
DPIA NI Vaccine Management System

Data Protection Impact Assessment

Version 2.0 24/04/21

DPIA Ref no.: DPIA 01 2021
Project Name: Vaccine Management System
Business Area: HSCB
Information Asset Owner: Dr Margaret O’Brien MB, BCh, BAO, MSc, FFCI, Assistant Director of Integrated Care, Head of General Medical Services, Responsible Officer, HSCB
Project Manager: Claire Buchner, Assistant Director Digital Health & Nursing, PHA; VMS Product Manager, Vaccine Management System


Contents

NORTHERN IRELAND’S VACCINE MANAGEMENT SYSTEM
DATA PROTECTION IMPACT ASSESSMENT
1. DPIA Vaccine Management System
  Mandate
  Management
  Delivery of the vaccinations – the Vaccine Management System
2. Purpose of the VMS
  Why Adopt this Vaccination Management Approach?
3. Vaccination Management System
  VMS Overview
  VMS Development and Drivers
  VMS Development Roadmap
  VMS Data Management and Reporting
4. Roles and Responsibilities
5. Consultation
  VMS Governance
  VMS Stakeholders
6. Processing Overview and Scope
  Data Subjects
  Purpose of processing
  Description of the information flows
  Potential to impact on User/Patient confidence
7. Context of Processing
  Use of Data
  Sharing data to tackle COVID
8. Compliance with data protection law and other regulatory guidance
  The Lawful Basis for Processing
  Common Law Duty of Confidentiality
  Necessity and Proportionality
  VMS Data Retention
  Data Rights
  Prevention of VMS Scope Creep
9. Security Measures
  Vaccine Management Information Security
  Security Controls in place for the VMS
  How we control users who access the VMS and Reporting Platform
  Further Developments
10. Identify and Assess Risks (what are the risks)
11. Identify Measures to Reduce Risks
Appendix A – VMS Stakeholder Landscape
Appendix B – Data Controllers and Processors (who are they)
Appendix C – Data Controller/Processor Roles
Appendix D – Security Measures
Appendix E – VMS Interfaces
Appendix F – Glossary

1.     DPIA Vaccine Management System

Mandate

The DoH circular HSS(MD)82/2020 ‘Deployment of the COVID-19 Vaccine in Northern Ireland’ (7 December 2020) sets out the public health measures to be put in place to help contain and reduce the spread of COVID-19 by the administration of COVID-19 vaccinations to the Northern Ireland population.

Management

A vaccination programme has been commissioned and will be managed by the Department of Health and will be delivered in partnership with HSC Trusts, General Medical Services (and other Independent Practitioners such as community pharmacy in due course).

Delivery of the vaccinations – the Vaccine Management System

This DPIA relates to the NI Vaccine Management System (VMS) and describes the process within Northern Ireland to administer and capture data on citizens and staff who receive vaccinations against COVID-19 and the recording of information about vaccinations administered.

2.     Purpose of the VMS

The DOH has mandated the HSC Trusts, General Practice and Community Pharmacy to implement the vaccine programme in NI. The need to have access to analysis of real-time or near real-time data on vaccination uptake and take targeted actions is a requirement for DOH, Trusts and GPs. The new technical solution has been constructed to better use patient data in the fight against COVID.

Why Adopt this Vaccination Management Approach?

The “as-is” current approach to vaccination management/information recording for vaccines administered outside primary care and except for childhood immunisations in NI is paper based and admin-resource intensive. This manual approach does not support efficient, safe, or secure data recording or sharing within an urgent, pandemic-based, mass vaccination programme.

The current approach does not support the ability to report on or analyse vaccination uptake efficiently or accurately – a key facet of effective vaccine management. Nor does it adequately support uptake at a local or regional level, on an hourly or daily basis, as will be the requirement by the NI Government i.e., as near “real time”/point-in-time reporting as possible.

Recording data at the point-of-care to a regional vaccine database will support both local and regional point-in-time/on-demand reporting and analysis, and therefore, inform a responsive, clinical, and public health intervention strategy. Furthermore, there will be a need to quickly link VMS data to future hospital admissions to advise on the patient’s vaccine status although this functionality is not in place.  

3.     Vaccination Management System

VMS Overview

The NI Vaccination Management System started development in early December 2020. The VMS is intended for use in any vaccination setting where a vaccination is delivered i.e., GP practice, clinic, care or residential home, patient’s home (housebound), ward (long stay patients) and community pharmacy. The VMS Platform, and those operating the system, is technically delivered by a combination of software companies APTVision and Kainos, NI’s Business Services Organisation (BSO) and the Belfast Health and Social Care Trust. Operational changes and revisions to the system are overseen by the Vaccine Management System Product Team managed by Claire Buchner, Assistant Director Digital Health & Nursing. The product manager is a member of both the implementation and oversight groups within the overall programme.

The VMS is necessary to:

  • Improve the “as is”/current approach within Northern Ireland of annotating paper printouts for call/recall and keying these manually into systems following each vaccination clinic, as well as manually sending letters to GPs.
  • Reduce/negate the clinical and information governance risks associated with the “as is”/ current approach e.g., reduce physical printing and transport of paper documents containing patient data; remove the ability of these documents/data being viewable by citizens or staff in clinical or back-office settings.
  • Ensure Provider organisations meet obligations regarding patient confidentiality.
  • Improve the accuracy of vaccine data recording e.g., automated HCN look-up, which reduces data error.
  • Make available more easily and securely, COVID vaccine data to health and care staff involved in the citizen’s care pathway.
  • Provide standardised clinical management and workflow working in all vaccination settings, supported by a software solution.
  • Provide structured data relating to the vaccination of citizens to be included into regional datasets for improved reporting purposes in accordance with UK data protection legislation.

It should be noted that the VMS includes an appointment management/clinic scheduling functionality and a clinical recording tool. 

The VMS will support near time analytics of COVID 19 vaccination data through a separate but connected PHA data analytics platform. 

VMS Development and Drivers

The context for the VMS design and decision making was highly compressed timeframes and an urgency to rapidly develop a system that could support immediate vaccine roll out to the most vulnerable citizens. VMS planning and design started with a view to deploying vaccine teams to the Care Home community before Christmas 2020.

A development of this nature required the DHCNI[1] team to design the VMS tactically using rapid, agile techniques covering selection, design, build and implementation. Linear, lengthy stakeholder engagement, requirements capture, investment and procurement processes would not have delivered the outcomes in the timeframes demanded by the CMO. The urgency and speed needed to set up a VMS required DHCNI to adopt the fastest route to a workable solution using existing relationships within the DHCNI/BSO eco-system. Given the lessons learnt from the Track and Trace capability, DHCNI expanded the design brief with Kainos to incorporate the tactical VMS into their existing customer relationship management (CRM) capability built around Microsoft Dynamics. 

The tactical VMS started deployment across NI from late December and was only considered a short-term solution until a more scalable, strategic capability could be designed and developed. The initial VMS was achieved in only 10 days and was based on a proven Commercial Off-The-Shelf (COTS) medical booking system purchased via the G-Cloud 12 framework agreement. The tactical VMS has been developed by APTVision, a G-Cloud approved medical systems supplier. The high-level architecture of the VMS can be seen in Figure 1.

The VMS consists of two parts. The initial tactical aspect of the VMS uses the APTVision booking engine and database (green in figure 1) to provide the initial vaccine management functionality. This uses a web front end and web forms to deliver vaccine bookings and scheduling. No analytics or processing on citizen data is performed on this platform. This is the system that has been used since December to date. The strategic element of the VMS, shown in blue in figure 1, is built around a Microsoft Dynamics data lake and includes an interface with a reporting platform to support national vaccine monitoring, reporting and uptake analysis.

This system is also integrated with BSO’s Health & Care Index system and the GP systems for citizen matching and patient record updates. This element of the VMS will remain the long-term solution. The APTVision VMS database will wind down and leave the web booking and front end only. This will be mapped with custom designed Trust and GP workflows built into MS Dynamics to meet their clinical needs. 

[Figure 1 – The Core VMS System. Legend: Tactical VMS & Booking Engine (green); Strategic VMS & Reporting Platform (blue).]

VMS Development Roadmap

As described earlier the strategic VMS solution will be a combination of the APTVision front end, and a pre-existing Microsoft Dynamics CRM solution deployed on Belfast Trust’s current infrastructure. This will contain a central vaccine database and reporting capability for population COVID health management support.

From the week beginning the 15th of Feb 2021, the VMS had morphed into combining the booking and scheduling engine developed by APTVision with the enterprise scale database and reporting capability built by Kainos on the Belfast Trust Microsoft Azure stack. In addition, the VMS team have had time to work with Big Motive and key stakeholder groups such as the GP community and Trust leads to develop a custom workflow better suited to their clinical delivery needs. Vaccinations recorded by General Practice will not be recorded in the tactical APTVision element of the VMS. Vaccines recorded in primary care will be added to the Data Model contained within the Kainos Dynamics Platform instance which forms part of the strategic VMS solution. 

