COVID-19 Vaccine Trials Permission to Contact Service - DPIA risks
Describe source of the risk and nature of potential impact on individuals
Likelihood of harm (Remote; reasonable possibility or more likely than not)
Severity of impact (Minimal impact; some impact; or serious harm)
Overall risk rating (Low; medium; or high)
Options to mitigate (treat) the risk
Effect on risk (Eliminated, Reduced, Accepted)
Residual harm (Low; medium; or high)
Measure approved (Name and Date)
Actions taken (Date and Responsibility for completion)

How will volunteers ensure that, when they are approached by researchers, the approach is genuine, i.e. not a scam or phishing?

Reasonable possibility Some impact Medium

Researchers only use the official clinical trial email account to approach the volunteer – this is made a condition of data access. Information is provided to volunteers on the specific trials they may be approached by on the Be Part of Research webpage. Volunteers are advised that recruitment is regional and that they will be contacted by the centre nearest to them.

Statement included in the Privacy Notice telling individuals how to check that a contact email is coming from an official email address, and including links to the National Cyber Security Centre and Action Fraud websites with tips on how to recognise a scam.

Reduced Low  

Include in Privacy Notice

Official emails and contact details included in NIHR to Be Part of Research Website

Links to National Cyber Security Centre and Action Fraud included in the Privacy Notice.


Owner: IAO. [Redacted]

Risk of individual being contacted too many times by researchers.

Reasonable possibility Minimal impact Low

This is mitigated by the limited number of CV19 vaccine trials running in the UK – estimated at between 5 and 12. NHSD will manage this within DARS.

We will limit contact to no more than 8-12 times a year through the DARS process and will not contact an individual where they have indicated they no longer wish to be contacted in this regard.

Researchers are provided with rules as to how many times they can attempt to contact an individual and also have a limited time period to do this.
Reduced Low  

NHSD DARS to develop process to limit number of trials an individual is put forward for.

NHSD to agree time periods for contact with researchers in protocol and include in special conditions.

Owner: IAO. To be resolved before any details are shared with researchers and made a condition of sharing the data in the DSA.
As there is no linkage to NHS Digital data or data from the devolved administrations, there is a risk that an individual has died after signing up and their family may see an email sent to them asking them to participate in a trial, with potential distress to family members. However, this risk would not impact the data subject themselves.

Remote Minimal impact Low

Without authentication it is not possible for NHS Digital to check for death on PDS. However, this risk is minimal for MVP, where contact is only by email.

Researchers are asked to feed back if they discover an individual has died. We will attempt to confirm this by sending an email and then will mark the individual's record as inactive.
Accepted Low   For consideration after MVP if alternative contact methods are introduced.

Someone tries to use the service to sign up someone for CV19 vaccine research without their knowledge.

Remote  Minimal impact Low

Email verification occurs at an early part in the patient journey, so although this is not a verification check, it ensures that the person accessing the service has access to the email address being used to register for the service.

If they are using a third party’s address, then this also means a notification email will be sent to that account, which reduces the risk of spoofing.

Further verification of the user would be required before NHS D would link any data to the individual. This is therefore currently out of scope until an authentication mechanism is built and implemented.

Accepted Low   Consider this further when authentication mechanism is introduced.

Inadequate or no transparency

Patients are not sufficiently informed about how their personal data is being used through inadequate or lack of transparency material.

The risk to data subjects is that their personal data is processed in an unfair or unexpected way, potentially causing distress.
Remote Some Low

Information provided during the user journey.

User testing to ensure information is clear.

Privacy Notice in place which is written in plain English and contains full details of how data is used.

Further communications materials to promote service.

Accepted Low  

Layering of Privacy Notice to be considered in future releases to help reduce length of the Notice and increase ease of use.


[Redacted] Improvements to be identified at next release, including removing table in the Annex and putting this on a different page.

Risk of data being disseminated to organisations that do not meet the required security standard expected by NHS Digital.

The risk to data subjects is that their personal data including special category data is processed by an unauthorised third party resulting in distress, anxiety and other harm to the rights and interests of the data subject.

Remote Minimal Low

NHS Digital DARS Team will be responsible for assessing and fulfilling the applications for access to the data, which will include assessing the security arrangements that the clinical trials have in place for processing the data. Data will not be shared unless the clinical trials meet the required security standards.

These applications will only be successful if they pass the appropriate ethical, legal and Information Governance requirements set out by DARS to ensure that data is only shared where it is secure, lawful and appropriate to do so.

