Data Protection Impact Assessment – COVID-19 Vaccine Trials Permission to Contact Service – V2.0

A Data Protection Impact Assessment (DPIA) ensures NHS Digital complies with data protection law, and builds confidence with stakeholders of our rigour in respecting citizens data rights.

DPIAs are also a legal requirement where the processing of personal data is “likely to result in a high risk to the rights and freedoms of individuals”. If you are unsure whether a DPIA is necessary, you should complete a DPIA screening questionnaire to assess whether the processing you are carrying out is regarded as high risk. 

By completing a DPIA you can systematically analyse your processing to demonstrate how you will comply with data protection law and in doing so identify and minimise data protection risks. 

This document should be read in conjunction with the DPIA Guidance and DPIA Screening Questionnaire.

This data protection impact assessment (DPIA has been developed in consultation with the following stakeholders regarding the COVID-19 Vaccine Trial Permission to Contact Service (CV19 Vaccine PtC Service):

• CV19 Vaccine PtC Service project team (including security, legal and Information governance subject matter experts) drawn from across NHS Digital and the National Institute of Health Research
• Test and Trace Programme Board
• Information Commissioner’s Office (ICO) - NHS Digital had previously secured a place in the ICO’s Sandbox Beta with a proposal to explore a central mechanism for collecting and managing patient permissions in relation to health research. Scoping of this project was underway as the COVID-19 pandemic began. Through an iteration of the original proposal and within a short timeframe, the ICO Sandbox provided NHS Digital with general feedback and comments on the updated proposal of a ‘permission to contact service’ for the COVID-19 vaccine trials
• National Data Guardian’s Office
• NHS Digital’s Independent Group Advising on the Release of Data (IGARD)
• Devolved Nations Policy and IG leads
• Understanding Patient Data
• Clinical Trials Unit Researchers
• Health Research Authority
• Confidentiality Advisory Group

User research was undertaken from 24 to 26 June 2020 with rapid iteration of the prototype to incorporate feedback and re-evaluate the product throughout this period. The user research group consisted of a cross section of the public (12 people in total, 8 women and 4 men) to ensure the purpose of the service is fully understood and help to design the questions and screens for clarity and understanding. It should be noted this number and cross section was within the realms of limited time and resource.  

Private beta testing has been undertaken from 9 to 20 July 2020 with a closed audience of NHS Digital staff, Barts Health NHS Trust staff and NIHR CRN staff and feedback was collected from this group. This enabled further changes to improve usability prior to UK-wide public launch on 20 July 2020.

User research through interviews and feedback surveys have continued to be undertaken. These have been built into the service as well as undertaken as part of the second phase of development of the service.  Phase 2 developments have included:

• option for users to include a contact telephone number
• split of the NHS Digital contact permission into two in line with feedback from ICO and user research
• production of a Welsh language version of the service to meet Welsh legislative requirements for citizen facing services
• iteration and improvement of the landing page and question pages to improve user journey
• enhancement of a private dashboard for researchers and for service sponsors
• implementation of a service for NHS Digital to make the initial contact with eligible participants on behalf of researchers
• further development of the feedback loop to ensure the registry remains up to date

See Section 5 below for a description of the processing associated with the flows above.

Background

NHS Digital was established under the Health and Social Care Act 2012 and is the national safe haven for patient data in England with statutory powers to collect and analyse information under legal directions and requests, including from devolved nations in the UK, and to operate IT systems and provide IT services on behalf of the Secretary of State in England.

This includes powers to collect and analyse confidential patient information, publish anonymous information and disseminate information, including confidential patient information, to those organisations with a lawful basis to process it. The Secretary of State for Health and Social Care has directed NHS Digital under section 254 of the Health and Social Care Act 2012 (the 2012 Act) by the COVID-19 Public Health Directions 2020 17 March 2020 (as amended) (the COVID-19 Direction) to collect, process and analyse information for COVID-19 Purposes. This direction is referred to in this document as the COVID-19 Direction.

This forms the legal basis for the CV19 Vaccine PtC Service (Service), the details of which are set out below. 

The Devolved Nations in Wales, Scotland and Northern Ireland have each also requested NHS Digital, under section 255 of the 2012 Act, to collect, process and analyse information on request, for COVID-19 Purposes. These section 255 requests (see below for more detail) provide the legal basis for the Service in relation to the collection by NHS Digital of data from residents of Wales, Scotland and Northern Ireland as part of the Service.

Overview of the CV19 Vaccine PtC Service

References to COVID-19 vaccine trials and COVID-19 vaccine clinical trials are used interchangeably with coronavirus vaccine studies throughout this document and have the same meaning.

NHS Digital has agreed to work in partnership with the National Institute of Health Research (NIHR) to build and host a first of type online Permission to Contact (PtC) Service on nhs.uk where members of the public can register their details and give their permission to be contacted by researchers working on NIHR approved UK coronavirus vaccine trials about participating in those trials. This first PtC Service, which is called “Sign Up to be Contacted about Coronavirus Vaccine Studies” on the nhs.uk website was rolled out as a limited private beta pilot from 8 July 2020 and was launched as a national service on 20 July 2020. 

