Scottish Vaccinations Privacy Notices
The way that vaccinations are delivered in Scotland changed in 2022. Responsibility for vaccine delivery moved from GPs to Territorial Health Boards in order to tailor them to meet the needs of local populations. Responsibility for all immunisation programmes and ad hoc vaccines will be fully transferred to Health Boards.
Your personal data is being used by NHS Education for Scotland (NES) as the Data Controller responsible for the National Clinical Data Store (NCDS). NCDS is updated with information and events (such as your previous vaccinations or clinical treatments) from healthcare records maintained by GPs, specialist treatment centres and the Vaccination Management Tool (VMT) within NHS Scotland. You will find our contact details, together with those for our Data Protection Officer (DPO), at the foot of this notice.
The purpose of processing is to support the delivery of vaccinations across Scotland.
Your personal data will be shared with the organisations listed below in order to deliver vaccines across Scotland. National Services Scotland (NSS) is responsible for collecting a restricted subset of your NCDS patient record and making this available in a secure format to your local Health Board. Each local Health Board will use this data to make decisions about inviting you for vaccinations.
- Territorial Health Boards (e.g. your local health boards)
  - Territorial Health Boards are your local area Health Board. They make decisions about managing GPs, managing funding etc. They are Data Controllers of health information about you and the systems they use to keep your data.
- GP Practices
  - Your local GP is a Joint data controller, with Territorial Health Boards, for your patient information and personal details.
- Public Health Scotland (PHS)
  - PHS are Scotland’s lead agency for improving and protecting health and wellbeing. To do this, PHS use data, intelligence and place-based approaches which will involve them accessing a wide range of data sources, including personal data of patients. They also carry out data matching to ensure that patient records are accurate. They will be a Data controller for prioritising groups for vaccinations and other functions. You can find more information at: Overview of immunisations - Immunisation - Health topics - Public Health Scotland
- NHS Education for Scotland (NES)
  - NES provide digital services to Territorial Health Boards, GPs and health care practitioners. They will be a Data controller for the systems they manage and may be Joint data controllers with other organisations listed in this table or may be Data processors on behalf of Health Boards or PHS.
- National Services Scotland (NSS)
  - NSS provide services to the NHS in Scotland. They are a Data controller for the Test and Protect service. They are also Joint data controllers where NES share vaccination data with NSS to help with patient care, inviting people for vaccinations and for ‘self-isolation’ grants.
- Albasoft
  - A third party supplier who process data on behalf of NES.
- Netcompany
  - A third party supplier who process data on behalf of both the Scottish Government and NES, especially with regards to vaccine certification for international travel.
- Orion
  - A software developer (third party supplier) that some Territorial Health Boards and NES use for accessing vaccination information.
- Morse
  - A software developer (third party supplier) that limited Territorial Health Boards use to access vaccination information.
- Scottish Government
  - The Scottish Government are provided with reporting information about vaccines and vaccination uptake. This is mostly anonymised data but, when managing pandemics and other public health emergencies, may involve personal data. See also: Use of your immunisation data | Information Governance (scot.nhs.uk)
The set of personal data used contains information about your:
- identity;
- contact details;
- vaccination history and, where appropriate, “data flags”. The flags are indicators that you might be in a clinically vulnerable group and should be considered a priority to receive an invitation for particular vaccinations. These flags are used to protect all clinical diagnoses and ensure your diagnosis is not revealed as part of this processing activity. To be clear, your clinical diagnosis DOES NOT form part of the data used to issue a vaccine invitation.
Lawful reasons for processing are as follows:
- UK GDPR Article 6(1)(e): A task carried out in the public interest.
- UK GDPR Article 9(2)(h): Processing is necessary for the purposes of preventive or occupational medicine.
Sometimes, emergency legislation will be introduced to manage a pandemic, epidemic or other public health emergency, for example, Coronavirus (COVID-19) legislation - gov.scot (www.gov.scot) and Coronavirus Legislation. Where legislation is introduced to manage a public health emergency, your information may also be processed under:
- UK GDPR Article 6(1)(c): Processing is necessary for compliance with a legal obligation to which the controller is subject.
After the data is requested by NSS from the National Clinical Data Store (NCDS) it is updated every 24 hours to ensure accuracy. This regular refresh of data is repeated daily for the duration of the vaccination programme, which is itself subject to review every 18 months. The data in the NCDS is retained in accordance with the Scottish Government Records Management Health and Social Care Scotland Code of Practice (Scotland) 2020 and in line with retention for GP records. This decision is based on the need to ensure that GPs and other clinicians have access to vaccination records over an extended period of time to ensure clinical safety.
Your personal data will remain in the UK at all times.
You have rights regarding how we process your personal data (for details about your rights and how to invoke them, see our privacy page at https://www.nes.scot.nhs.uk/legal-and-site-information/privacy/):
- The right to be informed;
- The right of access;
- The right to rectification;
- The right of erasure;
- The right to restrict processing;
- The right to portability;
- The right to object;
- Rights in relation to automated decision making and profiling.
You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO) as the regulator in the UK. ICO address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. Or visit ICO.org.uk
NES Address: NHS Education for Scotland, Westport 102, West Port, Edinburgh, EH3 9DN.
NES DPO contact email: foidp@nes.scot.nhs.uk (postal address as above for NES).