Data Protection Impact Assessment – COVID-19 Vaccine Trials Permission to Contact Service – V1.0

Purpose of this document

A Data Protection Impact Assessment (DPIA) ensures NHS Digital complies with data protection law, and builds confidence with stakeholders of our rigour in respecting citizens' data rights.

DPIAs are also a legal requirement where the processing of personal data is “likely to result in a high risk to the rights and freedoms of individuals”. If you are unsure whether a DPIA is necessary, you should complete a DPIA screening questionnaire to assess whether the processing you are carrying out is regarded as high risk. 

By completing a DPIA you can systematically analyse your processing to demonstrate how you will comply with data protection law and in doing so identify and minimise data protection risks. 

This document should be read in conjunction with the DPIA Guidance and DPIA Screening Questionnaire.

1. Consultation with stakeholders

This data protection impact assessment (DPIA) has been developed in consultation with the following stakeholders regarding the COVID-19 Vaccine Trial Permission to Contact Service (CV19 Vaccine PtC Service):

  • CV19 Vaccine PtC Service project team (including security, legal and Information governance subject matter experts) drawn from across NHS Digital and the National Institute of Health Research
  • Test and Trace Programme Board
  • Information Commissioner’s Office (ICO) - NHS Digital had previously secured a place in the ICO’s Sandbox Beta with a proposal to explore a central mechanism for collecting and managing patient permissions in relation to health research. Scoping of this project was underway as the COVID-19 pandemic began. Through an iteration of the original proposal and within a short timeframe, the ICO Sandbox provided NHS Digital with general feedback and comments on the updated proposal of a ‘permission to contact service’ for the COVID-19 vaccine trials
  • National Data Guardian’s Office
  • NHS Digital’s Independent Group Advising on the Release of Data (IGARD)
  • Devolved Nations Policy and IG leads
  • Understanding Patient Data
  • Clinical Trials Unit Researchers
  • Health Research Authority
  • Confidentiality Advisory Group

User research was undertaken from 24 to 26 June with rapid iteration of the prototype to incorporate feedback and re-evaluate the product throughout this period. The user research group consisted of a cross section of the public (12 people in total, 8 women and 4 men) to ensure the purpose of the service is fully understood and help to design the questions and screens for clarity and understanding. It should be noted this number and cross section was within the realms of limited time and resource.  

Private beta testing has been undertaken from 9 to 20 July with a closed audience and feedback was collected from this group. This enabled further changes to improve usability prior to UK-wide public launch on 20 July 2020.

User research through interviews and feedback surveys is built into the service and is being used to inform the next phases of development of the service.

2. Data flow diagram

Flow diagram of process

See Section 5 below for a description of the processing associated with the flows above.

3. Purpose of the processing

Background

NHS Digital was established under the Health and Social Care Act 2012 and is the national safe haven for patient data in England with statutory powers to collect and analyse information under legal directions and requests, including from devolved nations in the UK, and to operate IT systems and provide IT services on behalf of the Secretary of State in England.

This includes powers to collect and analyse confidential patient information, publish anonymous information and disseminate information, including confidential patient information, to those organisations with a lawful basis to process it. The Secretary of State for Health and Social Care has directed NHS Digital under section 254 of the Health and Social Care Act 2012 (the 2012 Act) by the COVID-19 Public Health Directions 2020 of 17 March 2020 (as amended) to collect, process and analyse information for COVID-19 Purposes. This direction is referred to in this document as the COVID-19 Direction.

This forms the legal basis for the CV19 Vaccine PtC Service (Service), the details of which are set out below.

The Devolved Nations in Wales, Scotland and Northern Ireland have each also requested NHS Digital, under section 255 of the 2012 Act, to collect, process and analyse information on request, for COVID-19 Purposes. These section 255 requests (see below for more detail) provide the legal basis for the Service in relation to the collection by NHS Digital of data from residents of Wales, Scotland and Northern Ireland as part of the Service.

Overview of the CV19 Vaccine PtC Service

References to COVID-19 vaccine trials and COVID-19 vaccine clinical trials are used interchangeably with coronavirus vaccine studies throughout this document and have the same meaning.

NHS Digital has agreed to work in partnership with the National Institute of Health Research (NIHR) to build and host a first of type online Permission to Contact (PtC) Service on nhs.uk where members of the public can register their details and give their permission to be contacted by researchers working on NIHR approved UK coronavirus vaccine trials about participating in those trials. As at 20th July 2020 there are two such trials. One is run by Oxford University and the other by Imperial College London. This first PtC Service, which is called “Sign Up to be Contacted about Coronavirus Vaccine Studies” on the nhs.uk website was rolled out as a limited private beta pilot from 8th July 2020 and was launched as a national service on 20th July 2020. 

Purpose of the CV19 Vaccine PtC Service

This Service will enable participants to:

  1. Provide permission for NHS Digital to share an individual’s details provided through the Service with the researchers undertaking COVID-19 UK vaccine trials for the purposes of researchers contacting that individual about taking part in those trials. 
  2. Provide their permission to be contacted by NHS Digital about progress and outcomes from CV19 vaccine studies and in relation to the development of the PtC Service, including to inform them of opportunities to participate in other types of health research. We have had feedback from stakeholders that it would be helpful to split out these two purposes into two separate NHSD permissions and we are considering this suggestion for a future release of the Service.

The data to be collected from individuals who sign up will include sufficient information to achieve the following purposes:

  • potentially eligible participants to be matched to eligibility criteria provided by the vaccine trials for their specific studies. This data will comprise age, sex, geographic locations, type of employment, and a number of health questions, e.g. about whether they have long-term health conditions.
  • relevant details of potentially eligible participants which have been obtained through the Service to be provided to researchers via NHS Digital. This will allow the researchers to contact the participants with a view to discussing their taking part in a trial and if so, to obtain their further permission to take part in the trial. 

