Privacy Notice

The purpose of the NHS COVID Pass, how your information is used and your data rights

The Department for Health and Social Care (DHSC) as data controller, is providing citizens with a COVID Pass service to ensure that you can evidence and share your COVID-19 status, which is available to you both digitally through an App or website as well as a non-digital letter service. The purpose for using the service is to demonstrate a lower risk of transmitting the disease to others and limit infection for either international travel or to attend domestic events and settings in England where asked to share your COVID Pass by the organiser. These measures are there to assist in preserving public health within the UK, as well as to facilitate international travel. A full vaccination course is most often the entry requirement for international travel, and you can use your COVID Pass domestically within several overseas countries. Your COVID Pass will be based on either your completed vaccination history, (or exemption from vaccination if you have been on a clinical trial), your natural immunity through recovery from COVID-19 (positive PCR test in the last 180 days) or testing results.

What is meant by NHS COVID Pass ‘Status’?

An NHS COVID Pass shows your Coronavirus (COVID-19) vaccination details, exemption or test results. This is your COVID-19 status which you can access if you are registered with a GP and are receiving healthcare residing in England and Wales through

  • Vaccination status (approved vaccine or trial participants; boosters)
  • Test status (negative PCR and LFT within 48 hours)
  • Exemption status if you are or have been a clinical trial participant or need medical exemption on certain health grounds (approved by GPs, midwives and clinicians)
  • Recovery from COVID-19 Status (those who have had a positive PCR test result in the last 180 days). If you test positive at any stage, this will remove your ability to qualify for and display a COVID Pass for a period of 10 days. If fully vaccinated, the COVID Pass will automatically be available on day 11. You will also qualify for a period of natural immunity based on recovery status for the remaining period of 170 days.

Booster vaccinations:

Where most countries do not yet require booster vaccinations to be presented for travel, there are a small but growing number Worldwide that are introducing limits for inbound travellers prescribing when the most recent vaccine dose has been applied. As a result, the Government has requested that COVID-19 booster vaccinations are available in the Travel Pass (not the Domestic Pass) for English residents. Initially this will only be available digitally (and therefore in PDF format or wallet download, which now spans additional numbered pages). This will appear as ‘’dose 3 of 3’’ (or ‘’2 of 2’’ if Janssen was the primary vaccine), and as the most recent vaccination event. The Travel Pass has also had an additional screen added to it which mirrors the domestic passes ‘View COVID-19 records’. The ‘View COVID-19 Records’ screen will display Boosters. The addition of boosters into your COVID Travel Pass will use the same data flow channels (where the booster is recorded in NIMS) as primary doses and utilise the same EU 2D barcode standard. When travelling abroad and completing the Home Office Passenger Locator Form (PLF), you can upload your booster or final primary dose information (whichever you have had that is most recent) 14 days post vaccination. Boosters are not a requirement for inbound travel.

Note: Booster information is not currently available to all citizens. If you received your COVID-19 booster outside of England (in Scotland, Wales, or Northern Ireland) it will not yet show in the England COVID Pass. In addition, boosters will not show in the COVID Pass for Wales, Jersey, Guernsey and Gibraltar residents at this time.

Where can I find the NHS COVID Pass service?

You can choose either a digital method via the NHS App and NHS.UK website to display and download your NHS COVID Pass ( or a non-digital (letter service) route - which can be requested via the 119 telephone service or on the NHS.UK website (

Please ensure your contact and personal details including mobile phone number, are up to date with your registered GP.

Using the NHS COVID Pass for Adult Social Care purposes - to apply from 11/11/2021

Where for employment or access purposes in adult social care settings, you are required to provide evidence that you have been fully vaccinated against COVID-19, one of the ways you can choose to do this is through the additional information that can be found in the Domestic NHS COVID Pass. When accessing your Domestic Pass digitally via the NHS App, there is an additional tab at the bottom of the screen display called ‘’View COVID-19 Records’’. By opening this tab (live access only), you can choose to share the details of your COVID-19 vaccination events. There are two levels of detail in this tab as below:

  • Level 1 opening ‘box’: Displays the type of vaccine you have had, doses by most recent first and the date you received each dose. By clicking on the arrow, you will see further information.
  • Level 2: Displays additional detail including manufacturer, batch number, country of vaccine and administration centre as verified by NHSD.

