National vaccination programmes

NHS England has been given responsibility by the Secretary of State, for the delivery of a number of Vaccination Programmes provided by the NHS for England.

Information about the types of vaccinations that are available in the UK, those provided by the NHS and also when to have them can be found on our website.

NHS England is supported by a number of different agencies and other health organisations in order to deliver the different programmes.

This transparency notice provides information about the programmes where NHS England is providing a centralised national approach to any of the activities listed below, including:

• the selection of citizens eligible for a particular vaccination
• inviting eligible citizens for their vaccination
• enabling citizens to book an appointment to receive their vaccine
• monitoring and managing the delivery, efficacy and safety of immunisation programmes including adverse reactions to vaccines and medicines

We will collect, process, and disseminate citizen data to:

• identify people who we are advised are eligible for a particular vaccination in line with the guidance provided by the Joint Committee on Vaccination and Immunisation. Further details of their work can be found on GOV.uk website.
• send you national invitations where we feel that this will be of benefit to you
• support GP’s and other vaccination providers to contact you to tell you about any vaccination that you are eligible for
• enable you to book your vaccination
• send you reminders that encourage you to book a vaccination where they are needed
• send your vaccination information to your GP electronically, if you are registered to an English GP practice
• ensure that you can access a vaccination at a suitable location and that there is vaccination available to give to you
• check that people are receiving their vaccinations as we expect so that we can take measures to support our vaccination providers in areas of low uptake. In these cases, we do not need to know who you are, so we ask for the data to be altered so that your name and address is not visible to anyone apart from those responsible for your care
• provide reports to support planning for the current and future vaccination programmes
• support incorrect vaccination records to be corrected where this is possible
• provide systems to enable vaccination providers to record a vaccination and for that data to flow to us and onwards to GP records. See our website for further information
• ensure that systems used to record your vaccination are able to display your immunisation history to help clinicians
• enable you to view a full record of your vaccination history through your GP records or the NHS APP
• provide data to the UK Health Security Agency so that they can carry out their duties to protect the health of the population
• provide data to the NHS Business Services Authority so that they can help us manage claims for payment from vaccination service providers and to ensure that any discrepancies are highlighted and dealt with appropriately

Under the UK General Data Protection Regulation 2016 (UK GDPR), NHS England is the controller of your personal data where we process it for national vaccination programme purposes. Our legal basis is set out below:

1. Compliance with an Article 6 condition in the UK GDPR

The processing that we undertake complies with condition 6(1)(e), which applies where processing is necessary for the performance of a task carried out in the public interest.  This task has to be set out in UK domestic law.

The relevant UK law is section 8 of the Data Protection Act 2018 (“DPA 2018”).  This states that the section 6(1)(e) condition is met if the processing of personal data is necessary for the exercise of a “function” given to a public body by legislation. A function is a task or duty that the legislation says the public may or must perform.

Under the NHS public health functions agreement 2023 to 2024 (and all previous and future versions of the agreement) the Secretary of State arranges for certain elements of their public health functions to be exercised by NHS England. The Secretary of State is able to make such arrangements with NHS England under section 7A of the National Health Service Act 2006 (“the 2006 Act”). We will therefore refer to this agreement as “the 7A Agreement”.

The overarching functions that we are exercising on behalf of the Secretary of State are set out in the “Legal framework” section of the Agreement. Sections 2A and 2B of the 2006 Act relate to the protection or improvement of public health. Section 2A describes the steps that may be taken by the Secretary of State under that section which includes providing vaccination, immunisation or screening services.

The particular tasks that we must carry out to assist with the exercise of these functions are set out in Annex A of the 7A Agreement which lists the vaccination and immunisations programmes to be provided.

2. Compliance with an Article 9 condition in the UK GDPR

As the data used includes special category data a Schedule 9 condition must be complied with.

a. Health and social care purposes – Article 9(2)(h)

The processing complies with condition 9(2)(h), which applies if the processing is necessary for the purposes of preventive medicine, the provision of health or social care or treatment or the management of health or social care systems and services, as further detailed in UK law.

