Privacy Notice

How the Covid Status Certificate uses your data and what your rights are

Introduction

What does the COVID-19 Status Certificate Service do?

The Department of Health and Social Care (DHSC) is providing a service to you that will produce a COVID-19 Status Certificate. This will allow UK residents in England to display (either electronically via a smartphone, or on paper via a letter) their COVID-19 vaccination history.

How does the service work?

Digital users: Users of the NHS mobile App and the NHS.UK website can access the COVID-19 Status certification service digitally, using an NHS login to authenticate into the service. Your information will then be retrieved from existing data we hold to provide a certificate of your vaccination history on your smart device.

Your vaccination status displays your vaccination record only and no other personal health records.

- How do I access the service?

To access the service, you will need to register for a user account via the NHS mobile App or web service, if you don’t already have one. This will create an NHS login, which will allow you access to the COVID-19 status certification service inside the NHS mobile App.

For more information on the NHS App and how to log in to it, you can visit the following webpages:
NHS App: https://www.nhs.uk/apps-library/nhs-app/
NHS Login: https://www.nhs.uk/nhs-services/online-services/nhs-log-in/
NHS Website: https://www.nhs.uk/conditions/coronavirus-covid-19/

Assisted Digital users - NHS.UK: This service allows you to request a letter containing your COVID-19 vaccination history. Based on the details provided, if you are identified as having received a full dose of vaccinations, then a letter will be produced and sent to the address held on your medical record. If you find any errors within the information provided, please contact our support service via the COVID-19 119 contact centre in the first instance.

- How do I access the service?

To access the service, visit NHS.UK and click on the letter service. You will need to provide your name, date of birth and postcode which will be used to locate your vaccination record and your address information to produce the letter.
NHS Website: https://www.nhs.uk/conditions/coronavirus-covid-19/

Non-Digital users: The 119 service can produce a letter containing your COVID-19 vaccination history. Based on the details provided, if you are identified as having received a full dose of vaccinations, then a letter will be produced and sent to the address held on your medical record.

If you find any errors within the information provided, please contact our support service via the COVID-19 119 contact centre in the first instance.

- How do I access the service?

To access the service you can call 119 and ask for a letter containing your COVID-19 vaccination history to be posted to you. You will be asked to provide your name, date of birth and postcode to the 119 COVID-19 telephone service to enable the service to produce a letter for you.

Note: The COVID-19 letter provided through the non-digital 119 service or the assisted digital NHS.UK service is not subject to a certifying authority as it is a statement rather than a certificate.

If you find any errors within the information provided, please contact our support service via the COVID-19 119 contact centre in the first instance.

What is the purpose for the processing of personal data?

The principle of the COVID-19 Status Certificate programme is to ensure that UK residents in England can demonstrate their COVID-19 status in order to preserve public health and facilitate international travel in accordance with government guidance and the criteria set by destination countries.

Users of the NHS App, the NHS.uk website and those in receipt of a 119 status letter will be able to demonstrate that they have a lower risk of transmitting to others for the purpose of international travel. The COVID-19 Status Certificate provides citizens with evidence of their vaccination history.

The Personal Data we collect and how it is used

Personal Data | NHS App | Vaccination Letter service | Website NHS.UK

NHS Login Verification (including ID verification)
X X
Full name.
  • To correctly identify an individual.
X X X
Date of Birth.
  • To correctly identify an individual.
X X X
NHS number.
  • To correctly identify an individual.
X X
Home address (Inc Post Code)
  • * To correctly send Certificate letters to an individual’s home addresses if requested.
X | Taking address from PDS* | X
Landline and/or Mobile phone numbers.
  • To be able to contact those who have requested a Certificate, or require support
  • SMS text message for those using the assisted non digital route to receive a letter in the event of a failed journey
X X
Email address.
  • To be able to contact those who have requested a Certificate, or require support
  • Email to those using the assisted non digital route to receive a letter in the event of a failed journey
X X
Third parties’ contact details may be taken when they have agreed to be contacted on behalf of other adults.
X

Special Category (Health) Data | Used in Certificate
Your vaccination data
X

NHS Digital is the certifying authority for the digital service. NHS Digital has provided the information about your vaccination history to the certification service, on behalf of NHS England, from the vaccination database it operates (the Approved Source System). This contains vaccination information supplied from the COVID-19 vaccine point of care systems approved by NHS England, who is the data controller for (and operates) the COVID-19 Vaccination Programme in England.

The COVID-19 letter produced by the 119 service (direct from 119 or via the NHS.UK website) is not subject to a certifying authority as it is a statement rather than a certificate.

Data Controller

The Data Controller for this service is the Department of Health and Social Care (DHSC).