There is currently no domestic COVID Pass letter to demonstrate your vaccination events.

- Using the digital service to access and display my COVID Pass

NHS App: The NHS - through NHS Digital as data controller, owns and manages the NHS App as a secure way to access a range of NHS services on your smartphone or tablet. This App has many features and functions including the connected service of the NHS COVID Pass.

Note: The NHS COVID Pass is found within the NHS App as a connected service, and is not located in any other NHS Apps or Apps from other organisations. It is not the same as the NHS COVID-19 Contact Tracing App for England and Wales (called the NHS COVID-19 App).

Note: You will see an expiry date on the display screen in your COVID Pass. This only relates to the 2D barcode and is not the validity of your vaccination doses. The barcode will be valid for 30 days and then will automatically be renewed if your status remains the same. There are currently no government decisions on how long a vaccine is effective for and therefore no current expiry is applied to a completed vaccine course, therefore enabling the barcode to continue to be regenerated. Any future changes that will come into effect will be reflected in this privacy notice.

Further information as well as Privacy Notices for the NHS App can be found at NHS App:

NHS login: If you are using the NHS App or NHS.UK website to access your NHS COVID Pass status, and have not registered before, you will need to undertake the NHS login process to authenticate your identity and to prevent fraud and misuse. For the full functionality of all the features of the NHS App as well as to display and share your International COVID Pass (including your vaccine history in the pass) for international travel, will require verification of photographic ID (such as a passport or driving licence). If you need to display your COVID Pass status for use within the UK, your login will require verification using a single mobile number that is matched against your GP record. Please ensure your GP has an up-to-date mobile telephone number for you.

Further information and a privacy notice for the NHS login can be found at Your Privacy on NHS login

NHS Website: You can also access NHS App services from the browser on your computer at the NHS.UK website by clicking on the section marked as the COVID Pass status service.

Further information and a privacy notice for the NHS Website can be found at

What data will be displayed for sharing on my phone?

- For international travel: In addition to a screen displaying a green-for-records-found status, several 2D barcodes will be displayed which may be used for point-of-departure and arrival scanning purposes alongside details of your vaccinations. Alternatively, you may be asked to share your mobile phone screen displaying your status within the NHS COVID Pass or a download of the data in PDF format. In addition to the information on the screen, the 2D barcode(s) confirms your status with coded embedded data in the form of a visual image. This visual image can be transmitted by in-the-moment scanning from an NHS COVID Pass Verifier. This verifier is a scanning application available as an NHS App for download to a mobile phone, which then uses its camera to capture and verify this image. Both the NHS COVID Pass and the NHS COVID Pass Verifier do not retain, share or further process your data. The display screen you surface when logged in to your NHS COVID Pass, only shows your status for long enough to share (up to 10 minutes). The display screen in the Verifier App is also momentary. Your medical records are not accessed during this purpose. For travel purposes, once the 2D barcode data is successfully scanned, a vaccine and booster status will automatically be displayed and can be expanded if further details are needed to show further details of your vaccination history.

- Use in England (Domestic Pass): Your mobile device will generate a 2D barcode and green-for-go (Pass) or “expired”/” not recognised” display screen to evidence your COVID status alongside your name and date of birth. There is no further display of your medical data or vaccination history.

Cookies: To enable the technology to work within the NHS COVID Pass in the NHS App, and to function more efficiently in use, we place small files called cookies that are strictly necessary, on your devices. The cookie policy for the NHS COVID Pass can be found at:

The ‘strictly necessary cookies added to the NHS COVID Pass are:

COVIDStatusUserPreferenceWe store which flow choice you made (UK events or international travel) to bring you back to the right place.
COVID StatusQueueItThis cookie holds your user session information so that when you return from a waiting room to log on, you can continue your session within the service without having to log on again.