NHS Digital will provide access to the information obtained from individuals through the Service via the existing Data Access Request Service (DARS) process available to researchers working on UK COVID-19 vaccine trials sponsored by the National Institute of Health Research. The Service will only provide researchers with the data collected directly from individuals themselves through the Service.

No automated processing or decision-making is being undertaken during cohort selection. The decision-making process is not “automated decision making” as any decision made on the compilation of cohorts is made with human involvement and those decisions are therefore not based solely on automated processing.

The data obtained from individuals through this service will not be linked to any other data held by NHS Digital. This is because the individual has not been authenticated when signing up. Authentication mechanisms will be looked at in the future as part of the development of the Service.  (Note: Any development of the Service will require a full review and update of the DPIA, Privacy Notice and further consultation with the Devolved Nations).

4. Necessity, proportionality and benefits

Necessity

There is an urgent need for an effective and safe vaccine against Covid-19 to be developed, manufactured and made available across the UK in order to manage the Covid-19 outbreak in the UK. To support this work the Government launched a new Vaccine Taskforce in April 2020 to drive forward, expedite and co-ordinate efforts to research and then produce a coronavirus vaccine and make sure one is made available to the public as quickly as possible.

The taskforce, led by Chief Scientific Adviser Sir Patrick Vallance and Deputy Chief Medical Officer Professor Jonathan van Tam, will support efforts to rapidly develop a coronavirus vaccine as soon as possible by providing industry and research institutions with the resources and support needed. This includes reviewing regulations and scaling up manufacturing, so that when a vaccine becomes available, it can be produced quickly and in mass quantities.

The taskforce is focussing on 5 strands of activity including:

  1. Supporting the discovery of potential coronavirus vaccines by working with the public and private sector, rapidly mobilising funding, supporting leading academics and identifying ways to fast-track clinical trials (Strand 1).
  2. Preparing the UK as a leader in clinical vaccine testing and manufacturing, working with companies already at the forefront of vaccine development.
  3. Reviewing government regulations to facilitate rapid and safe vaccine trials.
  4. Developing funding and operational plans for the procurement and delivery of vaccines.
  5. Building on the UK’s research and development expertise to support international efforts to find a coronavirus vaccine.

Find out more information about the taskforce.

There are currently two UK Covid-19 vaccine trials, but it is anticipated there will be more – potentially up to 12. It is essential that the effectiveness of vaccines is tested through regulated clinical trials in the UK before they can be made available for general use. Clinical trials require volunteers, and recruiting volunteers to participate in clinical trials can be time consuming.

Each clinical trial has different criteria which participants may need to meet and they are carried out in different locations across the country. Recruiting volunteers involves a range of different activities, including local advertising and in some cases obtaining data about individuals who may be suitable for a trial without their consent through, e.g., support from the Confidentiality Advisory Group under section 251 of the National Health Service Act 2006 in England and Wales.

The new PtC Service is being delivered as part of Strand 1 activity above and will allow members of the public to register their interest and be contacted with their consent, to participate in vaccine clinical studies. To enable large-scale vaccine studies to take place across the UK, the aim is to get 500,000 people signed up by October, which is considered vital in the fight against coronavirus.

Clinical studies with hundreds of thousands of volunteers will help scientists and researchers better understand the effectiveness of each vaccine candidate and will considerably speed up efforts to discover a safe and workable vaccine.

Find out more in the 20 July 2020 press release.

Proportionality

The PtC Service is a voluntary service which allows those who are interested in participating in coronavirus vaccine studies to easily sign-up and provide their permission to be contacted by the trials. By signing up once, their details can be shared with researchers of suitable vaccine studies who can make contact with them to provide more information about their particular studies. Relevant details will only be shared with trials where individuals are likely to meet the criteria for a particular study based on the information individuals have provided through the Service. The Service has been designed to only ask health questions which are relevant to the trial criteria. More information about the questions asked, the data collected and how the data is used is explained below.

Benefits

The benefits of sharing patient information for the purposes of health research and trials are well known and undisputed. However, truly unlocking this enormous potential is dependent on building public trust. Providing individuals with more control over how their data is used and the ability to easily make well informed decisions is also key. Providing a trusted service which provides members of the public with the opportunity to provide permission to be contacted about the research they wish to support and participate in is a step towards increasing public trust in how their data is used. 

There are a range of potential benefits delivered through the CV19 Vaccine PtC Service including:

  • Individuals: Widens the opportunity for the public from across the UK to get involved in research to develop a vaccine for COVID-19
  • Individuals: In particular it offers an option for individuals to volunteer in advance to participate in COVID-19 vaccine trials as an alternative to other mechanisms e.g. sharing data with researchers about individuals under section 251 consents or COPI notices, which although lawful is initially less transparent.  
  • Individuals: Provides individuals with protection against scams and uncoordinated contact through limits on overall contact and providing advice and mechanisms to help individuals to check that approaches from researchers are genuine. 
  • Researchers: Allows researchers to identify a suitable cohort and recruit them quickly into the vaccine trials – thus reducing the overall time to recruit into their trials and to accelerate the delivery of an effective vaccine to treat individuals to manage the COVID-19 outbreak and to save lives.
  • NHS: Reduces burden on front line NHS staff in identifying and contacting potential clinical trial participants.
  • NHS: Provides a single permission to be contacted mechanism for COVID-19 vaccine trial recruitment from across the UK, which has benefits for the speed and efficiency of all of the vaccine trials set up in the UK.
  • Individuals: Allows geographic and equality monitoring of those who sign up to enable the Service and other Permission to be Contacted Services to be developed in a way that will help to meet the needs of under-represented groups and promote equality.
  • Researchers: Supports the Vaccines Taskforce objectives to drive forward, expedite and coordinate efforts to research and then produce a coronavirus vaccine and make sure one is made available to the public as quickly as possible.  