IGARD will also provide independent oversight and scrutiny.
Accepted Low   None

Risk that an individual changes their email address or that the information they have provided becomes out of date.

More likely than not Some impact Low

At MVP there are no options for a user to update their details other than to withdraw their permission and re-register. For MVP this has been explained in the Privacy Notice and in the FAQs on the Service pages.

An authentication mechanism could remedy this and also support the facilitation of other rights, such as SARs, and updating details.

The impact of out of date data decreases once we stop sharing the data, which is from 30th July 2022, therefore the overall risk decreases.

Accepted Low  

Include in Privacy Notice.

Mechanism and update process to be considered as part of future development of wider PtC Service linked to introduction of an authentication mechanism.

The personal data is held for longer than necessary for the purposes set out in the COVID-19 Direction.

This could result in the personal data being held for longer than is necessary and be a breach of the GDPR as there would not be a lawful basis to process the data.

The risk to data subjects is that the risks associated with data breaches and unlawful use of their data are not eradicated as they should be by data deletion at the time the data is no longer required for the legal purposes for which it is held.  
Remote Minimal impact Low

The data will only be disseminated up to 3 months after the expiry of the CV19 Directions and S255 Requests, i.e. 31 July 2022.

The Collected Data shall be retained for 8 years following last use in accordance with the NHS Digital Records Management Policy for record keeping and legal reasons and securely destroyed 31 July 2030. Information Assets are regularly reviewed by Asset Owners to prevent personal data being retained for longer than considered necessary. IG Team will also be supporting NHS Digital to review all COVID-19 assets on expiry of COVID-19 Directions and Section 255 Requests.

NHS Digital has created a record within the IG Team of all COVID-19 assets which have been collected or created. A separate area has also been created to hold COVID-19 data sets collated and/or processed under the COVID-19 Direction or COVID-19 Section 255 Requests. Upon instruction the data can easily be securely deleted.

Reduced Low   Owner: IAO. As Information Asset Owner to ensure processes are in place to manage data appropriately in line with this DPIA and NHS Digital’s records management approach.
[Redacted] Remote Minimal impact Low [Redacted] Accepted Low   None
[Redacted] Remote Minimal impact Low [Redacted] Accepted Low  


Owner: IAO
Risk that the right to rectify information can only be exercised by withdrawing information and re-signing up, thus making it difficult for a participant to exercise this right.

Remote Some impact Low

Currently the only way to rectify information, including if they’ve had a COVID test or there are any changes to their health conditions following initial sign-up, is to withdraw permission and re-sign up.

This has been highlighted more in the Privacy Notice.
Accepted Low   This issue has been added to the backlog to be addressed in further releases of the service.
Second permission has 2 different aspects and it would be fairer to offer this as 2 different choices, as an individual may wish to make different choices in relation to being contacted with progress about vaccine trials compared to development to the service for other covid and non covid research.

Remote Some impact Low

Due to limited time to develop the service and the urgency to launch to support ongoing vaccine trials, it was not possible to split into 2 permissions for UK wide launch.

However, Privacy Notice advises in clearer terms what NHSD will contact people about and individuals are given the opportunity to unsubscribe from any emails sent by NHSD. NHSD will also only send general newsletter type emails, not targeted emails.
Accepted Low   This issue has been added to the backlog to be addressed after public launch by splitting out the two consents and undertaking more user research.
There is currently only one mode of communication for researchers to communicate initially with individuals about participating in the vaccine studies, which is not inclusive and may omit some communities or parts of communities from participating.

Remote Some impact Low

Currently the only way for researchers to communicate with individuals through the Service is via email. Telephone is a future intention and on the development list for future release. Other options for contact such as text, WhatsApp and pre-recorded phone messages may be discussed as future options, but the IG implications of this and the ability to offer individuals preferences will need to be carefully considered.

NHSD note that the Service is not the only way that trials will recruit and therefore there will still be other recruitment initiatives outside of the Service organised by the trials which may reach out to other individuals who are not able to use the digital sign up process.
Accepted Low   Means of communicating with individuals other than email to be considered as part of future development list of the service.
[Redacted] Reasonable possibility Some impact Low [Redacted] Reduced Low    
[Redacted] Reasonable possibility Minimal Low [Redacted] Reduced Low    
[Redacted] Reasonable possibility Some impact Low [Redacted] Accepted Low   [Redacted] Owner: IAO
Last edited: 5 August 2020 9:28 am