The rationale for this merger is the need for a sustainable, in-house vaccine management capability that is woven into the DoH ITS fabric and can be supported using existing service management processes and capability long term. The APTVision aspect of the VMS was only ever considered a short-term solution. To that end DHCNI want to establish a standardised, regional approach to the recording of vaccination data and a regional dataset for national, regional, and local reporting.

The scope and requirements of the VMS continually evolve[2] but the current tactical solution has met the current vaccine cohort delivery requirements to date[3]. As vaccinations move to the wider population and grow to accommodate both Trusts and GP practices, DHCNI need to ensure the VMS is sustainable long term. It also needs to be supportable and able to respond to emergent clinical needs in a controlled, financially predictable way. Consideration is also being given to whether the VMS can be used to support the delivery of the annual seasonal flu vaccination programme from 2021, and potentially other programmes, such as pneumococcal, shingles and travel vaccines.

VMS Data Management and Reporting

The information from the booking and administration of COVID-19 vaccination is hosted in a single secure environment which can be synthesised, as required, to inform an appropriate response to vaccine uptake. Data within the strategic VMS will also be used for reporting and research purposes via PHA’s analytics platform, to inform responsive, clinical/public health intervention strategy.

Vaccinations will be delivered in accordance with the advice of the Joint Committee on Vaccination and Immunisation (JCVI). The most current advice, at the time of writing, is available here:

https://www.gov.uk/government/publications/priority-groups-for-coronavirus-covid-19-vaccination-advice-from-the-jcvi-2-december-2020.

For convenience, the priority in which the COVID vaccinations will be delivered is as follows:

  1. Older adults resident in a care home for older adults (This DPIA) and their carers (Staff Priority Groups DPIA)
  2. All those 80 years of age and over (This DPIA) and front-line health and social care workers (Staff Priority Groups DPIA)
  3. All those 75 years of age and over (This DPIA)
  4. All those 70 years of age and over and clinically extremely vulnerable individuals (This DPIA)
  5. All those 65 years of age and over (This DPIA)
  6. All individuals aged 16 years to 64 years with underlying health conditions which put them at higher risk of serious disease and mortality (This DPIA)
  7. All those 60 years of age and over (This DPIA)
  8. All those 55 years of age and over (This DPIA)
  9. All those 50 years of age and over (This DPIA)
  10. Rest of the population (priority to be determined) (This DPIA)

This model will by necessity require a multi-agency approach where personal identifiable information of staff (essential and others), residents and general population will be disclosed between the partner organisations.

Analysis of data is likely to be performed by PHA staff, with support from the Health and Social Care Board (HSCB) clinicians and the Digital Health and Care (DHCNI) team. The future integration of VMS with PHA’s analytics platform will take account of the risks and potential risks relating to the use of personal data as well as the necessity of using the data for surveillance purposes. This will be described in a separate DPIA and be governed by a separate MOU and Data Sharing Agreement.

4.     Roles and Responsibilities

The Health and Social Care Board (HSCB) is the data controller for the personal data processed on the VMS, under the Data Protection Legislation[4], and will direct the use of personal information for the following eight purposes:

  1. Confirming the appointment at a regional vaccination centre
  2. Performing a security and ID verification at the vaccination centre
  3. Processing the citizen’s vaccination action
  4. Sharing the details of the vaccination with the citizen’s GP
  5. Undertaking quality assurance of the vaccination process, for example clinical process assurance
  6. Analysis to support operational decisions to improve the full end-to-end vaccination process, such as:
    1. Day-to-day use, for example whether someone attended their appointment
    2. To inform regional vaccination centres of improvements to the vaccination process, for example to manage capacity or throughput
    3. Support end-to-end logistics planning.
  7. In the longer term, support:
    1. The sharing of VMS data with BSO ITS to link vaccination details to individual Electronic Care Records (ECR) and to analyse data in relation to coronavirus[5]
    2. Analysis to support health surveillance and health research

DHCNI will provide the digital solutions to ensure the VMS delivers on Trust, GP and Community Pharmacy requirements. The VMS sits within the governance structures (shown in Appendix A) of the overall Vaccine programme.

There are several data processors and other roles assisting HSC and GMS in designing, building, and operating the VMS; these are listed at Appendix C.

5.     Consultation

The NI COVID-19 Vaccination Programme is being established under the strategic direction of an Oversight Group chaired by the DoH Chief Medical Officer (CMO); and a Vaccine Implementation Group established by the CMO. The Steering Group, which reports to the CMO, is independently chaired by Patricia Donnelly with membership from DoH, PHA, Trusts.

Key stakeholders include:

  • GMS and The GP Community
  • The Northern Ireland public
  • Department of Health
  • Public Health Agency
  • Health and Social Care Board
  • Health and Social Care Trusts
  • Community Pharmacies
  • Privacy Advisory Committee
  • Information Commissioner’s Office
  • Interest groups (human rights, privacy, women’s rights, older people, children, minority ethnic, disability groups etc).
  • Business Services Organisation – (HR, DLS, IT)
  • Queen’s University Belfast & Ulster University
  • Kainos – software development company
  • APTVision – software development company
  • BigMotive – A user experience and software development company
  • NI Direct – call centre provider
  • Political representatives
  • Media

Due to the urgent requirement to establish and operationalise the service, a formal consultation was not undertaken.  However, informal engagement is ongoing with a range of stakeholders. 

Research undertaken by Big Motive on various aspects of contact tracing and the public perception thereof has provided learning as to user journey and digital communication platform content for vaccination. 

DHCNI and DOH also remain in close contact with our counterparts in England and the other devolved administrations as well as the Republic of Ireland to share learning. 

Programme leads have liaised extensively with the HSCB Personal Data Guardian (PDG), HSCB DPO, DoH DPO, Trust IG/DPO leads, and Directorate of Legal Services, taking account of advice and comments in developing this DPIA and ensuring that appropriate measures are in place to safeguard individuals’ personal data. There has also been significant engagement with and advice sought from the ICO office in NI.

VMS Governance

A VMS Product Team has been formed by DHCNI on behalf of the Department of Health to design, develop and co-ordinate the roll out of the VMS. This is headed up by a PHA Clinical Assistant Director for Nursing and subject matter expert who acts as the Product Manager for all aspects of the Vaccine Management System.

The VMS Product Manager provides expert clinical advice and development prioritisation to the VMS development team product owners, one for Kainos the other for APTVision. The VMS Product Manager works directly for the Vaccine Programme Implementation Group. The VMS Product Manager, on behalf of Patricia Donnelly, is tasked, amongst other responsibilities, with ensuring that:

  • The VMS is used for its intended purpose,
  • VMS data processing is appropriately bounded in time and scope,
  • This DPIA report is kept under review and up to date, and
  • The necessary analysis to assess the efficacy of the VMS is co-ordinated.

The VMS Product Manager, Product Owners and supporting development teams meet daily to ensure vaccine priorities from the CMO and Programme Implementation Group are enacted.

The Vaccine Programme Implementation Group Chair and VMS Product Manager provide regular updates to the on the uptake and functioning of the VMS. The frequency of these reports will be agreed and updated herein. Key stakeholder groups including PHA, the Health and Social Care Trusts, GP and Pharmacy Communities.  The ICO will also be circulated a copy of the DPIA prior to publication, for the purpose of scrutiny and to ensure due processes are adhered to.

Changes to the VMS are informed by clinical directives from the CMO via the Vaccine Programme Oversight Board.  Requirement prioritisation is conducted by the Product Manager who in turn directs VMS development through the Product Owners to the suppliers. Once the VMS moves to the strategic variant, day to day management of the system will move to BSO who will manage the system using standard ITIL change control, configuration, and service support processes.

VMS Stakeholders

A wide range of stakeholders are responsible for and contribute to the delivery of the VMS. A summary is given below. A more detailed breakdown of stakeholder roles can be found at Appendix B. The breakdown of data controller vs data processor accountabilities and responsibilities is detailed in Appendix C.

Organisation: Engagement/Activity

  • DOH (Department of Health for NI): To mandate reporting requirements.
  • Health and Social Care Trusts (HSCTs): To provide their own staff data as an employer. To collate staff groups data and report to DOH.
  • Primary Care Organisations e.g. GP Surgeries, Pharmacies, Dentists etc: To provide staff data. To provide and use cohort identification.
  • PHA (Public Health Authority): To ensure alignment with existing Health and Social Care vaccine processes and care pathways.
  • Regulation and Quality Improvement Authority (RQIA): To provide up to date care home details.
  • Digital Health and Care NI (DHCNI): To commission the VMS design and development. To commission data engineering and reporting.
  • Information Commissioner’s Office (ICO): To promote openness of official information and protection of private information, and their role is to uphold the information rights in the public interest.
  • Business Services Organisation (BSO): To support the delivery of the VMS as a sustainable capability.

