How your confidential data is used for your Covid-19 vaccination

v2.0, 24 September 2021

This notice compliments the Staff Employment Privacy Notice (for Trust staff only) and Your Personal Information leaflet for patients.

Covid-19 vaccination data is managed centrally using the National Immunisation, Vaccination Service (NIVS), commissioned by NHS England from NHS Arden and Great East Midland (GEM) Commissioning Support Unit (CSU).

1. Our contact details

Please address any queries regarding the use of your personal data to our Data Protection Officer (DPO), Andrew Harvey, who can be contacted by:

2. Information we collect and how we process it

At various points in the process the information is handled by NHS Arden and GEM CSU, NHS Digital (NHSD), NHS England (NHSE), the Trust’s vaccination booking team and East Kent NHS Foundation Trust (EKFT). All organisations have claimed ‘Standards Met’ on their 2020/21 Data Security and Protection Toolkit (DSPT), indicating good practice in Data Protection and Information Security processes. Your information is stored, processed and shared appropriately and securely to the NIVS system. This information includes your name, date of birth, gender, address and NHS number. For Trust staff it also includes your ESR staff number. We also collect the minimum amount of clinical information necessary needed to administer the vaccine. This data is self-supplied data via the PathEKS booking system when you requested your vaccination. The data entry into NIVS for this is undertaken manually by the vaccinator. PathEKS is being managed by EKFT on behalf of the Sussex Health and Care Partnership.

Following the vaccination a record of the vaccination decisions undertaken is also sent to NIVS. This includes vaccination given/not given, date vaccinated, vaccine type, dose, not immunised reason, adverse reaction details, and at risk category/group. Management information is available back to the Trust within the NIVS system.

All data will be stored in the UK.

Trust staff using NIVS are trained in its use and are, like all NHS staff, required by the DSPT and their contract of employment to complete annual training in Data Protection.

3. Legal basis for processing and your personal data

Under the UK General Data Protection Regulation (GDPR) our legal bases for processing this information are that we are under a legal obligation from the Health and Social are Act 2012 to provide general hospital services; that we are providing direct care to patients; and that it is required to manage a public health emergency.

1Related to this, The Health Service (Control of Patient Information) Regulations 2002 also allows the sharing of confidential patient data to help control the spread of infectious diseases such as Covid-19.

4. Your rights Under the GDPR 

In some instances you have various rights around the processing of your data, including access to it, the rectification of errors, restriction of processing, moving your electronic data to another service, the ability to object to processing, as well as having a clear understanding regarding any automated decision making and profiling. If you would like to discuss any of these, please contact our DPO using the details in Section 1.

5. How long we keep your information

Staff employment information is held in accordance to the Record Management Code of Practice (2021). Information held in NIVS will be retained in line with NHSE business requirements and the same Code of Practice. Data sent to NHSE will be retained in line with its Privacy Policy.3

It is likely that information collected in response to Covid-19 will be selected for permanent preservation in accordance with the Public Records Act 1958.

6. Your right to complain

If you have any concerns regarding the use of your information, and the Trust’s DPO has not been able to resolve them, you can raise it with the Information Commissioner’s Office, which regulates Data Protection. Its address is Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. Alternatively its helpline is 0303 123 1113. Its website is www.ico.org.uk.