Privacy Notice

How the NHS COVID Pass uses your information and your data rights

What is the purpose of the NHS COVID Pass service?

The Department for Health and Social Care (DHSC) as data controller, is providing citizens with a COVID Pass service to ensure that you can evidence and share your COVID-19 vaccination, exemption or test result status, which is available to you both digitally through an App or website as well as a non-digital letter service. The purpose for using the service is to demonstrate a lower risk of transmitting the disease to others and limit infection for either international travel or to attend domestic events and settings in England where asked to share your COVID Pass by the organiser.

Wales Only: Within Wales further allowed access is permitted for those with a positive test within the last 6 months which has been followed by the appropriate period of isolation.

A new phase of continued caution means that within the UK, you now need to demonstrate your COVID Pass status to participate in some events and attend certain venues. Regulations require that you provide evidence, optionally via the COVID Pass, in high risk settings to help to limit the risk of infection.

These measures are there to assist in preserving public health within the UK, as well as to facilitate international travel.

International Travel

It remains necessary for individuals to be vigilant on updates and changes to UK entry and international travel requirements prior to any international travel including the status of foreign countries and quarantine/isolation and entry requirements for vaccination and testing when both arriving at your destination and returning to the UK. A full vaccination course is increasingly becoming the entry requirement, this may include booster vaccinations. Agreements have been made with a number of overseas countries for you to be able to use your UK COVID Pass to demonstrate compliance with travel requirements and thus avoid the need for further production of evidence.

Domestic within England, Wales and Isle of Man

Regulations domestically require that you are able to evidence your COVID Pass 'status to be permitted entry to certain high risk venues and events. The COVID Pass provides the opportunity for you to provide the necessary evidence via your mobile phone or smart device, or via a printed letter.

COVID Pass and those under 18 years of age.

All children aged 12 and over are now eligible for COVID-19 vaccination. Those aged 12-17 are eligible for a first dose of the Pfizer/BioNTech COVID-19 vaccine, although 12-17 year olds with certain medical conditions that make them more at risk of serious illness, or who are living with someone who is immunosuppressed are eligible for 2 doses. These children will be contacted by a local NHS service such as their GP surgery to arrange their appointments.

All other 12-15 year olds will be offered the vaccine via the school-based programme.

Young people aged 16-17 will be invited to a local NHS service such as a GP surgery or can access the vaccine via some walk-in COVID-19 vaccination sites.

Many countries require those over 12 years of age to have a full course of vaccination. The COVID Pass provides digital and hardcopy evidence from the relevant COVID-19 Events to allow international travel for those between 12 and 18 years of age, identical to the COVID Pass for adults.

Domestically, those under the age of 18 are exempt within the regulations for high risk venues and events, and therefore will not be required to provide evidence of vaccination.

Adult Social Care & NHS Front line staff

Where, for employment or access purposes, you are required to provide evidence that you have been fully vaccinated against COVID-19, one of the ways you can choose to do this is through the additional information that can be found in the NHS COVID Pass. When accessing your Pass digitally via the NHS App, there is an additional tab at the bottom of the screen display called ‘’View COVID-19 Records’’. By opening this tab (live access only), you can choose to share the details of your COVID-19 vaccination events. There are two levels of detail in this tab as below:

  • Level 1: Displays the type of vaccine you have had, doses by most recent first and the date you received each dose.
  • Level 2: Displays additional detail including manufacturer, batch number, country of vaccine and administration centre as verified by NHSD.

How is the service managed & delivered?

The NHS COVID Pass Service is a live service for public use, we will use reasonable efforts to keep the Service up-to-date and functioning as intended. The Service is managed and monitored on a full time basis, with further technical support to provide support on a 24/7 basis. A fully staffed 119 Support Service is available to ensure that service users are able to gain support and assistance. This is available as a telephone support between 07;00 and 23:00 daily.

However, the Service is provided on an "as is" basis and, to the extent permitted by law, we make no other representations, warranties or guarantees, whether express or implied that the Service will be accurate at all times. We also cannot guarantee that the Service will be uninterrupted, secure or error or virus free, or that defects will be corrected.

Further details of service provision are available from the Terms & Conditions of Use.

On a case by case basis, and if no other practical option is available to fix bugs or errors within the live service, then a limited permission for use of live data MAY be granted in exceptional circumstances. All appropriate safeguards will be in place to ensure that any use of live data will maintain confidentiality/privacy at all times.

What is meant by NHS COVID Pass ‘Status’?

An NHS COVID Pass shows your Coronavirus (COVID-19) vaccination details as a specific extract from your full medical record. This is your COVID-19 status which you can access if you are registered with a GP and are receiving healthcare in England.

