How we use your data

This privacy notice was last updated on 26 October 2021.

People are reminded to check they have the latest version of the app downloaded on their smartphone to ensure domestic certification updates have been accommodated. Watch a video explaining how domestic certification works through the App. 

This privacy notice covers processing in relation to the National Vaccination Scheduling Service which provides appointments for vaccination and the Covid Status Scheme which includes digital and non-digital routes to obtaining information on your vaccination status.

Privacy and data security are very important to the Scottish Government and NHS Scotland and we take our legal obligations seriously. As such, robust measures have been put in place to ensure all systems and processes within the Coronavirus (COVID-19) Vaccination Programme have been designed with these in mind and as a priority.

This is the privacy notice for coronavirus vaccination and certificates and explains:

  • the key organisations responsible for your data
  • how those organisations process personal information about you in relation to coronavirus vaccinations, exemptions and certificates
  • your rights in relation to your privacy and personal data

This privacy notice is split into 3 parts:

  1. How we use your data to support the coronavirus vaccination programme
  2. Personal information we process to support the coronavirus vaccination
  3. Your rights and the coronavirus vaccination

The topics included are:

Controllers

A Controller is an organisation that determines the means and purposes of the processing of personal information.

These are the Controllers involved in the Coronavirus Vaccination Programme.

You can find more information about these organisations' roles and responsibilities when handling your data by using the links in the following table:

| Organisation | Role within the vaccinations programme | Access to personal data |
| --- | --- | --- |
| Scottish Government (Scottish Ministers) | The Scottish Government provides strategic direction and leadership for the wider Coronavirus Vaccination Programme, including COVID-19 Certification Scheme, as per the duty of Scottish Ministers to protect public health (e.g. via The Public Health etc. (Scotland) Act 2008 section 1). Scottish Government takes an active part in the governance structure of the Vaccination Programme and participates in the decisions about personal information processed in connection with the programme. The Scottish Government is also responsible for providing Citizens with the means to access their COVID-19 Vaccination Certificate. The Chief Executive within the NHS Scotland, as Director General of Health and Social Care in the Scottish Government, has overall responsibility in this area on behalf of Scottish Ministers. The Health Competent Authority (run by the Scottish Government on behalf of Scottish Ministers) oversees compliance with data security and resilience in relation to the processing undertaken by health boards. | No, the Scottish Government do not have access to personal identifiable data |
| NHS Territorial Health Boards and General Practices (GPs) | Health Boards are responsible for vaccinating the population in their territorial boundaries. GPs assist the health boards in this responsibility. GPs (and the relevant health board) are both controllers of their patients' GP medical record, and they assist in the validation of the vaccine cohorts. GPs assist with the validation of cohorts, to ensure their patients are assigned to the right priority cohort for vaccination based on their understanding of the needs and risks of their patients. Health Boards and GPs are represented in decision making bodies that make decisions about personal information within the COVID-19 Vaccination Programme. | Yes, on a need-to-know basis only |
| Public Health Scotland (PHS) | PHS participates in the decision-making bodies and groups created within the COVID-19 Vaccination Programme and decides on analytical methods and reporting in its role as an independent official statistics producer. | Yes, on a need-to-know basis only |
| NHS Education for Scotland (NES) | NHS NES participates in the decision-making bodies created within the COVID-19 Vaccination Programme for data and systems. As a Controller it is NES' role to: a. provide day-to-day management of the National Clinical Data Store (NCDS) that collects personal data from various sources (e.g. systems of health boards within the NHS in Scotland and the Scottish Social Services Council (SSSC)); b. assist with the creation of prioritised cohorts for vaccination based on agreed population and health risk criteria; c. develop and manage the infrastructure and provide IT support for the Vaccinations Management Tool (VMT) on behalf of NHS health boards; d. create a digital system/tool to help care homes and other care organisations identify staff that need to be vaccinated with priority. | Yes, on a need-to-know basis only |
| The Common Services Agency for the Scottish Health Service (NHS National Services Scotland - NHS NSS) | NSS participates in the decision making bodies created within the COVID-19 Vaccination Programme. NHS NSS is responsible for the Case Management System (CMS), the appointment scheduling system, and the web portal for people to change their appointments. NHS NSS also operates the Vaccination Helpline through the National Contact Centre (NCC). NHS NSS is also responsible for providing citizens with the means to access their COVID-19 Vaccination Certificate either through the National Vaccination Scheduling System (NVSS) and/or the helpline. | Yes, on a need-to-know basis only |
| Social Security Scotland | Social Security Scotland (SSS) administer three benefits which allow for identification of unpaid carers, who need to be added to Cohort 6 for COVID-19 Vaccination. These benefits are carers allowance, child winter heating allowance and young carers grant. | Yes. Social Security Scotland is the source for this information |
| NHS Digital | NHS Digital provide the English vaccination booking service, and capture and manage vaccination events for people living in England, and provide COVID-19 Vaccination Certificates for English citizens. NHS Digital share data with NHS Scotland to ensure records within NCDS and your GP records reflect you have had a COVID-19 vaccination in England. Currently, if you have had one of your vaccination doses in England, and one in Scotland you will need to request separate certificates from each country. NHS Scotland share data with NHS Digital to ensure their records reflect you have had a vaccination in Scotland. Currently, if you have had one of your vaccination doses in England, and one in Scotland you will need to request separate COVID-19 certificates from each country. | Yes, on a need-to-know basis only |
| Scottish Local Authorities | For the Self-Isolation Support Grant. Responsible for the personal information contained in self-isolation certificates they receive. | Yes, only on a need-to-know basis through consent of the individual when contacted by contact tracers |
| Border Control Agencies | Responsible for the personal information citizens hand over when travelling abroad, or back into the UK. | Yes, information is supplied by the citizen when requested |
| Venues | Responsible for the personal information citizens supply either through the App, PDF or paper to enter premises. | Yes, information is supplied by the citizen when requested |