5. Description of the processing

Nature and scope of the processing

In line with the data flow diagram at Section 1 above, the individual completes an online form accessed via the nhs.uk website.  

There is a landing page and service start page providing key information about COVID-19 vaccine clinical trials as well as an overview of the service which explains what information individuals will be asked to provide. The landing page also provides links to the Be Part of Research dedicated web pages about the COVID-19 Vaccine Trials. This provides more information about which trials are included, what is involved in taking part and provides an FAQ section.  

The service start page also provides information to the individual about how to withdraw their permission, so that if they later change their mind, they can come back to the service and withdraw their permission easily.

Individuals are asked some basic questions about which country they live in first to ensure they are eligible for the service (which is limited to the UK) and then they are asked to provide their email address. A confirmation email is then sent to that email address asking the individual to confirm their email address is correct by following the link in the email. The link is a URL which is visible for security reasons. Individuals can only proceed to sign up if they have confirmed their email address by following the link in the email. This is to ensure that the email address has been provided correctly and is controlled by the person who is signing up.

Individuals are then taken through a series of questions, with pauses at various stages, explaining what is going to happen next. Other than the health pages, each page which requires information to be provided explains why that information is required. The Privacy Notice is linked to from each of the start page, each of the pause pages and the end confirmation page. There is also a link to the Privacy Notice for the Service at the foot of every page.

The data provided by the individual is only collected by NHS Digital once they submit their permission. If they change their mind and do not submit their permission the data is not saved and is therefore not collected by NHS Digital. Individuals have the opportunity to review the data they have provided and to confirm they wish to go ahead before the data is submitted.

Once submitted, the data is collected and stored in a separate instance within the NHS Digital Microsoft Dynamics 365 Customer Relationship Management (CRM) system.

This system triggers the email confirmation response to the individual via NHS Mail to confirm their successful registration, provides links to the Privacy Notice and confirms the permissions they have provided. It reminds them how to withdraw permission if they change their mind and provides a visible URL link to take them to the page on NHS.UK where they can do that. Withdrawals of permission will be captured in the CRM system and will be used to update the Permission to Contact Database in the Data Processing Service (DPS). Withdrawing permission will withdraw permission for both researchers and NHS Digital to contact the individuals.

Exports of the data are taken from the CRM system every 4 hours and imported into the NHS Digital DPS. DPS is the platform where the data will be processed and stored. NHS Digital uses Amazon Web Services (AWS) to provide the DPS, which is a cloud service hosted in the UK. AWS is a data processor for all data stored on DPS and NHS Digital has a GDPR Article 28(3) compliant contract in place with AWS, who have been appointed to provide the cloud services under the Crown Commercial Services G-Cloud 9 contract.

The imported data is then processed into a secure database, the “permission to contact” (PtC) database, where it is kept separate from all other data sets stored within DPS. The PtC data asset will not be linked to any other NHS Digital data assets.

The PtC database will be used for carrying out analysis on the nature and number of individuals who have signed up to provide aggregate anonymised data to researchers and NIHR about the Service. It will also be the source database from which cohorts of individuals will be extracted to meet the eligibility criteria of the specific vaccine trials, following approval of the researcher’s DARS application to access this data.

The contact details for the relevant cohort and other relevant information provided by individuals through the service which is necessary for the study to have, will be shared with researchers under a data sharing agreement which includes specific conditions about how they need to store and use the data and what they can and cannot do with it. More on this is set out below at Section 11.  NHS Digital is developing a data access protocol with specific terms and conditions which will apply to the use of this data asset by the COVID-19 vaccine clinical trials. This will be included as an appendix to this DPIA once the protocol has been completed (at Appendix C).

The CRM system will be used to manage communication with the volunteers in line with their agreed permissions, such as to inform them of developments to the service or to provide confirmation of withdrawal of their permission if they change their mind.

6. Describe the legal basis for the processing (collection, analysis or disclosure) of personal data

NHS Digital Statutory Authority for Collection and Analysis of Data

Are NHSD a Controller or Processor of this Data?

Controller. Data obtained and system delivery function designed and operated under COVID-19 Public Health Directions 2020.

The Service is both an information system under section 254 of the 2012 Act and a system delivery function under Regulation 32 of the National Institute for Health and Care Excellence (Constitution and Functions) and the Health and Social Care Information Centre (Functions) Regulations 2013, to be established and operated for COVID-19 research purposes, specifically research into COVID-19 vaccine treatments.

This is part of managing the response to COVID-19 through recruiting patients to take part in urgent priority COVID-19 vaccine trials to develop a vaccine which will be made available within the UK. The service will be developed and it is anticipated that other opportunities to sign up to be contacted for other COVID-19 research will be made available in the future.

For Devolved Nations, this is a service provided under section 270 of the 2012 Act and the data collected and analysed is an information system requested under the respective COVID-19 Section 255 Requests:

NB Should any of the Devolved Nations revoke their S255 letters the functionality to allow their residents to use the service would be removed. In addition, further Directions (and S255 letters as appropriate) would be needed to develop any other PtC services for other COVID-19 research and for any non-Covid19 research.

Are NHS Digital Sole or Joint Controller?

Joint.

