Personal information we process

This Privacy Notice covers processing in relation to the National Vaccination Scheduling Service which provides appointments for vaccination and the Covid Status Scheme which includes digital and non-digital routes to obtaining information on your vaccination status.

We collect, use, store and transfer different kinds of personal information about you as indicated in the following table. We will only use your personal information when the law allows us to do so and to the minimum extent possible.

Due to the different government documentation being accepted for ID document verification and identity verification purposes (e.g. all worldwide passports, EU (full) and UK driving licences (full or provisional)), it is not possible for us to know exactly what personal data will be available on these documents when they are provided and the photo taken and processed for identity verification checking.

The table below highlights the primary information we process and the purposes for which your personal information is used in the COVID-19 Vaccination Scheduling Service and Status Scheme:

Personal information Additional details Original source of data Purpose
Vaccination cohort data This includes information such as name, gender, age, unique personal identifiers (e.g. the CHI number), date of birth, eligibility criteria relevant to vaccination cohorts (e.g. shielding or household member, healthcare or social care worker, whether care home resident or staff, whether aged 80 and over, whether unpaid carer, care at home, etc.) GPs, NSS, NES, Health Boards, Care home managers and Social Security Scotland Determining who needs to be vaccinated and prioritising vaccination cohorts, appointment scheduling, and planning and reporting in connection with the COVID-19 Vaccination Programme. Some of this data will be used to provide information for your COVID-19 Vaccination Certificate and may be used for identity verification purposes, if you need to phone the helpline.
Vaccination appointment data This includes date and time of appointment and administering centre (venue), including the SMS or email sent for confirmation. Vaccination appointment data for the rescheduling function can only come from the National Vaccination Scheduling Service (NVSS) as the portal is only available for those who have been scheduled nationally (this applies only to mainland Scotland. Island communities should speak to their local health board). Vaccination appointment data for the Vaccination Certificate function comes from the NVSS. The NVSS is updated from the NCDS (National Clinical Data Store) (if the vaccination was scheduled nationally) or from the local clinical setting. This could be e.g. a GP setting, Pharmacy setting, or through the Board's own appointment services. Appointment scheduling, planning and reporting in connection with the Coronavirus Vaccination Programme, and to provide information on your COVID-19 Vaccination Certificate. If you forget your username for the NVSS portal, you may be asked to provide first date or second date of Vaccination to recover your username.
First Name and Surname (Last name) This is the Citizen’s First Name and Surname (last name) as they enter it in The Covid Status App. This will also appear on the NHS Scotland Covid Check App when scanning the unique 2D QR Codes. This is provided by the Citizen. It may also appear on documentation provided by the Citizen for identity verification purposes. To identify the Citizen’s CHI number (where possible), link to the Citizen’s Vaccination history, to make sure we provide the correct information on the Citizen’s Covid Vaccination Certificate, to perform identity verification checks to ensure the right citizen obtains their vaccination certificate.
ID Document Data This is the documentation the Citizen uses to prove their identity when using The App.
• Passport
• EU Driving Licence (Full)
• UK Driving Licence (full or provisional)
The documentation can be in date or expired.
These data may include:
• ID Document image
• ID Type (the type of document used for identity verification e.g. Passport)
• ID Subtype (if applicable) e.g. if driving licence used the subtype might be Provisional.
• Issuing Country (ID Country)
• Expiry Date (where available)
• Document Number
• Personal Number (passport only and if available)
• Health data may be present on the ID
Personal Data obtained from documents provided such as:
• First Name
• Last Name
• DOB
• Address
• Gender
• Nationality
• Personal Number of the document
Processing of other personal data may occur if present on the ID documentation provided (e.g. a blood group if such information is published on the ID).
This is provided by the citizen. This is used to perform Identity and Verification checks to ensure the Citizen is the person they are claiming to be so that we can be confident that we are sending the correct Covid Vaccination Certificate to the right person.
Date of Birth (D.O.B) This is the Citizen’s date of birth as they enter it in The App. This is provided by the Citizen.
It may also appear on ID documentation provided by the Citizen.
It is used to help identify the Citizen’s CHI number and to link to their vaccination history.
It may also be used to perform identity verification checks.
City and Country This is extracted from the residential address printed on the ID.
If Country is not present, or the address cannot be extracted, it will default to the issuing country of the document instead.
This is provided by the Citizen.
It may also appear on ID documentation provided by the Citizen.
This is used to perform identity verification checks.
Gender (this field must be completed; however, there is an option to ‘Prefer not to say’) This is the Citizen’s Gender that they identify with at their GP practice (if they choose to enter it on the App). This is provided by the Citizen.
It may also appear on ID documentation provided by the Citizen.
This is used to perform identity verification checks. May be used to improve the efficacy of the CHI Matching process to ensure that the correct record is matched.
