Vaccine Service – Privacy Notice
PRIVACY NOTICE – VACCINE MANAGEMENT SYSTEM (for COVID-19 and Flu)
Version 2.9 – (Last Updated November 2022)
The Department of Health (DoH) circular HSS(MD)82/2020 ‘Deployment of the COVID-19 Vaccine in Northern Ireland’ (7 December 2020) sets out the public health measures to be put in place to help contain and reduce the spread of COVID-19 by the administration of COVID-19 vaccinations to the Northern Ireland population.
The Public Health Agency (PHA), with support from HSC Trusts and General Medical Services, including Community Pharmacies, is responsible for the implementation of the NI COVID-19 Vaccination and Seasonal Flu Programmes.
The PHA and DoH are joint data controllers for the Vaccination Management System (VMS), under the Data Protection Legislation, which includes UK General Data Protection Regulation (GDPR) and UK Data Protection Act 2018.
The PHA is operationally responsible for the Vaccine Management System (VMS), where COVID-19 vaccine (including booster doses) and Flu vaccine records from 2021 will be stored, and for all processing of personal data on VMS. However, as SPPG within DoH represent the interests of GPs who are integral to the data fed into the VMS, the SPPG within DoH will maintain a controller and oversight role in relation to VMS data, including in jointly deciding the means and purposes of processing along with PHA, as well as who should have access to VMS data. However, PHA will manage the system and the data processing independently on a day-to-day basis and will be the contact point for any individual who wishes to access their data, or exercise any of their data subject rights.
This privacy notice describes the type of personal data collected and held for both the COVID-19 Vaccination and Flu vaccine Programmes on the Vaccine Management System (VMS) for Northern Ireland, the way that your data is used and your rights in respect of this.
2. COVID-19 Vaccination Programme
The COVID-19 Vaccination Programme is designed to enable the population of Northern Ireland to access COVID-19 vaccinations to develop immunity to the SARS-CoV-2 virus.
The Joint Committee on Vaccination and Immunisation (JCVI) has set out a prioritisation for persons at risk. JCVI ranked the eligible groups according to risk, largely based on prevention of COVID-19-specific mortality. Further information on the phasing of vaccinations for particular groups of the population will be advised by JCVI and DoH and will be published by the PHA here.
The COVID-19 vaccine will be administered by registered clinical staff trained in vaccination procedures.
All SMS and email appointment confirmation and reminder messages come from HSC vaccine to the mobile or email address supplied at booking. If you use the online system you will receive confirmation of your appointment bookings and reminders of your appointments either by email or text SMS.
The messaging mechanism may also be used for the purposes of Vaccine ‘Recall’, which involves sending reminders, via text SMS or email, to citizens who had previously had a vaccine to advise that they may be eligible for another vaccine.
For those residents in nursing and residential care no booking will be required as mobile teams of vaccination staff will visit individuals at home on a set day.
Further information on the NI COVID-19 Vaccination Programme can be found at: COVID-19 Vaccination Programme questions and answers | HSC Public Health Agency (hscni.net)
3. The Flu Vaccination Programme
Seasonal changes in the influenza (flu) virus occur and it is for this reason that annual vaccination against flu is recommended in certain groups who are either at risk of the complications of flu, or at risk of passing flu on to people at risk of developing complications. Every year the Chief Medical Officer in Northern Ireland issues a letter outlining who is eligible to receive the flu vaccine under the seasonal influenza programme.
Flu immunisation is one of the most effective interventions healthcare can provide to reduce harm from flu and pressures on health and social care services during the winter. It is important to increase flu vaccine uptake in clinical risk groups because of increased risk of death and serious illness if people in these groups catch flu.
In previous years only around half of patients under 65 years in clinical risk groups have been vaccinated. Influenza during pregnancy may be associated with increased risk of infant death before or after birth, prematurity, smaller neonatal size, lower birth weight and increased risk of complications for mothers.
Vaccination of health and social care workers protects them and reduces the risk of spreading flu to their patients, service users, colleagues, and family members. In addition, by preventing flu infection through vaccination, secondary bacterial infections such as pneumonia are prevented. This year high uptake of flu vaccine is even more crucial than ever. Those most at risk from flu are also the most vulnerable to COVID-19 related morbidity and mortality. There is evidence that co-infection of COVID-19 and flu can increase mortality.