There are separate cookie policies for the wider applications of the NHS App, NHS login and the NHS.UK website. NHS Digital (NHSD) is the data controller for these technologies and further information can be found as below

NHS login
NHS Website

IP address: The app and website use an internet connection therefore your IP address will also be processed. This is inherent to the use of internet and IP technology and is necessary to technically establish a connection between the test performer’s or vaccinator’s server and your phone or browser. The IP address is processed for management and security purposes only.

Apple Wallet option: The iOS operating systems provide a feature called a “Wallet Function”. This will allow smartphone users to collect and organise personal data within their device and have an available offline copy of their COVID Pass. Users of the NHS COVID Pass can download their COVID Pass directly into their wallet from within the COVID Pass App, avoiding the need to create a downloaded PDF copy. COVID Pass App users are advised to familiarise themselves with their smartphone providers terms and conditions of use prior to accepting inclusion of their COVID Pass into a local wallet function.

Google Wallet: From 2 December, if you obtain your NHS COVID Pass through the NHS App or Google Chrome web browser using an Android phone, then you will be able to store your COVID Pass to the wallet of your mobile device. You will see the ‘Google Pay - save to phone’ button within the NHS App. You can then show your COVID-19 status at events and venues in England and for international travel. The ability to store your NHS COVID Pass in the Google Pay digital wallet is available to Google certified android devices manufactured from 2014 onwards (version 5 onwards).

- Using the letter (non-digital) service to get a COVID Pass

The letter service: You can call the 119-telephone service to request your vaccination status for international travel. This will be printed and sent to you through the post to the address held on your GP medical record.

Note: The letter service is for international vaccination status and not your recovery or negative test results. The letter service is not available for domestic use including medical exemptions. Your GP cannot provide you with this letter or service.

- Using the website service to request my COVID-19 status letter

As with the 119-letter service described above, you can also use the NHS.UK website to request an NHS COVID status letter. This will be sent to the address you have provided to your GP, held on your medical record. To access the service, visit the NHS.UK website at
Get your NHS COVID Pass letter - NHS (

How do I evidence my COVID Pass status if I am taking part in a clinical trial?

If you are exempt from receiving deployed approved vaccinations because you are in, or have taken part in, an NHS clinical trial, and may have received other vaccinations, you will be able to use the COVID Pass within the NHS App to display and share your COVID status in the UK for domestic purposes, displaying a green-for-go screen because of your exempt status. If you have had two vaccinations as part of an unblinded trial your COVID Pass status for international travel will display your trial vaccination events/history. However, acceptance of this internationally may depend on the trial that you have taken part in and, pending any international agreements, you may need to evidence your status for foreign travel through testing. Blinded trial participants (those who don't know whether they are being treated with the vaccine in development or a placebo). whose vaccination events are not recorded on the National Immunisation Management System will not be able to qualify for a COVID Pass based on clinical trial status rather than vaccine history.

However, Vaccine clinical trial participants now have the option to get additional vaccine doses, to enable international travel to countries which currently only accept vaccination records with deployed COVID-19 vaccinations. The additional doses will initially be offered to those taking part in the Novavax trial, which includes the vast majority of those in ongoing trials for vaccines not yet approved for deployment. The offer will then be extended to participants in other relevant trials within the coming weeks. Novavax participants will be offered 2 doses of the Pfizer/BioNTech vaccine, with an 8-week interval between first and second doses.

Those that have taken part in private clinical trials for COVID-19 vaccinations will now be able to gain an NHS COVID Pass.

Can I get a COVID Pass if I have a Medical Exemption?

You can now apply for a domestic NHS COVID Pass if you are: -

  • Over 18 years (or you turn 18 years in 3 months or less)
  • Resident in England and registered with a GP (Note: The English service is not available to residents in Wales, Jersey, or the Isle of Man)
  • Have a valid medical exemption to be excluded from vaccination or vaccination and testing (but not testing only). Examples of this include (but are not confined to) those who are in receipt of end-of-life care, are in receipt of certain treatments, have learning disabilities such as autism and cannot be vaccinated with reasonable adjustments or who have medical contraindications to all current approved COVID-19 vaccinations, or who have certain pregnancy complications.

