How the NHS COVID Pass uses your information and your data rights
What is the purpose of the NHS COVID Pass service?
The Department for Health and Social Care (DHSC) as data controller, is providing citizens with a COVID Pass service to ensure that you can evidence and share your COVID-19 vaccination or test result status. This is called the NHS COVID Pass status service and it is available to you both digitally through an App or website as well as a non-digital letter service. The purpose for using the service will be to demonstrate a lower risk of transmitting the disease to others for either international travel or our own domestic purposes. Your status will be based on either your completed vaccination history, (or exemption from vaccination if you have been on a clinical trial), your natural immunity (positive PCR test in the last 180 days), or testing results (negative Lateral Flow/PCR Test result in the last 48 hours).
A new phase of continued caution means that within the UK, you may need to demonstrate your COVID Pass status to participate in some events and attend certain venues as measures continue to encourage and support businesses and large events to use the NHS COVID Pass in high risk settings to help to limit the risk of infection. The Government will also continue to work with organisations that operate large, crowded settings where people are likely to be in close proximity to others outside their household to encourage the use of the NHS COVID Pass.
These measures are there to assist in preserving public health within the UK, as well as to facilitate international travel, in accordance with emerging UK and international policy and guidance at the point of travel. It remains necessary for individuals to be vigilant on updates and changes to entry and travel requirements prior to any international travel including the red status of foreign countries and quarantine/isolation and entry requirements for vaccination and testing. A full vaccination course is increasingly becoming the entry requirement and you may be able to use your COVID Pass domestically within a number of overseas countries.
What is meant by NHS COVID Pass ‘Status’?
- Vaccination status (approved vaccine or trial participants)
- Test status (PCR; and LFT within 48 hours)
- Exemption status (trial participants, medical exemptions approved by GPs, midwives and clinicians)
- Recovery from COVID-19 Status (those who have had a positive PCR test result in the last 180 days).
Where can I find the NHS COVID Pass service?
Please ensure your contact and personal details including mobile phone number, are up to date with your registered GP.
- Using the digital service to access and display my COVID-19 status
What data will be displayed for sharing on my phone?
|COVIDStatusUserPreference||We store which flow choice you made (UK events or international travel) in order to bring you back to the right place.|
|COVID StatusQueueIt||This cookie holds your user session information so that when you return from a waiting room to log on, you can continue your session within the service without having to log on again.|
IP address: The app and website use an internet connection therefore your IP address will also be processed. This is inherent to the use of internet and IP technology and is necessary to technically establish a connection between the test performer’s or vaccinator’s server and your phone or browser. The IP address is processed for management and security purposes only.
- Using the letter (i.e. non-digital service) to access my COVID-19 status
The letter service: You can call the 119 telephone service to request your vaccination status in a letter. This will be printed and sent to you through the post to the address held on your GP medical record.
Note: You will only be able to demonstrate your international vaccination status as well as exemption status and not your recovery status or negative test results. Your GP cannot provide you with this letter or service.
- Using the website service to request my COVID-19 status letter
As with the 119 letter service, you can also use the NHS.UK website to request an NHS COVID status vaccination letter. This will be sent to the address you have provided to your GP, held on your medical record. To access the service, visit the NHS.UK website at
How do I evidence my COVID Pass status if I am taking part in a clinical trial?
If you are exempt from receiving deployed approved vaccinations because you are in, or have taken part in, an NHS clinical trial, and may have received other vaccinations, you will be able to use the COVID Pass within the NHS App to display and share your COVID status in the UK. This will only be for domestic purposes, displaying a green-for-go screen as a result of your exempt status within the UK. If you have had two vaccinations as part of an unblinded trial your COVID Pass status for international travel will display your trial vaccination events/history. However, acceptance of this internationally may depend on the trial that you have taken part in and, pending any international agreements, you may need to evidence your status for foreign travel through testing. Before undertaking any further COVID vaccinations outside the trial environment, you are advised to contact both your trial site and GP for clinical assessment and advice.
Currently, those that have taken part in private clinical trials for COVID-19 vaccinations will not be able to gain an NHS COVID Pass.