Purpose of the CV19 Vaccine PtC Service

This Service will enable participants to:

1. Provide permission for NHS Digital to share an individual’s details provided through the Service with the researchers undertaking COVID-19 UK vaccine trials for the purposes of researchers contacting that individual about taking part in those trials. In some cases, researchers may ask NHS Digital to contact individuals on their behalf, in which case NHS Digital will do so as a processor for the researcher.
2. Provide their permission to be contacted by NHS Digital about progress and outcomes from CV19 vaccine studies and in relation to the development of the PtC Service, including to inform them of opportunities to participate in other types of health research. Following feedback from stakeholders this is split out and is presented as two separate permissions.

The data collected from individuals who sign up includes sufficient information to achieve the following purposes:

• to determine potentially suitable participants matched to eligibility criteria provided by the vaccine trials for their specific studies. This data includes age, sex, geographic locations, type of employment, and a number of health questions, such as, about whether they have long-term health conditions
• to share participants details and permission with researchers to enabling to be invited to participate in a vaccine study
• to help researchers plan their studies and monitor and improve the service
• if participants give permission their personal information can be used by NHS Digital to keep them informed about the progress and outcomes of the coronavirus vaccine studies. They can also choose to be kept informed about developments in the Service and be provided with opportunities to take part in other types of health research

NHS Digital provides access to the information obtained from individuals through the Service via the existing Data Access Request Service (DARS) process available to researchers working on UK COVID-19 vaccine trials sponsored by the National Institute of Health Research. The Service will only provide researchers with the data collected directly from individuals themselves though the Service. 

No automated processing or decision-making is being undertaken during cohort selection. The decision-making process is not “automated decision making” as any decision made on the compilation of cohorts is made with human involvement and those decisions are therefore not based solely on automated processing.

The data obtained from individuals through this service will not be linked to any other data held by NHS Digital. This is because the individual has not been authenticated when signing up. Authentication mechanisms will be looked at in the future as part of the development of the Service.  (Note: Any development of the Service will require a full review and update of the DPIA, Privacy Notice and further consultation with the Devolved Nations).

Necessity

There is an urgent need for an effective and safe vaccine against COVID-19 to be developed, manufactured and made available across the UK in order to manage the COVID-19 outbreak in the UK. To support this work the Government launched a new Vaccine Taskforce in April 2020 to drive forward, expedite and co-ordinate efforts to research and then produce a coronavirus vaccine and make sure one is made available to the public as quickly as possible.

The taskforce, led by Chief Scientific Adviser Sir Patrick Vallance and Deputy Chief Medical Officer Professor Jonathan Van-Tam, will support efforts to rapidly develop a coronavirus vaccine as soon as possible by providing industry and research institutions with the resources and support needed. This includes reviewing regulations and scaling up manufacturing, so that when a vaccine becomes available, it can be produced quickly and in mass quantities.

The taskforce is focussing on 5 strands of activity including:

1. Supporting the discovery of potential coronavirus vaccines by working with the public and private sector, rapidly mobilising funding, supporting leading academics and identifying ways to fast-track clinical trials (Strand 1).
2. Preparing the UK as a leader in clinical vaccine testing and manufacturing, working with companies already at the forefront of vaccine development.
3. Reviewing government regulations to facilitate rapid and safe vaccine trials.
4. Developing funding and operational plans for the procurement and delivery of vaccines.
5. Building on the UK’s research and development expertise to support international efforts to find a coronavirus vaccine.

Find out more information about the taskforce.

It is essential that the effectiveness of vaccines are tested through regulated clinical trials in the UK before they can be made available for general use. Clinical trials require volunteers, and recruiting volunteers to participate in clinical trials can be time consuming.

Each clinical trial has different criteria which participants may need to meet and they are carried out in different locations across the country. Recruiting volunteers involves a range of different activities, including local advertising and in some cases obtaining data about individuals who may be suitable for a trial without their consent through, for example, support from the Confidentiality Advisory Group under section 251 of the National Health Services Act 2006 in England and Wales.

The new PtC Service is being delivered as part of Strand 1 activity above and will allow members of the public to register their interest and be contacted with their consent, to participate in vaccine clinical studies. To enable large-scale vaccine studies to take place across the UK, the aim is to get 500,000 people signed up by October, which is considered vital in the fight against coronavirus.

Clinical studies with hundreds of thousands of volunteers will help scientists and researchers better understand the effectiveness of each vaccine candidate and will considerably speed up efforts to discover a safe and workable vaccine.

Find out more in the 20 July 2020 press release.

Proportionality

The PtC Service is a voluntary service which allows those who are interested in participating in coronavirus vaccine studies to easily sign-up and provide their permission to be contacted by the trials, or by NHS Digital on behalf of the trial. By signing up once, their details can be shared with researchers of suitable vaccine studies who can make contact with them to provide more information about their particular studies. Relevant details will only be shared with trials where individuals are likely to meet the criteria for a particular study based on the information individuals have provided through the Service. The Service has been designed to only ask health questions which are relevant to the trial criteria. More information about the questions asked, the data collected and how the data is used is explained below.

Benefits

The benefits of sharing patient information for the purposes of health research and trials are well known and undisputed. However, truly unlocking this enormous potential is dependent on building public trust. Providing individuals with more control over how their data is used and the ability to easily make well informed decisions is also key. Providing a trusted service which provides members of the public with the opportunity to provide permission to be contacted about the research they wish to support and participate in is a step towards increasing public trust in how their data is used. 

There are a range of potential benefits delivered through the CV19 Vaccine PtC Service including:

• Individuals: Widens the opportunity for the public from across the UK to get involved in research to develop a vaccine for COVID-19
• Individuals: In particular it offers an option for individuals to volunteer in advance to participate in COVID-19 vaccine trials as an alternative to other mechanisms, such as, sharing data with researchers about individuals under section 251 consents or COPI notices, which although lawful is initially less transparent.  
• Individuals: Provides individuals with protection against scams and uncoordinated contact through limits on overall contact and providing advice and mechanisms to help individuals to check that approaches from researchers are genuine. 
• Researchers: Allows researchers to identify a suitable cohort and recruit them quickly into the vaccine trials – thus reducing the overall time to recruit into their trials and to accelerate the delivery of an effective vaccine to treat individuals to manage the COVID-19 outbreak and to save lives.
• NHS: Reduces burden on front line NHS staff in identifying and contacting potential clinical trial participants.
• NHS: Provides a single permission to be contacted mechanism for COVID-19 vaccine trial recruitment from across the UK, which has benefits for the speed and efficiency of all of the vaccine trials set up in the UK.
• Individuals: Allows geographic and equality monitoring of those who sign up to enable the Service and other Permission to be Contacted Services to be developed in a way that will help to meet the needs of under-represented groups and promote equality.
• Researchers: Supports the Vaccines Taskforce objectives to drive forward, expedite and coordinate efforts to research and then produce a coronavirus vaccine and make sure one is made available to the public as quickly as possible.  

Nature and scope of the processing

In line with the data flow diagram at Section 1 above, the individual completes an online form accessed via the nhs.uk website.  

There is a landing page and service start page providing key information about COVID-19 vaccine clinical trials as well as an overview of the service which explains what information individuals will be asked to provide. The landing page also provides links to the Be Part of Research dedicated web pages about the COVID-19 Vaccine Trials. This provides more information about which trials are included, what is involved in taking part and provides an FAQ section.  

The service start page also provides information to the individual about how to withdraw their permission, so that if they later change their mind, they can come back to the service and withdraw their permission easily.

Individuals are asked some basic questions about which country they live in first to ensure they are eligible for the service (which is limited to the UK) and then they are asked to provide their email address. A confirmation email is then sent to that email address asking the individual to confirm their email address is correct by following the link in the email. The link is a URL which is visible for security reasons. Individuals can only proceed to sign up if they have confirmed their email address by following the link in the email. This is to ensure that the email address has been provided correctly and is controlled by the person who is signing up.

Individuals are then taken through a series of questions, with pauses at various stages, explaining what is going to happen next. Other than the health pages, each page which requires information to be provided explains why that information is required. The Privacy Notice is linked to from each of the start page, each of the pause pages and the end confirmation page. There is also a link to the Privacy Notice for the Service at the foot of every page.

The data provided by the individual is only collected by NHS Digital once they submit their permission. If they change their mind and do not submit their permission the data is not saved and is therefore not collected by NHS Digital. Individuals have the opportunity to review the data they have provided and to confirm they wish to go ahead before the data is submitted. 

Once submitted, the data is collected and stored in a separate instance within the NHS Digital Microsoft Dynamics 365 Customer Relationship Management (CRM) system.  

This system triggers the email confirmation response to the individual via NHS Mail to confirm their successful registration, provides links to the Privacy Notice and confirms the permissions they have provided. It reminds them how to withdraw permission if they change their mind and provides a visible URL link to take them to the page on NHS.UK where they can do that. Withdrawals of permission are captured in the CRM system and used to update the Permission to Contact Database in the Data Processing Service (DPS). Withdrawing permission will withdraw permission for both researchers and NHS Digital to contact the individuals.

Exports of the data are taken from the CRM system every 4 hours and imported into the NHS Digital DPS.  DPS is the platform where the data will be processed and stored. NHS Digital uses Amazon Web Services (AWS) to provide the DPS, which is a cloud service hosted in the UK. AWS is a data processor for all data stored on DPS and NHS Digital has GDPR Article 28(3) compliant contract in place with AWS who have been appointed to provide the cloud services under Crown Commercial Services G-Cloud 9 contract. 

The imported data is then processed into a secure database the “permission to contact” (PtC) database, where it is kept separate from all other data sets stored within DPS.  The PtC data asset will not be linked to any other NHS Digital data assets.

The PtC database is used for carrying out analysis on the nature and number of individuals who have signed up to provide aggregate anonymised data to researchers and NIHR about the Service. It is also the source database from which cohorts of individuals are extracted to meet the eligibility criteria of the specific vaccine trials, following approval of the researcher’s DARS application to access this data. 

The contact details for the relevant cohort and other relevant information provided by individuals through the service which is necessary for the study to have, are used by NHS Digital to contact the individuals on behalf of the researcher or alternatively, shared directly with the researchers for them to make contact. A data sharing agreement is required for all research access and includes specific conditions about how researchers use the data and what they can and cannot do with it, as well as how the data will be stored if shared with them directly.  More on this is set out below at Section 11.

In the event that NHS Digital contacts the individuals directly, this is as a processor for the vaccine study and an additional data processing agreement is put in place in the form attached below at Section 6. Emails are issued by the NHS Digital Contact Centre with content and branding of the trial itself and signed by the Chief Investigator or equivalent.  A delivery report is provided to NIHR and the trial and any replies to the email receive a standard response.  

NHS Digital has developed a data access protocol and checklist with specific terms and conditions which apply to the use of this data asset by the COVID-19 vaccine clinical trials. This is included as an appendix to this DPIA (at Appendix C).