6.     Processing Overview and Scope

This section of the document describes the VMS data that will be sourced, processed, how much data is being collected and used, how often it will be processed, how long it will be retained for, and who the data relates to.

Data Subjects

The proposed data processing within the VMS relates to all citizens in NI who will be vaccinated and have their data captured as part of that process.

Purpose of processing

The primary purpose of the processing of this data is to ensure the safe COVID-19 vaccination of citizens in Northern Ireland. The context of processing citizen data is described further below in section 7.

Access to basic patient demographics (e.g., name, age, address, occupation[6] etc.) will be essential to allow a rapid risk assessment to be carried out to support COVID interventions now and in the future. COVID and vaccine efficacy information is assessed in terms of time, place, and person (e.g., name, age, address, occupation etc.); without this information you cannot effectively associate COVID cases with likely transmission.


Given the huge number of vaccinations expected and the requirement to report on population uptake by phase and other agreed data variables such as age group and disease, a new system was required. This would need to automate the graphing (visual localisation dashboard[7] shown below) of vaccination uptake by age, sex, geographical location, for example, and linkage to those members of the population who have health conditions.

This is dependent upon having full details of each citizen vaccinated, right down to their residency and full demographics.  This approach is both necessary and proportional relative to the need to protect citizens. Only with this information is it possible for health protection to accurately report on the NI COVID Vaccination programme. The VMS reporting engine will facilitate this in a graphic way which is easy for human beings to understand and is used additively to the standard data collection to facilitate rapid response. 

Anonymised data may be shared later with other organisations (e.g., DoH, universities etc) for the purposes of planning and research related to COVID 19, in line with established processes.  A more detailed description of the use of vaccination data can be found in section 7 – sharing data to tackle COVID.

The PHA analytics system[8] is planned to receive a continuous stream of data from the strategic VMS to aid vaccine management and regional analysis. Going forward the VMS reporting and PHA analytic platform are anticipated to be the primary public health clinical tool for the management of the COVID pandemic and all vaccination events. An existing analytics platform is already facilitating the NI Contact tracing Service and has become an integrated part of the response to the COVID pandemic. The use of patient demographics in this way will shorten the length of time it takes public health experts to identify population groups and not only their uptake of the vaccine but longer-term follow-up and virus surveillance going forward. This process would not be as efficient or effective if no personal data were used. Therefore, in the balance of risk it would be negligent of the Region not to use it as efficiently as possible to protect the public. Multiple mitigations are in place to make this as secure as possible; please see sections 10 and 11 for risk mitigations in place to protect the VMS and its data.

Description of the information flows  

Information Flows are shown in Figure 2 on page 22.  The cohort information will be derived from the following methods.

Priority Group: Where does data come from?

  • Older adults resident in a care home; care home workers: Records obtained from RQIA that have a care home address, with cross checking to the testing data.
  • 80 years of age and over: Records in GP clinical systems where age >=80
  • Health and social care workers: Minimum dataset collected and supplied by HSC Trusts to identify workers
  • 75 years of age and over: Records in GP clinical systems where age >=75
  • 70 years of age and over: Records in GP clinical systems where age >=70
  • 65 years of age and over: Records in GP clinical systems where age >=65
  • Clinically extremely vulnerable individuals: Citizens considered high risk extracted from GMS and the shielded patient list developed earlier in the first COVID lock-down[9]
  • Individuals aged 16 years to 64 years with underlying health conditions: Citizens considered at moderate risk extracted from GMS and criteria in the GP systems
  • 60 years of age and over: Records in NI Census where age >=60
  • 55 years of age and over: Records in NI Census where age >=55
  • 50 years of age and over: Records in NI Census where age >=50
  • The rest of the population aged over 18: All other records not previously extracted from NI Census

Information is derived from the following sources:

Applicable cohorts: Approach

  • Older persons resident in care homes: NI Demographic Survey forms the basis for population data which is then matched with care home residential address list held by RQIA. In addition, care home residents (and staff) are identified as part of the COVID testing process as their status is held in test registry.
  • Care home workers; HSC workers: Employers have been asked to supply list of eligible employees in care home sector. HSC Trusts are supplying lists of staff.
  • Clinically extremely vulnerable individuals: As above, citizens considered high risk extracted from GP systems and the shielded patient list developed earlier in the first COVID lock-down. HSCB are compiling this list.
  • Individuals aged 16 years to 64 years with underlying health conditions: Citizens with underlying health conditions extracted from criteria in the GP systems
  • Citizens in age bands 80+, 75+, 70+, 65+, 60+, 55+: NI Demographic Survey will be used to identify these cohorts, considering individuals who fall into one of the cohorts identified above

Potential to impact on User/Patient confidence

The VMS has the potential to hold at a minimum the demographics of the whole of the adult population of Northern Ireland. Prior to individuals receiving a vaccine, the data held will not consist of data which is subject to the duty of confidence.

Individuals may have concerns about their data being processed in this way (without consent) but the overriding benefits to individuals, the health and care system and wider society are the driving factors for the vaccination programme.

A privacy notice is now available in the public domain to ensure all service users are aware of how their data is used. This can be found at this website:

7.     Context of Processing

Twenty-eight citizen data attributes are held and entered into the VMS. This data will be provided by citizens directly into the web booking platform, via the NIdirect call centre or vaccinators on their behalf in care homes. This data will be linked to General Practice systems and the Health and Care Index to ensure accurate patient identity and vaccination recording. The data capture will be as follows: 

Health Vaccination

  • Vaccine – where given
  • Date of Vaccination
  • Reason Vaccine not suitable
  • Vaccine type
  • Vaccine Batch
  • Product Name
  • Vaccine – Course Given
  • Was Vaccine Administered
  • Vaccine – Batch Number
  • Vaccine – Product Number
  • Informed Consent not given
  • Vaccination Course
  • Dose Number
  • Vaccine method
  • Vaccination Centre

Personal Identification

  • Age
  • Date of Birth
  • Surname
  • Sex
  • Ethnicity
  • First Name
  • Family Name

Health/Medical Data

  • Health & Care Number

Contact Information

  • Home Address
  • Phone Numbers
  • Email

HSC Staff (in addition to above)

  • Place of Work
  • Job role

For vaccinations administered in nursing homes where the online booking has not been used the demographic details will be collected at the time of vaccination directly into the VMS recording tool. Some nursing home data has been collated manually via paper and excel spreadsheets. This information is in the process of being transferred into the VMS.

Data will also be collected from the individuals who come forward, book and consent to receiving a vaccination.

Use of Data

Personally identifiable data will be held for the primary purposes of clinical vaccination and any required follow-up health care. Anonymised information will only be shared in exceptional circumstances, e.g. where anonymised information needs to be shared with Public Health agencies outside the UK for the purposes of disease surveillance and to protect the health of individuals and others potentially affected by an outbreak. Any transfers will be fully compliant with the UK GDPR and only when we have a legitimate basis for doing so.

Extracting the necessary daily public health reporting requirements from the VMS strategic platform requires the holding of anonymised data variables. This is necessary to ensure that we have as much information as possible to be able to link to other disease registries and system held health and care data. A VMS strategic platform is the quickest and most effective way of reporting the defined vaccine programme matrix. User data collected by Trusts will be imported directly to the VMS strategic platform via the APTVision clinical workflow component. This should be complete by April 2021.

Sharing of VMS data with the PHA analytics platform will allow better analysis of the vaccine and help establish vaccine efficacy. PHA’s analytics platform may include other sources of data in the future, including COVID-19 test data such as Antibody serology and screening testing. Decisions regarding the expansion of the VMS data sharing are beyond the remit of this document, but appropriate DPIAs will be carried out on that processing when required. Data sharing between the VMS and PHA analytics platform will be covered with a separate data sharing agreement (DSA) and the Analytics Platform’s DPIA.

As set out above health protection and surveillance is the statutory responsibility of the PHA and the organisation and indeed HSC has much experience in vaccination programmes in relation to communicable diseases, albeit the COVID 19 Vaccination programme is of a much larger scale and longer duration.  However, PHA health protection expertise and knowledge is central to the development and management of this programme.  Collaboration is taking place between the DOH, Trusts and GPs, Digital Health NI (DoH and Health and Social Care Board (HSCB) eHealth) and Business Services Organisation IT Service (BSO ITS), to bring in expert technical knowledge and advice in respect of the IT system development, implementation, governance and management.

Sharing data to tackle COVID


The VMS system is a time stamped register of all the citizens in NI who have received a vaccine to protect against COVID 19. The recording of the vaccination is only the first part in establishing if vaccination has been successful in preventing infection from COVID 19. To confirm effectiveness the vaccination system must be matched to records of disease activity – in this case the Test Track Protect platform. By integrating information regarding positive COVID 19 tests to a vaccine registry we can identify if citizens who are vaccinated subsequently become infected, and we can confirm the timeframe around that infection. This is critical to understanding the effectiveness of vaccination.

