How we use your data

This privacy notice was last updated on 25 Jan 2021.

Privacy and data security are very important to the Scottish Government and NHS Scotland. All systems and processes within the coronavirus (COVID-19) Vaccination Programme have been designed with these as a priority.

This section is the privacy notice for coronavirus vaccinations and explains:

  • the key organisations responsible for your data
  • how those organisations process personal information about you in relation to coronavirus vaccinations
  • your rights in relation to your privacy and personal data

The topics included are:


These are the key organisations involved in the coronavirus vaccination programme.

You can find more information about these organisations' roles and responsibilities when handling your data by using the links in the table.

Organisation Role within the vaccinations programme Access to personal data
Scottish Government (Scottish Ministers) The Scottish Government provides strategic direction and leadership for the Coronavirus Vaccination Programme, as per the duty of Scottish Ministers to protect public health. Scottish Government takes an active part in the governance structure of the Vaccination Programme and participates in the decisions about personal information processed in connection with the programme. The Chief Executive of the NHS Scotland, as Director General of Health and Social Care in the Scottish Government, has overall responsibility in this area on behalf of Scottish Ministers. The Health Competent Authority (run by the Scottish Government on behalf of Scottish Ministers) oversees compliance with data security and resilience in relation to the processing undertaken by health Boards. No. The Scottish Government do not have access to patient identifiable data.
NHS health boards and General Practices (GPs). Health boards are responsible for vaccinating the population in their territorial boundaries. GPs assist the health boards in discharging this responsibility. GPs are controllers of their patient’s GP medical record, and they assist in the validation of the vaccine cohorts. GPs assist with the validation of cohort, to ensure their patients are assigned to the right priority cohort for vaccination based on their understanding of the needs and risks of their patients. Health boards and GPs are represented in decision making bodies that make decisions about personal information within the Coronavirus Vaccination Programme. Yes, on a need-to-know basis only
Public Health Scotland (PHS) PHS participates in the decision-making bodies and groups created within the Coronavirus Vaccination Programme . Decides on analytical methods and reporting in its role as an independent official statistics producer. Yes, on a need-to-know basis only
NES Digital Services (NDS) NES Digital Services is part of NHS Education for Scotland as the legal entity. NDS participates in the decision-making bodies created within the Coronavirus Vaccination Programme for data and systems.
It is NDS' role to:

a. provide day-to-day management of the National Clinical Data Store (NCDS) that collects personal data from various sources (e.g. NHS Scotland systems and the Scottish Social Services Council (SSSC))

b. assist with the creation of prioritised cohorts for vaccination based on agreed population and health risk criteria.

As a data processor. it is NDS' role to:

c. develop and manage the infrastructure and provide IT support for the Vaccinations Management Tool (VMT) (vaccination record for citizens, NHS staff and care homes staff) on behalf of NHS health boards.

d. create a digital system/tool to help care homes and other care organisations identifying staff that need to be vaccinated with priority.
Yes, on a need-to-know basis only
The Common Services Agency (NHS National Services Scotland - NHS NSS) NSS participates in the decision making bodies created within the Coronavirus Vaccination Programme. NHS NSS is responsible for the Case Management System (CMS), the appointment scheduling system, and the web portal for people to change their appointments. NHS NSS also operates the vaccination helpline through the National Contact Tracing Centre (NCTC). Yes, on a need-to-know basis only
Social Security Scotland Social Security Scotland (SSS) administer three benefits which allow for identification of unpaid carers, who need to be added to Cohort 6 for COVID-19 Vaccination. These benefits are: Carers allowance (administered in Sept 2020) Child winter heating allowance (administered in Nov 2020) Young carers grant (annual applications). Yes. Social Security Scotland is the source for this information.

Controllers' contact details

Any questions, comments, complaints or requests regarding your personal information can be sent to us using the following details.

If you need to contact the various data controllers involved in the Vaccination Programme, and you prefer us to coordinate this from a central point of contact, please do so by sending your request to:

The Scottish Government Data Protection Officer
Victoria Quay
Commercial Street

See Data Protection Officer’s contact details within NHS Scotland, including Public Health Scotland, NSS, NES, Health Boards and GPS. Contact details for the Data Protection Officer at Social Security Scotland

Terms we use in our data policy

We use a number of complex terms and acronyms throughout our data and privacy policy to comply with legal requirements.

Glossary of words and acronyms we use

AWS (Amazon Web Services)

A cloud computing platform provided by Amazon.

Caldicott Guardian

A Caldicott Guardian is a senior person within a health or social care organisation who makes sure that the personal information about those who use its services is used legally, ethically and appropriately, and that confidentiality is maintained.


Refers to the NHS Scotland National Contact Tracing Centre’s Case Management System


A group of people with a shared characteristic


Any body which, alone or jointly with others, determines the purposes and means of the processing of personal information. Scottish Government, Public Health Scotland and NHS National Services Scotland are controllers in respect of personal information in connection with the app.

IP address

A numerical label assigned to a mobile device by the mobile phone or Wi-Fi service provider. It is typically made up of 4 sets of numbers (e.g. As a consequence of how data traffic passes across the internet, the IP address is inevitably transferred to the app server.

National Contact Tracing Centre

A service hosted within NHS NSS which will support the contact tracing function.

Personal information

Any information relating to an identified or identifiable individual who can be identified, directly or indirectly from that information.


Any body which processes personal information on behalf of the controller.


Any action or operation which is performed on personal information (whether or not by automated means) such as collection, recording, storage, use, disclosure and destruction of personal information.

SMS (Short messaging system)

is a text messaging service used by most mobile devices. It uses standardised communication protocols to enable mobile devices, apps and other information systems to exchange short text messages.