CHI Number (Optional) This is the Citizen’s Community Health Index number (CHI).
It is a unique identifier used for health care purposes within Scotland.
Obtained from the Community Health Index database held by NHS National Services Scotland.
Or can be entered by the Citizen on the App.
This is used to link your Vaccination history to make sure we provide the Citizen with the correct information.
Screening data Including vaccinations history and suitability for vaccination. Health practitioner e.g. GP and/or Health Professional involved in your care. Appointment scheduling, vaccination management, and planning and reporting in connection with the Coronavirus Vaccination Programme.
Vaccination Consent data Consent to receive the vaccine Received from the Citizen/a person with authority to provide consent on behalf of the Citizen. Vaccination management and legal compliance purposes.
Opt-out data Opt-out from the Coronavirus Vaccination Programme Provided by the Citizen or by a person with authority to act on behalf of the Citizen. Inputted by NHS staff user or GPs. Appointment scheduling, vaccination management, planning and reporting in connection with the Coronavirus Vaccination Programme and legal compliance purposes.
Details of the vaccination given Confirmation of inoculation, product and batch number, dose, date, administration method, part of the body and other relevant details The person who administered your vaccination. Vaccination management. Planning and reporting across the NHS in Scotland in connection with the Coronavirus Vaccination Programme.
Username for Covid Vaccination scheduling and status portal (Login - Customer Service (nhs.scot)) The Username of the Citizen. This is contained within the appointment letter received by the Citizen only when Scheduled within NVSS. NHS National Services Scotland Can be used by the Citizen (or person with authority to act on behalf of the Citizen), in conjunction with their password to register via the Covid Vaccination scheduling and Status Portal. This allows access to the Re-booking function and the Vaccination Certificate. May also be used for identity verification purposes.
Password This is the password chosen by the Citizen (or person with authority to act on behalf of the Citizen) for the Covid Vaccination Scheduling and Status portal Citizen or person with authority to act on behalf of the Citizen. The Password is used in conjunction with the username to register, this allows access to the Re-booking function and the Vaccinations Certificate. It may also be used for identity verification purposes.
Address (As registered with your GP) Registered with the GP:
This is the address that will appear on the Vaccination certificate. If this address is incorrect you (or person with authority to act on your behalf) will need to inform your GP of your current and correct address.
Used for ID Documentation and ID verification purposes.
For Vaccination Certification:
Obtained from the Community Health Index database held by NHS National Services Scotland.
The Covid Status App:
Will be scanned by you for use in Identity Verification.
Will be used to post out details of the Vaccination appointment.
This is the address used to send a hard copy if requested.
Used for identity verification purposes via the helpline.
Address on ID documentation provided for Identity Verification purposes will be used to check your identity and used to ensure the correct Vaccination certificate.
Email address (Optional for NVSS Portal, mandatory for use of The Covid Status App) When registering with the Covid Vaccination Scheduling and status portal (NVSS Portal), this is an optional field. However, in order to allow the Citizen (or person with authority to act on behalf of the Citizen) to reset their password in future they must provide an email address when registering.
This is an email that must be entered by the Citizen to register for the App.
Citizen or person with authority to act on behalf of the Citizen. This can be used to register (but you can decide whether or not to provide it) and may be used for identity verification purposes. If you have self-registered it is important to keep this email address current as this could be one of the methods used to contact you (if you have selected it as such).
In the event the Citizen forgets their password, this email address is used to send a four digit passcode for entry to the App.
IP Address Internet Protocol (IP) address is a numerical label assigned to your device by the mobile phone or the Wi-Fi service provider. This is assigned to your device by your mobile phone or your router. This is automatically determined by your internet service provider. This allows the App to communicate with the Internet e.g. it ensures that the screens of the App use an appropriate language of the country the Citizen is in.
Source This is the source used to provide the selfie and images of documentation. WEBCAM would mean ID and selfie were captured using a web camera. This shows how the Citizen captured their identity and the method of how ID documentation and selfie were presented.
Phone number (optional) When registering with the Covid Vaccination Scheduling and status portal, this is a contained field which may be populated. This is the phone number of the Citizen or person with authority to act on behalf of the Citizen. Citizen or person with authority to act on behalf of the Citizen. This is used to register in NVSS (but you can decide whether or not to provide it) and may be used for identity verification purposes by the NVSS helpline or for contact purposes regarding Vaccination Certificate. It is important to keep this phone number current as this could be one of the methods used to contact you regarding your vaccination appointment, if you have selected that option. It may also be used by the test and protect staff to contact you. The number provided, if a mobile phone, will also be used to send an SMS stating to individuals that according to their health records, they are due a booster vaccine and should book one as soon as possible.