Please refer to the ‘Disclosures of your personal information’ table for more information on border control agencies and venues. They are controllers of data when scanning/accessing the data supplied to them by individuals.

Controllers' contact details

Any questions, comments, complaints or requests regarding your personal information can be sent to us using the following details.

If you need to contact the various Controllers involved in the Vaccination Programme, please refer to your rights and coronavirus vaccination and send your relevant request to the Data Protection Officer of that organisation.

Data Protection Officer’s contact details within NHS Scotland, including Public Health Scotland, NSS, NES, Health Boards and GPs.

To contact the Data Protection Officer at NHS Digital, email enquiries@nhsdigital.nhs.uk or phone 0300 303 5678.

Royal Mail Data Protection Officer’s contact details can be found here.

To contact Apple, click here.

To contact Google, click here.

For contact details about venues, information may be found on the internet or at the venue.

Terms we use

We use a number of complex terms and acronyms throughout our data and privacy policy to comply with legal requirements.

Glossary of words and acronyms we use

Aggregated

Aggregated data is high-level data that is acquired by combining individual-level data, for example grouping all people in a particular age band 16-45 years together or grouping all males together.

Anonymised

Anonymised data is personal data that has been de-identified to make it impossible for individuals to be re-identified.

Automated Processing

A processing operation that is performed without any human intervention.

AWS (Amazon Web Services)

A cloud computing platform provided by Amazon.

Caldicott Guardian

A Caldicott Guardian is a senior person within a health or social care organisation who makes sure that the personal information about those who use its services is used legally, ethically and appropriately, and that confidentiality is maintained.

CHI Number

The CHI number is a unique numeric identifier, allocated to each patient on first registration with the Service. The CHI number is a 10-character code consisting of the 6-digit patient date of birth (format: DDMMYY), two digits, a 9th digit which is always even for females and odd for males, and an arithmetical check digit.

CMS

Refers to the NHS Scotland National Contact Centre Case Management System.

Cohort

A group of people with a shared characteristic.

Controller

Any organisation which, alone or jointly with others, determines the purposes and means of the processing of personal information. Scottish Government, Public Health Scotland and NHS National Services Scotland are controllers in respect of personal information in connection with the app.

COVID-19 Vaccination Certificate or COVID-19 Status Certificate

At the moment the COVID-19 Status Certificate only includes vaccination details; therefore COVID-19 Vaccination Certificate and COVID-19 Status Certificate are terms used interchangeably.

It is a certificate showing that you have received a vaccine to reduce the spread of COVID-19. This certificate replaces the interim solution previously known as the Covid-19 Vaccination Record that follows European Union (EU) standards for certification.

You can use this as evidence of your COVID-19 vaccination status. You can either download a PDF version of this certificate yourself or request a paper copy from the NVSS Portal (you will need to log into your account to do so) or request that a paper copy is posted to you by phoning the dedicated free helpline on 0808 196 8565.

Information contained in this certificate includes Forename, Surname, Address (as registered with your GP), Full Postcode, Date of Birth, disease targeted, Date of Vaccination dose(s), Number of vaccination doses received, Administering centre (the venue where the vaccine was received), Vaccine used, Vaccine Medicinal Product used, Vaccine marketing authorisation holder or manufacturer, Batch number of the vaccine used, Date of issue of the record, Country of Vaccination and a unique 2D QR code (individuals who participated in a recognised clinical trial will receive a unique 1D reference bar code).

The COVID-19 Vaccination Certificate is to allow you (or an authorised person acting on your behalf) access to your vaccination status as part of your health vaccination record. This certificate is specifically to provide citizens with the ability to have their vaccination status for the purposes of immediate international travel where the visiting country has requested it.

If you decide to use this certificate for travel purposes, it is your responsibility to check the requirements of the country you are travelling to and to determine if this vaccination certificate is sufficient for access into that country.

This vaccination certificate is not proof of ID.

E-mail address

Your e-mail address is the electronic address used to deliver important information to you about the Vaccination Programme and may be used to contact you.

ID Document

An identity document (also called a piece of identification or ID) is any document that may be used to prove a person's identity.

ID document verification and Identity Verification (ID&V)

The process of verifying both the ID documentation used to prove identity, such as a Passport, and verifying the photos and selfie used to prove identity.

IP address

A numerical label assigned to a mobile device by the mobile phone or Wi-Fi service provider. It is typically made up of 4 sets of numbers (e.g. 192.168.0.50). As a consequence of how data traffic passes across the internet, the IP address is inevitably transferred to the app server.

National Contact Centre (NCC)

A service hosted within NHS NSS that supports the vaccination programme.

NHS Scotland

NHS Scotland currently employs approximately 140,000 staff who work across 14 territorial NHS Boards, seven special NHS Boards, one public health body and includes the Common Services Agency for the Scottish Health Service.

Each NHS Board is accountable to Scottish Ministers, supported by the Scottish Government Health and Social Care Directorates.

Territorial NHS Boards are responsible for the protection and the improvement of their population’s health and for the delivery of frontline healthcare services. Special NHS Boards support the regional NHS Boards by providing a range of important specialist and national services.

National Vaccination Scheduling System (NVSS Portal) also known as Covid Vaccination and Scheduling System Portal

This is the portal that allows citizens (or authorised persons acting on their behalf) to digitally re-schedule COVID-19 vaccination appointments or to request a COVID-19 Vaccination Certificate.

Personal information

Any information relating to an identified or identifiable individual who can be identified, directly or indirectly, from that information.

Processor

Any body which processes personal information on behalf of the controller.

Processing

Any action or operation which is performed on personal information (whether or not by automated means) such as collection, recording, storage, use, disclosure and destruction of personal information.

Pseudonymisation

Pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

QR Code

A machine-readable image that will be included within your COVID certificate containing encrypted personal information relating to your vaccination status.

Royal Mail

Royal Mail is responsible for delivering the vaccination appointment letters and paper copies of the COVID-19 Vaccination Certificate.

Self-identification

Occurs when the citizen declares they are part of a particular group (Cohort) as defined by the Joint Committee on Vaccination and Immunisation.

Self-Registration

Occurs when a ‘new’ previously unvaccinated person registers themselves on NVSS or contacts the helpline to register.

SMS (Short messaging system)

A text messaging service used by most mobile devices. It uses standardised communication protocols to enable mobile devices, apps and other information systems to exchange short text messages.