The CRM system is be used to manage communication with the volunteers in line with their agreed permissions, such as to provide them with information about the vaccine studies, or to inform them of developments to the service, or to provide confirmation of withdrawal of their permission if they change their mind.

Newsletters are issued by NHS Digital to those who have consented to receive them. Data management generate batch files for those who have given permission, these are loaded into the NHS Digital Contact Centre CRM system. Newsletter format and content is developed in conjunction with NIHR and the Vaccines Taskforce and signed off by NHS Digital Communications team. 

All newsletters include a link for anyone who wishes to withdraw permission, if they wish to amend their details or permissions relating to contact they need to unsubscribe and resubscribe. 

All emails are sent through established contact centre systems such that emails are addressed to an individual with no other recipients listed. A delivery report is generated and any emails where a hard bounce is established the error codes are reviewed and if the code relates to an inactive or no longer existing email address, the permission record relating to this individual is manually deactivated on CRM, which then updates the P2C asset in DPS.

If service update emails are to be issued by NHS Digital these would go through the same process as detailed above with an additional step to confirm with IG that the proposed message is in compliance with the permission received.

NHS Digital Statutory Authority for Collection and Analysis of Data

Are NHSD a Controller or Processor of this Data?

Controller. Data obtained and system delivery function designed and operated under COVID-19 Public Health Directions 2020.

The Service is both an information system under section 254 of the 2012 Act and a system delivery function under Regulation 32 of the National Institute for Health and Care Excellence (Constitution and Functions) and the Health and Social Care Information Centre (Functions) Regulations 2013, to be established and operated for COVID-19 research purposes, specifically research into COVID-19 vaccine treatments.

This is part of managing the response to COVID-19 through recruiting patients to take part in urgent priority COVID-19 vaccine trials to develop a vaccine which will be made available within the UK. The service will be developed and it is anticipated that other opportunities to sign up to be contacted for other COVID-19 research will be made available in the future.

For Devolved Nations, this is a service provided under section 270 of the 2012 Act and the data collected and analysed is an information system requested under the respective COVID-19 Section 255 Requests:

• Scotland - NSS COVID-19 Section 255 Request
• Wales – PHW COVID-19 Section 255 Request
• Northern Ireland – DH and PHA COVID-19 Section 255 Request

NB Should any of the Devolved Nations revoke their S255 letters the functionality to allow their residents to use the service would be removed. In addition, further Directions (and S255 letters as appropriate) would be needed to develop any other PtC services for other COVID-19 research and for any non-Covid19 research.

Are NHS Digital Sole or Joint Controller?

Joint.

NHS Digital is a joint controller by law with:

• The Secretary of State for Health and Social Care in relation to determining the overarching COVID-19 purposes for the collection, analysis and dissemination of the data collected through the Service under the COVID-19 Directions 
• National Services Scotland in relation to determining the overarching COVID-19 purposes for the collection, analysis and dissemination of the data collected through the Service about Scottish residents under their request for NHS Digital to make the Service available to Scottish residents set out in the letter dated 9 July 2020 under the NSS Section 255 COVID 19 Request
• The Department of Health - Northern Ireland in relation to determining the overarching COVID-19 purposes for the collection, analysis and dissemination of the data collected through the Service about Northern Ireland residents under their request for NHS Digital to make the Service available to residents in Northern Ireland set out in the letter dated 10 July 2020 under the DH and PHA COVID-19 Section 255 Request
• Public Health Wales in relation to determining the overarching COVID-19 purposes for the collection, analysis and dissemination of the data collected through the Service about Welsh residents under their request for NHS Digital to make the Service available to residents of Wales set out in the letter dated 2 July 2020 under the PHW COVID-19 Section 255 Request

The joint controller arrangement, setting out roles and responsibilities, is further set out in a table at Appendix B.

NHS Digital is the sole Controller who processes the personal data collected, analysed, stored and deleted through the Service and is the sole Controller for the means of processing and is responsible for disseminating the personal data to be shared with the COVID-19 vaccine clinical trials and for ensuring Data Subject rights are met.

Statutory Authority for NHSD to collect and analyse the data requested.

Direction: COVID-19 Public Health Directions 2020. The purpose of collecting this data is for COVID-19 Purposes as above. 

Section 255 Requests: In relation to residents in Wales, Northern Ireland and Scotland as explained above.

Compliance with Common Law Duty of Confidentiality By NHSD on Collection and Analysis

Express consent.

GDPR Compliance for Collection and Analysis

Article 6

6(1)(e) – public task – by virtue of COVID-19 Public Health Direction under S254 of 2012 Act in relation to residents in England and Section 270 of the 2012 Act and COVID-19 Section 255 Requests from each of the Devolved Nations referenced above in relation to residents in the DNs:

• collection and analysis of personal data
• analysis for dissemination or processing to produce anonymous data for publication
• contacting individuals in relation to the vaccine studies and developments in the service

Article 9

Article 9(2)(g) – substantial public interest, plus Part 2 Sched 1 DPA18, para 6 statutory and governmental purpose regarding COVID-19 Public Health Direction and Section 255 Requests from each of the Devolved Nations referenced above. Relates to collection, analysis, dissemination and contacting individuals about the service.

Article 9(2)(j) - necessary for scientific research and statistical purposes where we are analysing personal information we have obtained through the Service for these purposes, plus Part 2 Schedule 1 of the DPA18, paragraph 4, scientific research and statistical purposes.