The UK is deploying vaccines based on JCVI recommendations, which deviate from pharmaceutical trial protocols. There is, therefore, a greater imperative to ensure appropriate collection of relevant data to confirm safety and efficacy of the vaccination deployment strategy. To facilitate this procedure the positive test registry for COVID 19 on the TTP platform must be compared to vaccination status on the VMS. Data will be shared with the PHA in the near future; this will be covered by a separate DPIA.

Citizens with positive COVID 19 events post vaccination will be identified for further evaluation. Depending on timing of infection this may represent vaccine failure, or unpreventable infection occurring before vaccination could reasonably be expected to provide protection.

In addition to identifying episodes of vaccine failure – methodology as outlined above – we must be able to quantify the effects of that failure on the citizens infected. To do this we are required to follow up citizens identified with vaccine failure to see if they came to harm, and if so, to quantify that harm. This will require matching of citizens with vaccine failure to records of hospitalisation, Intensive Care admission, and diagnostic coding data. This will include mortality data. This matching will be performed within the BSO data warehouse which manages all Northern Ireland’s secure health data sets. Additional analysis on this dataset will be for immediate safety and delivery of vaccination programme and will not involve research without a separate application to the Honest Broker[10] Service and process by relevant ethics authorities.

Information may also be shared with other countries in line with International Health Regulations (2005) part VIII, Article 45, Treatment of Personal Data but only where there is a suitable lawful basis which allows us to do this.  Non identifiable and aggregated data will be shared with Public Health England for the purposes of UK national vaccination surveillance. 

Figure 2 – High Level Process Flow and Data Interfaces into the VMS

The complete data flow and capture of citizen information to support vaccination is shown above in Figure 2. The VMS interface details can be found at appendix E. Patient related vaccine data enters the VMS in 7 ways:

  A. The citizen enters their demographic data[11] at the time of booking into the APTVision booking webpage. This enables a vaccine booking slot to be generated, their details to be recorded and a confirmation (shown below) plus an SMS or email to be sent out. The SMS/email message provides the citizen with confirmation of their booking.

From May 2021, functionality on the booking platform will be improved to include an API to check the citizen demographic information entered against the NI Health and Care Index. If a match is found it will auto populate the required HCN field but will not be visible to the person completing the booking. Citizens who do not match in VMS will be able to proceed with booking and HCN will be added retrospectively.

By checking whether the supplied details match at the point the user gives them, we can take early action to check and confirm the data before it enters the VMS, such as prompting the user on the vaccination portal to confirm whether the details are correct or whether they used a formal name when registering with their GP.

Citizens who are unable to book their vaccination online can book via the NI Direct telephone call centre. NI Direct call handlers will use the same VMS booking webpage and enter the same citizen data into the VMS on their behalf. They have the same access to the VMS as citizens booking themselves on the website.

  B. Care home residents and their care staff provide their vaccine booking data to community nurses or nominated Trust staff who will enter the demographic data into the VMS via an authorised vaccinator computing device e.g. laptop.
  C. BSO transfers patients’ unique H&CN data into the Pharmacy VMS via an electronic interface using a secure file transfer system. This data exchange is one way and done automatically by the BSO system.
  D. A one-way extract of historical patient COVID vaccination records is transferred from GP systems into the VMS to ensure a complete picture of COVID vaccination is recorded for vaccine efficacy and distribution purposes. These are records of COVID vaccinations given at a GP practice to citizens prior to the VMS being available.
  E. Citizens who present themselves at their local GP practice provide identical demographic data to those citizens in A. GP staff will enter patient demographic data into the VMS through a customised application via a practice computing device. Additional health vaccination data (listed in section 7) is entered into the VMS when the vaccine is administered. The VMS GP booking system differs slightly from the Trust variant to match their specific workflows.
  F. Citizens who present themselves at Trusts provide identical demographic data to those citizens in A, if they have not already booked via the website or NI Direct. Trust/Mass vaccination administrators will enter patient demographic data into the VMS through a customised workflow via an authorised computing device. When the Trust administers the vaccine the additional health vaccination data is then recorded on the VMS. Like GPs, Trusts will use their specific Trust VMS workflow version of the VMS to record the vaccination.
  G. Citizens who present themselves at community pharmacies provide identical demographic data to those citizens in A. Nominated pharmacy staff will enter patient demographic data into the VMS through a customised VMS application via an authorised pharmacy terminal. When the Pharmacy administers the vaccine the additional health vaccination data is then recorded on the VMS. Like GPs, pharmacies will use their specific Pharmacy VMS workflow version of the VMS to record the vaccination.

In addition, data flows out of the VMS in three ways to support vaccine analysis, GP record updates and system administrative functions:

  • PHA health and care analysts draw on patient data extracts to determine COVID vaccine efficacy, distribution and to support regional reporting to health decision makers.
  • System administration staff, based at the Belfast Trust, manage the VMS’s Azure cloud platform. They are required to interact with the VMS database in order to conduct database housekeeping, record management and maintenance. These staff also support release and change management to the MS Dynamics database that underpins the VMS.
  • The region’s GPs have an ongoing responsibility to ensure their patient records are updated post any vaccinations. The VMS sends a record of NI citizens who have been vaccinated back to the relevant GP system. This keeps patient records up to date, supports clinical decision making and maintains on-going clinical safety.

From a clinical risk perspective, when the citizen attends the vaccination clinic the vaccinator must check to ensure the patient has not had any immunisations within a specific timeframe and check the patient does not have specific allergies / health conditions  that could mean they cannot have the injection. The following information is also captured and is limited to that which is necessary for the purpose.  This information is derived from the patient, their carer or if necessary by calling the patient’s GP.  

This helps ensure that the patient can safely receive the COVID vaccine. The vaccinator must ask the patient’s permission to call their GP. Access to GP records is only available to GPs within that individual’s surgery.  While explicit consent is not required under common law (consent is implied) this is consistent with the approach to accessing the patient’s HCN number view the Health & Care Index via WebView.

8.     Compliance with data protection law and other regulatory guidance

The Lawful Basis for Processing

The HSCB is accountable to the Department of Health (DoH). The Department’s general duty shall be to promote in Northern Ireland an integrated system of health care designed to secure improvement in the physical and mental health of people in Northern Ireland, and in the prevention, diagnosis, and treatment of illness.  The DoH is accountable through the Minister for Health to the NI Assembly.

To that end we process your vaccine related information according to the UK General Data Protection Regulation and the Data Protection Act 2018. Your data is processed as part of our public task (in line with UK GDPR Article 6(1)(e))[12].

Some of the data processed relates to health data which is described as ‘special category data’.  In relation to that processing, the following UK GDPR conditions apply:

  • Article 9(2)(h) – the processing is necessary for medical diagnosis, the provision of health treatment and management of a health and social care system.
  • Article 9(2)(i) – the processing is necessary for reasons of public interest in the area of public health.
  • Article 9(2)(j) – the processing is necessary for archiving purposes in public interest – scientific/historical research purposes.
  • Data Protection Act 2018 – Schedule 1, Part 1 (2) – Health or Social Care Purposes
  • Data Protection Act 2018 – Schedule 1, Part 1 (3) – reasons of public interest in the area of public health
  • Data Protection Act 2018 – Schedule 1, Part 1 (4) – reasons of public interest in the area of public health research

In line with the HSCB statutory duty, as stated in the Health and Social Care (Reform) Act (Northern Ireland) 2009, which sets out the functions of the HSCB, including that:

  • 8—(1) The Regional Board shall exercise on behalf of the Department— (b)such other functions of the Department (including functions imposed under an order of any court) with respect to the administration of health and social care as the Department may direct. (paragraph 8 (1)).[13]

Common Law Duty of Confidentiality

The staff working within the vaccination programme and collecting data for use within the VMS Strategic platform are governed by their professional codes of conduct and HSC contractual terms, including the duty of confidentiality.

Under common law, if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider’s consent.  In practice, this means that all patient/client information, whether held on paper or computer, must not normally be disclosed without the consent of the patient/client.  However, there are several very specific circumstances that makes the disclosure of confidential information lawful, including the sharing of necessary information with other health/care professionals and agencies where the interests of patient safety and public protection override the need for confidentiality.

The vaccination programme will need to share personal information in the interests of individual patient safety as the vaccination record held in VMS will need to form part of the individual’s primary care record held by their General Practitioner. The VMS team will consult with the Privacy Advisory Committee (PAC) regarding secondary uses of data prior to any sharing being agreed. Any decisions made by the PAC will be added as an appendix to this DPIA and guided by the DoH code of practice on confidentiality.

Necessity and Proportionality

In Northern Ireland, the COVID-19 Vaccination programme will be supported by the VMS to allow citizens to book their vaccination appointments and to provide a central regionalised record of all COVID vaccinations.