NHS Digital is a joint controller by law with:

  • The Secretary of State for Health and Social Care in relation to determining the overarching COVID-19 purposes for the collection, analysis and dissemination of the data collected through the Service under the COVID-19 Directions 
  • National Services Scotland in relation to determining the overarching COVID-19 purposes for the collection, analysis and dissemination of the data collected through the Service about Scottish residents under their request for NHS Digital to make the Service available to Scottish residents set out in the letter dated 9th July 2020 under the NSS Section 255 COVID 19 Request
  • The Department of Health - Northern Ireland in relation to determining the overarching COVID-19 purposes for the collection, analysis and dissemination of the data collected through the Service about Northern Ireland residents under their request for NHS Digital to make the Service available to residents in Northern Ireland set out in the letter dated 10th July 2020 under the DH and PHA COVID-19 Section 255 Request
  • Public Health Wales in relation to determining the overarching COVID-19 purposes for the collection, analysis and dissemination of the data collected through the Service about Welsh residents under their request for NHS Digital to make the Service available to residents of Wales set out in the letter dated 2nd July 2020 under the PHW COVID-19 Section 255 Request

The joint controller arrangement, setting out roles and responsibilities, is further set out in a table at Appendix B.

NHS Digital is the sole Controller who processes the personal data collected, analysed, stored and deleted through the Service and is the sole Controller for the means of processing and is responsible for disseminating the personal data to be shared with the COVID-19 vaccine clinical trials and for ensuring Data Subject rights are met.

Statutory Authority for NHSD to collect and analyse the data requested.

Direction: Covid-19 Public Health Directions 2020. The purpose of collecting this data is for COVID-19 Purposes as above. 
Section 255 Requests: In relation to residents in Wales, Northern Ireland and Scotland as explained above.

Compliance with Common Law Duty of Confidentiality By NHSD on Collection and Analysis

Express consent.

GDPR Compliance for Collection and Analysis

Article 6

6(1)(e) – public task – by virtue of COVID-19 Public Health Direction under S254 of 2012 Act in relation to residents in England and Section 270 of the 2012 Act and COVID-19 Section 255 Requests from each of the Devolved Nations referenced above in relation to residents in the DNs:

  • collection and analysis of personal data
  • analysis for dissemination or processing to produce anonymous data for publication
  • contacting individuals in relation to the vaccine studies and developments in the service

Article 9

Article 9(2)(g) – substantial public interest, plus Part 2 Sched 1 DPA18, para 6 statutory and governmental purpose re COVID-19 Public Health Direction and Section 255 Requests from each of the Devolved Nations referenced above. Relates to collection, analysis, dissemination and contacting individuals about the service.

Article 9(2)(j) - necessary for scientific research and statistical purposes where we are analysing personal information we have obtained through the Service for these purposes, plus Part 2 Schedule 1 of the DPA18, paragraph 4, scientific research and statistical purposes.

We have in place an appropriate policy document for this Service, which is required under the DPA18 in order to process the information we collect about health and ethnicity (or special category data) for this purpose. This provides information about our procedures for complying with the data protection principles under GDPR and explains how long we will retain your information for. This is attached at Appendix D.

Transparency Notice - Article 13 and 14

NHS Digital has drafted a specific transparency notice, which is published and referenced on the service.

NHS Digital Statutory Authority to Disseminate the Data and Recipient Statutory Authority to receive the Data

NHS Digital - Section 261 of the Health and Social Care Act 2012

Section 261(2)(c) of the Health and Social Care Act 2012 – as the individual has consented to the disclosure.

Section 261(1) and 2(e) in relation to dissemination of anonymous data.

Section 260(1) in relation to publication of anonymous data.

Recipient

Case by Case Assessment as part of DARS.

Compliance with Common Law on Dissemination by NHSD and Recipient

We are relying on express consent.

Recipient will be relying on express consent.

GDPR Compliance for NHSD dissemination by NHSD, use by recipient

Article 6

NHS Digital - Case by Case Assessment as part of the DARS process. This is likely to be Article 6(1)(e) – public task.

Recipient – Case by Case assessment as part of the DARS process. This is likely to be:

  • Article 6(1)(e) – public task
  • Article 6(1)(f) – legitimate interests

Article 9 and relevant DPA Schedule 1 Condition

NHS Digital – Case by Case Assessment as part of the DARS process. This is likely to be:

  • Article 9(2)(g) – substantial public interest, plus Part 2 Sched 1 DPA18, para 6 statutory and governmental purpose regarding COVID-19 Public Health Direction and Section 255 Requests from each of the Devolved Nations referenced above

Recipient – Case by Case Assessment as part of the DARS process. This is likely to be:

  • Article 9(2)(g) – substantial public interest. DPA Schedule 1 Part 2 conditions to be assessed at time
  • Article 9(2)(j) - processing is necessary for scientific research purposes in accordance with Article 89(1) which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and interests for the data subject. Also Part 1 of Sched 1 DPA18, para 4

7. Demonstrate the fairness of the processing

Data collected through the CV19 PtC Vaccine Service is processed in line with the expectations of the individuals using the Service. The user journey provides clear and unambiguous information at each stage about the purpose of data collection.  It is a Service that individuals can choose to sign up to and can change their mind at any time.  

There is no obligation, incentive or coercion to sign-up and only the data provided voluntarily by the individual is used.  There is no linkage or access to any other data. User testing has been undertaken to develop the Service using clear and plain language which users understand and with a design, flow and content approach which is in line with the other NHS.UK services and content aimed at members of the public. 

NHS.uk has a clear cookie policy available in the footer of all pages and users are given choices of which cookies to accept or otherwise.  Only essential cookies required for the service are exempt from preference selection.

8. What steps have you taken to ensure individuals are informed about the ways in which their personal data is being used?

The CV19 PtC Vaccine Service provides clear information to explain the participant journey i.e. to register to be contacted by researchers about taking part in the clinical trials for NIHR approved UK COVID-19 vaccines. There is information on each page about the data collected to ensure it is clear to the user why the information is being requested. 

