Skip to main content

Digital

Book or manage a free NHS flu vaccine at a pharmacy : GDPR information

Summary

Why and how we process your data in the Book or manage a free NHS flu vaccine at a pharmacy and your rights. 

Controller NHS Digital
How we use the information (processing activities)

We use your information to:

  • check your identity
  • access your NHS vaccination record
  • determine whether you are able to get a free NHS flu vaccination, e.g., because you are pregnant
  • enable you to book a free NHS flu vaccination appointment
  • contact you
  • enable pseudonymised reports to be produced on the take up of the service and the level of do not attends
  • retrieve your booking information at the pharmacy
Does this contain sensitive (special category) data such as health information? Yes
Who are recipients of this data?

Personal data is shared with the following:

  • Information regarding your appointment is shared with the pharmacy so that they can manage the work.
  • Information regarding your flu vaccination appointment is shared with the National Immunisation Management Service (NIMS) so that the invitation, reminder, and reminder letter to citizens can operate correctly. The National Immunisation Service (NIMS) is commissioned by NHS England and is a centralised service in England to manage invitation letters to the public.
  • Appointment information is sent to NHS Arden and Greater East Midlands Commissioning Support Unit for anonymising and reporting purposes at a national level.
  • If you opt in to the NHS Digital Research Panel, we will ask you to enter your name, email address and mobile telephone number. This is optional, and you do not have to participate if you do not wish to. By giving us this information and clicking submit, you provide us with consent to contact you for research purposes.
Is data transferred outside the UK? This data is not transferred out of the UK
How long the data is kept We will retain your customer record and appointment information for as long as is necessary for the purposes for which the data was collected and for as long as the law allows. It may be necessary to retain your information for various reasons (see below for details). Therefore, we will regularly review whether we need to retain your personal information at least every 6 months. The following factors will be considered by us when reviewing whether we need to continue to keep your data: 1. Whether your personal information is still required to facilitate appointments, you have booked for flu vaccination 2. Whether it is necessary to retain your information for clinical safety purposes. 3. Whether it is necessary to retain your information for any other important reasons. Once the Service no longer requires your customer record, it will be permanently deleted. If you opt-in to the NHS Digital Research Panel, we will keep your name and the contact information you have entered for 3 years. It will then be permanently deleted.
Our lawful basis for holding this data Legal obligation
Your rights
  • Tick Be informed
  • Tick Get access to it
  • Tick Rectify or change it
  • Tick Erase or remove it
  • Tick Restrict or stop processing it
  • Cross Move, copy or transfer it
  • Tick Object to it being processed or used
  • Cross Know if a decision was made by a computer rather than a person
How can you withdraw your consent?

To discuss your rights on withdrawing consent or opting out of the data you can email our customer service centre or call us on 0300 303 5678.
Is the data subject to decisions made solely by computers? (automated decision making) No
Where does this data come from? The data subject, PDS (Personal Demographics Service) and the National Immunisation Service (NIMS)
The legal basis for collecting this data

The legal basis for collecting this data

  • UK GDPR Article 6(1)(c) - the processing is necessary to comply with a legal obligation to which the controller is subject
  • UK GDPR Article 6(1) (e) – the processing is necessary for the performance of its official tasks carried out in the public interest in providing and managing a health service
  • UK GDPR Article 9(2)(h) – the processing is necessary for the management of health/social care systems or services
  • UK GDPR Article 9(2)(i) – the processing is necessary for reasons of public interest in public health
  • Data Protection Act 2018 – Schedule 1, Part 1, (2) (2) (f) – health or social care purposes