From 2021 the PHA will use the VMS to record flu vaccinations. Capturing flu vaccination data on the VMS simplifies the effort required by GPs to capture the information, thus saving them time, and allowing them to treat more patients.
4. Why are you processing my personal information?
Your personal information is used for the following purposes:
- confirming the appointment at your GP, Community Pharmacist, or regional vaccination centre (if that is where you are having your vaccination)
- performing a security and ID verification at the vaccination centre for COVID-19 vaccinations
- processing your vaccination
- sharing the details of your vaccination with your GP
- sharing the details of your vaccination if you request a COVID-19 certificate (see separate Privacy Notice for Covid Certification Service (CCS)).
- undertaking quality assurance of the vaccination process including clinical procedure and patient data entry in VMS
- analysis to support operational decisions to improve the vaccination process, such as:
- day-to-day use, for example whether someone attended their appointment;
- to inform regional vaccination centres of improvements to the vaccination process, for example to manage capacity or follow up on serious adverse effects;
- support logistics planning;
- observation to identify trends in the uptake, efficacy, and effectiveness of both the flu and COVID-19 vaccines.
Identifiable data will be used by the PHA from the VMS for health protection purposes. Anonymised information gathered will be used for reports and the production of official statistics and helps to inform DoH policy.
Flu vaccination data will be used by the PHA for the purposes of managing flu vaccine efficacy, effectiveness and for population health management.
Disease observation and monitoring is a core public health function of the PHA. Health bodies need to make sure they have the right information available to them at the right time to inform decisions and actions across the public health system. This helps the PHA to control the spread of COVID and reduce the impacts of flu.
Observation involves gathering a wide variety of anonymised data about a disease from a range of sources, to provide us with situational awareness. This also applies to the uptake of COVID-19 and flu vaccinations. This is then used to inform public health action to help prevent and control both diseases. This will also allow data linkage with other datasets to monitor the impact of COVID-19 on health services e.g. in-patient admissions, intensive care admissions, long COVID.
5. What information is collected?
Data to be collected
When you book your vaccine appointment you will be asked to provide the following information:
- First name
- Family name (last name)
- Date of birth
- Health and Care Number (this can be found on any letter from HSC, any prescription or medical care record)
- Contact telephone number
- Email address
- GP name and practice
At the vaccination appointment the following information will be collected and added to the vaccine management system:
- Date of vaccination
- Dose number
- Batch numbers for each vaccine
- Any conditions you may have that are considered high risk
- Your pregnancy status
For people employed in health and social care additional information will be collected for those being administered a COVID vaccine:
- Place of work
- Job role
- Staff Number
- RQIA home code
For vaccinations administered in nursing homes where the online booking has not been required the demographic details will be collected at the time of vaccination.
For COVID-19 vaccines you may also be asked to provide some additional information about yourself when you attend for vaccinations by the person vaccinating you, for example confirmation you have no symptoms or other reasons why you may have to defer your vaccination.
Please note that both Flu and COVID-19 Vaccination Programmes will never:
- Disclose any personal or health/medical information provided by you to anyone other than the PHA, your GP practice patient record system or the processors listed in Annex A. Additionally, for Health and Social Care (HSC) staff, Occupational Health will hold a record of your vaccination; anonymised data will be shared with HSC employers as management reports on vaccine uptake.
- Ask you to dial a premium rate number (for example, those starting 09 or 087) to speak to us;
- Ask you to make any form of payment or purchase a product of any kind;
- Ask for any details about your bank account;
- Ask for your social media identities or login details, or those of your contacts;
- Ask for any passwords or PINs, or ask you to set up any passwords or PINs over the phone;
- Ask you to download any software to your PC or ask you to hand over control of your PC, smartphone or tablet to anyone else;
- Ask you to access any website or smartphone application that does not belong to the Government, or HSC.
6. The lawful basis for processing your personal information
The lawful basis for processing your personal information under the UK GDPR and Data Protection Act 2018 is:
- UK GDPR Article 6(1)(e) – the processing is necessary for the performance of official tasks carried out in the public interest.