In general, the information is collected for the following purposes:

  • For individuals to provide their permission for their data to be shared by NHS Digital with the researchers to enable the individual to be contacted by the COVID-19 vaccine trials; and to enable NHS Digital to identify cohorts for researchers at a macro level, without disclosing any identifiable data in the first instance, that would be suitable for their proposed trial. This includes providing anonymous information about age, sex, ethnicity as well as a number of specific health conditions to help trials to plan and then providing details of only those users who meet the specific trial criteria in response to specific requests from trials. This approach also ensures that the individual is not contacted about trials that are wholly unsuitable for them and thus limits the amount of contact from COVID-19 vaccine trials to more matched and likely opportunities to participate.
  • To contact participants to keep them informed about the progress and outcomes of the coronavirus vaccine studies, as well as informing them about developments in the Service, including to provide opportunities to take part in other types of health research through, e.g., other permission to be contacted sign-up services.
  • To withdraw permission to be contacted or to update changed details.
  • To manage the service and to maintain appropriate records for legal purposes

A specific NHS Digital CV19 PtC Vaccine Service Privacy Notice has been produced and provides details regarding how, and why, NHS Digital will process and use personal data including information about the rights available to individuals to exercise. Researchers using the data received will have responsibilities to publish and make available their own privacy notice about how they use the data, including how they use additional data provided by participants who go on to agree to participate in their trials.

The Privacy Notice is also specifically referred to in a number of key places in the customer journey of signing-up: at the start, on the pause pages, at the end and in the confirmation email which is sent out after the permission has been provided.

9. Is it necessary to collect and process all data items?

Personal data

| Data categories | Yes | Justify |
| --- | --- | --- |
| Whether they are over 18 | Yes | This is because the service can only be used by those over 18 years old, so this question is to ask the user to confirm this fact. |
| Which country in the UK | Yes | This is because the service can only be used by those resident in the UK. This question asks the user to confirm this fact and also to indicate which country they live in, which will help to identify the most relevant COVID-19 vaccine clinical trials. It enables analysis for reporting to the devolved nations and enables researchers to plan their trials. |
| Email address | Yes | Required to provide confirmation and ensure the user is genuine. E-mail verification is used to reduce the risk of automated entries being put on the system. It is used: if there are any technical issues in the sign-up process, to alert users to any technical issues and the expiry of the link which will enable them to continue with their sign-up journey; to confirm a user wishes to register; and to confirm the permission they have given. Additionally, it is required for sharing with researchers working on approved UK coronavirus vaccine studies so they can contact the individual about their study if suitable. It is also required to identify the individual if they withdraw consent, and to enable future contact by researchers and NHS Digital. |
| Name | Yes | To enable meaningful contact to be made. |
| Date of birth | Yes | Required to enable researchers to select cohort based on age. Also, it is a data item which can be used by researchers to verify the identity of the person when they make contact. It will also be used to monitor that the service is being accessed by a representative mix of the general population in terms of age and to understand any biases or accessibility issues for the service. |
| Postcode | Yes | Required for NHSD to identify individuals in the areas in which individual trials are being conducted to provide trials with relevant cohorts. It is also used by NHS Digital for geographic analysis and monitoring of the volunteer cohort, to provide data on take-up to help trials plan and ensure the coverage needed to support UK-wide trials. |
| Sex | Yes | Required to ensure cohorts have the agreed mix of individuals on a clinical trial. This will be used to monitor that the service is being accessed by a representative mix of the general population, to understand any biases or accessibility issues for the service based on sex and to ensure any vaccine developed will work for everyone. |
| Gender | Yes | This is expected by users following the question about sex: those that have changed gender or self-identify in a different category are then able to register this information if they wish. This will be used to monitor that the service is being accessed by a representative mix of the general population, to ensure everyone aged 18 or over in the UK feels able to take part in the vaccine studies if they want to, and to understand any biases or accessibility issues for the service. It is not anticipated that trials will need access to this information in identifiable form. If this was expressed as a need then it would be considered fully by DARS and IGARD as part of an application for access and would only be provided if it was necessary and proportionate to do so. |
| Level of face to face contact on a day to day basis | Yes | Required to enable clinical trials to be targeted at specific groups, particularly those who come into contact with large numbers of people and therefore have increased exposure to the virus and have been identified as a key group for vaccine testing. |
| Health and social care worker | Yes | Required to enable individuals to be matched appropriately to a relevant study. People working in health and social care may be more likely to work in a place where coronavirus is passed on to others. |
| Consent to be contacted by researchers about taking part in approved UK coronavirus (COVID-19) vaccine studies | Yes | Specific requirement to enable researchers to contact the individuals on the register when a trial for which they are likely to be suitable is available for them to participate in. |
| Consent to be contacted by NHS Digital about the progress and outcomes of the coronavirus vaccine studies and plans to develop this service to include providing opportunities to take part in other types of health research | Yes | This consent enables NHS Digital to update participants about changes to the service, progress and outcomes of the relevant vaccine studies. It also allows NHS Digital to provide information about other permission to be contacted services for other research as this service is developed. |
| Website cookies | Yes | Only used within the service whilst data is collected; once the user leaves the system the cookie ceases to exist. nhs.uk has a cookie policy and asks for consent for cookies, with the exception of service cookies, which are exempt. |