The NHS COVID Pass for Medical Exemptions will be digitally available for domestic voluntary use reflecting current Government policy. For international use, acceptance will be dependent on foreign travel policy and the requirements set by individual countries as to what they will accept. There is no international agreement currently regarding medical exemptions. The Medical exemption COVID Pass does not disclose your medical history or detail.

You can apply for a Medical Exemption status for yourself or for someone else that you care for by calling 119. You will be asked to provide some initial non-medical personal information (first and second name, date of birth, NHS number, address and postcode, optional email address and GP practice). You will then be asked some basic screening questions but will not need to divulge your medical information to the 119-call handler.

NHS Digital is the data controller for Medical Exemptions whilst DHSC remains the data controller for the NHS COVID Pass.

If accepted as suitable to progress from the initial 119 call, you will be sent a form by post, it will have been partially filled in by the 119 service which you will then need to further complete and provide directly (i.e., by hand) to your clinician (registered GP, midwife, or NHS secondary care professional), who will access your medical records to progress the application. The GP or clinician will then have 10 working days from receipt to complete your assessment and form and update your Summary Care Record (SCRa). The application must meet the criteria for either vaccination exemption or vaccination and testing exemption status and not be based on testing only exemption. Once reviewed you will receive a letter confirming successful application for medical exemption status or that the exemption has been declined. This initial letter is not the NHS COVID Pass although you will be advised to retain this letter for your own records reflecting the fact that your medical exemption status will last for a maximum of 12 months. For shorter term exemptions such as pregnancy from the second trimester, the clinician may apply an end date of (for example) due date plus 16 weeks.

Where approval has been granted, the letter will contain details of how to progress getting the digital NHS COVID Pass. This is available via the NHS App and NHS.UK.

Your information will be shared with the service’s approved printers to produce information letters and with DHSC through NHSX for the purpose of providing the digital pass.

The domestic NHS COVID Pass Medical Exemption will have equivalence with the NHS COVID Pass for domestic use achieved through other means - vaccination, testing or recovery (from COVID-19) status.

If your medical exemption application decision is not upheld, there is no appeals process and you are advised to contact your GP or 119 to discuss other available options.

Further information can be found at

What if I have been vaccinated abroad?

Vaccination centres have already been recording all COVID-19 vaccinations received by English residents when abroad, where the citizen makes this evidence known through a vaccination centre or the 119 service. The NHSD vaccine records management system (NIMS) data has then shown there is a need for extra steps to be taken to yield a COVID Pass where historically some foreign-administered vaccines have not qualified the recipient for an NHS COVID Pass. As a result, a pilot outreach service was established in September 2021, making contact with those affected who are already in the system to help facilitate suitable steps to generate a COVID Pass. This may include additional vaccinations.

From 25th November 2021, if you are one of these citizens, qualifying vaccines have been expanded to allow a COVID Pass if you have received any of the ‘big 4’ COVID-19 vaccination types (AstraZeneca, Pfizer, Moderna and Janssen) from most countries across the World, including where mixed doses have been given or where the vaccinations were provided cross-borders. This will also allow you to be called for COVID-19 boosters. Your existing overseas vaccination data and new vaccine information will be processed by the existing NHSD systems including the Data Processing Service and NIMS system that supports the COVID-19 vaccination programme - from which the data is provided to the COVID Pass.

Note: There will however remain a small number of territories where coding issues for their COVID-19 vaccines prevent the generation of a COVID Pass. Engagement continues where these issues exist. You can call the 119 Vaccine Data Resolution Service for further assistance. Where English residents have received COVID-19 vaccines other than the big four, the UKHSA has developed guidance for healthcare professionals on when additional doses of equivalent MHRA vaccinations should be administered.

In addition to the pilot outreach scheme, a self-service (walk in) request programme will soon be available for English residents vaccinated overseas to seek resolution to qualify for a COVID Pass. You will also be able to contact 119 (and provide your name and date of birth to the 119 operator) to establish a vaccine centre near to you. You will be asked to take your COVID-19 vaccine evidence to that centre for data entry onto the point-of-care system and may be offered an additional COVID-19 vaccine to complete a qualifying course.

