How the NHS COVID Pass uses your information and your data rights
What is the purpose of the NHS COVID Pass service?
The Department for Health and Social Care (DHSC) as data controller, is providing citizens with a COVID Pass service to ensure that you can evidence and share your COVID-19 vaccination or test result status. This is called the NHS COVID Pass status service and it is available to you both digitally through an App or website as well as a non-digital letter service. The purpose for using the service will be to demonstrate a lower risk of transmitting the disease to others for either international travel or our own domestic purposes. Your status will be based on either your completed vaccination history, (or exemption from vaccination if you have been on a clinical trial), your natural immunity (positive PCR test in the last 180 days), or testing results (negative Lateral Flow Test result in the last 48 hours).
As part of the country’s progression to the Step 4 roadmap of the Government’s COVID-19 recovery plan from 19th July 2021, a new phase of continued caution means that within the UK, you may need to demonstrate your COVID Pass status to participate in some events and attend certain venues as measures continue encouraging and supporting businesses and large events to use the NHS COVID Pass in high risk settings to help to limit the risk of infection. The Government will continue to work with organisations that operate large, crowded settings where people are likely to be in close proximity to others outside their household to encourage the use of the NHS COVID Pass. There may also be further Events Research Programme (ERP) events from 19th July 2021 requiring an NHS COVID Pass.
These measures will assist in preserving public health within the UK, as well as to facilitate foreign travel in accordance with emerging UK and international policy and guidance at the point of travel. It will remain necessary to be vigilant for updates and changes to entry and travel requirements before going, such as getting a negative pre-departure test.
What is meant by NHS COVID Pass ‘Status’?
- Vaccination status (approved vaccine or trial participants)
- Test status (PCR; and LFT within 48 hours)
- Exemption status (trial participants, clinical exemptions approved by GP)
- Natural Immunity Status (those who have had a positive PCR test result in the last 180 days).
Where can I find the NHS COVID Pass service?
- Using the digital service to access and display my COVID-19 status
What data will be displayed for sharing on my phone?
|COVIDStatusUserPreference||We store which flow choice you made (UK events or international travel) in order to bring you back to the right place.|
|COVID StatusQueueIt||This cookie holds your user session information so that when you return from a waiting room to log on, you can continue your session within the service without having to log on again.|
- Using the non-digital service to access my COVID-19 status
The letter service: You can dial the 119 telephone service to request your vaccination status in a letter. This will be printed and sent to you through the post to the address held on your GP medical record.
Note: You will only be able to demonstrate your vaccination history via this service and not your exemption status or test results. Your GP cannot provide you with this letter or service.
- Using the website service to request my COVID-19 status letter
As with the 119 letter service, you can also use the NHS.UK website to request an NHS COVID status vaccination letter. This will be sent to the address you have provided to your GP, held on your medical record. To access the service, visit the NHS.UK website at
How do I evidence my COVID Pass status if I am taking part in a clinical trial?
If you are exempt from being vaccinated because you are in, or have taken part in, a clinical trial, you will be able to use the COVID Pass within the NHS App to display and share your COVID status with the green-for-go screen for any domestic events within the UK. Your COVID Pass status for international travel may depend on the trial that you have taken part in and, pending any international agreements, you may need to evidence your status for foreign travel through testing. If you have already been provided with an interim letter, you can continue to use this letter until this expires on 31st July 2021.
What will I need to get or show my COVID Pass status?
Your status will be based on your vaccination history, exemption, or test results through either a
- Completed course of approved COVID-19 vaccinations, 2 weeks after your second dose (or be a valid vaccination trial participant)
- Valid test status: A Polymerase Chain Reaction (PCR) test result - a positive PCR test (within the past 6 months giving you natural immunity status after self-isolating and up to 180 days after taking the test), or negative PCR test or rapid Lateral Flow Test (LFT) reported within the past 48 hours.
Report a COVID-19 rapid lateral flow test result - GOV.UK (www.gov.uk)
Where is my data held?
Your COVID-19 vaccination data is transferred from the point of care (where you received the vaccines), into the NHS England (NHSE) National Immunisation Management Service (NIMS) which is the IT software and infrastructure that supports the COVID-19 vaccination programme. NHSE is the data controller for the vaccination programme and provides your GP (who is the data controller for your medical record) with details of your vaccinations.