Special category data

| Data categories | Yes | Justify |
| --- | --- | --- |
| Ethnicity | Yes | Required as it’s known coronavirus affects people from different ethnic groups differently and therefore to ensure cohorts have the agreed mix of individuals on a clinical trial. This will ensure any vaccines developed will work for everyone. This will be used to monitor that the service is being accessed by a representative mix of the general population and to understand any biases or accessibility issues for the service. |
| Coronavirus test and result | Yes | Required to identify individuals who have confirmed they have or have not had the virus. Specific requirement to enable researchers to contact an appropriate cohort. |
| Whether the individual is usually offered a free flu vaccination | Yes | Specific requirement to enable researchers to contact the right cohort. This is a proxy for more vulnerable groups at higher risk of complications from a similar infection, such as seasonal flu virus. |
| Health questions on: Diabetes; Moderate/severe Asthma; Long term lung disease; Liver condition; Serious heart condition; Current treatment for cancer; Bleeding disorders; Immune system conditions. Pregnant or breast-feeding or planning to get pregnant in next 6 months (those answering female only). | Yes | The individuals are requested to state if they have a range of health conditions; each condition has its own page and can be answered yes/no/don’t know. Required to enable clinical trials to be targeted at specific groups with specific conditions that have an impact on how seriously ill a patient might be with Covid19. Being pregnant and breast-feeding is required as an inclusion or exclusion criteria for certain vaccine clinical trials. There are some specific concerns for pregnant women and their unborn child(ren) from CV19 and they are likely to be a group targeted for a vaccine. |

10. Describe if personal datasets are to be matched, combined or linked with other datasets? (internally or for external customers)

There will be no linkage with other datasets held by NHS Digital for the launch of the Service. The CV19 PtC Asset will be a stand-alone data asset and will be held and processed separately to any other data.

There is an intention by NHS Digital to develop a wider PtC Service to include appropriate user authentication. Once this functionality is available, the possibilities for linkage to other data held by NHS Digital will be explored. If authentication was introduced as part of any future release of the CV19 PtC Vaccine Service, this DPIA would be updated in relation to that additional functionality and data use, and consultation would take place with IG and Policy leads in DAs and with relevant stakeholders. The Privacy Notice would also be updated.

11. Describe if the personal data is to be shared with other organisations and the arrangements you have in place

When disclosing and sharing personal data with other organisations, NHS Digital complies with the GDPR and the DPA 2018 and additionally when sharing identifiable health data complies with the common law duty of confidentiality. All dissemination of data must also be permitted under NHS Digital’s statutory powers.

Access to the CV19 PtC Vaccine Data by CV19 Vaccine Clinical Trials will be subject to approval via NHS Digital’s Data Access Request Service (DARS). The DARS process assesses applications to ensure that they meet key standards including appropriate ethical, legal and Information Governance requirements so that data is only shared where it is secure, lawful, ethical and appropriate to do so. DARS is advised by the Independent Group Advising on the Release of Data (IGARD) which is responsible for ensuring robust independent scrutiny of NHS Digital data dissemination to improve accountability, quality and consistency.

DARS checks that the data requesters (ie the CV19 vaccine researchers) have safeguards in place for secure handling of the data and they meet the obligations in their Data Sharing Contract and Data Sharing Agreement. COVID-19 Vaccine Clinical Trials will need to demonstrate through the DARS  process that they have adequate security measures in place to protect the data when it is to be disseminated to them.

They must specify their intended data retention period, the location of processing and location of the data in their DARS application. The researchers’ organisation is required to enter into a Data Sharing Framework Contract and Agreement which strictly limits the use of the data to the agreed purpose of contacting the individual for the COVID-19 vaccine trial. NHS Digital will also be developing a specific protocol for the handling of the PtC CV19 Data which will set out a number of special conditions of release which will form part of the DSA.  This will be developed in conjunction with vaccine researchers and will ensure that specific risks identified in this DPIA are managed. This will include – but is not limited to:

  • time limits to contact the volunteers and maximum number of times a researcher will attempt to make contact
  • time limits for processing the data, to ensure that permission withdrawals notified to NHS Digital are handled in compliance with an individual’s rights under GDPR and the expectations set out by the Privacy Notice
  • arrangements for verifying the age and identity of the volunteer
  • sharing of data back to NHS Digital about which volunteers have been accepted onto the trial and participated, so that these volunteers can be withdrawn from the cohort of individuals who would be shared with other trials
  • arrangements to ensure volunteers are not approached too many times by different clinical trials in any given period of time and no more than 12 times in a year as per the Privacy Notice
  • arrangements to provide individuals with the assurance that the COVID-19 clinical trial researchers contacting them are genuine to manage the risk of scamming and ensure ease of response to the contact, including specific secure email addresses which researchers will need to use and publish on the Be Part of Research website

Once agreed the protocol will be added to this DPIA.

The first applications will be reviewed by NHS Digital’s Independent Group Advising on the Release of Data (IGARD) but subsequent applications may be able to access the data through DARS under a precedent process with a standard set of checks and conditions which have been consulted on and agreed with IGARD.  This would enable very similar applications from different vaccine trials to be processed more efficiently and quickly. 

Once the application is approved and the DSA signed, the extract files for any data shared will be sent to the COVID-19 Vaccine Clinical Trial using an agreed secure mechanism such as MESH or SEFT. The extract files will only contain data that has been approved through the DARS process as likely to meet the Trial’s eligibility criteria. This will include name and email address as a minimum; other information such as ethnicity and answers to the health questions will only be released where this is necessary for the study. Researchers will be required to justify what data they receive, and data minimisation is considered as part of the application and approval process. Where necessary, data may be derived, such as providing age rather than date of birth. Details of all releases of data will be published on the NHS Digital data release register.

In order to ensure that organisations abide by the terms and conditions set out in their Data Sharing Framework Contracts and Data Sharing Agreements, NHS Digital carries out audits and, where necessary, post audit reviews. These are undertaken by an independent audit function that is separate from the DARS Team. Audit Team personnel are suitably experienced and hold relevant international and/or industry recognised auditing and technical qualifications. Further details on the approach and copies of previous audits are available.

It should be noted that this data access process is for the permission to contact data only; researchers are responsible for seeking further consents, as needed, around access to a participant’s medical record. Where this consent is given, the Researcher will then be required to apply to access those records via the usual data access arrangements in place within each of the regions, or to apply to DARS if they need data from NHS Digital.