The relevant UK law is section 10(2) and paragraph 2 of Schedule 1 of the Data Protection Act 2018.  Paragraph 2 confirms that Article 9(2)(h) covers processing necessary for preventive medicine, the provision of health care and the management of health care systems. These points cover all processing of personal data carried out as part of the immunisation programmes.

b. Public health – Article 9(2)(i)

The processing also complies with Article 9(2)(i), which applies if the processing is necessary for reasons of public interest in the area of public health, as further detailed in UK law.

The relevant UK law is section 10(2) and paragraph 3 of Schedule 1 of the Data Protection Act 2018. Paragraph 3 confirms that Article 9(2)(i) covers processing carried out in the public interest in the area of public health and under the responsibility of a health professional.

3. Compliance with the common law duty of confidentiality (CLDC)

The Health Service (Control of Patient Information) Regulations 2002 (“COPI Regulations”) were passed to ensure that there was clear authority for the processing of confidential patient information in certain circumstances.  They suspend the duty of confidentiality where confidential patient information is being processed in the circumstances described in the Regulations.
Regulation 3 says that confidential patient information may be “processed” with a view to:

Recognising trends in communicable diseases and other risks to public health.

Monitoring and managing:

• outbreaks of communicable disease
• the delivery, efficacy and safety of immunisation programmes
• adverse reactions to vaccines and medicines
• providing information to people about the risks of acquiring communicable diseases

“Processing” includes obtaining patient information, using it and disclosing it to other organisations.  It also includes maintaining any databases containing patient information that are necessary for the purposes set out above.

The use of patient data for the programme falls within the tasks described in the Regulation and the definition of “processing”.

To support the healthcare response to COVID-19, NHS England is directed under the COVID-19 Public Health Directions 2020, 17 March 2020 (as amended) to:

• establish information systems to collect and analyse data in connection with COVID-19; and
• develop and operate IT systems to deliver services in connection with COVID-19

Where we are directed to process personal data for COVID-19 purposes, this is a legal obligation, and we are required to do this under Article 6 (1)(c) of UK GDPR.

We also rely on this Direction to process data for seasonal influenza immunisation purposes. For further information on how we collect and process data for COVID-19 and seasonal flu vaccination programmes see our website.

We are also allowed to share your personal data under UK GDPR where it is necessary for us to do so.

Note: this will be updated when additional vaccination programme data processing requirements are finalised.

MMR – Measles, Mumps and Rubella vaccination
HPV – Human Papilloma Virus vaccination
RSV – Respiratory Syncytial Virus vaccination – maternity (infant) and older persons
Pertussis – Whooping Cough vaccination

Identifying citizens for eligibility for a vaccination is carried out using data we collect or already hold. More information is provided on our website.

We also collect information about the vaccinations provided at the point of care; this data flows from any system used to record when a vaccination is given. We can then ensure that we have up to date information about your vaccination history and flow that data to those responsible for your health care, your GP.

We have developed a point of care system to enable vaccinations administered in Maternity Services and Community Pharmacies to be captured so that they can be flowed to your GP record automatically. This record a vaccination service is known as RAVS. We currently use this system for COVID-19, Flu, RSV and Pertussis vaccination data capture and will extend its use for other vaccinations as part of our Vaccination and Immunisation Strategy. You can find additional information on our website.

We also obtain a limited amount of data from the Department for Education (DfE) for the purposes of linking a school reference number to a child where the vaccination programme identifies a requirement to monitor vaccination uptake by school. There is a Data Sharing Agreement in place where this is required, and all data is de-identified prior to it being made available for analytics purposes.

Once it is agreed that a vaccination programme must be offered, we will process the data necessary to manage and monitor the vaccination programme including where we support the programme by running a national invitation campaign. We use cohorting as a service to develop the cohorts that contain the data we need.