If you were vaccinated as part of a trial, you will be given NHS COVID Pass exemption status within the NHS App.
Your test results are transferred from the Test and Trace Service held by the DHSC infrastructure. A code will be provided to you or your test centre, when the results of a Lateral Flow test (LFT) or a Polymerase Chain Reaction (PCR) are reported online or by phone for you to enter in the COVID Pass area of the NHS App and your results will be linked to your status. The test and reporting need to be completed within the past 48 hours. As a result of these short timeframes, seeking negative test results by letter is not possible as the letter may take 5 days to arrive.
Further information on testing is available on the Test and Trace website:NHS Test and Trace in the workplace - GOV.UK (www.gov.uk)
Note: Private testing is not currently part of the service.
Your demographic data: Your personal demographic details are held by the NHS Digital Personal Demographic Service (PDS) which is the national electronic database for NHS patient demographic data. This is your name, address, date of birth and NHS number, and if recorded, the mobile telephone number provided to your GP - all processed to assist in your rapid identification. For the purposes of the letter service, your address is then linked to your vaccination data and provided to a secure printer service (including the option for a Braille version) from where the letter will be posted to you.
Your NHS COVID Pass is a mechanism to display your status and no information is held within this area of the NHS App. Your medical records are not accessed for this purpose and no access permissions are required or provided by your GP. While you are logged in to the NHS COVID Pass area, you can display your status in a live setting. During your session you have the option to download your status as a PDF copy to your phone or receive an off-line copy by email allowing your device and not the COVID Pass App to store your data. Logging out ends the display session.
What happens in other parts of the UK?
If you are a Welsh resident or live in England and were vaccinated in Wales: You can get a digital NHS COVID Pass if you were vaccinated in Wales and you are aged 16 or over
digitally via the COVID Pass area at NHS.UK website for international travel, where you can download and print your Pass as a PDF document. To access the service, you’ll need to register for an NHS Login, and provide a photographic ID (passport, full UK driving licence).
non-digital service (letter format) from 0300 303 5667 (to be available via 119 in the coming weeks) if you can satisfy the vaccination requirements previously outlined.
NHS COVID Pass within the NHS App is currently unavailable.
For further information, visit Get the NHS COVID Pass to show your vaccination status for travel | GOV.WALES
- - If you live in Wales but are registered with a GP in England you will be able to access the NHS App system for England.
Welsh Vaccination Data: The Department of Health and Social Care (DHSC) has agreed with the Welsh Government to provide those Citizens residing in Wales with the ability to demonstrate their COVID-19 status. NHS Digital has provided the information about your vaccination history to the COVID Pass service, on behalf of the Welsh Government, from the Welsh vaccination database operated by the Welsh Health Board. This contains vaccination information supplied from the COVID-19 vaccine point-of-care systems approved by Public Health Wales who is the data controller for (and operates) the COVID-19 Vaccination Programme in Wales.
Testing Results for Welsh citizens: COVID-19 testing that takes place in Wales is not included in this service and you are advised to check the Welsh Test and Trace service for additional support:
The Personal Data we collect and how it is used
|Personal Data||NHS App||Website NHS.UK||NHS Login for NHS App and NHS.UK||Vaccination Letter service (119 and NHS.UK)|
|Full name to correctly identify you.|
|Date of Birth to correctly identify you.|
|NHS number to correctly identify you.||*|
|Home address (Including Postcode) * To correctly send COVID Pass letters to your home address if requested.||*||Taking address from PDS*|
|Landline and/or Mobile phone numbers.||Mobile|
|Third parties’ contact details may be taken if they have agreed to be contacted on behalf of other adults.|
|Photographic ID verification||*|
|Special Category (Health) Data Your vaccination and test data|
|Automated decision making or profiling is not engaged in this service provision (Article 22 of UK GDPR)||X||X||X||X|
|* Only required for international travel and other uses of the NHS App which provide you with access to your medical records|
Automated decision making or profiling.
For the purposes of effective compliance with the requirements of Article 22 of the UK General Data Protection Regulations (GDPR), the DHSC considers that automated decision making is not engaged in this service.
How will my information be shared?