Can I get a COVID Pass if I have a Medical Exemption?
- Over 18 years (or you turn 18 years in 3 months or less)
- Resident in England and registered with a GP (Note: The English service is not available to residents in Wales, Jersey or the Isle of Man)
- Have a valid medical exemption to be excluded from vaccination or vaccination and testing (but not testing only). Examples of this include (but are not confined to) those who are in receipt of end of life care, are in receipt of certain treatments, have learning disabilities such as autism and cannot be vaccinated with reasonable adjustments or who have medical contraindications to all current approved COVID-19 vaccinations, or who have certain pregnancy complications.
The NHS COVID Pass for Medical Exemptions will be available for domestic voluntary use reflecting current Government policy. For international use, acceptance will be dependent on foreign travel policy and the requirements set by individual countries as to what they will accept. There is no international agreement at this time in regards to medical exemptions.
You can apply for a Medical Exemption status for yourself or for someone else that you care for by calling 119. You will be asked to provide some initial personal information (first and second name, date of birth, NHS number, address and postcode, optional email address and GP practice). You will then be asked some basic screening questions but will not need to divulge your medical information.
NHS Digital is the data controller for Medical Exemptions whilst DHSC remains the data controller for the NHS COVID Pass.
If accepted as suitable to progress from the initial 119 call, you will be sent a form by post, been partially filled in by the 119 service which you will need to complete and provide directly (i.e., by hand) to your clinician (registered GP, midwife or NHS secondary care professional). The GP or clinician will then have 10 working days from receipt to complete your assessment and form,and update your Summary Care Record (SCR). The application must meet the criteria for either vaccination exemption or vaccination and testing exemption status and not be based on testing only exemption. Once reviewed you will receive a letter confirming successful application for medical exemption status or that the exemption has been declined. This initial letter is not the NHS COVID Pass although you will be advised to retain this letter for your own records reflecting the fact that your medical exemption status will last for a maximum of 12 months. For shorter term exemptions such as pregnancy from the second trimester, the clinician may apply an end date of (for example) due date plus 16 weeks.
Where approval has been granted, the letter will contain details of how to progress to getting the NHS COVID Pass. This is immediately available via the digital route within the NHS App and NHS.UK, or by requesting a letter from the 119 service (which will take about 5 days to receive). Your information will therefore be shared with the service’s approved printers for the production of letters and also with NHSX for the purpose of providing the digital pass.
Note: The domestic NHS COVID Pass Medical Exemption letter is valid for 30 days from the date of issue in line with the digital pass and does not reflect any separate expiry connected with the medical exemption itself. A further domestic NHS COVID Pass Medical Exemption letter will need to be requested from 119 once a Pass letter has expired, but you will NOT need to repeat the medical exemption application process as this status will be retained for a maximum of one year or as set out for a shorter term exemption.
The domestic NHS COVID Pass Medical Exemption letter will have equivalence with the NHS COVID Pass for domestic use achieved through the currently available other means vaccination, testing or recovery (from COVID-19) status. Your medical exemption details will not be revealed by the domestic COVID Pass.
If your medical exemption application decision is not upheld, there is no appeals process and you are advised to contact your GP or 119 to discuss other available options.
Further information can be found at https://www.gov.uk/nhs-covid-pass-proving-youre-unable-to-be-vaccinated-andor-get-tested-for-medical-reasons
What if I have been vaccinated abroad?
A pilot scheme will be in operation from 30th September 2021, for English residents registered with a GP in England, who were vaccinated in part or in full abroad, This pilot is for citizens already known to NHS Digital, and you will be contacted directly. As participants, you will have your vaccination history entered into the vaccination database held by NHS Digital on attending one of the pilot locations.
If you have received the approved vaccines below, regulated by the EMA,FDA and Swissmedic, you will be able to access the NHS COVID Pass within 5 days of being invited to use the pilot service.
There will be certain cases where vaccination details will not yield an NHS COVID Pass. This is likely where the vaccine has not been regulated by one or more of the three bodies named above.