(Up to date details on COVID Pass for Devolved Administrations, Crown Dependencies and Overseas Territories can be found on the relevant local information services see links below)

Within England, Wales and Isle of Man your valid status is displayed as a green tick, which indicates that your vaccine history is sufficient to permit entry into venues or events covered by the regulations for high risk venues or events. In line with the regulation your Green Tick confirms that you have:

  • Received a full course of an accepted vaccination
  • Approved Medical Exemption
  • Have previously, or are currently participating in, an approved Clinical Trial
  • Have recorded a negative test result in the last 48 hrs

Where can I find the NHS COVID Pass service?

You can choose either a digital method via the NHS App https://www.nhs.uk/nhs-app/ and NHS.UK website https://www.nhs.uk/conditions/coronavirus-COVID-19/COVID-pass/ to display and download your NHS COVID Pass (https://COVID-status.service.nhsx.nhs.uk/) or a non-digital (letter service) route - which can be requested via the 119 telephone service or on the NHS.UK website (https://www.nhs.uk/conditions/coronavirus-COVID-19/COVID-pass/get-your-COVID-pass-letter/).

Please ensure your contact and personal details including mobile phone number, are up to date with your registered GP.

- Using the digital service to access and display my COVID-19 status'

NHS App: NHSD operates the NHS App and is joint controller for many of the functions with NHSE and DHSC, as a secure way to access a range of NHS services on your smartphone or tablet. This App has a large number of features and functions including the connected service of the NHS COVID Pass.

Note: The NHS COVID Pass is found from the NHS App as a connected service, and is not located in any other NHS Apps or Apps from other organisations. It is not the same as the NHS COVID-19 Contact Tracing App for England and Wales (called the NHS COVID-19 App).

Note: You will see an expiry date on the display screen in your COVID Pass. This only relates to the 2D barcode and is not the validity of your vaccination doses. The barcode will be valid for 30 days and then will automatically be renewed as long as your status remains the same. There are currently no government decisions on how long a vaccine is effective for and therefore no current expiry is applied to a completed vaccine course, therefore enabling the barcode to continue to be regenerated. Any future changes that will come into effect will be reflected in this privacy notice.

Further information as well as Privacy Notices for the NHS App can be found at NHS App: https://www.nhs.uk/apps-library/nhs-app/

NHS login: If you are using the NHS App or NHS.UK website to access your NHS COVID Pass status, and have not registered before, you will need to undertake the NHS login process to authenticate your identity and to prevent fraud and misuse. For the full functionality of all the features of the NHS App as well as to display and share your International COVID Pass (including your vaccine history in the pass) for international travel, will require verification of photographic ID (such as a passport or driving licence). If you need to display your COVID Pass status for use within the UK, your login will require verification using a single mobile number that is matched against your GP record. Please ensure your GP has an up-to-date mobile telephone number for you.

Further information and a privacy notice for the NHS login can be found at Your Privacy on NHS login

https://www.nhs.uk/nhs-services/online-services/nhs-log-in/

NHS Website: You can also access NHS App services from the browser on your computer at the NHS.UK website by clicking on the section marked as the COVID Pass status service.

Further information and a privacy notice for the NHS Website can be found at
https://www.nhs.uk/conditions/coronavirus-COVID-19/
https://www.nhs.uk/conditions/coronavirus-COVID-19/COVID-pass/
https://www.nhs.uk/our-policies/privacy-policy/

What data will be displayed for sharing on my phone?

For international travel: In addition to a screen displaying a green-for-records-found status, a 2D barcode will be displayed which may be used for point-of-departure and arrival scanning purposes alongside details of your vaccinations. Alternatively, you may be asked to share your mobile phone screen displaying your status within the NHS COVID Pass or a download of the data in PDF format. In addition to the information on the screen, the 2D barcode(s) confirms your status with coded embedded data in the form of a visual image. This visual image can be transmitted by in-the-moment scanning from an NHS COVID Pass Verifier. This verifier is a scanning application available as an NHS App for download to a mobile phone, which then uses its camera to capture and verify this image. Both the NHS COVID Pass and the NHS COVID Pass Verifier do not retain, share or further process your data. The display screen you surface when logged in to your NHS COVID Pass, only shows your status for long enough to share. The display screen in the Verifier App is also momentary. Your medical records are not accessed during this purpose. For international travel purposes, once the 2D barcode data is successfully scanned, a vaccine status will automatically be displayed and can be expanded if further details are needed to show further details of your vaccination history.

Use in England, Wales and Isle of Man (Domestic Pass): Your mobile device will generate a 2D barcode and green-for-go (Pass) or “expired”/” not recognised” display screen to evidence your COVID status alongside your name and date of birth. There is no further display of your medical data or vaccination history.