An aggregate and anonymous dashboard will be produced by NHS Digital to enable monitoring of numbers of individuals signing up and to enable geographic and equality analysis of the volunteers. This will also enable researchers to plan their vaccine trials and support reporting to Devolved Nations, Vaccine Task Force, DHSC and NIHR. This analysis will also support NIHR and other stakeholders to promote the COVID-19 Vaccine Trials to under-represented groups.  

Dashboards will contain anonymous aggregate data only and will either be shared on a restricted basis or, where there is a public interest in the data, may be published. In each case this would follow assurance in relation to disclosure control, which may include assurance by NHS Digital’s Disclosure Control Panel, made up of senior statisticians as well as the Chief Statistician, to ensure data is not identifiable (such as by suppressing small numbers, aggregating data to large geographical areas or using other methods of disclosure control).

12. How long will the personal data be retained?

NHS Digital will retain the data collected for the following purposes:

  • To make it available to NIHR approved COVID-19 Vaccine Clinical Trials who continue to require it for the purposes of their vaccine trials and who have a legal basis to process it
  • For internal record keeping purposes in relation to:

- the data NHS Digital itself has analysed under the COVID-19 Directions and Section 255 Requests in response to requests from the trials for details of those who may be eligible for their studies and for producing anonymous aggregate statistical data about those who have signed up to the service for publication or dissemination  
- the date and data disseminated to the COVID-19 Vaccine Clinical Trials 
- the withdrawal of permissions

  • For legal reasons in relation to the data that has been obtained about individuals through the Service for 8 years from the last transaction relating to the data. This is to ensure that NHS Digital has a record of the processing and dissemination of personal information in relation to the establishment, exercise of any rights or the defence of any potential legal claims

The ongoing collection and analysis of the data will continue until the expiry of the COVID-19 Directions and the Section 255 Requests with the Devolved Nations. For the Directions, this is currently 31 March 2022 but will be reviewed in September 2020 and every 6 months thereafter. For the Section 255 Requests this is currently September 2020, but extension letters are being put in place to extend the Section 255 Letters for the duration of the COVID-19 Directions. 

The PtC data will be used and be available to be shared with approved COVID-19 Vaccine Trials until 31 July 2022 (or less if the PtC CV19 Vaccine Service ceases or is replaced, see below). We will retain this information for legal purposes for 8 years from this date, until 31 July 2030. It will then be securely destroyed.

If an individual withdraws their permission to be contacted, the data they provide, including the withdrawal of their permission to be contacted, will be retained by NHS Digital for 8 years (from the date of withdrawal) for audit and legal purposes. It will then be securely destroyed. This data will not, however, be disseminated by NHS Digital after their permission has been withdrawn, nor will NHS Digital contact them.

Data will be retained in accordance with the records management policy of NHS Digital. This is in line with the agreed record management approach across health and social care for a care record under the NHS Records Management Code of Practice 2016. Data will therefore be kept for 8 years after last use to enable NHS Digital to establish and exercise legal rights and respond to any potential legal claims that might arise from processing.

13. Where you are collecting personal data from the individual, describe how you will ensure it is accurate and if necessary, kept up to date

At the end of the user journey for the CV19 PtC Vaccine Service the user will be asked to review the information provided through a “check your answers” screen. Once this is completed, they will then be asked to continue to sign up. Following submission of the data, an e-mail will be sent to their registered e-mail, which will enable the individual to confirm that they have been registered and at this point their data will be sent to the secure CRM System. 

An individual can update their information by withdrawing their permission and then re-registering with accurate information. This is set out in the FAQs for the service and in the privacy notice.

If an individual gives us permission, NHS Digital will provide regular updates about the progress and outcomes of the coronavirus vaccine studies. These emails will be general, eg newsletters, and will not be targeted as a result of any of the information the individual has provided. Note that these updates will provide a reminder that individuals are signed up and may prompt the individual to update their details if their circumstances have changed. After 31 July 2022 the data will no longer actively be used and is only retained for legal reasons; therefore, if this data becomes inaccurate after this date, this is of limited impact.

14. How are individuals made aware of their rights and what processes do you have in place to manage such requests?

Individuals have the following rights under the GDPR:

  • the right to be informed – Fair Processing information and Transparency Notice for NHS Digital have been developed by NHS Digital as explained above and made available prior to the launch of the CV19 PtC Vaccine Service
  • the right of access - Individuals who have registered with the Service can request access to information by making a Subject Access Request to NHS Digital.  An explanation about how an individual can request a copy of information that NHS Digital holds is published at: https://digital.nhs.uk/article/6851/How-to-make-a-subject-access-request. NHS Digital has established processes for handling Subject Access Requests
  • the right to rectification - The right for individuals to have inaccurate personal data rectified, or completed if it is incomplete, will be upheld when such a request is received by asking the individual to withdraw their permission and to re-register with accurate information
  • the right to erasure – an individual has the right to request erasure, however NHS Digital has the right to retain the data where necessary for legal purposes, such as defence of a legal claim and for audit purposes
  • the right to restrict processing – this will apply
  • the right to data portability – is not applicable to this processing because under article 20 (3) the processing is being carried out on the basis of public task or the exercise of official authority vested in the controller
  • the right to object – this right is applicable to processing based on the lawful basis of public task. However NHS Digital would not share data following withdrawal of permission and would only process data following a withdrawal of permission for record keeping and legal purposes. This need would be considered compelling legitimate grounds which are likely to override the interests of the individual. This would be considered if the right was exercised.  As participants are giving permission to be contacted, this will override any National Data Opt-Out for this purpose
  • the right to raise a concern with NHS Digital and the Information Commissioner's Office at any time