For those seeking further information or who have not qualified for an NHS COVID Pass, please visit

I work in adult social care and need to share my vaccination events

Where for employment or access purposes in adult social care settings, you are required to provide evidence that you have been fully vaccinated against COVID-19, one of the ways you can choose to do this is through the additional information that can be found in the Domestic NHS COVID Pass. When accessing your Domestic Pass digitally via the NHS App, there is an additional tab at the bottom of the screen display called ‘’View COVID-19 Records’’. By opening this tab (live access only), you can choose to share the details of your COVID-19 vaccination events. There are two levels of detail in this tab as below:

  • Level 1: Displays the type of vaccine you have had, doses by most recent first and the date you received each dose.
  • Level 2: Displays additional detail including manufacturer, batch number, country of vaccine and administration centre as verified by NHSD.

There is currently no Domestic Pass letter to demonstrate your vaccination events.

I am a visitor to England with an International Pass - can I use it for domestic settings?

If you are a visitor to England attending English venues and settings (where the organiser has chosen to apply COVID-19 certification), you may be able to show that you have a valid COVID Pass (see below). This has been made possible through international compliance with EU DCC standards (the EU Commission's Digital COVID Certificate) making the encoding of the 2D barcode within the COVID-19 international passes, interoperable. This applies to EU countries and those outside the EU, including the UK, wishing to use this same standard.

If you have an international digital COVID pass or gained entry to the UK with a paper copy carrying a 2D international or EU DCC barcode from your own country’s COVID Pass system, this can be presented to an English venue operator for

- a visual check (if scanning cannot be achieved, or where a visual check is preferable) so that the setting can confirm your status (but which may also reveal the medical information of vaccination events)

- scanning by the NHS COVID Pass Verifier (App) downloaded in advance to an operator's mobile device. The scanning process will not reveal any of the vaccination event details and will simply display the citizen’s name and a green tick as valid. Your data will not be retained, shared, or further processed in this verification process as it is a momentary screen to screen check.

In summary, an organisation can use visual checks or the NHS COVID Pass Verifier App to check the following:

- For those citizens from Northern Ireland visiting English settings and needing to use their international pass and 2D barcode (unless and until a domestic pass becomes available), when scanned by the Verifier App, will only display a green tick pass and will not reveal any details of vaccination events.

- International visitors can continue to show an international pass (digital or paper versions) for a visual operator check in English domestic settings using voluntary certification. There is also the ability to scan these 2D international barcodes in domestic mode - which will not reveal the full details of vaccination events (reserved only for international travel purposes).

- For English residents, an international pass with 2D barcode cannot be scanned for entry into English venues and settings.

What will I need to get or show my COVID Pass status?

Your status will be based on your vaccination history, exemption, recovery status or test results through either a

  • Completed course of approved COVID-19 vaccinations, 2 weeks after your second dose (or be a valid vaccination trial participant)
  • Valid test status: A Polymerase Chain Reaction (PCR) test result - a positive PCR test (within the past 6 months giving you natural immunity status after self-isolating and up to 180 days after taking the test), or negative PCR test or rapid Lateral Flow Test (LFT) reported within the past 48 hours.
  • A Medical Exemption or Clinical Trial exempt status

Report a COVID-19 rapid lateral flow test result - GOV.UK (

There are several different types of COVID-19 tests available including PCR tests and LFT tests. Relatively new LAMP and SAMBA II tests are also being made available in certain settings. From 25th November 2021, the NHS COVID Pass will be able to incorporate tests conducted in UKHSA laboratories and NHS Hospitals for those with a clinical need, as well as health and care workers. These tests are known as Pillar 1 tests. The COVID Pass will continue to reflect tests carried out for the wider population (known as Pillar 2 tests conducted at a COVID-19 test centre or kits) and includes PCR and rapid LFT tests. The more recent LAMP test results do not feature in the COVID Pass in Pillar 2 testing.

It typically takes 24 hours for the test result to be processed. The COVID Pass will be available for 48 hours where a negative test result is available. A positive PCR, LAMP and SAMBA II test all remove the ability to surface a COVID pass for 10 days while you are infected, followed by a COVID pass based on natural immunity and recovery from day 10 to day 180; a positive LFT test removes the domestic pass for 10 days.