Cookies: To enable the technology to work within the NHS COVID Pass in the NHS App, and to function more efficiently in use, we place small files called cookies that are strictly necessary, on your devices. The cookie policy for the NHS COVID Pass can be found at: https://COVID-status.service.nhsx.nhs.uk/help/CookiePolicy/

The ‘strictly necessary cookies added to the NHS COVID Pass are:

NamePurpose
NameCOVIDStatusUserPreferencePurposeWe store which flow choice you made (UK events or international travel) to bring you back to the right place.
NameCOVID StatusQueueItPurposeThis cookie holds your user session information so that when you return from a waiting room to log on, you can continue your session within the service without having to log on again.

There are separate cookie policies for the wider applications of the NHS App, NHS login and the NHS.UK website. NHS Digital (NHSD) is the data controller for these technologies and further information can be found as below

SiteLink
SiteNHS loginLinkhttps://access.login.nhs.uk/cookies
SiteNHS AppLinkhttps://www.nhs.uk/nhs-app/nhs-app-legal-and-cookies/nhs-app-cookies-policy/
SiteNHS WebsiteLinkhttps://www.nhs.uk/our-policies/cookies-policy/
https://www.nhs.uk/our-policies/privacy-policy/

IP address: The app and website use an internet connection therefore your IP address will also be processed. This is inherent to the use of internet and IP technology and is necessary to technically establish a connection between the test performer’s or vaccinator’s server and your phone or browser. The IP address is processed for management and security purposes only.

Apple Wallet option: The iOS operating systems provide a feature called a 'Wallet Function'. This will allow smartphone users to collect and organise personal data within their device and have an available offline copy of their COVID Pass. Users of the NHS COVID Pass can download their COVID Pass directly into their wallet from within the COVID Pass App, avoiding the need to create a downloaded PDF copy. COVID Pass App users are advised to familiarise themselves with their smartphone providers terms and conditions of use prior to accepting inclusion of their COVID Pass into a local wallet function.

Google Wallet option: From 2 December, if you obtain your NHS COVID Pass through the NHS App or Google Chrome web browser using an Android phone, then you will be able to store your COVID Pass to the wallet of your mobile device. You will see the ‘Google Pay - save to phone’ button within the NHS App. You can then show your COVID-19 status at events and venues in England and for international travel. The ability to store your NHS COVID Pass in the Google Pay digital wallet is available to Google certified android devices manufactured from 2014 onwards (version 5 onwards).

What will I need to get or show my COVID Pass status?

Your status will be based on your vaccination history, exemption, recovery status or test results through either a

  • Completed course of approved COVID-19 vaccinations, 2 weeks after your second dose (or be a valid vaccination trial participant)
  • Valid test status: A negative Polymerase Chain Reaction (PCR) test result or rapid Lateral Flow Test (LFT) reported within the past 48 hours
  • A Medical Exemption or Clinical Trial exempt status

Report a COVID-19 rapid lateral flow test result - GOV.UK (www.gov.uk)

There are several different types of COVID-19 tests available including PCR tests and LFT tests. Relatively new LAMP and SAMBA II tests are also being made available in certain settings and their results can filter into the COVID Pass. From 25th November 2021, the NHS COVID Pass will be able to incorporate tests conducted in UKHSA laboratories and NHS Hospitals for those with a clinical need, as well as health and care workers. These tests are known as Pillar 1 tests. The COVID Pass will continue to reflect tests carried out for the wider population (known as Pillar 2 tests conducted at a COVID-19 test centre or kits) and includes PCR and rapid LFT tests.

It typically takes 24 hours for the test result to be processed. The COVID Pass will be available for 48 hours where a negative test result is available. A positive PCR, LAMP and SAMBA II test all remove the ability to surface a COVID pass for 10 days while you are infected, followed by a COVID pass based on natural immunity and recovery from day 10 to day 180; a positive LFT test removes the domestic pass for 10 days.

Note: Pillar 1 data from health and care settings can only incorporate Welsh test results for Welsh citizens tested in hospitals in England, and not all test results from hospitals in Wales. This is not available to Isle of Man residents.

- Using the letter (non-digital) service to get a COVID Pass

The letter service: You can call the 119-telephone service to request an NHS COVID Pass Travel Letter if you have completed a COVID-19 vaccination course and are over the age of 12. This will be printed and sent to you through the post to the address held on your GP medical record and will show all the vaccinations you have received including boosters. You can do this for yourself or on behalf of a third party with their consent. Only a person with legal responsibility for a child (12-15 years of age, e.g. a parent or guardian) can request this letter on their behalf.

Further information can be found at https://www.gov.uk/nhs-covid-pass-proving-youre-unable-to-be-vaccinated-andor-get-tested-for-medical-reasons

Note: The letter service is available for international travel with a scannable 2D barcode. A domestic letter for use at English events and premises is also available and carries a 1D barcode. There is no COVID Pass letter service available for domestic or international use that covers positive or negative test results or your recovery status (natural immunity). Your GP cannot provide you with this letter or service.

- Using the website service to request my COVID-19 status letter

As with the 119-letter service described above, you can also use the NHS.UK website to request an NHS COVID status letter. This will be sent to the address you have provided to your GP, held on your medical record. To access the service, visit the NHS.UK website at
Get your NHS COVID Pass letter - NHS (www.nhs.uk)

How can I get a COVID Pass if I am taking part in a clinical trial?

If you are exempt from receiving deployed approved vaccinations because you are in, or have taken part in, an NHS clinical trial, and may have received other vaccinations, you will be able to use the COVID Pass within the NHS App to display and share your COVID status in the UK for domestic purposes, displaying a green-for-go screen because of your exempt status. If you have had two vaccinations as part of an unblinded trial your COVID Pass status for international travel will display your trial vaccination events/history. However, acceptance of this internationally may depend on the trial that you have taken part in and, pending any international agreements, you may need to evidence your status for foreign travel through testing. Blinded trial participants (those who don't know whether they are being treated with the vaccine in development or a placebo), whose vaccination events are not recorded on the National Immunisation Management System will not be able to qualify for a COVID Pass based on clinical trial status rather than vaccine history.

However, vaccine clinical trial participants now have the option to get additional MHRA vaccine doses, to enable international travel to countries which currently only accept vaccination records with deployed COVID-19 vaccinations. From 2nd December 2021, these doses, along with the clinical trial doses (as long as they have been uploaded into NIMS by the clinical trial site) will be shown in the Travel Pass and the additional ‘View COVID-19 record’ screens. You can now see all the vaccines you have had. To have your additional dose, you will need to contact your clinical trial site in the first instance and attend a consultation. You will be asked to provide your signed consent to this treatment. You will then be asked to attend an appointment booked at a hospital hub to receive those additional doses, which will be recorded. If you have had a Pfizer booster jab, this can be re-coded as a primary course of vaccine, to make up part of the top up. You can call the 119 VDRS service to facilitate this. This is not however available if you have had a half dose Moderna as your booster.

Can I get a COVID Pass if I have a Medical Exemption?

You can now apply for a domestic NHS COVID Pass if you are: -

  • Over 18 years (or you turn 18 years in 3 months or less)
  • Resident in England and registered with a GP (Note: The English service is not available to residents in Wales, Jersey, or the Isle of Man)
  • Have a valid medical exemption to be excluded from vaccination or vaccination and testing (but not testing only). Examples of this include (but are not confined to) those who are in receipt of end-of-life care, are in receipt of certain treatments, have learning disabilities such as autism and cannot be vaccinated with reasonable adjustments or who have medical contraindications to all current approved COVID-19 vaccinations, or who have certain pregnancy complications.

The NHS COVID Pass for Medical Exemptions will be digitally available for domestic voluntary use reflecting current Government policy. For international use, acceptance will be dependent on foreign travel policy and the requirements set by individual countries as to what they will accept. There is no international agreement currently regarding medical exemptions. The Medical exemption COVID Pass does not disclose your medical history or detail.

You can apply for a Medical Exemption status for yourself or for someone else that you care for by calling 119. You will be asked to provide some initial non-medical personal information (first and second name, date of birth, NHS number, address and postcode, optional email address and GP practice). You will then be asked some basic screening questions but will not need to divulge your medical information to the 119-call handler.

NHS Digital is the data controller for Medical Exemptions whilst DHSC remains the data controller for the NHS COVID Pass.

If accepted as suitable to progress from the initial 119 call, you will be sent a form by post, it will have been partially filled in by the 119 service which you will then need to further complete and provide directly (i.e., by hand) to your clinician (registered GP, midwife, or NHS secondary care professional), who will access your medical records to progress the application. The GP or clinician will then have 10 working days from receipt to complete your assessment and form and update your Summary Care Record (SCRa). The application must meet the criteria for either vaccination exemption or vaccination and testing exemption status and not be based on testing only exemption. Once reviewed you will receive a letter confirming successful application for medical exemption status or that the exemption has been declined. This initial letter is not the NHS COVID Pass although you will be advised to retain this letter for your own records reflecting the fact that your medical exemption status will last for a maximum of 12 months. For shorter term exemptions such as pregnancy from the second trimester, the clinician may apply an end date of (for example) due date plus 16 weeks.