Only the minimum data set is processed to enable safe vaccination and to provide demographic data to identify and manage uptake for public health surveillance. 

COVID 19 is still a new and relatively unknown disease, and actions will be determined by both local (NI) experience of it as well as from wider national and international experience, knowledge and understanding. While it is recognised that specific actions may need to change, and may do so rapidly, as understanding and knowledge of the disease develops, the personal data collected through the VMS will only be used for purposes of vaccination and public health surveillance in respect of COVID 19.

The VMS sits within the decision-making structures of HSCB, the GMS and is accountable for VMS development to the DoH via the Vaccine Oversight Group. 

Vaccination is an established and recognised methodology for controlling and reducing the spread of communicable infectious diseases, that is used nationally and internationally. 

Vaccines contain weakened or inactive parts of a particular organism (antigen) that triggers an immune response within the body. Newer vaccines contain the blueprint for producing antigens rather than the antigen itself. Regardless of whether the vaccine is made up of the antigen itself or the blueprint so that the body will produce the antigen, this weakened version will not cause the disease in the person receiving the vaccine, but it will prompt their immune system to respond much as it would have on its first reaction to the actual pathogen.

Some vaccines require multiple doses, given weeks or months apart. This is sometimes needed to allow the production of long-lived antibodies and development of memory cells. In this way, the body is trained to fight the specific disease-causing organism, building up memory of the pathogen to rapidly fight it when exposed in the future. This information is a vital part of the fight against COVID and will be needed to ensure vaccine efficacy and interventions are delivered when and where they are needed as soon as possible.

There is an urgent need for an accurate, near real-time vaccine management system to support the fight against COVID-19 across NI. To support this work the DOH launched a new Vaccine Management System team in November 2020 to drive forward, expedite and co-ordinate efforts to design and then develop a coronavirus vaccine management system that supported the roll out of vaccines to the public as quickly as possible.

Developing a VMS has been necessary to deliver the vaccine rapidly to the population because the current mixed IT/paper-based vaccine delivery mechanism in place is not geared to delivering vaccines at volume in a pandemic scenario. A specifically designed VMS has ensured equity of access to the vaccine across population cohorts through a single, consistent scheduled booking system.

The optimal way to accelerate vaccine roll out and provide NI with a simple, easy and speedy vaccination programme has been enabled by a single VMS collating the key COVID-19 vaccination data. This has provided the ability to have all the vaccine records in one place and help save lives by having vaccination records in one place that can be continually updated and analysed to track the vaccine’s efficacy. With access to this data the DOH, Trusts and GPs will be able to effectively monitor the impact of the vaccine and make optimal decisions in the future.

The VMS is proportionate given the current vaccine delivery mechanism’s inability to support a pandemic scenario. It does this by:

  • Ensuring the DOH meets its obligations regarding the protection of patient data and confidentiality
  • Ensuring the DOH use best practice in the care and safety of any person receiving the vaccine
  • Reducing or eliminating the clinical and information governance risks associated with the existing vaccination systems and processes.
  • Providing a fit for purpose platform that can be used again in future pandemic outbreaks and for consistent vaccinations generally.
  • Improving the accuracy of NI clinical/vaccine data recording and reporting
  • Capturing data relating to adverse drug reactions post administration of the vaccine and within the observation period
  • Making COVID vaccine data readily and securely accessible to those authorised to process it
  • Helping support standardised clinical and GP workflow management in all vaccination settings.

VMS Data Retention

Data for the VMS will be retained in line with GMGR section G43 Electronic Patient Clinical Records (inc Audit Trails)[14] developed since 2013.  Within the record keeping system, there must be a method of deciding ‘what is a record?’ and therefore ‘what needs to be kept?’ This is described as ‘declaring a record’. A declared record is then managed in a way that will hold it in an accessible format until it is appraised for further value or it is destroyed, according to retention policy that has been adopted.

The data contained in the staff proforma spreadsheets submitted for inclusion in VMS will be retained for six months to ensure that any issues can be audited. Information collected by the originating organisation is subject to its own retention criteria based on its own requirements.

Retention will relate to operational records that need to be kept for legal compliance, or that have a limited life as part of an operational activity. These records will be retained for seven years (the current year plus six financial years).

Records will not be kept after the retention period unless:

  • The record is the subject of live litigation or a request for information. In these circumstances, destruction should be delayed until the litigation is complete or the relevant complaint procedure has been exhausted, at which time a new trigger point and retention period is created.
  • The record has long-term value for the organisation’s statutory functions.
  • The record has been or should be selected for permanent preservation

The whole or part of the record may be extrapolated in order to preserve health and social care activity as part of an NI resident’s Health & Social Care Record – retention values in these circumstances will be different from those described for operational use.

Any uploaded data recorded on Gov.UK Notify is held for seven days.

Any data shared between the VMS and other public healthcare systems will be protected under Data Sharing or Access Agreements between HSCB and the relevant party. Data Access Agreements will be drawn up between the Data Controller (HSCB) and the Data Processor, which will assist the data controller in setting out the guidelines for retention and disposal of the information.

Data Rights

The GDPR sets out the 8 rights that individuals have in respect of their data.  These have been considered in respect of the NI COVID Vaccination programme as follows:

  1. The right to be informed

Individuals are provided with information about the collection and use of their personal data for the VMS, including what personal data is collected, the purposes for collecting, retention periods and potential sharing of data.  The information is available in the privacy notices found here:

In addition, the PHA website also includes a range of information about the vaccine programme, so that the public are informed and aware about the service. 

  2. Right of access

Individuals can ask for copies of the information that we hold about them.  HSC has an established subject access request (SAR) process to ensure that requests are dealt with promptly and appropriately. Subject Access requests would be dealt with by the receiving organisation using existing local procedures. Incorrect details can be corrected at local level on VMS.

  3. Right to rectification

Individuals can ask to have inaccurate personal data corrected or completed if it is incomplete.  Vaccine centre and general practice staff will verify data at vaccination appointments.

  4. Right to erasure

GDPR introduced a right for individuals to have personal data erased (‘the right to be forgotten’), however the right is not absolute and only applies in certain circumstances. 

  5. Right to restrict processing

Individuals have the right to request the restriction or suppression of their personal data, however the right is not absolute.  While individuals can request that the vaccine programme stops processing their data, as set out in number 4 above, the data held will still need to be processed for the purpose of public health protection and personal clinical record keeping. 

  6. Right to data portability

Individuals can ask the vaccine programme to share their information with another organisation (although this may not always be possible). 

  7. Right to object

Individuals have the right to object to the processing of their personal data, including when the lawful basis for processing is public task.  However, this is not an absolute right, and processing can continue if there are compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual. 

  8. Rights relating to automated decision-making

While the VMS uses computer systems to process personal data, it does not include automated individual decision-making (i.e. making a decision solely by automated means without any human involvement).

The VMS platform components do not use any automated processing at present; rather, they identify statistical observations that are flagged to human beings.

Every person booking through the VMS will get a notification (provided their details are accurately added); there is no algorithm determining the decision.

SMS and email booking confirmation and reminder messages will only be sent to those that have booked vaccine appointments; this is algorithm based.

If an individual is not happy with what the VMS does with the information that is held about them, they can contact their GP.

We are utilising some IT solutions to mitigate risks such as the transfer of personal data from the VMS to the MS Dynamics system used to record information about vaccination. 

As set out in section 7 personal data will be shared with General Practice. 

Prevention of VMS Scope Creep

When citizen vaccine information is collected and processed for one reason but is then used or processed in ways beyond the original VMS purpose this is called function creep. Measures are in place to ensure this is prevented.

Any technical or functional changes needed to be made to the VMS that do not change the data usage require a formal request be made to the VMS programme team. These are then prioritised, costed and applied to a technical backlog for subsequent development.  

Technical or functional changes that are needed to enable the sharing of VMS data with a 3rd party or additional government agency will require the development and approval of an appropriate Data Sharing or Access Agreement (DSA or DAA). These can only be approved by the Personal Data Guardian (or equivalent) within the data controller organisation (HSCB) once usage has been determined to satisfy this DPIA, confidentiality and appropriateness. This may also require the data controller organisation to confer with invested stakeholder groups prior to approval being given. This formal process ensures there is clear accountability and governance of the VMS during development and on-going operation.

9.     Security Measures

Security measures are in place to ensure the information processed is carried out only as detailed in this DPIA and ultimately only for the purposes intended.