Note: Pillar 1 data from health and care settings can only incorporate Welsh test results for Welsh citizens tested in hospitals in England, and not all test results from hospitals in Wales. This is not available to Isle of Man residents.

Where is my data held?

Your COVID-19 vaccination data, including those who are in receipt of additional vaccines following clinical trials or returning to England to reside from overseas, is transferred from the point of care (where you received the vaccines), into the NHS England (NHSE) National Immunisation Management Service (NIMS) which is the IT software and infrastructure that supports the COVID-19 vaccination programme. NHSE is the data controller for the vaccination programme and provides your GP (who is the data controller for your medical record) with details of your vaccinations. If you were vaccinated as part of a clinical trial, you will have NHS COVID Pass exemption status within the NHS App.

Your test results, including those processed in a hospital setting through UK HSA laboratories (from those with a clinical need or who work in clinical settings) are transferred from the Test and Trace Service held by the DHSC infrastructure. As a result of short timeframes, seeking negative LFT or PCR test results by letter is not possible as the letter may take 5 days to arrive.

Further information on testing is available on the Test and Trace website: NHS Test and Trace in the workplace - GOV.UK (

Note: Private testing results are currently not part of the service.

Your demographic data: Your personal demographic details are held by the NHS Digital Personal Demographic Service (PDS) which is the national electronic database for NHS patient demographic data. This is your name, address, date of birth and NHS number, and if recorded, the mobile telephone number provided to your GP - all processed to assist in your rapid identification. For the purposes of the letter service, your address is then linked to your vaccination data and provided to a secure printer service (including the option for a Braille version) from where the letter will be posted to you.

Your NHS COVID Pass is a mechanism to display your status and no information is held within the COVID Pass area of the NHS App. Your medical records are not accessed for this purpose and no access permissions are required or provided by your GP. While you are logged in to the NHS COVID Pass area, you can display your status in a live setting. During your session you have the option to download your status into a secure wallet in your mobile phone as a PDF copy to your phone or receive an off-line copy by email allowing your device and not the COVID Pass App to store your data. Logging out ends the display session.

Your Medical and Clinical Exemption data: Is held by NHS Digital as data controller for the Summary Care Record. Your medical records held by your GP are under the separate data controllership of your GP practice. For those taking part in clinical trials, including private trial sites, the data controller for your medical information associated with that trial will be the clinical trial research body, who can provide you with a Privacy Notice to explain how they process your personal and health data.

What happens in other parts of the UK?


From 15th October 2021, Welsh citizens and those attending events and settings in Wales classed as large venues, will need to prove that you are fully vaccinated or have tested negative in the last 48 hours for COVID-19. If you are a Welsh resident or live in England and were vaccinated in Wales, you can get a digital NHS COVID Pass if you were vaccinated in Wales and you are aged 16 or over

Welsh Vaccination Data: The Department of Health and Social Care (DHSC) has agreed with the Welsh Government to provide those Citizens residing in Wales with the ability to demonstrate their COVID-19 status. The Welsh Government has shared Welsh vaccination data with DHSC, from the Welsh vaccination database operated by the Welsh Health Board. This contains vaccination information supplied from the COVID-19 vaccine point of care systems approved by Public Health Wales who is the data controller for (and operates) the COVID-19 Vaccination Programme in Wales.

Testing Results for Welsh citizens: Testing Results for Welsh citizens: COVID-19 testing that takes place in Wales is not included in this service and you are advised to check the Welsh Test and Trace service for additional support:

Test Trace Protect | GOV.WALES

Scotland: It is now a requirement in Scotland to show a domestic pass when attending high risk events. If you are a Scottish resident registered with a Scottish GP or live in England and were vaccinated in Scotland, you cannot access the NHS COVID Pass service for England and Wales but can access the Scottish service at

If you live in Scotland but are registered with a GP in England, you will be able to access the NHS App system for England.