We have in place an appropriate policy document for this Service, which is required under the DPA18 in order to process the information we collect about health and ethnicity (or special category data) for this purpose. This provides information about our procedures for complying with the data protection principles under GDPR and explains how long we will retain your information for. This is attached at Appendix D.

Transparency Notice - Article 13 and 14

NHS Digital has drafted a specific transparency notice, which is published and referenced on the service. 

NHS Digital Statutory Authority to Disseminate the Data and Recipient Statutory Authority to receive the Data

NHS Digital - Section 261 Of the Health and Social Care Act 2012

Section 261(2)(c) of the Health and Social Care Act 2012 – as the individual has consented to the disclosure.

Section 261(1) and 2(e) in relation to dissemination of anonymous data.

Section 260(1) in relation to publication of anonymous data.

Recipient

Case by Case Assessment as part of DARS.

Compliance with Common Law on Dissemination by NHSD and Recipient

We are relying on express consent.

Recipient will be replying on express consent.

GDPR Compliance for NHSD dissemination by NHSD, use by recipient

Article 6

NHS Digital - Case by Case Assessment as part of the DARS process. This is likely to be Article 6(1)(e) – public task.

Recipient – Case by Case assessment as part of the DARS process. This is likely to be:

• Article 6(1)(e) – public task
• Article 6(1)(f) – legitimate interests

Article 9 and relevant DPA Schedule 1 Condition

NHS Digital – Case by Case Assessment as part of the DARS process. This is likely to be:

• Article 9(2)(g) – substantial public interest, plus Part 2 Sched 1 DPA18, para 6 statutory and governmental purpose regarding COVID-19 Public Health Direction and Section 255 Requests from each of the Devolved Nations referenced above

Recipient – Case by Case Assessment as part of the DARS process. This is likely to be:

• Article 9(2)(g) – substantial public interest. DPA Schedule 1 Part 2 conditions to be assessed at time
• Article 9(2)(j) - processing is necessary for scientific research purposes in accordance with Article 89(1) which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and interests for the data subject. Also Part 1 of Sched 1 DPA18, para 4

NHSD as a Processor

NHS Digital may act as a processor on behalf of a researcher to send emails out to participants recruiting them into their trials. This will be done relying on NHS Digital’s powers under section 270 of the 2012 Act.

NHSD will require the researcher to enter into a standard form data processing agreement for this activity in the form below:

Data collected through the CV19 PtC Vaccine Service is processed in line with the expectations of the individuals using the Service. The user journey provides clear and unambiguous information at each stage about the purpose of data collection.  It is a Service that individuals can choose to sign up to and can change their mind at any time.  

There is no obligation, incentive or coercion to sign-up and only the data provided voluntarily by the individual is used.  There is no linkage or access to any other data. User testing has been undertaken to develop the Service using clear and plain language which users understand and with a design, flow and content approach which is in line with the other NHS.UK services and content aimed at members of the public. 

NHS.uk has a clear cookie policy available in the footer of all pages and users are given choices of which cookies to accept or otherwise.  Only essential cookies required for the service are exempt from preference selection.

The CV19 PtC Vaccine Service provides clear information to explain the participant journey, that is, to register to be contacted by researchers about taking part in the clinical trials for NIHR approved UK COVID-19 vaccines. There is information on each page about the data collected to ensure it is clear to the user why the information is being requested. 

In general, the information is collected for the following purposes:

• For individuals to provide their permission for their data to be shared by NHS Digital with the researchers to enable the individual to be contacted by the COVID-19 vaccine trials; (or for NHS Digital to contact individuals on behalf of researchers, as their processor where requested); and to enable NHS Digital to identify cohorts for researchers at a macro level, without disclosing any identifiable data in the first instance, that would be suitable for their proposed trial. This includes providing anonymous information about age, sex, ethnicity as well as a number of specific health conditions to help trials to plan and then providing details of only those users who meet the specific trial criteria in response to specific requests from trials. This approach also ensures that the individual is not contacted about trials that are wholly unsuitable for them and thus limits the amount of contact from COVID-19 vaccine trials to more matched and likely opportunities to participate.
• To contact participants to keep them informed about the progress and outcomes of the coronavirus vaccine studies.
• To inform them about developments in the Service, including to provide opportunities to take part in other types of health research through, for example other permission to be contacted sign up services.
• To withdraw permission to be contacted or to update changed details.
• To manage the service and to maintain appropriate records for legal purposes

A specific NHS Digital CV19 PtC Vaccine Service Privacy Notice has been produced and provides details regarding how, and why, NHS Digital will process and use personal data including information about the rights available to individuals to exercise. Researchers using the data received will have responsibilities to publish and make available their own privacy notice about how they use the data, including how they use additional data provided by participants who go on to agree to participate in their trials.

The Privacy Notice is also specifically referred to in a number of key places in the customer journey of signing-up: at the start, on the pause pages, at the end and in the confirmation email which is sent out after the permission has been provided.

Personal data

Special category data

There will be no linkage with other datasets held by NHS Digital for the launch of the Service. The CV19 PtC Asset will be a stand-alone data asset and will be held and processed separately to any other data.

There is an intention by NHS Digital to develop a wider PtC Service to include appropriate user authentication – once this functionality is available, the possibilities for linkage to other data held by NHS Digital will be explored. If authentication was introduced as part of any future release of the CV19 PtC Vaccine Service, this DPIA would be updated in relation to that additional functionality and data use and consultation would take place with IG and Policy leads in DAs and with relevant stakeholders. Privacy notice would also be updated.