The DoH – SPPG plans and oversees the delivery of health and social care services for the population of Northern Ireland. The Group is part of the Department of Health and is accountable to the Minister for Health. It is responsible for planning, improving and overseeing the delivery of effective, high quality, safe health and social care services within available resources.
The PHA – provides strategic oversight and coordination of the implementation and ongoing delivery of regional vaccination programmes; provision of resources for health professionals and the public; interventions to improve uptake; disease and vaccine coverage surveillance; investigation, and management of cases, outbreaks and other immunisation incidents; and provision of expert advice to policy makers, commissioners, providers and the public.
In this instance the public task relates to the functions of the Public Health Agency which the Agency exercises on behalf of the Department of Health as outlined in the Health and Social Care (Reform) Act (Northern Ireland), 2009, section 13:
(a) the health improvement functions mentioned in subsection (2);
(b) the health protection functions mentioned in subsection (3); and
(c) obtaining and analysis of data and other information in subsection (4).
The data collected on the Vaccination Management System includes personal data. Some of this data relates to health data which is described as ‘special category data’ in UK GDPR. In relation to that processing, the following UK GDPR conditions apply:
- Article 9(2)(h) – the processing is necessary for medical diagnosis, the provision of health treatment and management of a health and social care system.
- Article 9(2)(i) – the processing is necessary for reasons of public interest in the area of public health.
- Article 9(2)(j) – the processing is necessary for archiving purposes in public interest – scientific/historical research purposes.
- Data Protection Act 2018 – Schedule 1, Part 1 (2) – Health or Social Care Purposes
- Data Protection Act 2018 – Schedule 1, Part 1 (3) – reasons of public interest in the area of public health
- Data Protection Act 2018 – Schedule 1, Part 1 (4) – reasons of public interest in the area of public health research.
7. How will my data be processed?
Under UK GDPR Article 5(1)(f) all data will be processed in a manner that ensures appropriate security of your personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
The Vaccination Management System is hosted in the secure isolated cloud storage solution provided by Microsoft within the UK. Data is processed within the secure HSCNI network. Access to the systems is restricted and governed by firewalls and only known authorised user accounts can gain access. All data processors involved in the processing of your data are listed at Annex A and their processing is governed by UK GDPR compliant contracts, agreements and/or MoUs.
8. Where do you get my personal data from?
Much of the data we use will have been provided directly by you when you book your COVID-19 or Flu vaccination appointments (or by someone who booked it on your behalf) and from clinical data entered into the system at the time of your vaccination. Data on other medical conditions you may have will come from other Health and Social Care (HSC) systems including GP records.
The Vaccine Management System will receive data directly from:
- Information you provide when booking your appointment and when attending for your vaccination;
- GP Clinical Systems when they administer your vaccine or booster
- Community Pharmacy Systems when they administer your vaccine or booster.
All SMS text and email appointment confirmation and reminder messages come from HSC vaccine to the mobile or email address supplied at booking for COVID vaccinations. If attending your GP or a pharmacy for vaccination they will provide this information to you personally.
9. Do you share my personal data with anyone else?
Yes. To help us provide the best service for you, we will share the record of your vaccination(s) with your GP, through a secure transfer of digital data to your GP patient record system.
Your data will also be shared with the data processors listed at Annex A for the purposes of the delivery of the VMS.
Anonymised data will be shared with HSC employers as management reports on vaccine uptake.
10. Do you transfer my personal data to other countries?
VMS has enabled secure cross-sharing of vaccination records between Northern Ireland and England and intends to enable a similar mechanism for Scotland and Wales. If you have received your vaccine outside of Northern Ireland but are registered with a GP in Northern Ireland, or if you have received your vaccine in Northern Ireland but are registered with a GP in another UK jurisdiction, VMS will securely transfer your records.
Non identifiable and aggregated data is shared with other countries in line with International Health Regulations (2005) part VIII, Article 45, Treatment of Personal Data, such as Public Health England for the purposes of UK national vaccination surveillance.
11. How long do you keep my personal data?
We will only retain your data for as long as necessary, in line with our Retention and Disposal Schedule and specific guidance issued by the Department of Health in Northern Ireland (Good Management, Good Records) which can be found here.