Where approval has been granted, the letter will contain details of how to progress getting the digital NHS COVID Pass. This is available via the NHS App and NHS.UK.

Your information will be shared with the service’s approved printers to produce information letters and with DHSC through NHSX for the purpose of providing the digital pass.

The domestic NHS COVID Pass Medical Exemption will have equivalence with the NHS COVID Pass for domestic use achieved through other means - vaccination, testing or recovery (from COVID-19) status.

If your medical exemption application decision is not upheld, there is no appeals process and you are advised to contact your GP or 119 to discuss other available options.

Further information can be found at https://www.gov.uk/nhs-COVID-pass-proving-youre-unable-to-be-vaccinated-andor-get-tested-for-medical-reasons

What if I have been vaccinated abroad?

A pilot scheme in operation from 30th September 2021, for English residents registered with a GP in England, who were vaccinated in part or in full abroad. This pilot has been for residents already known to NHS Digital, who are being contacted directly. As participants, you will have your vaccination history entered into the vaccination database held by NHS Digital on attending one of the pilot locations. The pilot scheme is being extended and will soon be covering more areas across England

Note: You will be eligible for this service if you have received AstraZeneca, Pfizer, Moderna or Janssen in the majority of countries across the world. There will remain a small number of countries and territories where this service will not be enabled. In the meantime international COVID passes accepted at the UK border are also accepted at events and venues in England.

For those seeking further information or who have not qualified for an NHS COVID Pass, please visit https://www.gov.uk/foreign-travel-advice

I work in adult social care and need to share my vaccination events

Where for employment or access purposes in adult social care settings, you are required to provide evidence that you have been fully vaccinated against COVID-19, one of the ways you can choose to do this is through the additional information that can be found in the Domestic NHS COVID Pass. When accessing your Domestic Pass digitally via the NHS App, there is an additional tab at the bottom of the screen display called ‘’View COVID-19 Records’’. By opening this tab (live access only), you can choose to share the details of your COVID-19 vaccination events. There are two levels of detail in this tab as below:

  • Level 1: Displays the type of vaccine you have had, doses by most recent first and the date you received each dose.
  • Level 2: Displays additional detail including manufacturer, batch number, country of vaccine and administration centre as verified by NHSD.

I am a visitor to England with an International Pass - can I use it for domestic settings?

If you are a visitor to England attending English venues and settings (where the organiser has chosen to apply COVID-19 certification or are identified as high risk venues or events), you may be able to show that you have a valid COVID Pass (see below). This has been made possible through international compliance with EU DCC standards (the EU Commission's Digital COVID Certificate) making the encoding of the 2D barcode within the COVID-19 international passes, interoperable. This applies to EU countries and those outside the EU, including the UK, wishing to use this same standard.

If you have an international digital COVID pass or gained entry to the UK with a paper copy carrying a 2D international barcode from your own country’s COVID Pass system, this can be presented to an English venue operator for

- a visual check (if scanning cannot be achieved, or where a visual check is preferable) so that the setting can confirm your status (but which may also reveal the medical information of vaccination events)

- scanning by the NHS COVID Pass Verifier (App) downloaded in advance to an operator's mobile device. The scanning process will not reveal any of the vaccination event details and will simply display the citizen’s name and a green tick as valid. Your data will not be retained, shared, or further processed in this verification process as it is a momentary screen to screen check.

In summary, an organisation can use visual checks or the COVID Pass Verifier App to check the following:

- For those citizens from Northern Ireland visiting English settings and needing to use their international pass and 2D barcode (unless and until a domestic pass becomes available), when scanned by the Verifier App, will only display a green tick pass and will not reveal any details of vaccination events.

- International visitors can continue to show an international pass (digital or paper versions) for a visual operator check in English domestic settings using voluntary certification. There is also the ability to scan these 2D international barcodes in domestic mode - which will not reveal the full details of vaccination events (reserved only for international travel purposes).

- For English residents, an international pass with 2D barcode cannot be scanned for entry into English venues and settings.

Where is my data held?

Your COVID-19 vaccination data is transferred from the point of care (where you received the vaccines), into the NHS England (NHSE) National Immunisation Management Service (NIMS) which is the IT software and infrastructure that supports the COVID-19 vaccination programme. NHSE is the data controller for the vaccination programme and provides your GP (who is the data controller for your medical record) with details of your vaccinations.

If you were vaccinated as part of a trial, you will have NHS COVID Pass exemption status within the NHS App.