Vaccine Management Information Security

The organisational security measures implemented include the following security controls:

  • VMS citizen data can only be accessed under specific circumstances by authorised clinical/administration staff at GP practices, Trusts and Community Pharmacy Staff[15]. Citizen data is protected within each Trust or GP practice. This cannot be seen by users outside this domain.
  • Trust, GP staff and Community Pharmacy staff are nominated access by their role within their area of business only. Users will not be able to use the system unless added to an application role.
  • Access controls for VMS vaccine administration staff are governed by each HSC Trust’s, GP Practice’s and Pharmacy’s operational procedures
  • Access to citizen data is monitored by security and authentication mechanisms. Data access by clinical users, VMS administrators and development staff is also monitored and recorded for audit purposes.
  • Common VMS data and analytic services are limited to specific users within two Azure Active Directory groups
  • Only required accounts have been synced from on premise to Azure Active Directory via AD Connect.
  • No live system access rights are allocated to 3rd parties. All 3rd party access is in accordance with agreed contracts and contract management processes.
  • An appropriate separation of roles will be employed, for example developers will manage supporting backend configurations.

Security Controls in place for the VMS

VMS Suppliers Kainos, APTVision and Microsoft comply with both international and industry-specific compliance standards and participate in rigorous third-party audits and penetration testing that verify security controls. As required by the GDPR, the VMS developers implement and maintain appropriate technical and organisational security measures, including measures that meet the requirements of ISO 27001 and ISO 27018, to protect personal data they process as data processors or sub processors on its customers’ behalf.

Both VMS Suppliers provide audit capabilities that allow the data controller and processors to monitor vaccine data. VMS administrators can run a report on any patient record to see all the staff who have accessed it, what, if any, changes were made and whether that access was appropriate or necessary.

Appendix D gives more detail about the VMS security measures in place. A glossary at Appendix F gives more description of the technical terms and abbreviations.

How we control users who access the VMS and Reporting Platform

The organisational security measures implemented include the following security controls that have applied to the environment:

  1. Restriction on user access to the VMS Reporting capability:
    • Two factor authentication is used by APTVision to control administration access for the web booking platform via mobile or email.
    • All Azure resources are securely managed via Azure Active Directory. This provides a mechanism to ensure only those who are on the system directory and authorised can access the VMS.
    • Access to Data Science Virtual Machines (DSVM) is restricted to an encrypted connection through Azure Bastion. Connection to Bastion is via whitelisted IP addresses only. Only named Azure Active Directory identities can access the DSVMs via this secure connection.
    • Access to the Reporting dashboard is currently whitelisted to only Kainos IP addresses. When planning to open this up to HSCNI staff, it will be to named individuals identified by Azure Active Directory identity and whitelisted to the appropriate HSCNI IP addresses only.
  2. Security of data as it moves into the strategic VMS and within the reporting platform is controlled by four mechanisms:
    • A named CRM service account with least-privilege access is used in conjunction with a registered Azure Active Directory App to authenticate and authorise the data extract application when connecting to the VMS to retrieve data for sync to the reporting database.
    • This connection between the data extract application and Dynamics CRM web services is encrypted via a secure method known as SSL, which uses TLS encryption.
    • Connections to the VMS database[16] are also encrypted via SSL/TLS and access is only granted via managed identity used by the Data Science VMS, reporting dashboard, and data extract processes, i.e. there is no direct access to the database via a user of the Azure portal.
    • All data stored in the Azure DB is strongly encrypted using industry standards[17].
  3. All users are offered training to cover their use of the VMS. Training for the APTVision element of the VMS to Trusts has been provided on a ‘train the trainer’ basis and through VMS run-throughs by the development team. Training for the strategic VMS system so far includes:
    • User training on VMS: the VMS Programme designer and tester Dr Michael McKenna has created a video for users to reference. This was referenced in correspondence to all GP practices from HSCB on 11 Feb and sits on the Primary Care Intranet Site. The application contains a guide and FAQ section with comprehensive guides on how to use the system. These FAQs are also available on the Primary Care Intranet site.
    • User readiness has been tracked as part of the GP Readiness meetings and tracking during 8-16 February; the VMS team maintain a training tracker which receives biweekly updates.
    • Users are being supported by Practice Support Team and DHCNI central team during the first weeks of stabilisation. A daily meeting is in place at 3pm to collate and resolve queries; FAQs and guides will be updated accordingly.

Further Developments

As more information is made available about the different vaccines available in Northern Ireland the VMS may have to change and develop accordingly. While it is impossible to predict these developments at this stage several developments are anticipated including:

  • VMS reporting function uses cloud architecture, hosted within Microsoft UK Southern Region datacentres, using software already configured within the Belfast Trust. In the longer term it will ultimately be re-provisioned centrally within Business Services Organisation when a Microsoft Azure environment for Northern Ireland can be constructed.
  • Consideration of machine learning purposes, a human element would remain. There is no automated decision made by machines in this process, all decisions are human made.  There are no plans to change this in the future.

As the Vaccine Management System DPIA is a living document it will be updated, as necessary. 

10.            Identify and Assess Risks (what are the risks)

Risks will be assessed using both HSCB regional risk matrix (Diagram C; full document in Appendix H)

Risk Quantification Matrix (rows: Impact; columns: Likelihood)

| Impact | 1 Rare | 2 Unlikely | 3 Possible | 4 Likely | 5 Almost Certain |
|---|---|---|---|---|---|
| 5 – Catastrophic | Low (5) | Medium (10) | High (15) | High (20) | High (25) |
| 4 – Major | Low (4) | Medium (8) | High (12) | High (16) | High (20) |
| 3 – Moderate | Low (3) | Medium (6) | Medium (9) | High (12) | High (15) |
| 2 – Minor | Low (2) | Low (4) | Medium (6) | Medium (8) | Medium (10) |
| 1 – Insignificant | Low (1) | Low (2) | Low (3) | Low (4) | Low (5) |

| No. | Describe source of the risk and nature of potential impact on individuals | Likelihood of harm | Severity of impact | Overall Risk Rating |
|---|---|---|---|---|
| 1 | Access by nominated VMS programme staff and developers to patient data during product development cannot be limited | Possible | Moderate | Medium |
| 2 | Volume of central administration users created in December extending patient data availability to a wider audience than is necessary. | Remote | Moderate | Medium |
| 3 | Non-vetted staff users exist in the VMS accepted user lists e.g. using personal email accounts to log on to the system. | Possible | Moderate | Medium |
| 4 | Risk of inaccurate data being entered into the VMS by clinical staff or by members of the public that will delay the patient’s vaccine booking. For example: the ability to stop a person booking into several different facilities to get their vaccines, e.g. going to a Trust to receive first dose and then being invited by GP for first dose; being able to overcome a common scenario where citizens are commonly known by one name but registered in Health and Care Index under another variation of this name. | Possible | Minor | Low |
| 5 | Risk of inaccurate data from HCN Index supplying the VMS with the patient’s unique health and care number. | Unlikely | Minor | Low |
| 6 | Risk of data loss during import of patient data from APTVision solution to the Kainos VMS Dynamics data lake resulting in low quality, low confidence population. This will reduce the ability of the DHCNI to support the CMO in making timely decisions to accelerate and target vaccinations. | Remote | Moderate | Low |
| 7 | Risk of data breach (with the loss or unauthorised sharing of personal identifiable data, with potential impact of distress or reputational damage to individuals), by staff working in the VMS Teams, through human error or intent. In addition, the risk of reputational damage to the HSCB and DoH. | Remote | Moderate | Medium |
| 8 | Risk of the VMS being ‘hacked’, with the theft of personal identifiable data (data breach), with the risk of distress or reputational damage to individuals. Or the system being compromised or inaccessible because of a cyber security incident, therefore VMS being unable to operate with no vaccine bookings being undertaken. In addition, the risk of reputational damage to the DoH, HSCB and DHCNI. | Possible | Major | High |
| 9 | Risk of unauthorised access to the personal data on the VMS, resulting in a data breach with potential impact of distress or reputational damage to individuals. In addition, the risk of reputational damage to the DoH, HSCB and DHCNI. | Possible | Major | High |
| 10 | Risk of unauthorised access (internal or external) to the personal data on the APTVision (PostgreSQL), Kainos VMS Data (Azure Data Lake) and Reporting Platforms, resulting in a data breach with potential impact of distress or reputational damage to individuals. In addition, the risk of reputational damage to the DoH, HSCB and DHCNI. | Possible | Major | High |
11Risk relating to Adult Safeguarding Privacy concerns, particularly regarding inappropriate access to current information on identity and location. Vulnerable people may be particularly concerned about the risk of identification or the disclosure of information.
Communication issues with vulnerable adults – issues with receiving/understanding information/instructions. If there are inadequate disclosure controls, there is an increase in the likelihood of information being shared inappropriately
PossibleMajorHigh
12Risk of noncompliance with HSCB/DHCNI data protection and information governance policies and procedures which may result in accidental or deliberate misuse of sensitive personal data with potential of data protection requirements not being adhered to and for a data breach with the potential impact of distress or reputational damage to individuals. In addition, the risk of reputational damage to the DoH, HSCB and DHCNI.RemoteModerateMedium
13Risk of noncompliance with established BSO ITS Service Transition Approval Process (the VMS STAP) and the BSO do not have enough capacity to support the VMS. Potential, in error, to negatively impact the MS Dynamics environment and therefore the VMS would not be available when required.UnlikelyModerateMedium
14Risk of access to personal data by 3rd party processors which may result in accidental or deliberate use of sensitive personal information. Potential impact of a data breach, with potential impact of distress or reputational damage to individuals. In addition, the risk of reputational damage to the DoH, HSCB and DHCNI.PossibleMajorHigh
15Risk that personal data is used inappropriately for analytical purposes. Inappropriate sharing of personal data which could result in potential impact of distress or reputational damage to individuals. In addition, the risk of reputational damage to the DoH, HSCB and DHCNI. RareMinorLow
16Risk of fraudsters sending similar looking messages with malicious intent. Potential impact of distress or reputational damage to individuals, in addition the risk of reputational damage to the DoH, HSCB and DHCNI.LikelyModerateMedium
17Risk of fraudsters setting up a similar web booking front end with malicious intent. Potential impact of distress or reputational damage to individuals, in addition the risk of reputational damage to the DoH, HSCB and DHCNI.PossibleModerateMedium
18Risk of the VMS failing or suffering technical malfunctions rendering the system inoperable. The impact of the VMS suffering failure would slow or reduce the vaccination programme’s ability to vaccinate NI citizens. UnlikelyMajorMedium