The Data Protection Officer for the DHSC can be contacted as below:

In writing:
DPO
Department of Health and Social Care
1st Floor North
39 Victoria Street
London SW1H 0EU


By email:
data_protection@dhsc.gov.uk

Automated decision making or profiling.

For the purposes of effective compliance with the requirements of Article 22 of the UK General Data Protection Regulations (GDPR), the DHSC considers that automated decision making is not engaged in this service.

How will my information be shared?

For the digital service:
Your data is taken from approved source systems, point of care systems, the NHS Digital vaccination data store and the National Immunisation Management System (NIMS) owned by NHS England (NHSE). NHSE share your data with NHS Digital who make your data available to you either via the NHS App or NHS.UK.

For the non-digital service:
Your data is taken from the point of care system the National Immunisation Management System (NIMS) owned by NHS England (NHSE). NHSE share your data with DHSC. Demographic data is shared with DHSC by NHS Digital. This data is used to verify the details provided by you and provides the address held on record for the letter to be sent to you.

Your data will not be shared any further.

Lawful Basis for processing Personal Data

The legal basis for the use of personal data in the service will be:

UK GDPR Art. 6 (1)(e): processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller to meet the statutory obligations under Section 2A(1) of NHS Act 2006, to protect public health; and

UK GDPR Art. 9 (2)(g): processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject, underpinned by the Data Protection Act (DPA) 2018 – Schedule 1, Part 2, para 6 - Statutory and government purposes relating to public health and in particular the management of the COVID-19 public health emergency;

UK GDPR Art. 9 (2)(h): processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3.

This is further underpinned by:

UK GDPR Art. 9 (2)(i): processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy, underpinned by DPA 2018 – Schedule 1, Part 1, s. 2(2)(f) – health or social care purposes.

How long do we keep your Personal Data?

Digital users: Data collected in providing the service will be retained for approximately three minutes while you are accessing the system. For users of the digital option the data will not be retained once you log off.

Non-digital users: For users of the non-digital COVID-19 119 letter service, your data will not be retained once the letter has been printed, and will be kept for a maximum of 28 days.

Additional retention periods may be engaged in circumstances where a data subject exercises their information access rights:

  • In cases of legal complaints - data may be retained for a period of 10 years.
  • Subject Access Requests (SAR) and Freedom of Information Requests (FOI) - 3 years.
  • Subject Access requests & FOI requests where there has been an appeal - 6 years.

Personal Data storage

We handle your Personal Data in accordance with appropriate procedures and technologies in order to maintain and protect its security, availability, confidentiality and integrity, and to prevent its unlawful or unauthorised processing, accidental loss or damage, from its collection until its destruction.

Storage of data by the DHSC is provided by secure computing infrastructure on servers located in the European Economic Area (“EEA”). Our platforms are subject to extensive security protections and encryption measures.

Your rights as a data subject

By law, you have rights as a data subject. Your rights under the General Data Protection Regulation and the UK Data Protection Act 2018 apply.

  • Your right to get copies of your information – you have the right to ask for a copy of any information about you that is held or controlled by DHSC.
  • Your right to update or correct your information – you have the right to ask for any information held about you that you think is inaccurate to be corrected.
  • Your right to limit how your information is used – you have the right to ask for any of the information held about you to be restricted, for example, if you think inaccurate information is being used.
  • Your right to object to your information being used – you can ask for any information held about you to not be used. However, this is not an absolute right, and we may need to continue using your information, and we will tell you if this is the case.
  • Your right to get your information deleted – this is not an absolute right, and we may need to continue to use your information, and we will tell you if this is the case.

If you’re unhappy or wish to complain about how your Personal Data is used by the service you should contact DHSC in the first instance to resolve your issue. If you’re still not satisfied, you can complain to the Information Commissioner’s Office.

You can get in touch with us by contacting the Data Protection Officer. The Data Protection Officer for DHSC is Lee Cramp, who can be contacted by sending an email to data.protection@dhsc.gov.uk

Once we receive your request, members of our Data Protection Team will endeavour to get back to you as soon as possible to confirm receipt.

Security

We use appropriate technical, organisational and administrative security measures to protect any information we hold in our records from loss, misuse, unauthorised access, disclosure, alteration and destruction. We have written procedures and policies which are regularly audited and reviewed at a senior level.

Changes to our policy

We keep our Privacy Notice under regular review, and we will make new versions available on our Privacy Notice page on the DHSC website. This Privacy Notice was last updated on 1 June 2021.

Formal complaint about the processing

If you wish to make a formal complaint about the processing of your personal data, you should contact the UK regulator, the Information Commissioner, at:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Telephone: 0303 123 1113
Fax: 01625 524510

https://ico.org.uk/