Privacy Notice

How the NHS COVID Pass uses your information and your data rights

What is the purpose of the NHS COVID Pass service?

The Department for Health and Social Care (DHSC) as data controller, is providing citizens with a COVID Pass service to ensure that you can evidence and share your COVID-19 vaccination or test result status. This is called the NHS COVID Pass status service and it is available to you both digitally through an App or website as well as a non-digital letter service. The purpose for using the service will be to demonstrate a lower risk of transmitting the disease to others for either international travel or our own domestic purposes. Your status will be based on either your completed vaccination history, (or exemption from vaccination if you have been on a clinical trial), your natural immunity (positive PCR test in the last 180 days), or testing results (negative Lateral Flow Test result in the last 48 hours).

As part of the country’s progression to the Step 4 roadmap of the Government’s COVID-19 recovery plan from 19th July 2021, a new phase of continued caution means that within the UK, you may need to demonstrate your COVID Pass status to participate in some events and attend certain venues as measures continue encouraging and supporting businesses and large events to use the NHS COVID Pass in high risk settings to help to limit the risk of infection. The Government will continue to work with organisations that operate large, crowded settings where people are likely to be in close proximity to others outside their household to encourage the use of the NHS COVID Pass. There may also be further Events Research Programme (ERP) events from 19th July 2021 requiring an NHS COVID Pass.

These measures will assist in preserving public health within the UK, as well as to facilitate foreign travel in accordance with emerging UK and international policy and guidance at the point of travel. It will remain necessary to be vigilant for updates and changes to entry and travel requirements before going, such as getting a negative pre-departure test.

What is meant by NHS COVID Pass ‘Status’?

An NHS COVID Pass shows your Coronavirus (COVID-19) vaccination details or test results. This is your COVID-19 status which you can access if you are registered with a GP and are receiving healthcare in England and Wales (vaccination only).

  • Vaccination status (approved vaccine or trial participants)
  • Test status (PCR; and LFT within 48 hours)
  • Exemption status (trial participants, clinical exemptions approved by GP)
  • Natural Immunity Status (those who have had a positive PCR test result in the last 180 days).

Where can I find the NHS COVID Pass service?

You can choose either a digital method (NHS App and NHS.UK website) to display and download your Pass, or a non-digital (letter service) route - which can be requested via the 119 telephone service or on the NHS.UK website. Please ensure your contact and personal details are up to date with your registered GP.

- Using the digital service to access and display my COVID-19 status

NHS App: The NHS owns and manages the NHS App as a secure way to access a range of NHS services on your smartphone or tablet. This App has a large number of features and functions including the connected service of the NHS COVID Pass.

Note: The NHS COVID Pass is found within the NHS App and is not located in any other NHS or Apps from other organisations. It is not the same as the NHS COVID-19 Contact Tracing App for England and Wales (called the NHS COVID-19 App).

Note: You will see an expiry date on the display screen in your COVID Pass. This only refers to the barcode and not to the validity of your vaccination. The barcode will last for 28 days and then will automatically be renewed as long as your status remains valid. There are no current government decisions about how long your vaccine is effective for and therefore no current expiry has been applied to your completed vaccine course, enabling the barcode to continue to be regenerated. Any future changes that will come into effect will be reflected in this privacy notice.

Further information as well as Privacy Notices for the NHS App can be found at https://www.nhs.uk/apps-library/nhs-app/

NHS Login: If you are using the NHS App or NHS.UK website to access your NHS COVID Pass status, and have not registered before, you will initially be taken through the NHS Login process to authenticate your identity to prevent fraud and misuse. For the full functionality of all the features of the NHS App as well as to display and share your vaccine history for international travel, this will require verification of photographic ID (such as passport or driving licence). If you need to display your COVID Pass status for use within the UK, your Login will require verification using a single mobile number that is matched against your GP record. Please ensure your GP has an up to date mobile telephone number for you.

Further information and a privacy notice for the NHS Login can be found at Your Privacy on NHS login

https://www.nhs.uk/nhs-services/online-services/nhs-log-in/

NHS Website: You can also access NHS App services from the browser on your computer at the NHS.UK website by clicking on the area marked as the COVID Pass status service.

Further information and a privacy notice for the NHS Website can be found at
https://www.nhs.uk/conditions/coronavirus-COVID-19/
https://www.nhs.uk/conditions/coronavirus-COVID-19/COVID-pass/
https://www.nhs.uk/our-policies/privacy-policy/

What data will be displayed for sharing on my phone?

