Personal information we process

We collect, use, store and transfer different kinds of personal information about you as indicated in the following table.

We will only use your personal information when the law allows us to do so and to the minimum extent possible.

This is the data we process and the purposes for which your personal information is used:

| Personal information | Additional details | Original source of data | Purpose |
| --- | --- | --- | --- |
| Vaccination cohort data | This includes information such as name, gender, age, unique personal identifiers (e.g. the CHI number), date of birth, eligibility criteria relevant to vaccination cohorts (e.g. shielding or household member, Healthcare or Social Care Worker, whether care home resident or staff, whether aged 80 and over, whether unpaid carer, care at home, etc.) | GPs, NSS, NES, Health Boards, SSSC (Scottish Social Services Council), Carehome managers and Social Security Scotland | Determining who needs to be vaccinated and prioritising vaccination cohorts, appointment scheduling and planning and reporting in connection with the COVID-19 Vaccination Programme. |
| Vaccination appointment data | This includes date and time of appointment and venue, including the SMS or email sent for confirmation. | NPCCD, provided by or on behalf of the patient or inputted by NHS staff user or GPs | Appointment scheduling and planning and reporting in connection with the Coronavirus Vaccination Programme. |
| Screening data | Including vaccinations history and suitability for vaccination. | Health practitioner | Appointment scheduling, vaccination management and planning and reporting in connection with the Coronavirus Vaccination Programme. |
| Consent data | Consent to receive the vaccine | This is received from the patient / a person with authority to provide consent on behalf of the patient | Vaccination management and legal compliance purposes |
| Opt-out data | Opt-out from receiving the coronavirus vaccine | Provided by or on behalf of the patient or inputted by NHS staff user or GPs | Appointment scheduling, vaccination management, planning and reporting across the NHS in Scotland in connection with the COVID-19 Vaccination Programme and legal compliance purposes. |
| Details of the vaccination given | Confirmation of inoculation, product and batch number, dose, date, administration method, part of the body and other relevant details. | Health practitioner | Vaccination management and planning and reporting in connection with the Coronavirus Vaccination Programme. |

Statistical and aggregated data

We may use aggregated vaccination data, which does not identify individuals, in order to:

  • provide evidence for planning and decision making
  • evaluate the national vaccination programme
  • provide routine regular statistical outputs for public accountability

Public Health Scotland will also use data held within the National Clinical Data Store (NCDS) for health surveillance purposes, and to inform disease prevention and control measures.

Scottish Government and NHS health boards also have access to a Management Information Dashboard, which does not contain patient-identifiable data.

This dashboard is used for daily operational purposes and supporting the Scottish Government and NHS Scotland in making swift decisions in the vaccination programme.

The other benefits of this dashboard are:

  • Standardised vaccination reporting across the health boards.
  • ‘Single source of truth’ in relation to vaccinations data across Scotland.
  • Near real-time (refreshed every 2 hours) and secure access to vaccination data.
  • Advanced means of monitoring of the vaccination process per health board.
  • Increased data accuracy as information will be held digitally, reducing manual error.

Reporting data is collected on a Scotland-wide and health board area basis as this is not considered personal information in law.

This data will not directly or indirectly reveal your identity. We may hold reporting data indefinitely.

Reporting data allows us and members of the public to have visibility of the uptake level and the potential of the vaccination to reduce the rate of spread of infections of coronavirus.

What are the lawful grounds for processing the data

These are the lawful grounds on the basis of which each controller processes your personal information for the above purposes:

| Data controller | Legal basis |
| --- | --- |
| Scottish Government | Necessary for performance of a task carried out in the public interest on the basis of The Public Health etc. (Scotland) Act 2008 section 1 (Duty of Scottish Ministers to protect public health) (GDPR Art 6(1)(e)) |
| | Necessary for reasons of substantial public interest for statutory and government purposes on the basis of The Public Health etc. (Scotland) Act 2008 section 1 (Duty of Scottish Ministers to protect public health) (GDPR Art 9(2)(g)) |
| | Necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services, on the basis of section 1 of The Public Health etc. (Scotland) Act 2008 (Duty of Scottish Ministers to protect public health) (UK GDPR Art 9(2)(h)). |
| | Necessary for reasons of public interest in the area of public health on the basis of The Public Health etc. (Scotland) Act 2008 section 1 (Duty of Scottish Ministers to protect public health) (GDPR Art 9(2)(i)) |
| | Necessary for scientific research or statistical purposes in the public interest (GDPR Art 9(2)(j)) |
| NHS National Services Scotland (NHS NSS) | Necessary for performance of a task carried out in the public interest on the basis of The National Health Service (Functions of the Common Services Agency) (Scotland) Order 2008 Section 2 (Functions of the Agency) (duty to provide services in support of the functions of Scottish Ministers, Health Boards or Special Health Boards) (GDPR Art 6(1)(e)) |
| | Necessary for reasons of public interest in the area of public health (GDPR Art 9(2)(i)) |
| Public Health Scotland (PHS) | Necessary for performance of a task carried out in the public interest on the basis of Public Health Scotland Order 2019 section 4 (Functions of the Board, in particular (d) the protection of public health including those specified in section 1 of the Public Health etc. (Scotland) Act 2008 (duty of Scottish Ministers to protect public health)) and The Health Protection (Coronavirus) (International Travel) (Scotland) Regulations 2020, Part 5 (Information Sharing - Power to use and disclose Information) (GDPR Art 6(1)(e)) |
| | Necessary for reasons of public interest in the area of public health (GDPR Art 9(2)(i)) |
| | Necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes (GDPR Art 9(2)(j)) |
| NES | It is necessary for the performance of a task carried out in the public interest (NHS Scotland Act 1978 – Part 1 2A (Duty of Health Board, Special Health Board…) and (4) Anything done by a Health Board or Special Health Board in pursuance of subsection (1) or (2) is to be regarded as done in exercise of functions of the Scottish Ministers conferred on |
| | (b) the Special Health Board by the order under section 2(1)(b) which constituted the Board |
| | Also: |
| | Part 1 (13) Co-operation between Health Boards and other authorities. In exercising their respective functions, Health Boards, HIS (as respects its health service functions only), local authorities, integration joint boards and education authorities shall co-operate with one another in order to secure and advance the health of the people of Scotland. |
| | DPA 2018 Schedule Part 1 paragraph 2 condition(s): Health or Social Care Purposes: |
| | 2(2) (a) preventive or occupational medicine |
| | (d) the provision of health care or treatment |
| | (f) the management of health care systems or services or social care systems or services |
| | 9(2)(j) Archiving, research and statistics |
| NHS health boards and GPs | It is necessary for the performance of a task carried out in the public interest (NHS Scotland Act 1978). The public task duty is established within Part 1 2A (Duty of Health Board, Special Health Board…) and the National Health Service (General Medical Services Contracts) (Scotland) Regulations 2018 (GMS 2018) respectively. |
| | The processing of special categories of data (Health) is undertaken for Health or Social Care Purposes: |
| | 2(2) (a) preventive or occupational medicine |
| | Art.9(2)(d) the provision of health care or treatment |
| | Art.9(2)(f) the management of health care systems or services or social care systems or services |
| | Art.9(2)(j) Archiving, research and statistics |
| Social Security Scotland | Necessary for performance of a task carried out in the public interest on the basis of The Public Health etc. (Scotland) Act 2008 section 1 (Duty of Scottish Ministers to protect public health) (GDPR Art 6(1)(e)) |
| | Necessary for reasons of substantial public interest for statutory and government purposes on the basis of The Public Health etc. (Scotland) Act 2008 section 1 (Duty of Scottish Ministers to protect public health) (GDPR Art 9(2)(g)) |
| | Necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services, on the basis of section 1 of The Public Health etc. (Scotland) Act 2008 (Duty of Scottish Ministers to protect public health) (UK GDPR Art 9(2)(h)). |
| | Necessary for reasons of public interest in the area of public health on the basis of The Public Health etc. (Scotland) Act 2008 section 1 (Duty of Scottish Ministers to protect public health) (GDPR Art 9(2)(i)) |
| | Necessary for scientific research or statistical purposes in the public interest (GDPR Art 9(2)(j)) |

Automated processing

No automated decisions take place during the processing of your personal data.

Disclosures of your personal information

Your personal information is shared with the parties set out below for the purposes/activities mentioned in the table.

| Organisation | Role in the vaccination programme | Data disclosed |
| --- | --- | --- |
| ServiceNow | ServiceNow is the organisation providing software services to NHS NSS. The software has been used to develop the Case Management System, the appointment portal system and the web portal. ServiceNow provides technical support under contract with the NHS National Services Scotland. | ServiceNow does not have access to your data. In exceptional circumstances, they may require indirect access to the databases or other parts of the system that hold your data to provide technical support services. |
| Albasoft | Albasoft is the organisation responsible for extracting data from the GP IT systems necessary for transferring vaccination cohorts data to the NCDS. Albasoft provides these services under contract with NES. | Albasoft has direct access to data within the GP IT systems as this is required in order to provide their service (extract the data and transfer to the NCDS). They perform this task within the NHS network. |
| Amazon Web Services (AWS) | NES have contracted Amazon Web Services (AWS) to provide cloud services. AWS provide and maintain the cloud infrastructure, including the network and operating systems to run the infrastructure and the associated services. | AWS does not have access to the NES AWS account being used to host the NCDS and therefore do not have access to any data processed. |
| Microsoft Azure | Azure is the cloud platform used by NES and NSS to provide cloud services for the various digital solutions used within the Coronavirus Vaccination Programme, including the NCDS and the Vaccination Management Tool (VMT). | Microsoft Azure does not have direct access to your personal data, but they host the information within their Cloud platform and undertake regular IT support services required to run their infrastructure. |
| GOV.UK Notify service (UK Government) | The Cabinet Office acts as a data processor for GOV.UK Notify. This service is used to send secure SMS and email notifications. GOV.UK Notify is built for the needs of government services. It has processes in place to protect user data. On Notify, SMS are encrypted. | GOV.UK Notify processes personal data necessary to send you the SMS or email confirming your scheduled appointment. |

Data retention

The data will be retained in line with the Scottish Government Records Management Health and Social Care Code of Practice (Scotland) 2020.

The standard retention period for master patient records is the lifetime of the patient and for 3 years after their death.

We hold aggregated and anonymised or pseudo-anonymised reporting data indefinitely.

GOV.UK Notify will retain the SMS or email sent to you for between 72 hours and 7 days, before it is deleted permanently.

International transfers

Your personal information is not transferred outside the UK.

Data security

Health boards must comply with the Security of Network and Information Systems (NIS) Regulations.

The Regulations also apply to organisations considered to be Digital Service Providers (DSPs).

We are strongly committed to doing all that we can to keep your data secure. We have set up systems and processes to prevent unauthorised access or disclosure of your data - for example, we protect your data using varying levels of encryption.

We also make sure that any third parties that we deal with keep all personal data they process on our behalf secure.