For those seeking further information or who have not qualified for an NHS COVID Pass, please visit https://www.gov.uk/foreign-travel-advice
I am a visitor to England with an International Pass - can I use it for domestic settings?
From 30th September 2021, visitors to England from other devolved administrations attending English venues and settings, can show that they have a valid COVID Pass, using their international 2D barcode which can be scanned by the NHS COVID Pass Verifier App to show a green tick pass (withholding all medical and vaccination details). This is a temporary measure until a domestic pass is available to those nations.
For those overseas visitors who only have an international digital pass or paper copy carrying a 2D international barcode from your own country’s COVID Pass system, this cannot be scanned by the Verifier App and therefore those from the EU and wider countries can show their paper documents or digital pass for a visual inspection by a venue operator.
- For English residents, an international pass with 2D barcode cannot be scanned for entry into English venues and settings, and
- For those citizens from Scotland and Northern Ireland visiting English settings and needing to use their international pass and 2D barcode (unless and until a domestic pass is available), when scanned by the Verifier App, will only display a green tick pass and will not reveal any details of vaccination events.
- International visitors can continue to show an international pass (digital or paper versions) for a visual operator check in English domestic settings using voluntary certification.There is no current ability to scan these barcodes.
What will I need to get or show my COVID Pass status?
Your status will be based on your vaccination history, exemption, or test results through either a
- Completed course of approved COVID-19 vaccinations, 2 weeks after your second dose (or be a valid vaccination trial participant)
- Valid test status: A Polymerase Chain Reaction (PCR) test result - a positive PCR test (within the past 6 months giving you natural immunity status after self-isolating and up to 180 days after taking the test), or negative PCR test or rapid Lateral Flow Test (LFT) reported within the past 48 hours.
- A Medical Exemption or Clinical Trial exempt status
Report a COVID-19 rapid lateral flow test result - GOV.UK (www.gov.uk)
Where is my data held?
Your COVID-19 vaccination data is transferred from the point of care (where you received the vaccines), into the NHS England (NHSE) National Immunisation Management Service (NIMS) which is the IT software and infrastructure that supports the COVID-19 vaccination programme. NHSE is the data controller for the vaccination programme and provides your GP (who is the data controller for your medical record) with details of your vaccinations.
If you were vaccinated as part of a trial, you will have NHS COVID Pass exemption status within the NHS App.
Your test results are transferred from the Test and Trace Service held by the DHSC infrastructure. A code will be provided to you or your test centre, when the results of a Lateral Flow test (LFT) or a Polymerase Chain Reaction (PCR) are reported online or by phone for you to enter in the COVID Pass area of the NHS App and your results will be linked to your status. The test and reporting need to be completed within the past 48 hours. As a result of these short timeframes, seeking negative LFT or PCR test results by letter is not possible as the letter may take 5 days to arrive.
Further information on testing is available on the Test and Trace website: NHS Test and Trace in the workplace - GOV.UK (www.gov.uk)
Note: Private testing results are currently not part of the service.
Your demographic data: Your personal demographic details are held by the NHS Digital Personal Demographic Service (PDS) which is the national electronic database for NHS patient demographic data. This is your name, address, date of birth and NHS number, and if recorded, the mobile telephone number provided to your GP - all processed to assist in your rapid identification. For the purposes of the letter service, your address is then linked to your vaccination data and provided to a secure printer service (including the option for a Braille version) from where the letter will be posted to you.
Your NHS COVID Pass is a mechanism to display your status and no information is held within this area of the NHS App. Your medical records are not accessed for this purpose and no access permissions are required or provided by your GP. While you are logged in to the NHS COVID Pass area, you can display your status in a live setting. During your session you have the option to download your status into a secure wallet in your mobile phone as a PDF copy to your phone or receive an off-line copy by email allowing your device and not the COVID Pass App to store your data. Logging out ends the display session.
Your Medical and Clinical Exemption data: Is held by NHS Digital as data controller for the Summary Care Record. Your medical records held by your GP are under the separate data controllership of your GP practice.
