Seasonal vaccination privacy notice | NHS Education for Scotland

NHS Education for Scotland Seasonal vaccination privacy notice

This is the privacy notice for the data held by NES for seasonal vaccinations.

Your personal data is being used by NHS Education for Scotland (NES) as the Data Controller responsible for the National Clinical Data Store (NCDS). NCDS is updated with information and events (such as your previous vaccinations or clinical treatments) from healthcare records maintained by GPs, specialist treatment centres and the Vaccination Management Tool within NHS Scotland. You will find our contact details, together with those for our Data Protection officer (DPO) at the foot of this notice.

Why we are processing your personal data

The purpose of processing is to support the delivery of invitations for seasonal flu, shingles and pneumococcal vaccinations which will be sent to you by your local Health Board.

Sharing personal data with others

Your personal data will be shared with

your local Health Board as a data controller, and
NHS National Services Scotland (NSS) as a data processor. NSS is responsible for collecting a restricted subset of your NCDS patient record and making this available in a secure format to your local Health Board. Each local Health Board will use this data to make decisions about inviting you for particular types of vaccination.

About the personal data we use

The set of personal data used contains information about your:

Identity;
Contact details;
Vaccination history and, where appropriate, “data flags”. The flags are indicators that you might be in a clinically vulnerable group and should be considered a priority to receive an invitation for vaccination. These flags are used to protect all clinical diagnoses and ensure your diagnosis is not revealed as part of this processing activity. To be clear, your clinical diagnosis DOES NOT form part of the data used to issue a vaccine invitation.

Our legal basis for processing personal data

Lawful reasons for processing areas follows:

1. UK GDPR Article 6/1/e: A task carried out in the public interest.
2. UK GDPR Article 9/2/h: Processing is necessary for the purposes of preventive or occupational medicine.

Retention periods for the information we hold

After the data is requested by SEER from the NCDS database it is updated every 24 hours to ensure accuracy. This regular refresh of data is repeated daily for the duration of the vaccination programme, which is itself subject to review every 18 months.

Transferring personal information aboard

Your personal data will remain in the UK at all times.

Your rights regarding your personal data

You have rights regarding how we process your personal data (for details about your rights and how to invoke them, see our privacy page):

1. The right to be informed
2. The right of access
3. The right to rectification
4. The right of erasure
5. The right to restrict processing
6. The right to portability
7. The right to object
8. Rights in relation to automated decision making and profiling.

Your right to complain

You have the right to lodge a complaint with the Information Commissioner’s Office (ICO) as the regulator in the UK. ICO address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF or visit ico.org.uk

NHS Education for Scotland contact details

NES Address: NHS Education for Scotland, Westport 102, West Port, Edinburgh, EH3 9DN.

Data Protection Officer (DPO) contact details

NES DPO contact email: foidp@nes.scot.nhs.uk (postal address as above for NES).