12. What rights do I have?
- We provide information on the collection and use of your personal information, through this Privacy Notice, the VMS Data Protection Impact Assessment, and through a range of public information on the PHA website. COVID-19 Vaccination Programme questions and answers | HSC Public Health Agency (hscni.net)
- We only hold information about you that we need. You can ask for copies of the information that we hold about you.
- You can ask us to make changes to information we hold about you if you think that it is wrong.
- As the data collected in the Vaccine Management System form part of your clinical record, the right to erasure is partial and only applies to erasure of pieces of information no longer required by the HSC during provision of treatment.
- You can ask us to stop processing information about you, however this will not always be possible as information will still need to be processed for the purpose of your clinical care and public health protection.
- Other than for the planned transfer of your data to your GP record, it will not be possible to transfer your data to another organisation if requested.
- If you are not happy with what we do with the information we hold about you, you can speak to us about this.
- We use computers to hold and look at your information, but we do not use automated individual decision-making.
If you wish to exercise or ask us about any of these rights please contact the PHA Data Protection Officer (see email address below).
If you want more detailed information on these rights this can be found on the ICO website, at: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/
13. How do I complain if I am not happy?
If you are unhappy with any aspect of this privacy notice, or with how your personal information is being processed, please contact the Data Protection Officer at the following address:
PHA Data Protection Officer:
Should you have any concerns about how your data has been handled or remain dissatisfied with any response regarding the processing of your personal data, you can raise these concerns with the ICO, as follows:
Information Commissioner’s Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK0 5AF
Tel: 0303 123 1113
Changes to this Privacy Notice
This Privacy Notice will be kept under regular review and any updates will be placed on our website.
Annex A – VMS Data Processors
All data processors are appointed under Data Processors Agreements in compliance with Article 28 of the UK GDPR, either via UK GDPR compliant contracts, or Memorandum of Understanding (MoU).
Under the terms of these arrangements PHA is the data controller responsible for assessing that all processors listed below are competent to process personal data in line with UK GDPR requirements. This assessment will consider the nature of the processing and the risks to the data subjects.
Under Article 28(1) PHA will use only processors that can provide “sufficient guarantees” (in terms of their expert knowledge, resources, and reliability) to implement appropriate technical and organisational measures so that the processing complies with the UK GDPR and protects the rights of individuals. Contracts or Memoranda of Understanding (MoUs) will be in place to govern relationships with the data processors, which set out the obligations of each party and the data controllers’ obligations and rights regarding the data that is being processed. All contracts adhere to established BSO Procurement and Logistics Services (PaLs) processes and legal input provided by BSO Department of Legal Services (DLS).
All data processing takes place within the UK and as such is subject to legislation in the form of the UK GDPR.
The following provides a list of data processors involved in delivery of the system.
- Kainos is a system integrator providing the VMS platform for storage and processing of vaccination records.
- APTVision are a medical systems software development company chosen to develop the VMS booking and scheduling platform and are responsible for the configuration of the booking system and interim VMS database. They are regarded as a processor. APTVision will provide support on an ongoing basis to the VMS booking system for the duration of its operation, as part of their contract. Their services are delivered via UK GDPR compliant G-Cloud contracts.
- BigMotive are a software development company who were chosen to develop the VMS user interface and are responsible for the configuration of the VMS webforms and are regarded as a processor. BigMotive will provide support for user experience (UX) design on an ongoing basis for the duration of the VMS operation, as part of their contract. Their services are delivered via UK GDPR compliant contracts.
- Business Services Organisation (BSO) is a statutory organisation providing services as a data processor. BSO are responsible for monitoring and managing all Microsoft contracts as commissioned and monitored by PHA. They are responsible for all VMS environments user access and provision of new user hardware (PC and phones). BSO ITS are responsible for the supply and maintenance of user hardware. PHA have overarching SLAs with the BSO for services including ITS. Their services are managed via appropriate agreements with PHA.
- Belfast Health and Social Care Trust (BHSCT). BHSCT is a statutory organisation providing VMS services as a processor. BHSCT host the VMS application on their infrastructure.
- Microsoft are responsible, within the Microsoft Azure environment including the Dynamics 365 environment, for software upgrades, security patching and updates for the Vaccine Management System; these are published via the MS Office 365 portal that BSO ITS have access to.