- For international travel: In addition to a screen displaying a green-for go status, a 2D barcode will be displayed which may be used for point-of-departure scanning purposes alongside details of your vaccinations. Alternatively, you may just be asked to share your mobile phone screen displaying your status within the NHS COVID Pass or a download of the data. In addition to the information on the screen, the 2D barcode confirms your status with coded embedded data in the form of a visual image. This visual image can be transmitted by in-the-moment scanning from an NHS COVID Pass Verifier. This verifier is a scanning Application available as an NHS App for download to a mobile phone, which then uses its camera to capture and verify this image. Both the NHS COVID Pass and the NHS COVID Pass Verifier do not retain, share or further process your data. The display screen you surface when logged in to your NHS COVID Pass, only shows your status for long enough to share. The display screen in the Verifier App is also momentary. Your medical records are not accessed during this purpose. For international travel purposes, once the 2D barcode is successfully scanned, a vaccine status will automatically be displayed and can be expanded if further details are needed to show further details of your vaccination history.

- Use within the UK: Your mobile device will generate a 2D barcode and green-for-go (Pass) or “expired”/”not recognised” display screen to evidence your COVID status. There is no further display of your vaccination history.

Cookies: To enable the technology to work within the NHS COVID Pass in the NHS App, and to function more efficiently in use, we place small files called cookies that are strictly necessary, on your devices. The cookie policy for the NHS COVID Pass can be found at: NHS COVID Pass - NHS (nhsx.nhs.uk)

The ‘strictly necessary cookies added to the NHS COVID Pass are:

NamePurpose
COVIDStatusUserPreferenceWe store which flow choice you made (UK events or international travel) in order to bring you back to the right place.
COVID StatusQueueItThis cookie holds your user session information so that when you return from a waiting room to log on, you can continue your session within the service without having to log on again.

There are separate cookie policies for the wider applications of the NHS App, NHS Login and the NHS.UK website. NHS Digital (NHSD) is the data controller for these technologies and further information can be found at

SiteLink
NHS Loginhttps://access.login.nhs.uk/cookies
NHS Apphttps://www.nhs.uk/nhs-app/nhs-app-legal-and-cookies/nhs-app-cookies-policy/
NHS Websitehttps://www.nhs.uk/our-policies/cookies-policy/
https://www.nhs.uk/our-policies/privacy-policy/

- Using the non-digital service to access my COVID-19 status

The letter service: You can dial the 119 telephone service to request your vaccination status in a letter. This will be printed and sent to you through the post to the address held on your GP medical record.

Note: You will only be able to demonstrate your vaccination history via this service and not your exemption status or test results. Your GP cannot provide you with this letter or service.

- Using the website service to request my COVID-19 status letter

As with the 119 letter service, you can also use the NHS.UK website to request an NHS COVID status vaccination letter. This will be sent to the address you have provided to your GP, held on your medical record. To access the service, visit the NHS.UK website at
https://www.nhs.uk/conditions/coronavirus-covid-19/covid-pass/get-your-covid-pass-letter/

How do I evidence my COVID Pass status if I am taking part in a clinical trial?

If you are exempt from being vaccinated because you are in, or have taken part in, a clinical trial, you will be able to use the COVID Pass within the NHS App to display and share your COVID status with the green-for-go screen for any domestic events within the UK. Your COVID Pass status for international travel may depend on the trial that you have taken part in and, pending any international agreements, you may need to evidence your status for foreign travel through testing. If you have already been provided with an interim letter, you can continue to use this letter until this expires on 31st July 2021.

What will I need to get or show my COVID Pass status?

Your status will be based on your vaccination history, exemption, or test results through either a

  • Completed course of approved COVID-19 vaccinations, 2 weeks after your second dose (or be a valid vaccination trial participant)
  • Valid test status: A Polymerase Chain Reaction (PCR) test result - a positive PCR test (within the past 6 months giving you natural immunity status after self-isolating and up to 180 days after taking the test), or negative PCR test or rapid Lateral Flow Test (LFT) reported within the past 48 hours.

Report a COVID-19 rapid lateral flow test result - GOV.UK (www.gov.uk)

Where is my data held?

Your COVID-19 vaccination data is transferred from the point of care (where you received the vaccines), into the NHS England (NHSE) National Immunisation Management Service (NIMS) which is the IT software and infrastructure that supports the COVID-19 vaccination programme. NHSE is the data controller for the vaccination programme and provides your GP (who is the data controller for your medical record) with details of your vaccinations.