Apple and Google Wallet option: Both Android and iOS operating systems provide a feature called a “Wallet Function”. This function allows smartphone users to collect and organise personal data within their device. Users of the NHS COVID Pass are able to download their COVID Pass directly into their wallet from within the COVID Pass App, avoiding the need to create a downloaded pdf copy. COVID Pass App users are advised to familiarise themselves with their smartphone providers terms and conditions of use prior to accepting inclusion of their COVID Pass into a local wallet function.
Note: The facility for Google wallet will follow in October 2021.
What happens in other parts of the UK?
If you are a Welsh resident or live in England and were vaccinated in Wales: You can get a digital NHS COVID Pass if you were vaccinated in Wales and you are aged 16 or over
digitally via the COVID Pass area at NHS.UK website for international travel, where you can download and print your Pass as a PDF document. To access the service, you’ll need to register for an NHS Login, and provide a photographic ID (passport, full UK driving licence).
non-digital service (letter format) from 0300 303 5667 if you can satisfy the vaccination requirements previously outlined. Please note, this service is being provided by Welsh Healthcare and is not part of the NHS COVID Pass service for England.
The NHS COVID Pass within the NHS App is NOT currently available to you
For further information, visit Get the NHS COVID Pass to show your vaccination status for travel | GOV.WALES
- If you live in Wales but are registered with a GP in England you will be able to access the NHS App system for England.
Welsh Vaccination Data: The Department of Health and Social Care (DHSC) has agreed with the Welsh Government to provide those Citizens residing in Wales with the ability to demonstrate their COVID-19 status. The Welsh Government has shared Welsh vaccination data with DHSC, from the Welsh vaccination database operated by the Welsh Health Board. This contains vaccination information supplied from the COVID-19 vaccine point of care systems approved by Public Health Wales who is the data controller for (and operates) the COVID-19 Vaccination Programme in Wales.
Testing Results for Welsh citizens: COVID-19 testing that takes place in Wales is not included in this service and you are advised to check the Welsh Test and Trace service for additional support:
digitally via the NHS App downloaded to your mobile device and the connected service within this App of the NHS COVID Pass. You will automatically be directed to NHS login as a first time user to verify your identity credentials, after which you will be able to access your COVID status based on vaccination events for your own international travel or domestic use purposes.
digitally via the COVID Pass area at NHS.UK website for international travel, where you can download and print your Pass as a PDF document. To access the service, you’ll need to register for an NHS login, and provide a photographic ID (passport, full UK driving licence).
non-digital service (letter format) carrying the NHS logo, by telephoning 0808 1624 119 (from the Isle of Man only) if you can satisfy the vaccination requirements previously outlined.
you have had 2 doses of a COVID-19 vaccine or full course if single dose
both doses of the vaccine were delivered in Jersey.
Further information is provided by your data controller at: https://www.gov.je/Health/Coronavirus/Vaccine/Pages/CovidStatus.aspx
The Personal Data we collect and how it is used
|Personal Data||NHS App||Website NHS.UK||NHS login for NHS App and NHS.UK||Vaccination Letter service (119 and NHS.UK)||Hash encoded data in the 2D barcode|
|Full name to correctly identify you.|
|Date of Birth to correctly identify you.|
|NHS number to correctly identify you.||*|
|Home address (Including Postcode) * To correctly send COVID Pass letters to your home address if requested.||*||Taking address from PDS*|
|Landline and/or Mobile phone numbers.||Mobile|
|Third parties’ contact details may be taken if they have agreed to be contacted on behalf of other adults.|
|Photographic ID verification||*|
|Special Category (Health) Data Your vaccination and test data|
|Automated decision making or profiling is not engaged in this service provision (Article 22 of UK GDPR)||X||X||X||X||X|
|* Only required for international travel and other uses of the NHS App which provide you with access to your medical records|
How will my information be shared?
For the digital service:
In summary, your data is taken from approved source systems, point of care systems, the NHS Digital vaccination data store and the National Immunisation Management System (NIMS) owned by NHS England (NHSE). NHSE shares your data with NHS Digital who make your data available to you either via the NHS App or NHS.UK.