A vaccination event contributes to your clinical care and where we decide to send a national vaccination invitation this is considered as a Direct Care activity. We will send invitations using SMS text messages, e-mails, through the NHS App or where necessary, by letter. We use our NHS Notify service to undertake this part of the processing.

We will send information on who has been invited for a particular vaccination to our National Booking Service, but this may not apply to all vaccinations at present.

We will use NHS England Arden and GEM Commissioning Support Unit, to de-identify the data and then make it available to our analysts in our analytics platforms. They will then link datasets so that we can manage and monitor the programmes.

In order to monitor and manage our programmes, we need to understand the number of people that have been invited for a vaccine, so we have a baseline figure to work from. The data that is obtained from vaccination providers in relation to the vaccinations that they administer is then used to provide actual figures. In order to be able to report progress as accurately as possible, we need these 2 types of data.

We receive and share relevant information with organisations who have responsibilities for delivering vaccinations or for monitoring their safety.

We will share personal, identifiable and clinical information with or receive vaccination information from:

GPs

We request extracts of vaccination event data from GP systems where the GP has provided the vaccination, or the GP record is used as the source of that vaccination event (see below).

We will flow the vaccination data from any organisation that has administered an NHS funded vaccination and entered it into an assured and approved point of care system (POC) including our own RAVS system.

We will flow a vaccination event to your GP clinical record even though your GP may have provided your vaccination, they may have recorded it in a different IT system.

School Aged Immunisation Services, the Child Health Information Service, Maternity Services and Primary Care Networks

We also process vaccination data that has been shared between systems by providers of local vaccination and immunisation services. Whilst they may not share data directly with us, we will obtain it from GP clinical records once it has been sent by the originating system or provider.

Pharmacies

We will enable demographic data and vaccination history to be available in the same way that we do for pharmacies where an organisation needs to know this information to care for you.

Some NHS trust hospitals administer vaccinations where they have been contracted to do so. We ask them to use an NHS England provided point of care system so that the vaccination they administer can flow to us and on to your GP.

We also make the data available in the summary care record.

Other NHS, health, or social care organisations

We will enable demographic data and vaccination history to be available in the same way that we do for pharmacies where an organisation needs to know this information to care for you.

Some NHS trust hospitals administer vaccinations where they have been contracted to do so. We ask them to use an NHS England provided point of care system so that the vaccination they administer can flow to us and on to your GP.

We also make the data available in the summary care record.

The UK Health Security Agency (UKHSA)

We share data so that the UKHSA can fulfil their statutory Public Health duties. See Framework document between DHSC and the UK Health Security Agency. This includes a letter from Maggie Throup to Professor Dame Jenny Harries, UKHSA chief executive.

The NHS Business Services Authority (BSA)

We share data with the BSA because we are permitted to do so as it is necessary for us both to exercise certain functions in relation to the running and management of the NHS.

The legal basis for the processing of this data for the purpose stated is Article 6 (1) e, where, under the NHS Act 2006, Chapter A1, Section 13Z3, (e, and (f.

Specific Directions relating to the functions of the NHS Business Services Authority are made in the NHS Counter Fraud Authority Directions, with Supplemental Directions to the NHS Business Services Authority (Awdurdod Gwasanaethau Busnes y GIG) 2017, schedule which includes intelligence, detection, and prevention functions (paragraph 5) and Investigation functions (paragraph 7).  See NHS Counter Fraud Authority and supplemental directions 2017 for further information.

We tell them you have had a vaccination, when, where and who administered it. We tell them your NHS number and your date of birth. This enables them to consolidate claims for payment from vaccination providers and ensure that these claims are made accurately. Linking data in this way is the only way to achieve this obligation.

The National Crime Agency

Personal data will be shared with the National Crime Agency where this data is needed for law enforcement purposes and is for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties.