Your demographic data: Your personal demographic details are held by the NHS Digital Personal Demographic Service (PDS) which is the national electronic database for NHS patient demographic data. This is your name, address, date of birth and NHS number, and if recorded, the mobile telephone number provided to your GP - all processed to assist in your rapid authentication. For the purposes of the letter service, your address is then linked to your vaccination data and provided to a secure printer service (including the option for a Braille version) from where the letter will be posted to you.

Your NHS COVID Pass is a mechanism to display your status and no information is held within this area of the NHS App. Your medical records are not accessed for this purpose and no access permissions are required or provided by your GP. While you are logged in to the NHS COVID Pass area, you can display your status in a live setting. During your session you have the option to download your status into a secure wallet in your mobile phone as a PDF copy or receive an off-line copy by email allowing your device and not the COVID Pass App to store your data. Logging out ends the display session.

Your Medical and Clinical Exemption data: Is held by NHS Digital as data controller for the Summary Care Record. Your medical records held by your GP are under the separate data controllership of your GP practice.

Apple and Google Wallet option: Both Android and iOS operating systems provide a feature called a “Wallet Function”. This function allows smartphone users to collect and organise personal data within their device. Users of the NHS COVID Pass are able to download their COVID Pass directly into their wallet from within the COVID Pass App, avoiding the need to create a downloaded pdf copy. COVID Pass App users are advised to familiarise themselves with their smartphone providers terms and conditions of use prior to accepting inclusion of their COVID Pass into a local wallet function.

What happens in other parts of the UK?

Wales:

From 15th October 2021, Welsh citizens and those attending events and settings in Wales classed as large venues, will need to prove that you are fully vaccinated or have tested negative in the last 48 hours for COVID-19. If you are a Welsh resident or live in England and were vaccinated in Wales, you can get a digital NHS COVID Pass if you were vaccinated in Wales and you are aged 16 or over

Welsh Vaccination Data: The Department of Health and Social Care (DHSC) has agreed with the Welsh Government to provide those Citizens residing in Wales with the ability to demonstrate their COVID-19 status. The Welsh Government has shared Welsh vaccination data with DHSC, from the Welsh vaccination database operated by the Welsh Health Board. This contains vaccination information supplied from the COVID-19 vaccine point of care systems approved by Public Health Wales who is the data controller for (and operates) the COVID-19 Vaccination Programme in Wales.

Testing Results for Welsh citizens: COVID-19 testing that takes place in Wales is not included in this service and you are advised to check the Welsh Test and Trace service for additional support:

Test Trace Protect | GOV.WALES

Scotland: It is now a requirement in Scotland to show a domestic pass when attending high risk events as determined by the Scottish government. If you are a Scottish resident registered with a Scottish GP or live in England and were vaccinated in Scotland, you cannot access the NHS COVID Pass service for England and Wales but can access the Scottish service at

https://www.nhsinform.scot/nhs-scotland-COVID-status

If you live in Scotland but are registered with a GP in England, you will be able to access the NHS App system for England.

Northern Ireland: If you are a Northern Irish resident, you are not able to access the NHS COVID Pass service for England and Wales. For further information please visit

Get a COVID-19 vaccination in Northern Ireland | nidirect

Note: If you were vaccinated in Wales, Scotland, Northern Ireland and are an English resident, your vaccine event data will be processed under cross border data sharing agreements and will show in your COVID Pass.

Isle of Man: If you are a citizen and resident of the Isle of Man, you can access the NHS England COVID Pass status service. You can choose either to access via the app and website or a non-digital route. The Isle of Man Government is using the UK NHS App for the purpose of providing residents with their own COVID-19 vaccination certificate for travel and will share information with NHS Digital on all COVID-19 vaccinations given in the Island. The Certificate or Pass is widely recognised and accepted for UK and international travel and will be available either electronically via the NHS App or as a paper copy as below. This will replace the temporary letter solution provided by Manx Healthcare. Your NHS number, full name, date of birth, gender and your post code must be provided to NHS Digital to confirm your identity using the Personal Demographics Service (the PDS), which is the national electronic database of NHS patient details, in order for your vaccination certificate to be available on the NHS app.

Further information and a link to the PDS Privacy Notice can be found here:

https://digital.nhs.uk/services/demographics/personal-demographics-service-fair-processing

DHSC via Manx Care will share all vaccination data with NHS Digital for its sole and specific use of providing Manx citizens with a COVID Pass service. If you wish to use the NHS COVID Pass service via the NHS App and website, your name, date of birth and information about each dose of the COVID-19 vaccine administered to you will be used to provide you with an electronic vaccine barcode certificate. Further privacy information can be found on the Manx-care website as below and you are advised to read this information and decide whether you wish to opt out of having your information shared in this way for this purpose:

https://www.gov.im/about-the-government/statutory-boards/manx-care/COVID-19-vaccination-certificate-privacy-statement/#accordion

You can obtain your NHS COVID Pass as detailed below:

  • digitally via the NHS App downloaded to your mobile device and the connected service within this App of the NHS COVID Pass. You will automatically be directed to NHS login as a first-time user to verify your identity credentials, after which you will be able to access your COVID status based on vaccination events for your own international travel or domestic use purposes.