When disclosing and sharing personal data with other organisations, NHS Digital complies with the GDPR and the DPA 2018 and additionally when sharing identifiable health data complies with the common law duty of confidentiality. All dissemination of data must also be permitted under NHS Digital’s statutory powers.

Access to the CV19 PtC Vaccine Data by CV19 Vaccine Clinical Trials is subject to approval via NHS Digital’s Data Access Request Service (DARS). The DARS process assesses applications to ensure that they meet key standards including appropriate ethical, legal and Information Governance requirements so that data is only shared where it is secure, lawful, ethical and appropriate to do so. DARS is advised by the Independent Group Advising on the Release of Data (IGARD) which is responsible for ensuring robust independent scrutiny of NHS Digital data dissemination to improve accountability, quality and consistency.

DARS checks that the data requesters (that is, the CV19 vaccine researchers) have safeguards in place for secure handling of the data and they meet the obligations in their Data Sharing Contract and Data Sharing Agreement. COVID-19 Vaccine Clinical Trials will need to demonstrate through the DARS  process that they have adequate security measures in place to protect the data when it is to be disseminated to them.

They must specify their intended data retention period, the location of processing and location of the data in their DARS application. The researchers’ organisation is required to enter into a Data Sharing Framework Contract and Agreement which strictly limits the use of the data to the agreed purpose of contacting the individual for the COVID-19 vaccine trial. NHS Digital has developed a specific protocol for the handling of the PtC CV19 Data which sets out a number of special conditions of release which form part of the DSA.  This has been developed in conjunction with vaccine researchers and ensures that specific risks identified in this DPIA are managed. This includes – but is not limited to:

• time limits to contact the volunteers and maximum number of times a researcher will attempt to make contact
• time limits for processing to data to ensure that permission withdrawals notified to NHS Digital to comply with an individual’s rights under GDPR and expectations set out by the Privacy Notice
• arrangements for verifying the age and identity of the volunteer
• sharing of data back to NHS Digital about which volunteers have been accepted onto the trial and participated, so that these volunteers can be withdrawn from the cohort of individuals who would be shared with other trials
• arrangements to ensure volunteers are not approached too many times by different clinical trials in any given period of time and no more than 12 times in a year as per the Privacy Notice
• arrangements to provide individuals with the assurance that the COVID-19 clinical trial researchers contacting them are genuine to manage the risk of scamming and ensure ease of response to the contact, including specific secure email addresses which researchers will need to use and publish on the Be Part of Research website

NHS Digital data management has arrangements in place as part of the cohort generation processes to ensure volunteers are not approached too many times by different clinical trials in any given period of time and no more than 12 times in a year as per the Privacy Notice.

Applications are reviewed by NHS Digital’s Independent Group Advising on the Release of Data (IGARD).  This process has been fast tracked through the development of a standard template for these applications with a standard set of checks and conditions which have been developed in line with IGARD recommendations.  This enables very similar applications from different vaccine trials to be processed more efficiently and quickly.

Once the application is approved and the DSA signed the data is extracted. If the data is to be shared directly with the vaccine trial , it is sent to them using an agreed secure mechanism such as MESH or SEFT. 

If NHS Digital is contacting individuals directly through the NHS Digital Contact Centre mailings team on behalf of the trial an extract containing first name, surname and email address of the individuals is sent to the contact centre via nhs.net email. The extract files only contain data that has been approved through the DARS process. This includes name and email address as a minimum - other information such as ethnicity and answers to the health questions are only released where this is necessary for the study. 

This additional information will not be released to the contact centre, if the study requires this information it will be sent to them directly, subject to the appropriate DSA being in place.  The code to generate the cohort is checked by a second data manager to ensure it is the same as the specification provided.  Emails are issued by the NHS Digital Contact Centre with content and branding of the trial itself and signed by the Chief Investigator or equivalent.  A delivery report is provided to NIHR and the trial and any replies to the email receive a standard response. Data Access protocol and checklist set out the detail of the process – this is included at appendix C.

Researchers are required to justify what data they receive, and data minimisation is considered as part of the application and approval process. Where necessary data may be derived, such as providing age rather than date of birth. Details of all releases of data will be published on the NHS Digital data release register. 

In order to ensure that organisations abide by the terms and conditions set out in their Data Sharing Framework Contracts and Data Sharing Agreements NHS Digital carries out audits and where necessary post audit reviews. These are undertaken by an independent audit function that is separate from the DARS Team. Audit Team personnel are suitably experienced and hold relevant international and/or industry recognised auditing and technical qualifications. Further details on the approach and copies of previous audits is available.

It should be noted that this data access process is for the permission to contact data only researchers are responsible for seeking further consents – as needed - around access to a participants medical record. Where this consent is given, the Researcher will then be required to apply to access those records via the usual data access arrangements in place within each of the regions, or to apply to DARS if they need data from NHS Digital. 

An aggregate and anonymous dashboard has been published by NHS Digital to enable monitoring of numbers of individuals signing up and to enable geographic and equality analysis of the volunteers. This public dashboard meets all disclose control requirements as defined by NHS Digital’s Disclosure Control Panel (made up of senior statisticians as well as the Chief Statistician) to ensure data is not identifiable.  For example by suppressing small numbers, aggregating data to large geographical areas or using other methods of disclosure control.