Northern Ireland: If you are a Northern Irish resident, you are not able to access the NHS COVID Pass service for England and Wales. For further information please visit

Get a COVID-19 vaccination in Northern Ireland | nidirect

Isle of Man: If you are a citizen and resident of the Isle of Man, you can access the NHS England COVID Pass status service. You can choose either to access via the app & website or a non-digital route. The Isle of Man Government is using the UK NHS App for the purpose of providing residents with their own COVID-19 vaccination certificate for travel and will share information with NHS Digital on all COVID-19 vaccinations given in the Island. The Certificate or Pass is widely recognised and accepted for UK and international travel and will be available either electronically via the NHS App or as a paper copy as below. This will replace the temporary letter solution provided by Manx Healthcare. Your NHS number, full name, date of birth, gender and your post code must be provided to NHS Digital to confirm your identity using the Personal Demographics Service (the PDS), which is the national electronic database of NHS patient details, in order for your vaccination certificate to be available on the NHS app.

Further information and a link to the PDS Privacy Notice can be found here:

DHSC via Manx Care will share all vaccination data with NHS Digital for its sole and specific use of providing Manx citizens with a COVID Pass service. If you wish to use the NHS COVID Pass service via the NHS App and website, your name, date of birth and information about each dose of the COVID-19 vaccine administered to you will be used to provide you with an electronic vaccine barcode certificate. Further privacy information can be found on the Manx-care website as below and you are advised to read this information and decide whether you wish to opt out of having your information shared in this way for this purpose:

You can obtain your NHS COVID Pass as detailed below:

  • digitally via the NHS App downloaded to your mobile device and the connected service within this App of the NHS COVID Pass. You will automatically be directed to NHS login as a first-time user to verify your identity credentials, after which you will be able to access your COVID status based on vaccination events for your own international travel or domestic use purposes.

  • digitally via the COVID Pass area at NHS.UK website for international travel, where you can download and print your Pass as a PDF document. To access the service, you’ll need to register for an NHS login, and provide a photographic ID (passport, full UK driving licence).

  • non-digital service (letter format) carrying the NHS logo, by telephoning 0808 1624 119 (from the Isle of Man only) if you can satisfy the vaccination requirements previously outlined.

Information about the retention of your data by Manx Care is available on the Manx Care Privacy Notice. If you wish to see the COVID-19 vaccination data processed about you, please contact Manx Care’s Data Protection Officer on For the certification service, you will be able to contact the DPO for DHSC as detailed at the end of this notice.

Jersey, Guernsey, and Gibraltar: Further information is provided by your respective jurisdictions who are the data controllers for your COVID Pass:

- Jersey:

- Guernsey:

- Gibraltar:

The Personal Data we collect and how it is used

Personal DataNHS AppWebsite NHS.UKNHS login for NHS App and NHS.UKVaccination Letter service (119 and NHS.UK)Hash encoded data in the 2D barcodeMedical Exemptions
Full name to correctly identify you.
Date of Birth to correctly identify you.
NHS number to correctly identify you.*
Home address (Including Postcode) * To correctly send COVID Pass letters to your home address if requested.*Taking address from PDS*
Landline and/or Mobile phone numbers.
  • To be able to contact you if you have requested a Pass, or require support.
  • SMS text message if using the letter route in the event of a failed journey or to receive a vaccine test result.
Email address.
  • To be able to contact you if you have requested a Pass, or require support
  • If using the non digital letter service in the event of a failed journey
Third parties’ contact details may be taken if they have agreed to be contacted on behalf of other adults.
Photographic ID verification*
Special Category (Health) Data Your vaccination and test data
Automated decision making or profiling is not engaged in this service provision (Article 22 of UK GDPR)XXXXXX
* Only required for international travel

How will my information be shared?

For the digital service:
Your data is taken from approved source systems, point of care systems, the NHS Digital vaccination data store, and the National Immunisation Management System (NIMS) owned by NHS England (NHSE). NHSE shares your data with NHS Digital who make your data available to you either via the NHS App or NHS.UK.

For the non-digital service:
In summary, your data is taken from the point of care system, NIMS (NHSE) and shared with DHSC. Demographic data is shared with DHSC by NHS Digital This data is used to verify the details provided by you and provides the address held on record for the letter to be sent to you.

