NHS Education for Scotland
A skilled and sustainable workforce for a healthier Scotland
NHS Education for Scotland
A skilled and sustainable workforce for a healthier Scotland
Your personal data and your child's data is being used by NHS Education for Scotland (NES) as the Data Controller responsible for the National Clinical Data Store (NCDS). NCDS is updated with information and events (such as your previous vaccinations or clinical treatments) from healthcare records maintained by GPs, specialist treatment centres and the Vaccination Management Tool (VMT) within NHSScotland. You will find our contact details, together with those of our Data Protection Officer (DPO) at the foot of this notice.
The purpose of processing is to support the delivery of vaccinations across Scotland. There are various organisations involved in delivering the immunisation programme through schools. Those organisations each hold your information to provide you with services. They share your information for the limited purpose of providing vaccinations to your child while your child is at school. More information about the organisations involved can be found in the next section "Sharing personal data with others".
Further information is also available:
Vaccination schedule - Immunisations in Scotland | NHS inform
Vaccinations for 12 -15 year olds - gov.scot (www.gov.scot)
Child health - Data & intelligence from PHS (isdscotland.org)
Immunisation - Child health - Data & intelligence from PHS (isdscotland.org)
Use of your immunisation data | Information Governance (scot.nhs.uk)
Your personal data and your child’s personal data will be shared with the organisations in the table below in order to deliver vaccines across Scotland. National Services Scotland (NSS) is responsible for collecting a restricted subset of your (or your child’s) NCDS patient record and making this available in a secure format to your local Health Board. Each local Health Board will use this data to make decisions about inviting you for vaccinations. Those invitations will be issued by schools or local authorities, as appropriate to you or your child.
Your information and your child’s information will be shared with different organisations because of the systems involved in delivering vaccinations across Scotland and ensuring the best health outcomes for you. Depending on what type of school your child attends, the school or local authority may also be involved in sharing data to ensure you and your child/ren are invited for immunisations.
The following table outlines which organisations may process your data and your child’s data and sets out their relationship to your data.
|
Organisation |
Data relationship |
|
Local Authorities and Schools |
Local Authorities and schools work with Public Health Scotland (PHS) and National Services Scotland (NSS) to manage invitations for your child to be vaccinated at school. Local Authorities and schools will provide minimum data to issue you with a letter which includes a yellow form for you to provide clinical consent to your child receiving vaccinations while they are at school. This is consent for your child to be vaccinated only. Your school will have its own privacy notice – you should consult your school for information on how your and your child’s personal data is managed by them. For details about information sharing for the principle of Getting it right for every child, please see: |
|
Territorial Health Boards (e.g. your local health board) |
Territorial Health Boards are your local area Health Board. They make decisions about managing GPs, managing funding etc. They are Data Controllers of health information about you and the systems they use to keep your data. Some Health Boards use specific systems to process data; sometimes these are provided by external providers such as TrakCare or Badgernet. |
|
GP practices |
Your local GP is a Joint data controller, with Territorial Health Boards, for your patient information and personal details. |
|
Public Health Scotland (PHS), including Child Health |
PHS are Scotland’s lead agency for improving and protecting health and wellbeing. To do this, PHS use data, intelligence and place-based approaches which will involve them accessing a wide range of data sources, including personal data of patients. They also carry out data matching to ensure that patient records are accurate. They will be a Data controller for prioritising groups for vaccinations and other functions. You can find more information at: Overview of immunisations - Immunisation - Health topics - Public Health Scotland PHS also provide information specifically about child immunisations. |
|
NHS Education for Scotland (NES) |
NES provide digital services to Territorial Health Boards, GPs and health care practitioners. They will be a Data controller for the systems they manage and may be Joint data controllers with other organisations listed in this table or may be Data processors on behalf of Health Boards or PHS. |
|
National Services Scotland (NSS) |
NSS provide services to the NHS in Scotland. They are a Data controller for the Test and Protect service. They are also Joint data controllers where NES share vaccination data with NSS to help with patient care and inviting people for vaccinations. |
|
Albasoft |
A third party supplier who process data on behalf of NES. |
|
Atos |
A third party supplier who process data on behalf of Health Boards. |
|
Netcompany |
A third party supplier who process data on behalf of both the Scottish Government and NES, especially with regards to vaccine certification for international travel. |
|
Orion |
A software developer (third party supplier) that some Territorial Health Boards and NES use for accessing vaccination information. |
|
Morse |
A software developer (third party supplier) that limited Territorial Health Boards use to access vaccination information. |
|
Scottish Government |
The Scottish Government are provided with reporting information about vaccines and vaccination uptake. This is mostly anonymised data but, when managing pandemics and other public health emergencies, may involve personal data. See also: Use of your immunisation data | Information Governance (scot.nhs.uk) |
The set of personal data used contains information about your:
The data flags are indicators that you might be in a clinically vulnerable group and should be considered a priority to receive an invitation for particular vaccinations. These flags are used to protect all clinical diagnoses and ensure your diagnosis is not revealed as part of this processing activity. To be clear, your clinical diagnosis does not form part of the data used to issue a vaccine invitation.
Your personal and health information and your child's information will be collected and used to provide vaccinations to you. This is on the lawful basis of:
Article 6.1(e) - where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Specifically, this public task comes from the NHS Education for Scotland Amendment Order 2021. This Order creates NES and provides their function, which is supporting Health Boards with services, including digital means.
Article 9.2(h) - where processing is necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services on the basis of Union or Member State law or a contract with a health professional.
Sometimes, emergency legislation will be introduced to manage a pandemic, epidemic or other public health emergency, for example, Coronavirus (COVID-19) legislation - gov.scot (www.gov.scot) and Coronavirus Legislation. Where legislation is introduced to manage a public health emergency, your information may also be processed under:
Article 6(1)(c) - where processing is necessary for compliance with a legal obligation to which the controller is subject.
Retention Period: After the data is requested by NSS from the National Clinical Data Store (NCDS) it is updated every 24 hours to ensure accuracy. This regular refresh of data is repeated daily for the duration of the vaccination programme, which is itself subject to review every 18 months.
The data in the NCDS is retained in accordance with the Scottish Government Records Management Health and Social Care Scotland Code of Practice (Scotland) 2020 and in line with retention for GP records. This decision is based on the need to ensure that GPs and other clinicians have access to vaccination records over an extended period of time to ensure clinical safety.
Your personal data will remain in the UK at all times.
You have rights regarding how we process your personal data (for details about your rights and how to invoke them, see our privacy page at https://www.nes.scot.nhs.uk/legal-and-site-information/privacy/:
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) as the regulator in the UK.
ICO Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF or visit www.ICO.org.uk
NES Address: NHS Education for Scotland, Westport 102, West Port, Edinburgh, EH3 9DN.
NES DPO contact email: foidp@nes.scot.nhs.uk (postal address as above for NES)