  • digitally via the COVID Pass area at NHS.UK website for international travel, where you can download and print your Pass as a PDF document. To access the service, you’ll need to register for an NHS login, and provide a photographic ID (passport, full UK driving licence).

  • non-digital service (letter format) carrying the NHS logo, by telephoning 0808 1624 119 (from the Isle of Man only) if you can satisfy the vaccination requirements previously outlined.

Information about the retention of your data by Manx Care is available on the Manx Care Privacy Notice. If you wish to see the COVID-19 vaccination data processed about you, please contact Manx Care’s Data Protection Officer on DPO-ManxCare@gov.im. For the certification service, you will be able to contact the DPO for DHSC as detailed at the end of this notice.

Jersey, Guernsey, and Gibraltar: Further information is provided by your respective jurisdictions who are the data controllers for your COVID Pass:

- Jersey: https://www.gov.je/Health/Coronavirus/Vaccine/Pages/COVIDStatus.aspx

- Guernsey: https://COVID19.gov.gg/guidance/vaccine/passports

- Gibraltar: https://www.gibraltar.gov.gi/press-releases/government-issues-new-COVID-19-certificates-in-same-format-as-the-uks-nhs-COVID-pass-letter-apply-online-5472021-7121

The Personal Data we collect and how it is used

Personal DataNHS AppWebsite NHS.UKNHS login for NHS App and NHS.UKVaccination Letter service (119 and NHS.UK)Hash encoded data in the 2D barcodeMedical Exemptions
Personal DataFull name to correctly identify you.NHS App Website NHS.UK NHS login for NHS App and NHS.UKVaccination Letter service (119 and NHS.UK)Hash encoded data in the 2D barcodeMedical Exemptions
Personal Data Date of Birth to correctly identify you.NHS App Website NHS.UK NHS login for NHS App and NHS.UKVaccination Letter service (119 and NHS.UK)Hash encoded data in the 2D barcodeMedical Exemptions
Personal Data NHS number to correctly identify you.NHS App Website NHS.UK NHS login for NHS App and NHS.UK*Vaccination Letter service (119 and NHS.UK)Hash encoded data in the 2D barcodeMedical Exemptions
Personal Data Home address (Including Postcode) * To correctly send COVID Pass letters to your home address if requested.NHS App Website NHS.UK NHS login for NHS App and NHS.UK*Vaccination Letter service (119 and NHS.UK)Taking address from PDS*Hash encoded data in the 2D barcodeMedical Exemptions
Personal Data Landline and/or Mobile phone numbers.
  • To be able to contact you if you have requested a Pass, or require support.
  • SMS text message if using the letter route in the event of a failed journey or to receive a vaccine test result.
NHS App Website NHS.UK NHS login for NHS App and NHS.UKMobileVaccination Letter service (119 and NHS.UK)Hash encoded data in the 2D barcodeMedical Exemptions
Personal Data Email address.
  • To be able to contact you if you have requested a Pass, or require support
  • If using the non digital letter service in the event of a failed journey
NHS App Website NHS.UK NHS login for NHS App and NHS.UKVaccination Letter service (119 and NHS.UK)Hash encoded data in the 2D barcodeMedical Exemptions
Personal Data Third parties’ contact details may be taken if they have agreed to be contacted on behalf of other adults.NHS App Website NHS.UK NHS login for NHS App and NHS.UKVaccination Letter service (119 and NHS.UK)Hash encoded data in the 2D barcodeMedical Exemptions
Personal Data Photographic ID verificationNHS App Website NHS.UK NHS login for NHS App and NHS.UK*Vaccination Letter service (119 and NHS.UK)Hash encoded data in the 2D barcodeMedical Exemptions
Personal Data Special Category (Health) Data Your vaccination and test dataNHS App Website NHS.UK NHS login for NHS App and NHS.UKVaccination Letter service (119 and NHS.UK)Hash encoded data in the 2D barcodeMedical Exemptions
Personal Data Automated decision making or profiling is not engaged in this service provision (Article 22 of UK GDPR)NHS App XWebsite NHS.UK XNHS login for NHS App and NHS.UKXVaccination Letter service (119 and NHS.UK)XHash encoded data in the 2D barcodeXMedical Exemptions X
Personal Data * Only required for international travel and other uses of the NHS App which provide you with access to your medical records

How will my information be shared?