Note: There is no transfer of data outside the wider UK and Crown Dependency community.

The lawful basis for processing your personal data

UK GDPR Art. 6 (1)(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller to meet the statutory obligations under Section 2A(1) of NHS Act 2006, to protect public health; and

UK GDPR Art. 9 (2)(g) processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject Underpinned by the Data Protection Act (DPA) 2018 – Schedules 1, Part 2, para 6 - Statutory and government purposes relating to public health and in particular the management of the COVID-19 public health emergency;

UK GDPR Art. 9 (2)(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services based on Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3, underpinned by

Data Protection Act 2018 (DPA 2018), Schedule 1 - Part 1, Section 2 (2) [ f] where the condition for processing special category data is met for the health or social care purposes through the management of healthcare systems or services where the conditions and safeguards in Section 3, public health, are met.

UK GDPR Art. 9 (2)(i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, based on Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy.

How long do we keep your Personal Data?

Digital users: Data is not stored within the NHS COVID Pass section of the NHS App. The data is displayed during your live login session. Your COVID-19 data will not be retained once you log off.

Non-digital users: For users of the 119-letter service, (directly or via a self-request on NHS.UK) your data will not be retained once the letter has been printed and posted.

Additional retention periods may be engaged in circumstances where a data subject exercises their information access rights:

  • In cases of legal complaints - data may be retained for a period of 10 years.
  • Subject Access Requests (SAR) and Freedom of Information Requests (FOI) - 3 years.
  • Subject Access requests & FOI requests where there has been an appeal - 6 years.

Your rights as a data subject

By law, you have rights as a data subject. Your rights under the General Data Protection Regulation and the UK Data Protection Act 2018 apply.

  • Your right to get copies of your information – you have the right to ask for a copy of any information about you that is held or controlled by DHSC.
  • Your right to update or correct your information – you have the right to ask for any information held about you that you think is inaccurate, to be corrected.
    Note: If information you have provided to your GP/health service is out of date, you will need to correct this at the source to whom you provided the data. If there are inaccuracies because of incorrect information held on our systems about you, please contact the 119 service in the first instance.
  • Your right to limit how your information is used – you have the right to ask for any of the information held about you to be restricted, for example, if you think inaccurate information is being used.
  • Your right to object to your information being used – you can ask for any information held about you to not be used. However, this is not an absolute right, and we may need to continue using your information, and we will tell you if this is the case.
  • Your right to get your information deleted – this is not an absolute right, and we may need to continue to use your information, and we will tell you if this is the case.

If you are unhappy or wish to complain about how your Personal Data is used by the service, you should contact DHSC in the first instance to resolve your issue. If you’re still not satisfied, you can complain to the Information Commissioner’s Office. You can get in touch with us by contacting the Data Protection Officer. The Data Protection Officer for DHSC is Lee Cramp, who can be contacted by sending an email to

Once we receive your request, members of our Data Protection Team will endeavour to get back to you as soon as possible to confirm receipt.

Data security

Appropriate technical, organisational and administrative security measures are employed within our systems to protect any information we hold in our records from loss, misuse, unauthorised access, disclosure, alteration, and destruction. We have written procedures and policies which are regularly audited and reviewed at a senior level.

Changes to this Privacy Notice

We keep our Privacy Notice under regular review, and we will make new versions available on our Privacy Notice page on the DHSC website. This Privacy Notice was last updated on 18th November 2021.

The Data Controller for the NHS COVID-19 Pass status service is the Department of Health and Social Care (DHSC). Please contact the Data Protection Officer as below if you require further information or wish to bring something to our attention.

In writing:
Department of Health and Social Care
1st Floor North
39 Victoria Street
London SW1H 0EU

By email:

Formal complaint about the processing

If, after contacting the DPO as above, you wish to make a formal complaint about the processing of your personal data, please contact the Information Commissioner at:

Information Commissioner's Office (ICO)
Wycliffe House
Water Lane

Telephone: 0303 123 1113
Fax: 01625 524510

Last Updated: 18th November 2021