11. Identify Measures to Reduce Risks

Risk no. | Describe source of the risk and nature of potential impact on individuals | Options to mitigate (treat) the risk | Effect on risk (Eliminated, Reduced, Accepted) | Residual harm (Low; medium; or high)

Risk 1: Access by nominated VMS programme staff and developers to patient data during product development cannot be limited.
Options to mitigate:
DHCNI have several contractual controls in place, with suppliers covered under their contracts.
Patient data processing and confidentiality is described and enforced by Kainos Limited’s contractual and call-off terms under the UK’s G-Cloud 11 & 12 framework agreements.
Patient data and confidentiality is covered and enforced by APTVision contractual and call-off terms under the UK’s G-Cloud 12 framework agreement. APTVision may process patient data on behalf of DHCNI as a data processor for the purposes of development. No patient identifiable info in APTVision or Kainos pre-production environments.
Patient data and confidentiality is covered and enforced by Gartner UK Ltd. contractual and call-off terms under the UK’s G-Cloud 12 framework agreement. Gartner does not process any patient data on behalf of DHCNI as a data processor.
Effect on risk: Reduced
Residual harm: Low

Risk 2: Volume of central administration users created in December, extending patient data availability to a wider audience than is necessary.
Options to mitigate:
Trust to take immediate action or reduce the list to only those staff members who need access.
Effect on risk: Reduced
Residual harm: Low

Risk 3: Non-vetted staff users exist in the VMS accepted user lists, e.g., using personal email accounts to log on to the system.
Options to mitigate:
Trusts have ownership of their users and need to ensure access protocols are deployed to limit access to only approved, identified vaccination staff. Trust IT leads have actively scanned user access and reduced access. Users’ roles are reduced automatically based on their email (e.g., Northern Trust email restricted to only northern locations).
Effect on risk: Reduced
Residual harm: Low

Risk 4: Risk of inaccurate data being entered into the VMS by clinical staff or by members of the public that will delay the patient’s vaccine booking. For example,
– The ability to stop a person booking into several different facilities to get their vaccines, e.g. going to a Trust to receive a first dose and then being invited by a GP for a first dose.
– Being able to overcome a common scenario where citizens are commonly known by one name but registered in the Health and Care Index under another variation of this name.
Options to mitigate:
Verification of patient identification via photo ID and checks against the HCN Index by vaccination staff conducted at the point of vaccination to mitigate data inaccuracies or errors made during phone or web bookings.
Clinical staff have been briefed and trained on the use of the APTVision booking system.
The APTVision booking system has gone through numerous design changes to improve user experience, ease of use and accessibility to ensure patient entry errors are minimised.
Once patient data has been entered into the VMS after the vaccine has been administered, the record is ‘locked’. Any subsequent changes to the record will need to be done via the VMS Service desk.
Effect on risk: Reduced
Residual harm: Low

Risk 5: Risk of inaccurate data from HCN Index supplying the VMS with the patient’s unique health and care number.
Options to mitigate:
The risk of duplicate HCNs is very low but they may occur due to adoptions. Vaccinators will conduct several checks against the patient to mitigate this risk, checking the primary demographics of DOB, surname and gender against the HCN, followed by two secondary checks of patient address and their GP practice.
Effect on risk: Reduced
Residual harm: Low

Risk 6: Risk of data loss during import of patient data from APTVision solution to the Kainos VMS Dynamics data lake resulting in low quality, low confidence population. This will reduce the ability of the DHCNI to support the CMO in making timely decisions to accelerate and target vaccinations.
Options to mitigate:
Automatic electronic import process is used to load the APTVision patient data extract on the Kainos VMS Dynamics data lake.
Effect on risk: Eliminated
Residual harm: Low

Risk 7: Risk of data breach (with the loss or unauthorised sharing of personal identifiable data, with potential impact of distress or reputational damage to individuals), by NI Direct staff working in the VMS Teams, through human error or intent. In addition, the risk of reputational damage to HSCB and the DoH.
Options to mitigate:
All involved HSCNI staff in the VMS are required to complete the HSC information governance and IT Security e-learning module.
NI Direct has been established as the primary contact centre for the Northern Ireland Civil Service (NICS), its agencies and the wider public sector. Suppliers to NI Direct must comply with Data Protection requirements and this is detailed in the contract with the supplier, in this case BT. The Privacy Notice i.e. https://covid-19.hscni.net/vaccine-service-privacy-notice/ is referenced at the start of each call and in the MOU with DOH. There are strict protocols and training provided to the call handlers. The supplier also has a Quality Manager who sample checks calls against set criteria to score the call.
Risk and management of breach of confidentiality covered in training, in line with contract requirements. Staff are subject to regulatory Codes of Conduct e.g., NMC and GMC which include duties of confidentiality. Confidentiality clauses in contracts of employment of staff and supporting developer/advisory suppliers. Appropriate disciplinary action will be taken in the event of proven breach.
Staff operating within Trusts and GP Practices come under their respective IG governance rules and procedures.
Effect on risk: Reduced
Residual harm: Low

Risk 8: Risk of the VMS being ‘hacked’, with the theft of personal identifiable data (data breach), with the risk of distress or reputational damage to individuals. Or the system being compromised or inaccessible because of a cyber security incident, therefore VMS being unable to operate with no vaccine bookings being undertaken. In addition, the risk of reputational damage to the DoH, HSCB and DHCNI.
Options to mitigate:
Kainos and Microsoft (VMS developers) comply with both international and industry-specific compliance standards and participate in rigorous third-party audits and penetration testing that verify security controls. As required by the GDPR, the VMS developers implement and maintain appropriate technical and organisational security measures, including measures that meet the requirements of ISO 27001 and ISO 27018, to protect personal data it processes as a data processor or sub processor on its customers’ behalf. APTVision meet the requirements of ISO 9001:2015 and develop/deploy their software products on the GDS approved G-Cloud provider Google Cloud. Google Cloud are ISO-27001, 27017 and 27018 certified.
The VMS developers follow the UK Standard Contractual Clauses (data resides in secure cloud locations within the UK).
The Belfast Trust (BHSCT) have applied the following security controls:
● Common data services is unavailable to everyone on WWW except for users within two Azure Active Directory groups
● Multi-Factor authentication is required to access the VMS outside of BHSCT Trusted locations (BHSCT and BSO Networks).
● Legacy authentication has been blocked for all users.
● A user must have a Dynamics 365 license assigned before they are able to access the Kainos VMS Common Data Services.
● Users will not be able to use the system unless added to an application role.
● Application roles have been set up to ensure a “least privileged” approach (Kainos developed).
● Only required accounts have been sync’d from on premise to Azure Active Directory via AD Connect.
APTVision security protocols include:
● Firewalls deny access by default
● Security patches applied automatically (nightly)
● All external traffic in transit encrypted
● SSL 2.0, 3.0, TLS 1.0, 1.1 are disabled, only TLS 1.2, 1.3 allowed
● No patient identifiable info in pre-production environments
● Certificates provided by DigiCert
● We have an A+ rating from Qualys SSL labs: https://www.ssllabs.com/ssltest/analyze.html?d=admin%2dimmunisation.aptvision.com&s=172.67.71.82&hideResults=on&latest
● HTTP Strict Transport Security (HSTS) used
● A recent external audit tested against OWASP top 10, all significant findings were resolved
Effect on risk: Reduced Medium
Residual harm: Medium