If you were vaccinated as part of a trial, you will be given NHS COVID Pass exemption status within the NHS App.

Your test results are transferred from the Test and Trace Service held by the DHSC infrastructure. A code will be provided to you or your test centre, when the results of a Lateral Flow test (LFT) or a Polymerase Chain Reaction (PCR) are reported online or by phone for you to enter in the COVID Pass area of the NHS App and your results will be linked to your status. The test and reporting need to be completed within the past 48 hours. As a result of these short timeframes, seeking negative test results by letter is not possible as the letter may take 5 days to arrive.

Further information on testing is available on the Test and Trace website:

NHS Test and Trace in the workplace - GOV.UK (www.gov.uk)

Note: Private testing is not currently part of the service.

Your demographic data: Your personal demographic details are held by the NHS Digital Personal Demographic Service (PDS) which is the national electronic database for NHS patient demographic data. This is your name, address, date of birth and NHS number, and if recorded, the mobile telephone number provided to your GP - all processed to assist in your rapid identification. For the purposes of the letter service, your address is then linked to your vaccination data and provided to a secure printer service (including the option for a Braille version) from where the letter will be posted to you.

Your NHS COVID Pass is a mechanism to display your status and no information is held within this area of the NHS App. Your medical records are not accessed for this purpose and no access permissions are required or provided by your GP. While you are logged in to the NHS COVID Pass area, you can display your status in a live setting. During your session you have the option to download your status as a PDF copy to your phone or receive an off-line copy by email allowing your device and not the COVID Pass App to store your data. Logging out ends the display session.

What happens in other parts of the UK?

Wales:

If you are a Welsh resident or live in England and were vaccinated in Wales: You can get a digital NHS COVID Pass if you were vaccinated in Wales and you are aged 16 or over

Welsh Vaccination Data: The Department of Health and Social Care (DHSC) has agreed with the Welsh Government to provide those Citizens residing in Wales with the ability to demonstrate their COVID-19 status. NHS Digital has provided the information about your vaccination history to the COVID Pass service, on behalf of the Welsh Government, from the Welsh vaccination database operated by the Welsh Health Board. This contains vaccination information supplied from the COVID-19 vaccine point-of-care systems approved by Public Health Wales who is the data controller for (and operates) the COVID-19 Vaccination Programme in Wales.

Testing Results for Welsh citizens: COVID-19 testing that takes place in Wales is not included in this service and you are advised to check the Welsh Test and Trace service for additional support:

Test Trace Protect | GOV.WALES

Scotland: If you are a Scottish resident registered with a Scottish GP or live in England and were vaccinated in Scotland you cannot access the NHS COVID Pass service for England and Wales but can access the Scottish service at

Get a record of your coronavirus (COVID-19) vaccination status | The coronavirus (COVID-19) vaccine (nhsinform.scot)

If you live in Scotland but are registered with a GP in England you will be able to access the NHS App system for England.

Northern Ireland: If you are a Northern Irish resident, you are not able to access the NHS COVID Pass service for England and Wales. For further information please visit

Get a COVID-19 vaccination in Northern Ireland | nidirect

The Personal Data we collect and how it is used

Personal DataNHS AppWebsite NHS.UKNHS Login for NHS App and NHS.UKVaccination Letter service (119 and NHS.UK)
Full name to correctly identify you.
Date of Birth to correctly identify you.
NHS number to correctly identify you.*
Home address (Including Postcode) * To correctly send COVID Pass letters to your home address if requested.*Taking address from PDS*
Landline and/or Mobile phone numbers.
  • To be able to contact you if you have requested a Pass, or require support.
  • SMS text message if using the letter route in the event of a failed journey or to receive a vaccine test result.
Mobile
Email address.
  • To be able to contact you if you have requested a Pass, or require support
  • If using the non digital letter service in the event of a failed journey
Third parties’ contact details may be taken if they have agreed to be contacted on behalf of other adults.
Photographic ID verification*
Special Category (Health) Data Your vaccination and test data
Automated decision making or profiling is not engaged in this service provision (Article 22 of UK GDPR)XXXX
* Only required for international travel and other uses of the NHS App which provide you with access to your medical records

Automated decision making or profiling.

For the purposes of effective compliance with the requirements of Article 22 of the UK General Data Protection Regulations (GDPR), the DHSC considers that automated decision making is not engaged in this service.

How will my information be shared?