For the non-digital service:
In summary, your data is taken from the point of care system, NIMS (NHSE) and shared with DHSC. Demographic data is shared with DHSC by NHS Digital This data is used to verify the details provided by you and provides the address held on record for the letter to be sent to you.
Note: There is no transfer of data outside the wider UK and Crown Dependency community.
The lawful basis for processing your personal data
UK GDPR Art. 6 (1)(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller to meet the statutory obligations under Section 2A(1) of NHS Act 2006, to protect public health; and
UK GDPR Art. 9 (2)(g) processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject Underpinned by the Data Protection Act (DPA) 2018 – Schedules 1, Part 2, para 6 - Statutory and government purposes relating to public health and in particular the management of the COVID-19 public health emergency;
UK GDPR Art. 9 (2)(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3, underpinned by
Data Protection Act 2018 (DPA 2018), Schedule 1 - Part 1, Section 2 (2)[ f] where the condition for processing special category data is met for the health or social care purposes through the management of healthcare systems or services where the conditions and safeguards in Section 3, public health, are met.
UK GDPR Art. 9 (2)(i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy.
How long do we keep your Personal Data?
Digital users: Data is not stored within the NHS COVID Pass section of the NHS App. The data is displayed during your live login session. Your COVID-19 data will not be retained once you log off.
Non-digital users: For users of the 119 letter service, (directly or via a self request on NHS.UK) your data will not be retained once the letter has been printed and posted.
Additional retention periods may be engaged in circumstances where a data subject exercises their information access rights:
- In cases of legal complaints - data may be retained for a period of 10 years.
- Subject Access Requests (SAR) and Freedom of Information Requests (FOI) - 3 years.
- Subject Access requests & FOI requests where there has been an appeal - 6 years.
Your rights as a data subject
- Your right to get copies of your information – you have the right to ask for a copy of any information about you that is held or controlled by DHSC.
- Your right to update or correct your information – you have the right to ask for any information held about you that you think is inaccurate, to be corrected.
Note: If information you have provided to your GP/health service is out of date, you will need to correct this at the source to whom you provided the data. If there are inaccuracies as a result of incorrect information held on our systems about you, please contact the 119 service in the first instance.
- Your right to limit how your information is used – you have the right to ask for any of the information held about you to be restricted, for example, if you think inaccurate information is being used.
- Your right to object to your information being used – you can ask for any information held about you to not be used. However, this is not an absolute right, and we may need to continue using your information, and we will tell you if this is the case.
- Your right to get your information deleted – this is not an absolute right, and we may need to continue to use your information, and we will tell you if this is the case.
If you are unhappy or wish to complain about how your Personal Data is used by the service you should contact DHSC in the first instance to resolve your issue. If you’re still not satisfied, you can complain to the Information Commissioner’s Office.
You can get in touch with us by contacting the Data Protection Officer. The Data Protection Officer for DHSC is Lee Cramp, who can be contacted by sending an email to email@example.com
Once we receive your request, members of our Data Protection Team will endeavour to get back to you as soon as possible to confirm receipt.
Appropriate technical, organisational and administrative security measures are employed within our systems to protect any information we hold in our records from loss, misuse, unauthorised access, disclosure, alteration and destruction. We have written procedures and policies which are regularly audited and reviewed at a senior level.
Changes to this Privacy Notice
We keep our Privacy Notice under regular review, and we will make new versions available on our Privacy Notice page on the DHSC website. This Privacy Notice was last updated on 22nd June 2021.
The Data Controller for the NHS COVID-19 Pass status service is the Department of Health and Social Care (DHSC). Please contact the Data Protection Officer as below in the event that you require further information or wish to bring something to our attention.
Department of Health and Social Care
1st Floor North
39 Victoria Street
London SW1H 0EU
Formal complaint about the processing
If, after contacting the DPO as above, you wish to make a formal complaint about the processing of your personal data, please contact the Information Commissioner at:
Information Commissioner's Office (ICO)
Telephone: 0303 123 1113
Fax: 01625 524510
Last Updated: 30th September 2021