Personal Security Number (PIN) This is the PIN number as the Citizen has provided in The App. This is provided by the citizen. This is a security setting chosen by the Citizen to access the App.
Unique barcode reference ID If you were a recognised participant of a clinical trial looking into possible Covid-19 Vaccinations, this unique barcode reference ID is included on your Paper Covid Vaccination Certificate NHS NSS To allow the Covid Vaccination Certificate to be scanned to confirm that the information has been provided by a verified source
Last Activity Date (App) This is the date stored within Microsoft B2C to denote the last time of app use. Microsoft Azure This will be used to calculate the 180 day period before deletion due to inactivity.
Unique 2D QR Code (For international travel) The QR code contains Vaccination history for each covid vaccination dose, the Citizen’s first name and surname and date of birth.
These unique 2D QR codes are included on the Citizen’s Vaccination Certificate. A new unique QR code is produced each time a vaccination certificate is requested.
To allow the Covid Vaccination Certificate obtained via The App to be scanned to confirm that the information has been provided by a verified source.
Netcompany (a processor for NHS NSS) will create the unique QR codes. This appears on the Citizen’s vaccination certificate to ensure their vaccine history is protected against fraud e.g. if the certificate is changed the QR code cannot be changed and so when read the verifier will highlight the difference between the information held in the QR code and that in the certificate. The QR codes are digitally signed to verify authenticity.
Unique 2D QR Code (For Domestic Purposes) The QR code contains: First Name, Surname (last name), Member state of 3rd country in which the Domestic Pass was created, Issuer, Unique certificate identifier, Date Valid From, Date Valid until and Policy Mask (a number which indicates if a person is fully vaccinated or not) Netcompany will create the unique QR codes used for Domestic purposes. This appears on your vaccination certificate when used for Domestic purposes to enable the citizen to access domestic venues without the need to show all information present when using an International QR code. This also ensures the citizen's vaccination history is protected against fraud.
Vaccination certificate The Citizen can request a Vaccination Certificate to view their vaccination history. Their certificate may be downloaded by themselves (or person acting on their behalf) or sent via the post. The Vaccination Certificate will provide details of the Citizen’s name, address (as registered with their GP), Full Postcode, Date of Birth, disease targeted, Date of Vaccination dose(s), number of Vaccination doses received, administering centre (venue where vaccination was received), Vaccine used, Vaccine Medicinal Product used, Vaccine marketing authorisation holder or manufacturer, batch number of vaccine used, date of issue of Vaccination Certificate, Country of Vaccination, unique certificate identifier and unique 2D QR code. (Unless the Citizen was a clinical trial participant for a Vaccine that hasn’t been approved by the Medicines and Healthcare Products Regulatory Agency (MHRA) in which case they will have a unique 1D barcode.) The Vaccination Certificate is NOT proof of ID. The National Clinical Data Store (all data except unique barcode reference ID image).
Netcompany provide the unique 2D QR code. NHS NSS produce the unique 1D barcode.
To allow the Citizen (or authorised person acting on their behalf) to access their Vaccination Certificate as part of their health vaccination record. This certificate is specifically to provide Citizens with the ability to have their Vaccination Certificate for the purposes of immediate international travel where the visiting country has requested it.
It may be accepted as proof of vaccination. It is the Citizen’s responsibility to check the entry requirements of the country they are travelling to.
To allow the Covid Vaccination Certificate to be scanned to confirm that the information has been provided by a verified source.
Covid Status App use This is the Citizen’s confirmation when they click “yes” to the question “Do you agree to continue to access your Covid Status?” This is generated by The App after the Citizen clicks “yes”. To generate metric data.
Results from the NHS Scotland Covid Check App This confirms a citizen's vaccination status presented either as a ‘green tick’ or ‘status invalid’, ‘expired’ or ‘2D barcode not recognised’ within the Scanner App. This data is provided by the citizen, through presenting their QR code for scanning. To allow access to establishments.
Biometric Information
Image from Verified documentation
Processing of biometric information - 3D biometric profile created on the basis of the submitted selfie used for identity verification. The Citizen provides this information when requesting their Covid Vaccination Certificate via The App. For identity and verification purposes so that the right information is shared with the correct person i.e. the person who is requesting their vaccination certificate receives only their own vaccination certificate and does not receive anyone else's by mistake.
Ethnicity data This is the Citizen’s ethnicity as collected at the point of Vaccination via the Vaccination Management Tool (VMT). This field is mandatory for completion, but the Citizen has the option to answer the question, refuse to answer or answer don’t know. Provided by the Citizen or by a person of authority to act on behalf of the citizen. The purpose of the collection is to understand if public health services are delivered equitably, and assist us to reduce health inequalities in Scotland. We will take actions to improve services in response to the data collected and any analysis of the data will not have outputs that identify you.