Individuals who believe that their data is not being processed in accordance with the law can complain to the Information Commissioner’s Office (ICO). They can also contact NHS Digital’s Data Protection Officer (DPO) regarding any NHS Digital data processing activity. Details for the NHS Digital DPO are included in the Privacy Notice 

Individuals will be made aware of their rights through the following documents hosted on the service that will be available from the footer of every page in the service:

  • Privacy Notice (Transparency Notice)
  • Terms and Conditions
  • Cookie Policy

A summary of the rights that apply in relation to the legal bases used is provided below:

| Rights | Where we are relying on public task (Article 6(1)(e) of GDPR above) | Where we are processing for scientific research and statistical purposes in relation to anonymous statistics (Article 9(2)(j) of GDPR above) |
| --- | --- | --- |
| Be informed | Yes | Yes |
| Get access | Yes | No |
| Rectify or change | Yes | No |
| Erase or move | Yes | Yes |
| Restrict or stop processing | Yes | No |
| Move, copy or transfer | No | Yes |
| Object to processing or use | Yes | No |
| Know if a decision was made by a computer rather than a person | Yes | Yes |
| Raise a concern | Yes | Yes |

15. What technical and organisational controls for information security have been put in place?

Although there is limited identity verification, the individual is required to verify their email address, which ensures that the individual registering has access to the email address, as this is used for them to withdraw their permission.

A review of security of the service concluded that this is all using existing NHS Digital technical infrastructure which is already in live service and complies with corporate standard security controls. This includes all data transfer between the Dynamics and DPS cloud services and also the DARS-controlled external data access point. The new front-end service has passed penetration testing by external contractors and has built-in monitoring to check for cyber-attacks.

System Level Security Policies (SLSP) are in place for all elements of the service. Data in transit and at rest is encrypted. Backups of the data are supported by the corporate backup and recovery processes.  

NHS Digital infrastructure has a comprehensive service management and information security plan and is securely protected by firewalls and other technical, administrative and logical security controls. There is limited and controlled access to the data processing environment, with multiple levels of access controls and monitoring in place. These security arrangements are tested and reviewed annually.

NHS Digital's Data Security Centre monitors national applications and services, including the NHS.UK website and NHS Digital infrastructure for suspicious or unusual activity and works with the National Cyber Security Centre on current and developing threats.  

The DPS infrastructure is hosted on AWS Public Cloud and has been designed around the good practice guidance and risk model described in NHS and social care data: off-shoring and the use of public cloud services written jointly by NHS Digital, NHS England, the Department of Health and Social Care and NHS Improvement.  Due to the nature of data held within DPS, the service is within the highest category of risk within the risk model.

All NHS Digital staff undertake annual mandatory Data Security and Protection training as part of the requirements for the Data Security and Protection Toolkit, which includes how the data should be handled and shared appropriately and what to do when a personal data breach has been identified. All staff have awareness of policies, such as Data Protection Legislation policy, Confidentiality Policy, Security Policy etc, which they must review regularly and confirm they have read, including when these are updated. Specific staff with more responsibilities in relation to data receive additional training, eg Information Asset Owners.

Access to the PtC CV19 Vaccine Asset will be strictly limited and subject to authorisation by the Information Asset Owner for specific legitimate purposes. This is controlled through the NHS Digital Clear Data Access (CDA) application forms approved by line managers and the IAO. This authorisation is only given to an individual for a time-limited period, where the access to the data is justified, and an appropriate legal basis for such processing is in place. All staff requiring access to identifiable data must have national security vetting Security Check level clearance. 

This includes the carrying out of approved internal analysis as well as the creation of data derivation items (e.g. creating Year of Birth from Date of Birth) to provide non-identifiable data items for customers as approved by DARS.

Access to the instance of CRM and the operational data store is managed through role-based access controls managed via the NHS Digital Contact Centre CRM Administrator. Security and access is validated by Contact Centre as part of account creation and a valid business justification is required.

16. In which country/territory will personal data be stored or processed?

The data will be processed and stored in the United Kingdom by NHS Digital. All NHS Digital data held in the DPS Platform is within the UK jurisdiction as it is hosted in the AWS cloud within the UK.

DARS applications made by COVID-19 Vaccine Clinical Trials will be required to specifically state the locations for storage and processing of data, and the Territory of Use by the Trial. This is captured within the Data Sharing Agreement, which restricts use to these addresses and the territory.  

The application process includes assessing the recipient’s legal basis for processing within these territories, and in particular the legal basis under GDPR where the territory of use is outside the UK.  

Any storage outside of the UK would be limited to the EU Exit implementation period with further assessment required at that stage as to adequacy, including appropriate consideration following the Schrems II decision.

17. Does the National Data Opt-Out apply to the processing?

The national data opt-out does not apply as the data is all provided directly by the individual and they have given their consent for its use. 

18. Identify and assess risks

Consider the potential impact of your processing and the potential harm or damage that it might cause to individuals whether physical, emotional, moral, material or non-material, such as the inability to exercise rights; discrimination; loss of confidentiality; re-identification of pseudonymised data, etc. 

You can also use this section to detail any risks you have in complying with data protection law and any resulting corporate risks, such as the impact of regulatory action; reputational damage; loss of public trust, etc.

View the risks.

19. Further actions

The completed DPIA should be submitted to the IG Helpline Service or your Programme IG Officer for review.

The IAO should keep the DPIA under review and ensure that it is updated if there are any changes (to the nature of the processing and/or system changes).
 

20. Signatories

The DPIA accurately reflects the processing and the residual risks have been approved by the Information Asset Owner.

21. Summary of high residual risks

None – all risks are mitigated to low.

Summary of DPO advice

DPO reviewed as part of final sign off 21/07/20

Last edited: 5 August 2020 9:49 am