For the digital service:
In summary, your data is taken from approved source systems, point of care systems, the NHS Digital vaccination data store and the National Immunisation Management System (NIMS) owned by NHS England (NHSE). NHSE shares your data with NHS Digital who make your data available to you either via the NHS App or NHS.UK.

For the non-digital service:
In summary, your data is taken from the point of care system, NIMS (NHSE) and shared with DHSC. Demographic data is shared with DHSC by NHS Digital This data is used to verify the details provided by you and provides the address held on record for the letter to be sent to you.

Note: There is no transfer of data outside the UK.

The lawful basis for processing your personal data

UK GDPR Art. 6 (1)(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller to meet the statutory obligations under Section 2A(1) of NHS Act 2006, to protect public health; and

UK GDPR Art. 9 (2)(g) processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject Underpinned by the Data Protection Act (DPA) 2018 – Schedules 1, Part 2, para 6 - Statutory and government purposes relating to public health and in particular the management of the COVID-19 public health emergency;

UK GDPR Art. 9 (2)(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3, underpinned by

Data Protection Act 2018 (DPA 2018), Schedule 1 - Part 1, Section 2 (2)[ f] where the condition for processing special category data is met for the health or social care purposes through the management of healthcare systems or services where the conditions and safeguards in Section 3, public health, are met.

UK GDPR Art. 9 (2)(i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy, underpinned by DPA 2018 – Schedule 1, Part 1, s. 2(2)(f) – health or social care purposes.

How long do we keep your Personal Data?

Digital users: Data is not stored within the NHS COVID Pass area of the NHS App. The data is displayed during your live login session. Your COVID-19 data will not be retained once you log off.

Non-digital users: For users of the 119 letter service, your data will not be retained once the letter has been printed and posted.

Additional retention periods may be engaged in circumstances where a data subject exercises their information access rights:

  • In cases of legal complaints - data may be retained for a period of 10 years.
  • Subject Access Requests (SAR) and Freedom of Information Requests (FOI) - 3 years.
  • Subject Access requests & FOI requests where there has been an appeal - 6 years.

Your rights as a data subject

By law, you have rights as a data subject. Your rights under the General Data Protection Regulation and the UK Data Protection Act 2018 apply.

  • Your right to get copies of your information – you have the right to ask for a copy of any information about you that is held or controlled by DHSC.
  • Your right to update or correct your information – you have the right to ask for any information held about you that you think is inaccurate, to be corrected.
    Note: If information you have provided to your GP/health service is out of date, you will need to correct this at the source to whom you provided the data. If there are inaccuracies as a result of incorrect information held on our systems about you, please contact the 119 service in the first instance.
  • Your right to limit how your information is used – you have the right to ask for any of the information held about you to be restricted, for example, if you think inaccurate information is being used.
  • Your right to object to your information being used – you can ask for any information held about you to not be used. However, this is not an absolute right, and we may need to continue using your information, and we will tell you if this is the case.
  • Your right to get your information deleted – this is not an absolute right, and we may need to continue to use your information, and we will tell you if this is the case.

If you’re unhappy or wish to complain about how your Personal Data is used by the service you should contact DHSC in the first instance to resolve your issue. If you’re still not satisfied, you can complain to the Information Commissioner’s Office.

You can get in touch with us by contacting the Data Protection Officer. The Data Protection Officer for DHSC is Lee Cramp, who can be contacted by sending an email to data_protection@dhsc.gov.uk

Once we receive your request, members of our Data Protection Team will endeavour to get back to you as soon as possible to confirm receipt.

Data security

Appropriate technical, organisational and administrative security measures are employed within our systems to protect any information we hold in our records from loss, misuse, unauthorised access, disclosure, alteration and destruction. We have written procedures and policies which are regularly audited and reviewed at a senior level.

Changes to this Privacy Notice

We keep our Privacy Notice under regular review, and we will make new versions available on our Privacy Notice page on the DHSC website. This Privacy Notice was last updated on 22nd June 2021.

Data Controller

The Data Controller for the NHS COVID-19 Pass status service is the Department of Health and Social Care (DHSC). Please contact the Data Protection Officer as below in the event that you require further information or wish to bring something to our attention.

In writing:
DPO
Department of Health and Social Care
1st Floor North
39 Victoria Street
London SW1H 0EU


By email:
data_protection@dhsc.gov.uk

Formal complaint about the processing

If, after contacting the DPO as above, you wish to make a formal complaint about the processing of you personal data, please contact the Information Commissioner at:

Information Commissioner's Office (ICO)
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Telephone: 0303 123 1113
Fax: 01625 524510

https://ico.org.uk/