Your rights

Under UK GDPR and data protection laws, you have a number of rights that you can exercise around your personal data and the processing of it. These are:

  • The right to be informed
  • The right to access your personal information
  • The right to have personal information rectified if it is inaccurate or incomplete
  • The right to have personal information erased
  • The right to data portability
  • The right to restrict the processing of personal information
  • The right to object to processing

Your right to be informed

We must explain how we use your personal information. To do this we have produced this privacy notice and an easy read version can be found here

You can also speak to a health professional involved in your care.

Your right to access your personal information

You have the right to access and receive a copy of personal data we hold on you as part of the COVID-19 Vaccination Programme, including the processing of the COVID-19 Certification.

If you are only interested in the data we hold for your COVID-19 Certification, you can access it using the COVID-19 Status App at any time. 

For other information that we hold as part of the COVID-19 Vaccinations programme, you can submit a Subject Access Request (SAR) to the relevant controller of the data, as listed under the Controllers' contact details set out in this privacy notice. You can make a SAR verbally, or in writing including email. We may ask for more detail and proof of ID in your request to make sure the data is yours and will respond within one calendar month of the request being submitted.

Alternatively, if it is a copy of your vaccination certificate that you wish to obtain, this can be done by through NHS inform.

Get a copy of your COVID-19 vaccination certificate

NHS Scotland Covid Status App

The App gives you access to your Covid 19 Certificate, and at all times you should be able to access this in the first instance. If you are not able to, or are struggling to see your certificate please call the Covid-19 helpline on 0808 196 8565, or use the portal to request a PDF version.

Your right to have personal information rectified if it is inaccurate or incomplete

UK Data Protection laws allows for you to make a request to have inaccurate personal data rectified, or completed if you know it is incomplete or misleading as to any matter of fact.

If any data on your vaccination certificate is incorrect or incomplete, you should phone the COVID Status Helpline on 0808 196 8565. The helpline can only resolve issues in relation to vaccinations administered in Scotland.

You do not need middle name(s) for vaccination certificates or international travel. If your address on your certificate is out of date you can still use it for international travel, providing your name and date of birth are correct.

NHS Scotland Covid Status App

If the information displayed in the App is incorrect (for example if is not displaying all your COVID-19 vaccination doses, your name is incorrect, or any other details are incorrect) you should phone the COVID Status Helpline on 0808 196 8565.

Your right to have personal information erased

You have the right to request that your personal data is erased from the systems used in the COVID-19 Certification, known as ‘the right to be forgotten'. However, this right is not absolute and depends on the circumstances and legal bases used, for example if the processing is necessary for public health purposes in the public interest, then right to erasure will not apply.

NHS Scotland Covid Status App

Individuals can delete any data stored within their phones through their operating system deletion method. This App can be deleted like any other App on your phone, and once deleted it removes all personal data stored in your smartphone device.

Your right to data portability

Your information contained within QR codes can be scanned and used as part of your medical record in different countries.

If controllers are relying upon processing data using lawful basis 6(1)(e) the right to data portability will not apply.

Your right to restrict processing of personal information

You have the right to request the restriction of your personal data we hold for this processing. This means you can limit the way we use your data, and how it is used.

This is a qualified right and may not be able to be undertaken and will be dealt with on a case by case basis.

NHS Scotland Covid Status App

You can select the 'Sign-out' function in the settings and/or uninstall the app at any time through your phones deletion method. This will remove your data from the App and your phone, as well as the Microsoft B2C server, which stores your log in credentials.  

Your right to object to processing

Under UK GDPR, you have the right to object to the processing of your personal information in certain circumstances.

None of your personal information will be shared outwith the primary parties mentioned within this privacy notice, and it will never be sold on for marketing purposes

This is a qualified right and may not be able to be undertaken and will be dealt with on a case by case basis.

How to exercise your rights

If you would like to exercise your data protection rights, you can do this by contacting the relevant body for that personal information as follows:

Data Controller
NCDS Master Vaccination Record Either your Health Board or PHS
Appointment Scheduling data Either NSS, your Health Board or your GP. Please note that different health boards have different methods of scheduling appointments initially.
Your GP record data Your GP
Vaccination Record (Vaccination Management Tool - National system) Your Health Board
Vaccination Certificate (Local systems) Your Health Board or your GP
Vaccination Certificate to review your vaccination history NHS NSS through information provided by NES

If you wish to access your Vaccination Certificate you can do so by either logging on to the NVSS Portal using your unique Username and Password or by calling the dedicated NCC COVID-19 helpline on 0808 196 8565 or by using the NHS Scotland Covid Status App.

Further information about these rights and how to exercise them

Further information on how to access your Health Records

Contact details for specific data controllers if you have any specific questions

Your right to complain

If you are unhappy with any aspect of this privacy notice, or how your personal information is being processed in connection with your COVID-19 Vaccination Certificate, please contact The Scottish Government using the details set out in Controllers’ contact details.

If you have a query about anything that's the responsibility of a specific controller, please contact the Data Protection Officer of the organisation using the available contact details.

If you feel your information rights concern hasn't been resolved, you have the right to lodge a complaint with the Information Commissioner's Office (ICO).

The ICO is the supervisory authority responsible for data protection in the UK.

For further information, including independent data protection advice and information in relation to your rights, you can contact the Information Commissioner at:

The Information Commissioner
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Tel: 0303 123 1113

The ICO can also be contacted by e-mail at: icocasework@ico.org.uk.

Visit the ICO website to report any concerns.

Changes to this privacy notice

We keep our privacy notice under regular review.

This version was last updated on 19 October 2021.

Related and third party services and websites

Further information about how your data is processed across health boards within the NHS in Scotland in connection with various elements of the Vaccination Programme is available on: