National Vaccination Scheduling Service (NVSS) privacy notice

What is this privacy notice for?

The National Vaccination Scheduling Service (NVSS) is the name of the web-based portal allowing individuals (over 12 and living in Scotland) to:

  • book and reschedule appointments for COVID-19 vaccinations (and/or boosters)
  • book and reschedule appointments for the flu vaccination
  • view their COVID-19 vaccination history via the status tab
  • download a copy of a certificate showing their COVID-19 vaccination history (referred to in this privacy notice as a “COVID-19 vaccination certificate”)
  • request a paper copy of their COVID-19 vaccination certificate
  • download a copy of their COVID-19 recovery certificate for international travel (referred to in this privacy notice as a “COVID-19 recovery certificate”)
  • request a paper copy of their COVID-19 recovery certificate for international travel

When you use the NVSS, we will process personal data about you (which may be held on paper or electronically). We will treat it in a fair, secure and lawful manner.

In this privacy notice, we will explain:

  • what information we collect
  • when we collect it
  • how we use this in relation to NVSS

It also helps you understand your rights and how to contact us if you need more information.

You can choose whether to use the NVSS portal. If you don’t want to use the NVSS portal, you have an option to contact the National Contact Centre Helpline on 0800 030 8013.

Who are we?

A controller is an organisation that determines the means and purposes of the processing of personal information.

We are The Common Services Agency for the Scottish Health Service, more commonly known as NHS National Services Scotland (“NHS NSS” or “us” or “we”). We designed the NVSS and administer the NVSS as a controller.

A processor is an organisation responsible for processing personal data on behalf of a controller. We use a number of processors for the purposes of NVSS, all under contracts with NHS NSS.


ServiceNow

NHS NSS uses ServiceNow as a processor to provide software services. ServiceNow provides the IT platform on which information is stored but does not view or have routine access to your personal information.

In very exceptional and limited circumstances, ServiceNow may require indirect access to the databases or other parts of the system that hold personal data in order to provide technical support services to NHS NSS.

Microsoft Azure

Microsoft Azure provides IT systems that we use to coordinate and manage vaccinations. Microsoft Azure Cloud Services are used to host the platform on which the NVSS module sits. Microsoft Azure does not have direct access to your personal information.

Gov.Uk Notify

Gov.Uk Notify is used to send secure vaccination booking notifications back to you via email or text message when you’ve rescheduled your appointment via the portal or the National Vaccination Helpline.

The Notification Service has been built for the needs of government services. It has processes in place to protect your data (e.g. email and text messages are encrypted). Staff have Security Check (SC) clearance from United Kingdom Security Vetting (UKSV).

Google Maps

Google Maps is used in the scheduling process to map your postcode to the nearest vaccination clinic. Google Maps will be provided with two postcodes (one for the home address and one for the clinic) through ServiceNow. Only the IP address of ServiceNow’s server will be visible to Google Maps.

How does NVSS work?

Registering for an account

You must register with the NVSS to be able to access and use the NVSS portal to:

  • book and rearrange vaccination appointments
  • obtain a digital or paper copy of your COVID-19 vaccination certificate

You’ll be provided with a unique username on your initial vaccine appointment letter and you’ll be asked to enter it along with certain basic demographic information, including personal and contact details.

You’ll also receive your username in your SMS when you book or reschedule an appointment online.

If you forget your username for the NVSS, you’ll be asked to provide details like the date of your first or second vaccination, in order to recover your username.

Email/SMS communications

When you register for the portal, we’ll check if you’re happy for us to use your email and telephone number to send you information about your vaccination appointments via email or SMS. 

We may also contact you via email or SMS to invite you to self-book an appointment when you are eligible to book.

Paper communications

Any paper communications we send to you, like appointment letters and the paper copy of your COVID-19 recovery certificate or COVID-19 vaccination certificate, will be sent using Royal Mail. Royal Mail does not have access to your vaccination or appointment information. It uses your name and address to deliver letters to you.

What personal information are we using?

You’ll provide the following information when you register to use the NVSS.

  • Account information:
    • unique username – this is contained within the appointment letter you will have received, or in any text messages for booking or rescheduling your appointment
    • password – this is a password chosen by you (or on behalf of you if you have asked someone else to set up your account)
  • Identity information:
    • Community Health Index (CHI) number (your unique NHS number), if you know this
    • surname*
    • first name*
    • date of birth*
    • sex* (as held by your GP practice)
  • Contact information:
    • home address (as registered with your GP)
    • postcode*
    • contact telephone number
    • contact email address
    • communications preference (telephone or email)
  • Other:
    • ethnicity* (mandatory, but there is an option of “prefer not to say” or “don’t know”)

*The items above marked with a star are mandatory. Without providing these, you will not be able to access and use the NVSS.

The following information is obtained from other sources:

  • Cohort information: this information is obtained from your local Health Board, GP, Public Health Scotland and/or Social Security Scotland.
    • eligibility criteria relevant to vaccination cohorts (e.g. shielding or household member, healthcare or social care worker, care home resident or staff, whether unpaid carer, care at home and age/health condition based cohorts)
  • Appointment information: this information is obtained from your scheduled appointment or the appointment you have booked or rescheduled via the portal.
    • date of appointment
    • time of appointment
    • administering centre
    • SMS or email sent for confirmation of appointment
  • Vaccine consumption record: this information is obtained from the National Clinical Data Store (NCDS), a database controlled by Public Health Scotland (PHS) and NHS Education for Scotland (NES).
    • vaccination name
    • vaccination dose
    • vaccination status
    • vaccination dates
  • Recovery status:
    • first name
    • surname
    • address
    • postcode
    • date of birth
    • date of positive test result
    • disease type (COVID-19)
    • country of test
    • recovery status valid from date (the date the recovery period starts is day 11 after a positive test)
    • recovery status
    • recovery status valid to date (the date the recovery period ends is calculated as the day the positive test was taken plus 180 days)

If you are not able to provide your CHI number, we may use other information you have provided to retrieve your CHI number from the Community Health Index database, also maintained by us. The Community Health Index stores details of all patients registered with GP Practices in Scotland. This is necessary to ensure that your records are accurate and kept up to date.

If you have had a COVID-19 vaccination in England, NHS Digital (formerly known as the Health and Social Care Information Centre) will share confirmation of this to ensure that your clinical records in Scotland are up to date.

If you have had a COVID-19 vaccine within the UK other than through NHS Scotland, you can also submit evidence to update your vaccination record online. You can also contact the National Contact Centre, another service hosted within NHS NSS which supports the COVID-19 contact tracing function, via email at

We also publish information about the number of vaccines given in Scotland and other anonymous statistics for public understanding. These statistics are always provided in non-patient identifiable form and so we carry out a process known as “anonymisation” to turn your personal data into anonymous information so that you are no longer identifiable when this is used for statistical purposes.

What is our lawful basis to use your information?

We have a legal obligation to protect the health of the people in Scotland, and the COVID-19 and flu vaccines play a key role in helping us do this.

NHS NSS relies on the following lawful basis to collect and use your personal data in the provision of the NVSS:

  • UK General Data Protection Regulation (UK GDPR) Article 6(1)(e) – the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in NHS NSS

Our conditions for processing information about your health, and any other sensitive information about you, are as follows:

  • UK GDPR Article 9(2)(h) – the processing is necessary for the purposes of preventive or occupational medicine, the provision of health or social care or treatment or the management of health or social care systems and services, supported by Schedule 1, Part 1, paragraph 2 of The Data Protection Act 2018
  • UK GDPR Article 9(2)(i) – the processing is necessary for reasons of public interest in the area of public health, like protecting against serious cross-border threats to health, supported by Schedule 1, Part 1, paragraph 3 of The Data Protection Act 2018
  • UK GDPR Article 9(2)(j) – the processing is necessary for archiving purposes in the public interest, or scientific and historical research purposes, supported by Schedule 1, Part 1, paragraph 4 of The Data Protection Act 2018

How will my personal data be shared?

Your personal data will only be shared if it’s necessary to do so and subject to technical and organisational measures to protect it. Any organisation that receives the data will also be responsible for ensuring the data is handled safely, securely and that they always comply with data protection law.

In addition to the processors mentioned above who provide services in relation to the NVSS, NHS NSS will share your personal data with the following organisations, for the purposes stated below.

NHS Scotland Health Boards

We share your personal data with NHS Scotland Health Boards as part of their public health duties. Health Boards are responsible for vaccinating the population in their territorial area. GPs assist the Health Boards in this responsibility. Health Boards have been given access to the NVSS to make appointments for their own patients. They cannot see any other Health Board’s patients’ information.

Public Health Scotland (PHS)

PHS is one of the controllers of the NCDS, which stores vaccination records for people living in Scotland. NVSS sends ethnicity data to an ethnicity database, which PHS then uses for research and statistics. The reports contain anonymous statistical information only and do not contain any details that could identify you. These reports are shared with the Scottish Government and NHS Scotland Health Boards.

NHS National Education for Scotland (NES)

Along with PHS, NES is a controller of the NCDS. NHS NES also assist with the creation of prioritised cohorts for vaccination based on agreed population and health risk criteria.

NHS NES also receive an extract of the appointments for each clinic to their Vaccination Management Tool (VMT). The VMT has been created by NHS NES to allow for the recording and verification of individuals upon their arrival at the clinic together with details of each vaccination dose given.

NHS Digital

NHS Digital provides the English vaccination booking service, and captures and manages vaccination events for people living in England. We share data with each other for patients who have had a COVID-19 vaccination(s) in England but now require a COVID-19 vaccination certificate in Scotland.

How long will my personal data be kept?

The personal data held as part of the NVSS will be retained for 18 months after your last vaccination.

Vaccination data used within NVSS forms part of your health record, and will be kept by your Health Board and GP for your lifetime, plus 3 years.

Where does my personal information go?

Your data will be stored securely on NHS Scotland servers within the United Kingdom. We will not share your personal data outside the United Kingdom.

What are my rights?

Under the UK GDPR and Data Protection Act 2018, you have the following rights:

  1. The right to be informed.
  2. The right of access.
  3. The right to rectification.
  4. The right to erasure.
  5. The right to restriction of processing.
  6. The right to data portability.
  7. The right to object.
  8. Rights in relation to automated decision-making.
  9. The right to lodge a complaint with the supervisory body.

Some of these rights are not absolute and may not apply in all circumstances. Requests are considered on a case-by-case basis.

Exercising your rights

If you have questions, complaints or you would like to exercise your rights described above, the contact information you need is noted below.

NHS National Services Scotland

For details on your rights and how to exercise them for personal data processed by NHS NSS please refer to the data protection notices on: 

NHS NSS Data Protection Officer (DPO)


Gyle Square

1 South Gyle Crescent


EH12 9EB

0131 275 6000

Information Commissioner’s Office

To raise a complaint with the Information Commissioner’s Office (ICO) as the supervisory body in the UK, contact:


Wycliffe House

Water Lane




0303 123 1113

Last updated:
12 January 2023