Statistical and aggregated data

We may use aggregated (grouped) vaccination data, which does not identify individuals in order to:

  • provide evidence for planning and decision making
  • evaluate the national vaccination programme
  • provide routine regular statistical outputs for public accountability
  • identify the total number of vaccination certificates that have been produced

The NHS Scotland apps used for COVID certification purposes also provide the aggregated anonymous statistics as shown in the following table; this enables the Scottish Government and Public Health Scotland to better understand the use of the various digital technologies used to enable COVID certificates, the efficiency of these technologies and potential resources needed to improve their performance.

Statistics (Total number) | NHS Scotland COVID Status App | NHS Scotland Check App
Downloads | x | x
Unsuccessful CHI matches from the registration process of the | x |
Identities verified by the app | x |
Identities unable to be verified by the app | x |
COVID-19 certificates successfully retrieved by the app | x |
COVID-19 certificates unsuccessfully retrieved due to errors in the creation of the QR codes | x |
COVID-19 certificates issued (includes App, NVSS and NCC routes) | x |

Public Health Scotland will also use data held within the National Clinical Data Store for health surveillance purposes, and to inform disease prevention and control measures. Scottish Government and NHS health boards also have access to a Management Information Dashboard, which does not contain Citizen-identifiable data. This dashboard is used for daily operational purposes and supporting the Scottish Government and health boards within the NHS in Scotland in making swift decisions to inform the vaccination programme. The other benefits of this dashboard are:

  • standardised vaccination reporting across the health boards
  • ‘single source of truth' in relation to vaccinations data across Scotland
  • near real-time (refreshed every 2 hours) and secure access to vaccination data
  • advanced means of monitoring of the vaccination process per health board
  • increased data accuracy as information will be held digitally, reducing manual error

Reporting data is collected on a Scotland-wide and health board area basis as this is not considered personal information in law. This data will not directly or indirectly reveal your identity. We may hold reporting data indefinitely. Reporting data allows us and members of the public to have visibility of the uptake level of the vaccine and the potential of the vaccination programme to reduce the rate of spread of infections of coronavirus.

What are the lawful grounds for processing the data?

Other data controllers highlighted, i.e. venues, will disclose their lawful basis for processing in their own privacy notice.

These are the lawful grounds on the basis of which each primary controller processes your personal information for the above purposes:

Data controller Lawful Basis
Scottish Government (Scottish Ministers) Article 6
• Necessary for performance of a task carried out in the public interest on the basis of The Public Health etc. (Scotland) Act 2008 section 1 (Duty of Scottish Ministers to protect public health) (GDPR Art 6(1)(e)).
Article 9
• Necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services, on the basis of section 1 of The Public Health etc. (Scotland) Act 2008 (Duty of Scottish Ministers to protect public health) (UK GDPR Art 9(2)(h)) supplemented by The Data Protection Act (DPA) 2018, Schedule 1, Part 1, paragraph 2 - Health or social care purposes.
• Necessary for reasons of public interest in the area of public health on the basis of The Public Health etc. (Scotland) Act 2008 section 1 (Duty of Scottish Ministers to protect public health) (UK GDPR Art 9(2)(i)) supplemented by The Data Protection Act (DPA) 2018, Schedule 1, Part 1, paragraph 3 – Public Health.
• Necessary for scientific research or statistical purposes in the public interest (UK GDPR Art 9(2)(j)) supplemented by The Data Protection Act (DPA) 2018, Schedule 1, Part 1, paragraph 4 – Research etc.
NHS National Services Scotland (NHS NSS) Article 6
• Necessary for performance of a task carried out in the public interest on the basis of The National Health Service (Functions of the Common Services Agency) (Scotland) Order 2008 Section 2 (Functions of the Agency) (duty to provide services in support of the functions of Scottish Ministers, Health Boards or Special Health Boards) (GDPR Art 6(1)(e)).
Article 9
• Necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services, on the basis of The National Health Service (Functions of the Common Services Agency) (Scotland) Order 2008 Section 2 (Functions of the Agency) (duty to provide services in support of the functions of Scottish Ministers, Health Boards or Special Health Boards)) (UK GDPR Art 9(2)(h)) supplemented by The Data Protection Act (DPA) 2018, Schedule 1, Part 1, paragraph 2 - Health or social care purposes.
• Necessary for reasons of public interest in the area of public health (UK GDPR Art 9(2)(i)) supplemented by The Data Protection Act (DPA) 2018, Schedule 1, Part 1, paragraph 3 – Public Health.
• Necessary for scientific research or statistical purposes in the public interest (UK GDPR Art 9(2)(j) The Data Protection Act (DPA) 2018, Schedule 1, Part 1, paragraph 4 – Research etc).
Public Health Scotland (PHS) Article 6
• Necessary for performance of a task carried out in the public interest on the basis of Public Health Scotland Order 2019 section 4 (Functions of the Board, in particular (d) the protection of public health including those specified in section 1 of the Public Health etc. (Scotland) Act 2008 (duty of Scottish Ministers to protect public health)) and The Health Protection (Coronavirus) (International Travel) (Scotland) Regulations 2020, (Part 5 (Information Sharing - Power to use and disclose Information) (UK GDPR Art 6(1)(e)).
Article 9
• Necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of The Public Health etc. (Scotland) Act 2008 section 1 (Duty of Scottish Ministers to protect public health) and National Health Service (Scotland) Act 1978 (UK GDPR Art 9(2)(h) supplemented by The Data Protection Act (DPA) 2018, Schedule 1, Part 1, paragraph 2 - Health or social care purposes).
• Necessary for reasons of public interest in the area of public health (UK GDPR Art 9(2)(i)) supplemented by The Data Protection Act (DPA) 2018, Schedule 1, Part 1, paragraph 3 – Public Health.
• Necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purpose (UK GDPR Art 9(2)(j)) supplemented by The Data Protection Act (DPA) 2018, Schedule 1, Part 1, paragraph 4 – Research etc.
NHS Education for Scotland (NES) Article 6
It is necessary for the performance of a task carried out in the public interest (National Health Service (Scotland) Act 1978 – Part 1 2A (Duty of Health Board, Special Health Board…) and (4) Anything done by a Health Board or Special Health Board in pursuance of subsection (1) or (2) is to be regarded as done in exercise of functions of the Scottish Ministers conferred on (b) the Special Health Board by the order under section 2(1)(b) which constituted the Board. Also: Part 1 (13) Co-operation between Health Boards and other authorities. In exercising their respective functions, Health Boards, HIS (as respects its health service functions only), local authorities, integration joint boards and education authorities shall co-operate with one another in order to secure and advance the health of the people of Scotland. (UK GDPR Art 6(1)(e)). DPA 2018 Schedule 1 Part 1 paragraph 2 condition(s): Health or Social Care Purposes: 2(2) (a) preventive or occupational medicine (d) the provision of health care or treatment (f) the management of health care systems or services or social care systems or services.
Article 9
• Necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of The Public Health etc. (Scotland) Act 2008 section 2 (Duty of Health Boards to protect public health) and National Health Service (Scotland) Act 1978 (UK GDPR Art 9(2)(h) supplemented by The Data Protection Act (DPA) 2018, Schedule 1, Part 1, paragraph 2 - Health or social care purposes).
• Necessary for reasons of public interest in the area of public health (UK GDPR Art 9(2)(i)) supplemented by The Data Protection Act (DPA) 2018, Schedule 1, Part 1, paragraph 3 – Public Health.
• Necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purpose (UK GDPR Art 9(2)(j)) supplemented by The Data Protection Act (DPA) 2018, Schedule 1, Part 1, paragraph 4 – Research etc.
Social Security Scotland Article 6
Necessary for performance of a task carried out in the public interest on the basis of The Public Health etc. (Scotland) Act 2008 section 1 (Duty of Scottish Ministers to protect public health) (UK GDPR Art 6(1)(e))
Article 9
• Necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services, on the basis of section 1 of The Public Health etc. (Scotland) Act 2008 (Duty of Scottish Ministers to protect public health) (UK GDPR Art 9(2)(h)) supplemented by The Data Protection Act (DPA) 2018, Schedule 1, Part 1, paragraph 2 - Health or social care purposes.
• Necessary for reasons of public interest in the area of public health on the basis of The Public Health etc. (Scotland) Act 2008 section 1 (Duty of Scottish Ministers to protect public health) (GDPR Art 9(2)(i)) supplemented by The Data Protection Act (DPA) 2018, Schedule 1, Part 1, paragraph 3 – Public Health.
• Necessary for scientific research or statistical purposes in the public interest (GDPR Art 9(2)(j)) supplemented by The Data Protection Act (DPA) 2018, Schedule 1, Part 1, paragraph 4 – Research etc.
NHS territorial health boards and GPs Article 6
It is necessary for the performance of a task carried out in the public interest (NHS Scotland Act 1978). The public task duty is established within Part 1 2A (Duty of Health Board, Special Health Board…) and the National Health Service (General Medical Services Contracts) (Scotland) Regulations 2018 (GMS 2018) respectively. Also DPA 2018 Schedule Part 1 paragraph 2 condition(s): Health or Social Care Purposes: 2(2) (a) preventive or occupational medicine (d) the provision of health care or treatment 2(f) the management of health care systems or services or social care systems or services
Article 9
• Necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of The Public Health etc. (Scotland) Act 2008 section 2 (Duty of Health Boards to protect public health) and National Health Service (Scotland) Act 1978 (UK GDPR Art 9(2)(h) supplemented by The Data Protection Act (DPA) 2018, Schedule 1, Part 1, paragraph 2 - Health or social care purposes).
• The processing of special categories of data (Health) is undertaken for Health or Social Care Purposes: UK GDPR Art.9(2)(j) Archiving, research and statistics supplemented by The Data Protection Act (DPA) 2018, Schedule 1, Part 1, paragraph 4 – Research etc.
NHS Digital Information on NHS Digital’s lawful basis. For more information on why NHS Digital may be involved, please refer to the Controller’s table.
Scottish Local Authorities (self-isolation notice/certificate data only) Necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller on the basis of the local authority’s statutory functions in administering self-isolation support grants as per the Welfare Funds (Scotland) Act 2015 and the Welfare Funds (Scotland) Regulations 2016. (UK GDPR Art 6(1)(e)). Necessary for reasons of substantial public interest for statutory and government purposes on the basis of the local authority’s statutory functions in administering self-isolation support grants as per the Welfare Funds (Scotland) Act 2015 and the Welfare Funds (Scotland) Regulations 2016 (UK GDPR Art 9(2)(g)), and Schedule 1 Part 2 (para 10) of the Data Protection Act 2018 for preventing or detecting unlawful acts.

