Skip to main content

Book a coronavirus vaccination service: GDPR information


Why and how we process your data in the ‘Book a coronavirus vaccination service’ and your rights.

Controller NHS Digital
How we use the information (processing activities)

We use your information to: check your identity, access your NHS vaccination record, determine whether you are health and social care worker, and whether you are considered to be extremely clinically vulnerable to coronavirus. The information is used to contact you, enable you to book two coronavirus vaccination appointments, and to retrieve your booking information at the vaccination centre. It is also used to enable pseudonymised reports to be produced on the take up of the service and the level of do not attends.

Does this contain sensitive (special category) data such as health information? Yes
Who are recipients of this data?

Personal data is shared with the following:

  • National Immunisation Service (NIMS)
  • NHS Arden and Greater East Midlands Commissioning Support Unit
Is data transferred outside the UK? This data is not transferred out of the UK
How long the data is kept We will retain your customer record and appointment information for as long as the Book a Coronavirus Vaccination Service exists. We will review whether we need to retain your personal information every six months. The following factors will be considered by us when determining whether we need to retain your data: 1. Whether your personal information is required to arrange your COVID-19 vaccinations appointments 2. Whether it is necessary to retain your information for the purposes of future coronavirus vaccinations and/or booster vaccinations 3. Whether it is necessary to retain your information for clinical safety purposes. We will only retain your personal data for as long as the law allows. Once your customer record is no longer required by the Service, it will be permanently deleted.
Our lawful basis for holding this data Legal obligation
Your rights
  • Tick Be informed
  • Tick Get access to it
  • Tick Rectify or change it
  • Tick Erase or remove it
  • Tick Restrict or stop processing it
  • Cross Move, copy or transfer it
  • Tick Object to it being processed or used
  • Cross Know if a decision was made by a computer rather than a person
How can you withdraw your consent?

Consent is not the basis for processing.

Is the data subject to decisions made solely by computers? (automated decision making) No
Where does this data come from? Data subject, PDS (Personal Demographics Service) and NIMS (National Immunisation Service).
The legal basis for collecting this data
  • GDPR Article 6(1)(c) - the processing is necessary to comply with a legal obligation to which the controller is subject
  • GDPR Article 6(1) (e) – the processing is necessary for the performance of its official tasks carried out in the public interest in providing and managing a health service
  • GDPR Article 9(2)(h) – the processing is necessary for the management of health/social care systems or services
  • GDPR Article 9(2)(i) – the processing is necessary for reasons of public interest in public health
  • Data Protection Act 2018 – Schedule 1, Part 1, (2) (2) (f) – health or social care purposes