For the digital service:
In summary, your data is taken from approved source systems, point of care systems, the NHS Digital vaccination data store and the National Immunisation Management System (NIMS) owned by NHS England (NHSE). NHSE shares your data with NHS Digital who make your data available to you either via the NHS App or NHS.UK.
For the non-digital service:
In summary, your data is taken from the point of care system, NIMS (NHSE) and shared with DHSC. Demographic data is shared with DHSC by NHS Digital This data is used to verify the details provided by you and provides the address held on record for the letter to be sent to you.
Note: There is no transfer of data outside the UK.
The lawful basis for processing your personal data
UK GDPR Art. 6 (1)(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller to meet the statutory obligations under Section 2A(1) of NHS Act 2006, to protect public health; and
UK GDPR Art. 9 (2)(g) processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject Underpinned by the Data Protection Act (DPA) 2018 – Schedules 1, Part 2, para 6 - Statutory and government purposes relating to public health and in particular the management of the COVID-19 public health emergency;
UK GDPR Art. 9 (2)(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3, underpinned by
Data Protection Act 2018 (DPA 2018), Schedule 1 - Part 1, Section 2 (2)[ f] where the condition for processing special category data is met for the health or social care purposes through the management of healthcare systems or services where the conditions and safeguards in Section 3, public health, are met.
UK GDPR Art. 9 (2)(i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy, underpinned by DPA 2018 – Schedule 1, Part 1, s. 2(2)(f) – health or social care purposes.
How long do we keep your Personal Data?
Digital users: Data is not stored within the NHS COVID Pass area of the NHS App. The data is displayed during your live login session. Your COVID-19 data will not be retained once you log off.
Non-digital users: For users of the 119 letter service, your data will not be retained once the letter has been printed and posted.
Additional retention periods may be engaged in circumstances where a data subject exercises their information access rights:
- In cases of legal complaints - data may be retained for a period of 10 years.
- Subject Access Requests (SAR) and Freedom of Information Requests (FOI) - 3 years.
- Subject Access requests & FOI requests where there has been an appeal - 6 years.
Your rights as a data subject
- Your right to get copies of your information – you have the right to ask for a copy of any information about you that is held or controlled by DHSC.
- Your right to update or correct your information – you have the right to ask for any information held about you that you think is inaccurate, to be corrected.
Note: If information you have provided to your GP/health service is out of date, you will need to correct this at the source to whom you provided the data. If there are inaccuracies as a result of incorrect information held on our systems about you, please contact the 119 service in the first instance.
- Your right to limit how your information is used – you have the right to ask for any of the information held about you to be restricted, for example, if you think inaccurate information is being used.
- Your right to object to your information being used – you can ask for any information held about you to not be used. However, this is not an absolute right, and we may need to continue using your information, and we will tell you if this is the case.
- Your right to get your information deleted – this is not an absolute right, and we may need to continue to use your information, and we will tell you if this is the case.
If you’re unhappy or wish to complain about how your Personal Data is used by the service you should contact DHSC in the first instance to resolve your issue. If you’re still not satisfied, you can complain to the Information Commissioner’s Office.
You can get in touch with us by contacting the Data Protection Officer. The Data Protection Officer for DHSC is Lee Cramp, who can be contacted by sending an email to email@example.com
Once we receive your request, members of our Data Protection Team will endeavour to get back to you as soon as possible to confirm receipt.
Appropriate technical, organisational and administrative security measures are employed within our systems to protect any information we hold in our records from loss, misuse, unauthorised access, disclosure, alteration and destruction. We have written procedures and policies which are regularly audited and reviewed at a senior level.
Changes to this Privacy Notice
We keep our Privacy Notice under regular review, and we will make new versions available on our Privacy Notice page on the DHSC website. This Privacy Notice was last updated on 22nd June 2021.
The Data Controller for the NHS COVID-19 Pass status service is the Department of Health and Social Care (DHSC). Please contact the Data Protection Officer as below in the event that you require further information or wish to bring something to our attention.
Department of Health and Social Care
1st Floor North
39 Victoria Street
London SW1H 0EU
Formal complaint about the processing
If, after contacting the DPO as above, you wish to make a formal complaint about the processing of you personal data, please contact the Information Commissioner at:
Information Commissioner's Office (ICO)
Telephone: 0303 123 1113
Fax: 01625 524510