12 to 15 year olds

Children and young people aged 12 to 15 years old have been offered one dose of a COVID-19 Vaccination from Monday 20 September 2021. Individuals in this cohort who have specific underlying conditions and disabilities, will be offered 2 doses 8 weeks apart. 12 to 15 year olds can access their Vaccination Status through the NHS Inform portal and through the NCC helpline on 0808 196 8565.

NVSS portal

Specific workers can register within the portal in NVSS. This allows them to book an appointment and adjust their scheduled appointment time, date and location. They self-identify as part of their specific cohort. Self-registration will only include the necessary data to enable local health boards to perform their tasks, including coordinating the Flu and Covid vaccinations process across Scotland.

Medical exemptions

There's a very small number of people in Scotland who cannot be vaccinated for medical reasons.

People who've been identified as medically exempt will receive a paper certificate, as exemptions are currently not provided through the COVID Status App. Your paper certificate will allow you to attend events or access services throughout the UK in the same way as those who are fully vaccinated.

Those who do not receive a certificate will be able to apply for an exemption by mid-October.

Self-isolation support grant

If you are contacted as a positive case or as a traced contact, we will ask you for information as detailed below. We will also ask you for your consent for your contact information (including any language or other accessibility support you need) and vaccination status to be passed to your Local Authority to provide you with self-isolation support and/or help to access funding during self-isolation. We will not pass this information to your Local Authority without your consent. The information that will be shared is:

  • Name
  • Date of birth
  • Address, including postcode
  • Contact telephone number
  • CHI
  • Isolation start and end dates
  • Confirmation of consent for contact
  • Your Covid vaccination status (including date of 2nd dose where applicable)
  • Language or accessibility requirements in relation to being able to contact the individual (where known)

Local Authorities will use this information to identify you on their systems and then provide you with support and/or help to access funding during periods of self-isolation. For more information, please visit your Local Authority's webpage.

Booster vaccinations (reminder via SMS)

If, according to an individual’s health record, a Covid booster vaccination is due, a text message will be sent to the mobile phone number the individual has provided within the NVSS portal, stating they can now book an appointment and should do so as soon as possible. Text messages will be generated by NHS NSS. Please contact NHS NSS should you wish to understand more about the text message.

Automated processing

In order to pull your data from the NHS records to produce your vaccination status, we use automated processing, e.g. when matching you to your CHI record so that the correct vaccination history is matched to the right person. If the vaccination certificate you receive is not yours, you should contact the helpline on 0808 196 8565.

Biometric data

In order to provide you with your COVID Status, we are first required by law to verify your identity. In order to verify your identity, we use an approved ID verification supplier (Jumio) to complete a secure online ID verification process.

As part of the online ID verification process, you will be asked to present photo ID documentation (e.g. your driving licence, passport, etc.) to the app. Then, using your device’s camera to take a picture, and using Biometric ID verification technology, a verification process will be undertaken to decide whether or not you are the same person as is shown on the photo ID documentation you have provided. You may be asked for camera permission to scan your ID and take a selfie. This will determine whether you are then able to access your COVID Status through the App.

If this process verifies your identity, the personal data (such as your name and address) from your photo ID document will then be used and checked against the details held within an NHS Scotland database in order for us to locate and present to you, via the app, your COVID Status.

If, however, this process cannot verify your identity, you will still be able to obtain your COVID Status using alternative means, involving a manual process to verify your identity by our supplier Jumio. Should this not be successful, you will have the ability to obtain your Covid Status by calling the helpline or through the NHS inform portal.

Get a record of your vaccination status

The information provided by you as part of the online ID verification process (including both the photo ID documentation and your Biometric information) is only processed by our approved ID verification supplier for the minimum time required to provide this secure ID verification service. As soon as the ID verification is complete (and regardless of whether it has successfully identified you or not), the information provided by you is then securely deleted after 24 hours.

In the unlikely event that the online ID verification process has incorrectly identified you and, as a result, has retrieved records that are not yours, you should contact the helpline.

Please note that the secure, fully online ID verification process is subject to regular quality assurance and audit checks.

Disclosures of your personal information

Your personal information is shared with the following parties for the purposes/activities mentioned in the table supporting the COVID-19 Response.

| Organisation | Role in the vaccination programme | Data disclosed |
|---|---|---|
| Netcompany | Netcompany develops the unique 2D QR codes and provides support under contract with the NHS NSS on behalf of the Scottish Government. | Netcompany does not have direct access to the Citizen’s data. In their supporting role, in rare circumstances they may have access to personal data in the testing environment or to respond to technical problems. |
| Jumio | Jumio’s semi-automated service Jumio GO+ will be used to validate the identities of Citizens applying for their Covid Vaccination Certificate on behalf of NHS NSS. | All data provided by the Citizen during the ID Documentation and ID Verification process. |
| iProov | iProov liveness detection technology uses a brief, facial biometric scan to assure the identity and genuine presence of the Citizen during remote onboarding. This liveness process occurs when the Citizen is providing the photo and selfie when asked to by the App. | The Citizen’s selfie: facial recognition images. |
| Royal Mail | This service is used to deliver the vaccination appointment letters and the COVID-19 Vaccination Certificate. | Royal Mail does not have access to Citizens’ Vaccination Certificates; however, it is a recipient of your data. Royal Mail uses the Citizen’s name, address and postcode to deliver vaccination appointment letters or the Citizen’s Vaccination Certificate to the Citizen. |

The companies below provide support to the COVID-19 response as well as legacy systems within NHS Scotland. These services were already used to support NHS functions before the pandemic, and continue to form key functions in supporting NHS Scotland in delivering its services. These companies only host data under contract with NHS Scotland, which maintains control and ownership.

