COVID validated vaccination events FDP product privacy notice

Product description

  The COVID validated vaccination events provides information about:

  • patients who have received a COVID vaccination
  • patients who are eligible for a COVID vaccination
  • COVID Vaccination appointments

The dashboard enables the NHS to have oversight of the uptake of COVID-19 vaccinations. This enables NHS organisations to identify cohorts of individuals who are eligible for the COVID-19 vaccination, so that NHS organisations can then deliver services to provide access to the vaccination in the right places. An example of this would be a location that can see a low vaccination uptake level.

What are the purposes for processing my personal data in this product?

This product processes personal information (called ‘personal data’ under data protection laws) about patients who are eligible for the COVID vaccination and require the vaccinations. It helps the NHS to understand who has received the COVID vaccination and who has not.

This enables the NHS to better understand the number and needs of patients accessing those services, the NHS to continually improve patient experience when receiving COVID vaccinations and better co-ordinate patient care.

You can’t be identified in the data in the product dashboard because all identifiers such as your name, NHS number, full address and full date of birth have been removed from the data which is used. This is called de-identification. Your data is de-identified by NHS England before it is transferred into the NHS Federated Data Platform (FDP). Only de-identified data is processed to create the product. The dashboards in the product only show anonymous aggregated data, this is data which does not identify you, it is just counts of data.

What personal data about me is processed in this product?

Personal data which has been de-identified (we call this de-identified data) will be processed by NHS England, for the purposes mentioned above, about patients who are eligible for or have received a COVID vaccination. De-identified data that is processed to create the product and to create anonymous data that is shown in the dashboards may include data about a patient’s:

  • postcode
  • date of birth
  • gender
  • biological sex
  • NHS number and/or hospital record number
  • health information, including information about your symptoms, medical conditions, diagnosis and, treatment
  • race or ethnicity

The dashboard also shows operational information about including:

  • vaccination appointments
  • uptake of COVID vaccinations
  • number of eligible patients of COVID vaccination

Who is my personal data shared with?

De-identified data is securely analysed by a small number of data analysts in NHS England for the purposes of creating anonymous aggregated data to display in the dashboards. This is statistical counts of data that don’t identify you. It is therefore not personal data. Your personal data will not therefore be shared with any other organisation as part of this product.

Authorised users from NHS England, NHS Trusts and integrated care boards can access the anonymous data in the dashboards for the purposes described above.

UK General Data Protection Regulation (GDPR) information

Controllers of your personal data

Under data protection law NHS England are the legal controllers of your de-identified personal data.

Legal grounds for processing your personal data

The processing of de-identified personal data by NHS England for the purposes explained above is permitted under the following legal grounds under data protection law (this is UK GDPR and the Data Protection Act 2018 (DPA 2018):

  • Legal obligation – Article 6(1)(c) …the processing is necessary for compliance with a legal obligation’. This applies where NHS England is directed under section 254 of the Health and Social Care Act 2012 to collect and analyse personal data for the purpose of producing the dashboards.
  • Substantial public interest – Article 9(2)(g) ‘processing is necessary for reasons of substantial public interest’ together with the legal ground in Schedule 1, Part 2, Paragraph 6 of the Data Protection Act 2018 (“DPA 2018”) “statutory etc and government purposes”. This applies where NHS England processes de-identified personal data under Legal Obligation above.

Processor acting on behalf of NHS England

The data platform contractor, Palantir Technologies UK Ltd is a processor acting on behalf of NHS England. They provide the data platform and the technology that the product uses and only act on the instructions of NHS England to process the de-identified data to store it and make it available to NHS England in the platform for the product.

Your rights under UK GDPR

You have the following rights under UK GDPR in relation to the processing of your personal data by NHS England for the purposes above:

  • right to be informed
  • right of access
  • right to rectify

Further information about these rights is in the NHS Federated Data Platform Privacy Notice.

You can contact NHS England’s data protection officer at england.dpo@nhs.net.

Does the National Data Opt Out or any other opt out apply to this product?

The National Data Opt Out does not apply to the processing of de-identified data by NHS England in this product. This is because NHS England is required by law under the legal direction to process the data to create the dashboards. The National Data Opt Out does not apply in these circumstances. The National Data Opt Out also does not apply to anonymous data that is shared through the dashboards as information that can identify you has been removed.

More information about when the National Data Opt Out does not apply is available at When your choice about sharing data from your health records does not apply – NHS (www.nhs.uk)

Type One Opt Outs do not apply to this product as no confidential patient information obtained from GP practices is used in this product.

More information

For more information about how personal data is processed within the Federated Data Platform please see the NHS Federated Data Platform Privacy Notice.