A private dashboard has been developed which is accessed on a restricted basis only with more granular data.  This enables researchers to plan their vaccine trials and support reporting to Devolved Nations, Vaccine Task Force, DHSC and NIHR. This analysis will also support NIHR and other stakeholders to promote the COVID-19 Vaccine Trials to under-represented groups.

NHS Digital will retain the data collected for the following purposes:

• To make it available to NIHR approved COVID-19 Vaccine Clinical Trials who continue to require it for the purposes of their vaccine trials and who have a legal basis to process it
• For internal record keeping purposes in relation to:

- the data NHS Digital itself has analysed under the COVID-19 Directions and Section 255 Requests in response to requests from the trials for details of those who may be eligible for their studies and for producing anonymous aggregate statistical data about those who have signed up to the service for publication or dissemination  
- the date and data disseminated to the COVID-19 Vaccine Clinical Trials 
- the withdrawal of permissions

• For legal reasons in relation to the data that has been obtained about individuals through the Service for 8 years from the last transaction relating to the data. This is to ensure that NHS Digital has a record of the processing and dissemination of personal information in relation to the establishment, exercise of any rights or the defence of any potential legal claims

The ongoing collection and analysis of the data will continue until the expiry of the COVID-19 Directions and the Section 255 Requests with the Devolved Nations. For the Directions, this is currently 31 March 2022 but will be reviewed every 6 months. For the Section 255 Requests this is also 31 March 2022, that is, for the duration of the COVID-19 Directions

The PtC data will be used and be available to be shared with approved COVID-19 Vaccine Trials until 31 July 2022 (or less if the PtC CV19 Vaccine Service ceases or is replaced see below). We will retain this information for legal purposes for 8 years from this date, until 31 July 2030. It will then be securely destroyed.

Individuals data used to form the mailing lists which are held on CRM are automatically deleted 3 months after creation.

If an individual withdraws their permission to be contacted, the data they provide, including the withdrawal of their permission to be contacted, will be retained by NHS Digital for 8 years (from the date of withdrawal) for audit purposes, legal purposes. It will then be securely destroyed. This data will not however be disseminated by NHS Digital after their permission has been withdrawn. Nor will NHS Digital contact them.

Data will be retained in accordance with the records management policy of NHS Digital. This is in line with the agreed record management approach across health and social care for a care record under the NHS Records Management Code of Practice 2016. Data will therefore be kept for 8 years after last use to enable NHS Digital to establish and exercise legal rights and respond to any potential legal claims that might arise from processing.

At the end of the user journey for the CV19 PtC Vaccine Service the user is asked to review the information provided through a “check your answers” screen. Once this is completed, they are then asked to continue to sign up. Following submission of the data, an e-mail is sent to their registered e-mail, which enables the individual to confirm that they have been registered and at this point their data will be sent to the secure CRM System. 

An individual can update their information by withdrawing their permission and then re-registering with accurate information. This is set out in the FAQs for the service and in the privacy notice.

If an individual gives us permission, NHS Digital will provide regular updates about the progress and outcomes of the coronavirus vaccine studies. These emails will be general, such as newsletters, and will not be targeted as a result of any of the information you have provided. They will also contain an unsubscribe function which will allow an individual to unsubscribe from receiving those emails at any time. To note these updates will provide a reminder that individuals are signed up and may prompt the individual to update their details if their circumstances have changed. After 31 July 2022 the data will no longer actively be used and is only retained for legal reasons, therefore, if this data is becomes inaccurate after this date this is of limited impact.

Individuals have the following rights under the GDPR:

• the right to be informed – Fair Processing information and Transparency Notice for NHS Digital have been developed by NHS Digital as explained above and made available prior to the launch of the CV19 PtC Vaccine Service
• the right of access - Individuals who have registered with the Service can request access to information by making a Subject Access Request to NHS Digital.  An explanation about how an individual can request a copy of information that NHS Digital holds is published. NHS Digital has established processes for handling Subject Access Requests
• the right to rectification - The right for individuals to have inaccurate personal data rectified, or completed if it is incomplete, will be upheld when such a request is received by asking the individual to withdraw their permission and to re-register with accurate information
• the right to erasure –an individual has the right to request erasure, however NHS Digital has the right to retain the data where necessary for legal purposes, such as defence of a legal claim and for audit purposes
• the right to restrict processing – this will apply
• the right to data portability- is not applicable to this processing because under article 20 (3) the processing is being carried out on the basis of public task or the exercise of official authority vested in the controller
• the right to object – this right is applicable to processing based on the lawful basis of public task. However NHS Digital would not share data following withdrawal of permission and would only process data following a withdrawal of permission for record keeping and legal purposes. This need would be considered compelling legitimate grounds which are likely to override the interests of the individual. This would be considered if the right was exercised.  As participants are giving permission to be contacted, this will override any National Data Opt-Out for this purpose. If a participant changes their mind and wishes to withdraw their permission, they can do so following the instructions within the emails sent to them and on the website and privacy notice page. They can also unsubscribe from emails which are sent to them by NHS Digital using the unsubscribe functionality
• the right to raise a concern with NHS Digital and the Information Commissioner's Office at any time

Individuals who believe that their data is not being processed in accordance with the law can complain to the Information Commissioner’s Office (ICO). They can also contact NHS Digital’s Data Protection Officer (DPO) regarding any NHS Digital data processing activity. Details for the NHS Digital DPO are included in the Privacy Notice. 