Data will be used for programme evaluation, planning, commissioning, and where approved, could be used for research purposes, including relevant clinical trials. Ultimately, we need to understand whether vaccinations are effective and contributing to the improved health of the population in a way that is equitable.

The data we use for these purposes does not identify you. We change your NHS number into a random selection of characters and remove names and addresses. The data containing the random characters is then made available to analysts who are able to link any data with the same characters in it, but they will not know who you are.

The majority of reporting uses data relating to a number of unidentified people that has been grouped together and we further minimise the risk of identifying anyone by removing data where the analysis indicates there are less than 10 people to whom the data could relate to.

Further information about how we did this during the COVID-19 pandemic is on our website.  We use the same technology currently for processing data for other national vaccination programmes.

Where we use data Processors, we have contracts and agreements in place with them which means that they can only process your personal data on our instructions. Our Processors must also comply with stringent security requirements when processing your personal data on our behalf.
 

We will retain your personal data for as long as is necessary for the purposes outlined above in accordance with the relevant Records Management Code of Practice.

Other organisations with whom we share your personal data have obligations to keep it for no longer than is necessary for the purposes for which we have shared your personal data. Information about this will be provided in their transparency or privacy notices which are published on their websites.

Due to legislation published to support the UK COVID-19 Public Inquiry, NHS England and other organisations who supported the services provided during the pandemic, are legally obliged to retain data relating to the Pandemic until such time as the COVID Inquiry deems it is no longer necessary to retain it for their purposes. At that point in time, we will review retention periods to ensure that we are fulfilling our obligations under the Records Management Code of Practice and therefore expect our retention periods to be longer than stated in the Code.

We store and process your personal data within the United Kingdom but where our Processors need to process your personal data outside of the UK, we will always ensure that the transfer outside of the UK complies with data protection laws.

Statistical data, which does not allow you to be identified, may be stored and processed outside of the UK.

To read more about the information we collect, our legal basis for collecting this information and what choices and rights you have, see – how we look after your health and care information.

As NHS England has now merged with NHS Digital and Health Education England, additional transparency information about the data we are now the Controller for can be found at:

NHS England’s privacy notice

Transparency notice: how we use your personal data

Privacy notice

In most vaccination programmes, any Type 1 opt outs recorded within your GP record will not apply where the data obtained from GP systems is for a Direct Care purpose; we are obliged to monitor uptake of the vaccination which, although a secondary purpose, is linked to direct care.

The National Data Opt Out will not apply in all cases where any disclosure is for the purposes of monitoring and control of communicable disease or other risks to public health which includes:

• diagnosing communicable diseases
• controlling or preventing their spread
• delivering and monitoring vaccination programmes

Where processing is in relation to planning and research, we will adhere to the National Data Opt Out policy.

We have set up a service for people to choose whether they receive invitations and reminders to attend for COVID-19 vaccinations.

When you access this service, we need to verify your identity. You will need to provide your name, date of birth, and either your NHS Number or postcode. There is a facility to find an NHS number if you do not know it.

You will also need to have an email address or mobile phone number that you have registered with your GP, and is available in the Personal Demographics Service.

Once you have made your preference, your choice is saved against your NHS number.  This is the minimum amount of information that we need to provide this service.

We also record and store audit data each time you use the service, including the date and time and internet protocol (IP) address.  This is stored to help us monitor the service and protect the service from malicious use.  This data is stored on secure servers in the European Economic Area.

Whilst you will no longer receive COVID-19 vaccine invites for that particular campaign, your details will continue to be processed for the purposes of managing and monitoring the progress of the COVID-19 programme.

If circumstances were to change, for example, should the impact of COVID-19 significantly worsen, we may consider whether we have compelling grounds to send vaccination invitations irrespective of any preference set.

Setting your COVID-19 contact preference using this central service will not stop other organisations such as your GP practice from sending you invitations for vaccinations.