| Organisation | Role in the vaccination programme | Data disclosed |
|---|---|---|
| ServiceNow | ServiceNow is the organisation providing software services to NHS NSS. The software has been used to develop the Case Management System, the appointment portal system and the web portal. ServiceNow provides technical support under contract with the NHS National Services Scotland. | ServiceNow does not have access to the Citizen’s data. In exceptional circumstances, they may require indirect access to the databases or other parts of the system that hold the Citizen’s data to provide technical support services. |
| Albasoft | Albasoft is the organisation responsible for extracting data from the GP IT systems necessary for transferring vaccination cohorts data to the NCDS. Albasoft provides these services under contract with NSS. | Albasoft is the organisation responsible for extracting data from the GP IT systems necessary for transferring vaccination cohorts data to the NCDS. Albasoft provides these services under contract with NSS. |
| Amazon Web Services (AWS) | NES have contracted Amazon Web Services (AWS) to provide cloud services. AWS provide and maintain the cloud infrastructure, including the network and operating systems to run the infrastructure and the associated services. | AWS does not have access to the NES AWS account being used to host the NCDS and therefore do not have access to any data processed. |
| Microsoft Azure | Azure is the cloud platform used by NES and NSS to provide cloud services for the various digital solutions used within the Coronavirus Vaccination Programme, including the NCDS and the Vaccination Management Tool (VMT). | Microsoft Azure does not have direct access to the Citizen’s personal data, but they host the information within their Cloud platform and undertake regular IT support services required to run their infrastructure. |

Data retention

NHS Data will be kept in line with requirements for general practice master patient records as described in the Scottish Government Records Management Code of Practice for Health and Social Care (Scotland) 2020.

| Data held by | Retention |
|---|---|
| NVSS | Deleted 18 months after the date of second vaccination. |
| GP medical record | Vaccination history details will be included in the citizen’s GP medical record and those are kept for the lifetime of the data subject plus 3 years, as they are part of the data subject’s medical records. |
| NCDS | For data within the GP records it is “preserved for the lifetime of the patient, and at least three years after death” where the record is paper. If the record is electronic, the record should be kept in perpetuity. This is in line with the applicable records management code of practice (2020). |
| Data processed as part of the ID&V process by Jumio | Data held by Jumio and iProov will be retained for 1 day and then deleted. |
| Microsoft Azure | Retained for 180 days then deleted. As this includes the user’s email and password to The App (needed for signing in to The App), after 180 days the user will no longer have an account and will need to re-register. If a user does not wish to go through the registration process again they will need to log in at least once every 6 months. |
| UK Notify | Retains the SMS or email sent to you for between 72 hours and 7 days, before it is deleted permanently. |
| Royal Mail | Retains letters until they are delivered to the citizen. If the letters or Certificate cannot be delivered then Royal Mail will retain the certificate according to their own data protection policies. |
| NHS Digital | NHS Digital retain data in line with Records Management Code of Practice for Health and Social Care 2016 and NHS Digital Records Management Policy. If you are somebody who was vaccinated in England but resides in Scotland with a Scottish GP and want to know how long NHS Digital will retain your data for, please contact NHS Digital directly. |

Neither the Scottish Government nor Netcompany keeps any personal data. We hold aggregated and anonymised reporting data indefinitely.

International transfers

All NHS Scotland held data is processed within the EU and will be subject to UK Data Protection legislation. This data covers your Vaccination history.

Data used within the Identity Verification process of the App is processed within Europe. When manual intervention is needed, it is processed in India and Colombia. There is a contractual obligation on Jumio to bring this processing into the EEA within a reasonable timescale. Our supplier Jumio has assessed the data protection adequacy of their processors in Colombia and India and has provided assurances to NHS Scotland of security measures in place to protect data.

You may choose to share your personal information when travelling abroad as you show your COVID Vaccination Certificate (electronic or paper) to border control agencies abroad.

Data security

NHS Scotland must comply with the Network and Information Systems (NIS) Regulations. The Regulations also apply to organisations considered to be Digital Service Providers (DSPs). We are strongly committed to doing all that we can to keep your data secure. We have set up systems and processes to prevent unauthorised access or disclosure of your data; for example, we protect your data using varying levels of encryption. We also make sure that any third parties that we deal with keep all personal data they process on our behalf secure.