National COVID-19 and Flu Vaccination Programmes

The National Immunisation Management Service

Purposes for processing

With the availability of a vaccine for COVID-19, there is a need to coordinate vaccination for the population of England.

The seasonal flu programme is a long-established and successful vaccination programme. The service is offered to patients who are particularly susceptible to the flu for example because of their health condition, age or because they are pregnant.

NHS England has established a centralised service for the management of both the COVID-19 and seasonal flu vaccination programmes. This service is supported by a central system, the Immunisation Management System.

The key functions of this system are to enable identification of priority groups, to send invitations to book appointments for vaccination, to manage and monitor the progress of the programme.

In summary, the system works as follows:

Loading personal information about people in England

The demographic details of everyone resident in England or registered with a GP in England are imported into the system from the Primary Care Registration Management Service operated by NHS Digital on behalf of NHS England. After an initial load from NHS Digital, the data is kept up to date overnight.

Information about patients who are particularly susceptible to the flu because of their health condition or because they are pregnant is also uploaded into the system from data held by NHS Digital.

Further data such as lists of shielded patients, NHS staff,  social care workers, unpaid carers and ethnic category information are also uploaded. This data can then be used for prioritising invitation for flu or COVID-19 vaccination, and for reporting purposes.

Selecting people to invite for immunisation

The system has an interactive dashboard which will allows us to select groups of people to invite for immunisation. Factors such as age, ethnic origin, gender and underlying health conditions can be applied. We can also select NHS staff , social care workers and unpaid carers.

The system shows how many people will be invited if the selected criteria are used. The analysis will include a full geographical breakdown so users can ensure there are sufficient vaccinations and delivery capacity to meet demand.  People already vaccinated will be excluded automatically so they are not invited again.

The system sends invitation letters to the people selected.

Sending invitations for vaccination

The list of people to be invited to book an appointment is sent to an automated mailing service. The mailing service prints and sends invitation letters, which explain how to book an appointment for vaccination either for flu or COVID-19.

We will send SMS text message invitations to some groups of people selected for their age or other priority reasons.

The Immunisation Management System keeps a record of everyone who has been invited for vaccination. NHS England uses this information to remind people by telephone, text or letter if they have been invited to attend for vaccination and have not been vaccinated. We may also send reminders to people who have been invited for COVID-19 vaccination and have not booked an appointment through the National Booking System.

Booking appointments

The list of people that have been invited for a COVID-19 vaccination is sent to the National Booking System, which invitees can use to book an appointment online. This system is managed by NHS Digital.

NHS England and the Department of Health and Social Care have also established a COVID-19 vaccine telephone booking service – available by dialling 119.

Informing GPs

The system sends daily updates to GP systems to allow them to update their local record and monitor progress for their patients.

Recording vaccinations given

When someone attends for vaccination the immuniser will be able to use one of a number of applications provided by NHS England as a controller to record the details of vaccinations administered and any adverse reactions. The central Immunisation Management System is updated with this information.

Other attributes are collected at the point of care include:

  • Carer
  • Social care worker
  • Health care worker
  • Care home worker
  • Care home resident
  • Ethnic category
  • Vaccination location
  • Care home details

These applications obtain details of current immunisation status from the Immunisation Management System to so that the immuniser can make an informed decision on whether it is safe to administer the immunisation or not.

Vaccination providers that use these applications are able to obtain reports from them on the people they have vaccinated, to enable them to conduct second dose COVID vaccination recall.


The system includes a business intelligence tool which provides comprehensive analysis of how the vaccination programmes are progressing, nationally and locally.

Categories of personal data and sources

The Immunisation Management System obtains names, addresses telephone numbers, other personal details, and GP registration information from the Primary Care Registration Management service that NHS Digital manages as a processor for NHS England.

It receives information about health conditions and other factors that can make people vulnerable to the flu from NHS Digital who collect it from GP Practices, acting under directions from the Secretary of State for Health and Social Care. We also obtain information about ethnic category from NHS Digital.

It receives information about vaccinations given from GP Practices, pharmacies and other vaccination centres. This is so that we can send out reminder letters, inform GPs for them to update their records, and monitor the progress of the vaccination programme.

The data collection and reporting system receives information about vaccination decisions – given or not given. It also includes demographic data about NHS staff from the NHS Electronic Staff Record, obtains NHS Numbers traced from the Primary Care Registration Management service.

Lists of unpaid carers are obtained via NHS Digital from the Department for Work and Pensions, Local Authorities and other sources.

Categories of recipients

The system sends lists of people to be invited for vaccination to the mailing service managed by NHS England, and for COVID-19 vaccination invitations, the National Booking Service managed by NHS Digital.

The system sends information to GP Practices so that they can update their records about vaccinations that their patients have received at pharmacies or other vaccination centres.

The system sends personal data to the NHS England COVID-19 datastore.

Personal data from the Immunisation Management System is shared with the following external agencies:

  • Public Health England – an executive agency sponsored by the Department of Health and Social Care
  • Joint Biosecurity Centre (JBC) – a directorate of the Department of Health and Social Care
  • Trusted Research Environments – operated by the Office for National Statistics (ONS) and Health Data Research (HDRUK)
  • SPI-M – an independent group set up by the Government to support the Scientific Advisory Group for Emergencies (SAGE)
  • NHS Digital – joint controller with NHS England for processing to facilitate the analysis, linkage and dissemination of data about COVID-19 vaccination (under the COVID-19 Public Health (NHS England) Directions 2020) to requestors who have an appropriate legal basis to process it.
  • The Department of Health and Social Care receives data about individuals’ immunisation status in order to issue the NHS COVID pass.

Data Protection Impact Assessment: National Flu and COVID-19 Vaccination Programme including the National Immunisation Management Service (NIMS)

View the Data Protection Impact Assessment: National Flu and COVID-19 Vaccination Programme including the National Immunisation Management Service (NIMS)

Data Protection Impact Assessment: National Immunisation, Vaccination System – Health Care Workers

View the Data Protection Impact Assessment National Immunisation, Vaccination System – Health Care Workers

Legal basis for processing

For GDPR purposes NHS England’s lawful basis for processing is Article 6(1)(e) – ‘…exercise of official authority…’.

For the processing of special categories (health) data the conditions are

Article 9(2)(h) – ‘…health or social care…’

Article 9(2)(i) – ‘…public health purposes…’,

Article 9(2)(j) – ‘……archiving…research…or statistical purposes…’

For processing special categories (ethnicity) data the conditions are

Article 9(2)(b) – ‘…social protection law…’ (for monitoring equality of access)

Article 9(2)(h) – ‘…health or social care…’

Article 9(2)(j) – ‘……archiving…research…or statistical purposes…’

NHS England’s basis to process confidential patient information, setting aside the duty of confidence, is regulation 3(3) of the Health Service (Control of Patient

Information) Regulations 2002 (COPI), which were made under section 251 of the NHS Act 2006.