For the digital service:
Your data is taken from approved source systems, point of care systems, the NHS Digital vaccination data store, and the National Immunisation Management System (NIMS) owned by NHS England (NHSE). NHSE shares your data with NHS Digital who make your data available to you either via the NHS App or NHS.UK.

For the non-digital service:
In summary, your data is taken from the point of care system, NIMS (NHSE) and shared with DHSC. Demographic data is shared with DHSC by NHS Digital This data is used to verify the details provided by you and provides the address held on record for the letter to be sent to you.

Note: There is no transfer of data outside the wider UK and Crown Dependency community.

The lawful basis for processing your personal data

UK GDPR Art. 6 (1)(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller to meet the statutory obligations under Section 2A(1) of NHS Act 2006, to protect public health; and

UK GDPR Art. 9 (2)(g) processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject Underpinned by the Data Protection Act (DPA) 2018 – Schedules 1, Part 2, para 6 - Statutory and government purposes relating to public health and in particular the management of the COVID-19 public health emergency;

UK GDPR Art. 9 (2)(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services based on Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3, underpinned by

Data Protection Act 2018 (DPA 2018), Schedule 1 - Part 1, Section 2 (2) [ f] where the condition for processing special category data is met for the health or social care purposes through the management of healthcare systems or services where the conditions and safeguards in Section 3, public health, are met.

UK GDPR Art. 9 (2)(i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, based on Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy.

How long do we keep your Personal Data?

Digital users: Data is not stored within the NHS COVID Pass section of the NHS App. The data is displayed during your live login session. Your COVID-19 data will not be retained once you log off.

Non-digital users: For users of the 119-letter service, (directly or via a self-request on NHS.UK) your data will not be retained once the letter has been printed and posted.

Additional retention periods may be engaged in circumstances where a data subject exercises their information access rights:

  • In cases of legal complaints - data may be retained for a period of 10 years.
  • Subject Access Requests (SAR) and Freedom of Information Requests (FOI) - 3 years.
  • Subject Access requests & FOI requests where there has been an appeal - 6 years.

Your rights as a data subject

By law, you have rights as a data subject. Your rights under the General Data Protection Regulation and the UK Data Protection Act 2018 apply.

  • Your right to get copies of your information – you have the right to ask for a copy of any information about you that is held or controlled by DHSC.
  • Your right to update or correct your information – you have the right to ask for any information held about you that you think is inaccurate, to be corrected.
    Note: If information you have provided to your GP/health service is out of date, you will need to correct this at the source to whom you provided the data. If there are inaccuracies because of incorrect information held on our systems about you, please contact the 119 service in the first instance.
  • Your right to limit how your information is used – you have the right to ask for any of the information held about you to be restricted, for example, if you think inaccurate information is being used.
  • Your right to object to your information being used – you can ask for any information held about you to not be used. However, this is not an absolute right, and we may need to continue using your information, and we will tell you if this is the case.
  • Your right to get your information deleted – this is not an absolute right, and we may need to continue to use your information, and we will tell you if this is the case.

If you are unhappy or wish to complain about how your Personal Data is used by the service, you should contact DHSC in the first instance to resolve your issue. If you’re still not satisfied, you can complain to the Information Commissioner’s Office. You can get in touch with us by contacting the Data Protection Officer. The Data Protection Officer for DHSC is Lee Cramp, who can be contacted by sending an email to data.protection@dhsc.gov.uk

Once we receive your request, members of our Data Protection Team will endeavour to get back to you as soon as possible to confirm receipt.

Data security

Appropriate technical, organisational and administrative security measures are employed within our systems to protect any information we hold in our records from loss, misuse, unauthorised access, disclosure, alteration, and destruction. We have written procedures and policies which are regularly audited and reviewed at a senior level.

Changes to this Privacy Notice

We keep our Privacy Notice under regular review, and we will make new versions available on our Privacy Notice page on the DHSC website. This Privacy Notice was last updated on 9th December 2021

Data Controller

The Data Controller for the NHS COVID-19 Pass status service is the Department of Health and Social Care (DHSC). Please contact the Data Protection Officer as below if you require further information or wish to bring something to our attention.

In writing:
DPO
Department of Health and Social Care
1st Floor North
39 Victoria Street
London SW1H 0EU


By email:
data.protection@dhsc.gov.uk

Formal complaint about the processing

If, after contacting the DPO as above, you wish to make a formal complaint about the processing of your personal data, please contact the Information Commissioner at:

Information Commissioner's Office (ICO)
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Telephone: 0303 123 1113
Fax: 01625 524510

https://ico.org.uk/

Last Updated: 9th December 2021