Individuals will be made aware of their rights through the following documents hosted on the service that will be available from the footer of every page in the service:

• Privacy Notice (Transparency Notice)
• Terms and Conditions
• Cookie Policy

A summary of the rights that apply in relation to the legal bases used is provided below:

Although there is limited identify verification the individual is required to verify their email address which ensures that the individual registering has access to the email address – as this is used for them to withdraw their permission. 

A review of security of the service concluded that this is all using existing NHS Digital technical infrastructure which is already in live service and complies with corporate standard security controls. This includes all data transfer between the Dynamics and DPS cloud services and also the DARS-controlled external data access point. The new front-end service has passed penetration testing by external contractors and has built-in monitoring to check for cyber-attacks, for example, where multiple applications come from the same IP address in quick succession

System Level Security Policies (SLSP) are in place for all elements of the service. Data in transit and at rest is encrypted. Backups of the data are supported by the corporate backup and recovery processes.  

NHS Digital infrastructure has a comprehensive service management and information security plan and is securely protected by firewalls and other technical, administrative and logical security controls. There is limited and controlled access to the data processing environment with multi-level of access controls and monitoring in place. These security arrangements are tested and reviewed annually.

NHS Digital's Data Security Centre monitors national applications and services, including the NHS.UK website and NHS Digital infrastructure for suspicious or unusual activity and works with the National Cyber Security Centre on current and developing threats.  

The DPS infrastructure is hosted on AWS Public Cloud and has been designed around the good practice guidance and risk model described in NHS and social care data: off-shoring and the use of public cloud services written jointly by NHS Digital, NHS England, the Department of Health and Social Care and NHS Improvement.  Due to the nature of data held within DPS, the service is within the highest category of risk within the risk model.

All NHS Digital staff undertake annual mandatory Data Security and Protection training as part of the requirements for the Data Security and Protection Toolkit, that includes how the data should be handled and shared appropriately, what to do when a personal data breach has been identified. All staff have awareness of policies, such as Data Protection Legislation policy, Confidentiality Policy, Security Policy etc which they must review regularly and confirm they have read, including when these are updated. Specific staff with more responsibilities in relation to data receive additional training, such as Information Asset Owners.  

Access to the PtC CV19 Vaccine Asset is strictly limited and subject to authorisation by the Information Asset Owner for specific legitimate purposes. This is controlled through the NHS Digital Clear Data Access (CDA) application forms approved by line managers and the IAO. This authorisation is only given to an individual for a time-limited period, where the access to the data is justified, and an appropriate legal basis for such processing is in place. All staff requiring access to identifiable data must have national security vetting Security Check level clearance. 

This includes carrying out of approved internal analysis as well as the creation of data derivations items (for example, creating Year of Birth from Date of Birth) to provide non-identifiable data items for customers as approved by DARS. 

Access to the instance of CRM and the operational data store is managed through role-based access controls managed via the NHS Digital Contact Centre CRM Administrator. Security and access is validated by Contact Centre as part of account creation and a valid business justification is required.

The data is processed and stored in the United Kingdom by NHS Digital.  All NHS Digital data held in the DPS Platform, is within the UK jurisdiction as it is hosted in the AWS cloud within the UK.

DARS applications made by COVID-19 Vaccine Clinical Trials are required to specifically state the locations for storage and processing of data, and the Territory of Use by the Trial. This is captured within the Data Sharing Agreement, which restricts use to these addresses and the territory.  

The application process includes assessing the recipient’s legal basis for processing within these territories, and in particular the legal basis under GDPR where the territory of use is outside the UK.  

Any storage outside of the UK would be limited to the EU Exit implementation period with further assessment required at that stage as to adequacy, including appropriate consideration following the Schrems II decision.

The national data opt-out does not apply as the data is all provided directly by the individual and they have given their consent for its use. 

Consider the potential impact of your processing and the potential harm or damage that it might cause to individuals whether physical, emotional, moral, material or non-material, such as the inability to exercise rights; discrimination; loss of confidentiality; re-identification of pseudonymised data, etc. 

You can also use this section to detail any risks you have in complying with data protection law and any resulting corporate risks, such as the impact of regulatory action; reputational damage; loss of public trust, etc.

View the risks.

The completed DPIA should be submitted to the IG Helpline Service or your Programme IG Officer for review.

The IAO should keep the DPIA under review and ensure that it is updated if there are any changes (to the nature of the processing and/or system changes).

The DPIA accurately reflects the processing and the residual risks have been approved by the Information Asset Owner.

None – all risks are mitigated to low.

Summary of DPO advice

DPO reviewed as part of final sign off 21/07/20

ICO consultation outcome

Information Commissioner’s Office (ICO) - NHS Digital had previously secured a place in the ICO’s Sandbox Beta with a proposal to explore a central mechanism for collecting and managing patient permissions in relation to health research.

Scoping of this project was underway as the COVID-19 pandemic began. Through an iteration of the original proposal and within a short timeframe, the ICO Sandbox provided NHS Digital with general feedback and comments on the updated proposal of a ‘permission to contact service’ for the COVID-19 vaccine trials.

For the avoidance of doubt the ICO involvement was not because the processing was considered to be high risk

Next steps

• DPO to inform stakeholders of ICO consultation outcome
• IAO along with DPO and SIRO to build action plan to align the processing to ICO’s decision