales and Northern Ireland: Depending on the needs of each vaccination programme, if you obtain a vaccination in Scotland, Wales or Northern Ireland but are registered with a GP in England, vaccination event data is shared with us by the NHS body responsible for vaccinations in that country. If you live in one of those countries and are registered with a GP in that country, should you get vaccinated in England we will share this data with the NHS body responsible for your care in that country.

The UK Health Security Agency (UKHSA): We share data so that the UKHSA can fulfil their statutory public health duties – see Framework document between DHSC and the UK Health Security Agency. This includes a letter from Maggie Throup to Professor Dame Jenny Harries, UKHSA Chief Executive – see the gov.uk website for more information about the role of the UKHSA.

The NHS Business Services Authority (BSA): We share data with the BSA because we are permitted to do so as it is necessary for both NHS England and the NHS BSA to exercise certain functions in relation to the running and management of the NHS.

The legal basis for the processing of this data for the purpose stated is Article 6(1)(e), under the NHS Act 2006, Chapter A1, Section 13Z3 (e) and (f).

Specific directions relating to the functions of the NHS Business Services Authority are made in the NHS counter fraud authority directions, with supplemental directions to the NHS Business Services Authority (Awdurdod Gwasanaethau Busnes y GIG) 2017, schedule which includes intelligence, detection, and prevention functions (paragraph 5) and Investigation functions (paragraph 7). See NHS Counter Fraud Authority and supplemental directions 2017 for further information.

We do not flow confidential patient information to the NHS BSA apart from the fact that you have had a vaccination; this includes when, where and who administered it. We do not tell the NHS BSA any more about you apart from your NHS number and your date of birth.  This enables them to consolidate claims for payment from vaccination providers and ensure that these claims are made accurately.  Linking data in this way is the only way to achieve this obligation.

It should be recognised that we also process data that has been shared between systems by providers of local vaccination and immunisation services; these include school aged immunisation services, the Child Health Information Service, maternity services and primary care networks. They do not share data directly with us; we obtain it through GP clinical records once it has been sent by the originating system or provider.

What else do we use your data for?

In addition to the purposes described above, we need to undertake monitoring and analysis to support management of the various vaccination programmes. Data will be used for planning, commissioning, and where approved, could be used for research purposes, including relevant clinical trials. Ultimately, we need to understand whether vaccinations are effective and contributing to the improved health of the population in a way that is equitable.

The data we use for these purposes is pseudonymised to ensure that individual patients are not identifiable. Data is pseudonymised by changing identifiable data such as your NHS number into a random selection of characters. The data containing the random characters is then made available to analysts who are able to link any data with the same characters in it, but they will not know who you are.

Data will be processed at row level where necessary; this means that a table will contain different rows of data relating to unidentified people on each row. The majority of reporting uses anonymised and aggregated data; this is data relating to a number of unidentified people that has been grouped together and no longer contains the random characters used to pseudonymise it. This makes it anonymous, and we further minimise the risk of identifying anyone by suppressing low numbers, so for example, we may remove data where the analysis indicates there are fewer than 10 people to whom the data could relate.
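The following is an added illustration, not NHS England's or its processors' code, of the pipeline described above: identifiers are replaced by a pseudonym, the cohort (denominator) and vaccination events (numerator) are linked on that pseudonym, and aggregated figures below 10 are suppressed. It assumes a keyed HMAC-SHA256 stands in for the "random selection of characters"; the field names, key and records are constructed for the example.

```python
import hashlib
import hmac
from collections import defaultdict

SUPPRESS_BELOW = 10  # the notice's example: remove figures covering fewer than 10 people
IDENTIFIERS = ("nhs_number", "name", "address")  # hypothetical field names


def pseudonymise(nhs_number: str, key: bytes) -> str:
    """Map an NHS number to a stable pseudonym (assumed scheme: keyed HMAC-SHA256).

    The number is normalised first so '999 000 0001' and '9990000001' link.
    Without the key, an analyst cannot recompute or reverse the pseudonym.
    """
    digits = "".join(c for c in nhs_number if c.isdigit())
    if len(digits) != 10:
        raise ValueError("expected a 10-digit NHS number")
    return hmac.new(key, digits.encode("ascii"), hashlib.sha256).hexdigest()[:32]


def de_identify(record: dict, key: bytes) -> dict:
    """Drop direct identifiers and attach the pseudonym used for linkage."""
    out = {k: v for k, v in record.items() if k not in IDENTIFIERS}
    out["pseudonym"] = pseudonymise(record["nhs_number"], key)
    return out


def uptake_report(cohort_rows: list, event_rows: list) -> dict:
    """Aggregate row-level pseudonymised data into per-area uptake figures.

    Denominator: people in the cohort. Numerator: cohort members with a
    vaccination event. Any figure below SUPPRESS_BELOW is withheld (None).
    """
    vaccinated = {row["pseudonym"] for row in event_rows}
    denominator = defaultdict(int)
    numerator = defaultdict(int)
    for row in cohort_rows:
        denominator[row["area"]] += 1
        if row["pseudonym"] in vaccinated:
            numerator[row["area"]] += 1

    report = {}
    for area, denom in sorted(denominator.items()):
        num = numerator[area]
        if denom < SUPPRESS_BELOW or num < SUPPRESS_BELOW:
            # Withhold the small figure and the percentage derived from it.
            report[area] = {
                "denominator": denom if denom >= SUPPRESS_BELOW else None,
                "numerator": None,
                "uptake_pct": None,
            }
        else:
            report[area] = {
                "denominator": denom,
                "numerator": num,
                "uptake_pct": round(100 * num / denom, 1),
            }
    return report


def run_sample():
    """Constructed data: 40 people in Area A (25 vaccinated), 12 in Area B (4 vaccinated)."""
    key = b"constructed-demo-key-not-a-real-secret"
    cohort, events = [], []
    for i in range(52):
        nhs = f"999{i:07d}"  # constructed numbers, not checksum-validated
        cohort.append({"nhs_number": nhs, "name": f"Person {i}",
                       "address": f"{i} Example Street",
                       "area": "Area A" if i < 40 else "Area B"})
        if i < 25 or 40 <= i < 44:
            # Point-of-care record formats the number differently.
            events.append({"nhs_number": f"{nhs[:3]} {nhs[3:6]} {nhs[6:]}",
                           "vaccine": "flu", "site_code": "X0000"})
    cohort_p = [de_identify(r, key) for r in cohort]
    events_p = [de_identify(r, key) for r in events]
    return cohort_p, events_p, uptake_report(cohort_p, events_p)


if __name__ == "__main__":
    for area, figures in run_sample()[2].items():
        print(area, figures)
```

The key is the control that keeps analysts from re-identifying rows, so it has to be held by whoever performs the de-identification and not by the people who query the linked data.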

Further information about how we did this during the COVID-19 pandemic is available on our website. We use the same technology currently for processing data for other national vaccination programmes; it is known as Foundry as this is the name of the platform we currently use, provided by Palantir.

We also share your information with organisations who process personal data for us, on our behalf. They are called processors. Where we use processors, we have contracts and agreements in place with them which means that they can only process your personal data on our instructions. Our processors must also comply with stringent security requirements when processing your personal data on our behalf.

How long we keep your personal data for

We will retain your personal data for as long as is necessary for the purposes outlined above in accordance with the Records Management Code of Practice 2021.

Other organisations with whom we share your personal data have obligations to keep it for no longer than is necessary for the purposes for which we have shared your personal data. Information about this will be provided in their transparency or privacy notices which are published on their websites.

Data relating to the COVID-19 pandemic

Due to legislation published to support the UK COVID-19 public inquiry, NHS England and other organisations who supported the service provided during the pandemic, are legally obliged to retain data relating to the pandemic until such time as the COVID inquiry deems it is no longer necessary to retain it for their purposes.  At that point in time, we will review retention periods to ensure that we are fulfilling our obligations under the Records Management Code of Practice and therefore expect our retention periods to be longer than stated in the code.

Where we store the data

NHS England only stores and processes your personal data within the United Kingdom.

Fully anonymous data, for example, statistical data, which does not allow you to be identified, may be stored and processed outside of the UK.

Some of our processors may process your personal data outside of the UK. If they do, we will always ensure that the transfer outside of the UK complies with data protection laws.

Your rights over your personal data

Read more about the health and care information NHS England collects, our legal basis for collecting this information and what choices and rights you have.

As NHS England has recently merged with NHS Digital and Health Education England, additional transparency information about the data we are now the Controller for can be found at:

Type 1 opt outs and the National Data Opt Out  

In most vaccination programmes, any Type 1 opt outs recorded within your GP record will not apply where the data obtained from GP systems is for a direct care purpose; NHS England is obliged to monitor uptake of the vaccination which, although a secondary purpose, is linked to direct care.

The National Data Opt Out will not apply in all cases where any disclosure is for the purposes of monitoring and control of communicable disease or other risks to public health which includes:

  • diagnosing communicable diseases
  • controlling or preventing their spread
  • delivering and monitoring vaccination programmes. 

Where processing is in relation to planning and research, NHS England will adhere to the National Data Opt Out policy.

Who are our processors

  • UK Health Security Agency – manage our inbound 119 vaccine booking service capability.
  • Point of Care system providers
  • Palantir – providers of the Foundry analytics software

Choosing your COVID-19 vaccination invitation preference

We have set up a service for people to choose whether they receive invitations and reminders to attend for COVID vaccination. This is available on nhs.uk. The service is available to people aged 16 and over.

When you access this service, we need to verify your identity. You will need to provide your name, date of birth, and either your NHS Number or postcode. Once we find a match and verify this by using a security code sent to your registered mobile number or email address, we do not keep this information. There is a facility to find an NHS number if you do not know it.

You will also need to have an email address or mobile phone number that you have registered with your GP, and is available in the Personal Demographics Service. This is used to send you a security code (via the gov.uk Notify Service) which you enter into the system, before proceeding to choose whether or not to receive COVID-19 appointment invitations.

Once you have made your preference, your choice is saved against your NHS number. This is the minimum amount of information that we need to provide this service.

We also record and store audit data each time you use the service, including the date and time and internet protocol (IP) address. This is stored to help us monitor the service and protect the service from malicious use. This data is stored on secure servers in the European Economic Area.

Access to the service is also available by calling 119. The call handler talks you through the process, entering the data you provide into the online service. You provide your name, date of birth, and either your NHS number or postcode, to the call handler so they can verify your identity. You also need to have your registered mobile phone or email account available so you can receive the security code and provide it to the 119 call handler.

If you have difficulty communicating or are a British Sign Language (BSL) user, you can use textphone 18001 119 or the NHS BSL interpreter service.

Whilst you will no longer receive COVID-19 vaccine invites, your details will continue to be processed for the purposes of managing and monitoring the progress of the COVID-19 programme.

If circumstances were to change, for example should the impact of COVID-19 significantly worsen, we may consider whether we have compelling grounds to send vaccination invitations irrespective of any preference set.

Setting your COVID-19 contact preference using this central service will not stop other organisations such as your GP practice from sending you invitations for vaccination.