Risk 9: Risk of unauthorised access to the personal data on the VMS, resulting in a data breach with potential impact of distress or reputational damage to individuals. In addition, the risk of reputational damage to the DoH, HSCB and DHCNI.
Options to mitigate:
Kainos and Microsoft (VMS developers) comply with both international and industry-specific compliance standards and participate in rigorous third-party audits and penetration testing that verify security controls. As required by the GDPR, the VMS developers implement and maintain appropriate technical and organisational security measures, including measures that meet the requirements of ISO 27001 and ISO 27018, to protect personal data it processes as a data processor or sub processor on its customers’ behalf. APTVision meet the requirements of ISO 9001:2015 and develop/deploy their software products on the GDS approved G-Cloud provider Google Cloud. Google Cloud are ISO 27001, 27017 and 27018 certified.
The VMS developers follow the UK Standard Contractual Clauses (data resides in secure cloud locations within the UK).
The Belfast Trust (BHSCT) & Kainos have applied the following security controls:
● Common data services is unavailable to everyone on WWW except for users within two Azure Active Directory groups
● Multi-Factor authentication is required to access the VMS outside of BHSCT Trusted locations (BHSCT and BSO Networks).
● Once logged into VMS, user actions are logged in an audit trail which includes CREATE, VIEW, UPDATE events on patient details
● Legacy authentication has been blocked for all users.
● A user must have a Dynamics 365 license assigned before they are able to access the Kainos VMS Common Data Services.
● Users will not be able to use the system unless added to an application role.
● Application roles have been set up to ensure a “least privileged” approach (Kainos developed).
● Only required accounts have been sync’d from on premise to Azure Active Directory via AD Connect.
APTVision controls
- APTVision sessions to the infrastructure (SSH access) record login time and IP source
- Sessions to the admin portal are logged. There is auto logout functionality in place after session expires.
- Once logged into VMS, user actions are logged in an audit trail which includes CREATE, VIEW, UPDATE events on patient details
- Access to reporting functionality that includes export is controlled via individual user permission group that has to be explicitly assigned to selected users
- SSH access requires short lived (12 hour) SSH certificates, meaning regular re-authentication is required with the identity provider
- Remote access is controlled using industry standard methods (SSH keys, no passwords allowed, secure VPN, roles and permissions assigned per user)
Effect on risk: Reduced
Residual harm: Low

Risk 10: Risk of unauthorised access (internal or external) to the personal data on the APTVision (PostgreSQL), Kainos VMS Data (Azure Data Lake) and reporting Platforms, resulting in a data breach with potential impact of distress or reputational damage to individuals. In addition, the risk of reputational damage to the DoH, HSCB and DHCNI.
Options to mitigate:
APTVision controls
- APTVision sessions to the infrastructure (SSH access) record login time and IP source
- Sessions to the admin portal are logged. There is auto logout functionality in place after session expires.
- Once logged into VMS, user actions are logged in an audit trail which includes CREATE, VIEW, UPDATE events on patient details
- Access to reporting functionality that includes export is controlled via individual user permission group that has to be explicitly assigned to selected users
- SSH access requires short lived (12 hour) SSH certificates, meaning regular re-authentication is required with the identity provider
- Remote access is controlled using industry standard methods (SSH keys, no passwords allowed, secure VPN, roles and permissions assigned per user)

Kainos/Belfast Trust Controls
- All Belfast Trust Azure resources are managed via Azure Active Directory
- Access to BHSCT Trust based Kainos Servers, Containers and Virtual Machines is restricted to an encrypted connection through Azure Bastion. Connection to Bastion is via whitelisted IP addresses only. Only named Azure Active Directory identities can access the DSVMs via this secure connection
Security of VMS data as it moves from APTVision, into and within the VMS Kainos dynamics platform:
- Data is securely transferred from APTVision to VMS via encrypted SSL/TLS connection using a secure Azure Logic App flow. A secure managed identity is used to connect the Logic App to Dynamics CRM, which is associated with a least privilege security role granting the minimum permissions to update the VMS data model.
- A named CRM service account with least privilege access is used in conjunction with a registered Azure Active Directory App to authenticate and authorise the data extract application when connecting to the Contact Tracing system to retrieve data for sync to the reporting database
- This connection between the data extract application and Dynamics CRM web services is encrypted via SSL using TLS encryption
- Future connections to PHA’s Analytics platform database will also be encrypted via SSL/TLS and access is only granted via managed identity used by the Data Science VMs, reporting dashboard and data extract processes. I.e., there is no direct access to the database via a user of the Azure portal. This capability is not yet in place.
Any VMS data stored in analytics DB will be encrypted at rest by default using AES-256 encryption.
Effect on risk: Reduced
Residual harm: Low

Risk 11: Risk relating to Adult Safeguarding Privacy concerns, particularly regarding inappropriate access to current information on identity and location. Vulnerable people may be particularly concerned about the risk of identification or the disclosure of information.
Communication issues with vulnerable adults – issues with receiving/understanding information/instructions. If there are inadequate disclosure controls, there is an increase in the likelihood of information being shared inappropriately.
Options to mitigate:
Administration access to the VMS is controlled (as set out above), so no unauthorised personnel have access to the VMS.
Only authorised clinical, Trust/GP administration and VMS development staff have access to the data on the VMS; they are bound by the existing controls and policies and professional regulatory Codes of Conduct.
VMS operated by staff recruited for their professional skills (e.g., nursing) that will assist in communicating with vulnerable adults. In respect of vulnerable adults, the vaccinators and clinical staff will seek to speak to a proxy (e.g., legal guardian). If a vaccinator has a concern about the capacity of the contact, they can refer to the clinical lead.
Managerial and clinical supervision arrangements are in place via the relevant Trust or GP Practice. Legal advice is sought as required.
Effect on risk: Reduced
Residual harm: Low

Risk 12: Risk of noncompliance with HSCB data protection and information governance policies and procedures which may result in accidental or deliberate misuse of sensitive personal data with potential of data protection requirements not being adhered to and for a data breach with the potential impact of distress or reputational damage to individuals. In addition, the risk of reputational damage to the DoH, HSCB and DHCNI.
Options to mitigate:
Development of DPIA to identify risks & put appropriate measures in place;
There is mandatory Information Governance and IT Security training for all DoH staff.
All staff have access to the DoH, HSCB and DHCNI Information Governance policies and procedures. All are available on each organisation’s intranet site;
All staff bound by HSCNI employment contracts.
Staff bound by professional regulatory Codes of Conduct.
Appropriate disciplinary action will be taken in the event of proven breach.
Effect on risk: Reduced
Residual harm: Low

Risk 13: Risk of noncompliance with established BSO ITS Service Transition Approval Process (the VMS STAP) and the BSO do not have enough capacity to support the VMS. Potential, in error, to negatively impact the MS Dynamics environment and therefore the VMS would not be available when required.
Options to mitigate:
The VMS is being developed using a rapid, agile development technique which differs from a standard IT service transition used by the BSO. The VMS programme are collaborating with BSO, Suppliers and the BHSCT to align with the STAP process as closely as is practical to ensure a smooth transition to on-going sustainable services.
Completion of documentation and approval by BSO ITS assistant director in line with existing governance applied to all HSC IT systems.
Approved STAP documents are still in development. These are expected to be complete by w/ending 12 Feb.
Effect on risk: Reduced
Residual harm: Low

Risk 14: Risk of access to personal data by 3rd party processors which may result in accidental or deliberate use of sensitive personal information. Potential impact of a data breach, with potential impact of distress or reputational damage to individuals. In addition, the risk of reputational damage to the DoH, HSCB and DHCNI.
Options to mitigate:
No live system access rights are allocated to 3rd parties. All 3rd party access is in accordance with agreed contracts and contract management processes.
Effect on risk: Reduced
Residual harm: Low

Risk 15: Risk that personal data is used inappropriately for analytical purposes. Inappropriate sharing of personal data which could result in potential impact of distress or reputational damage to individuals. In addition, the risk of reputational damage to the DoH, HSCB and DHCNI.
Options to mitigate:
There is a current development of a joint VMS/PHA Analytics capability which shares functionality with the Test & Trace capability and includes involvement from all key stakeholders (including health protection, DHCNI). All staff involved are HSCNI employees and therefore must comply with mandatory Information Governance training.
Developers and advisory suppliers are bound by NDAs aligned with DHCNI Information Governance standards. (APTV to confirm)
Access to the Kainos VMS capability will be controlled via user management and allocation of appropriate rights and levels (e.g., read/write at various levels based on authorised need).
Effect on risk: Reduced
Residual harm: Low

Risk 16: Risk of fraudsters sending similar looking messages with malicious intent. Potential impact of distress or reputational damage to individuals, in addition the risk of reputational damage to the DoH, HSCB and DHCNI.
Options to mitigate:
Advice was sought from the National Cyber Security Centre (NCSC) for Test & Trace usage of SMS to ensure that the SMS is as safe as possible – this advice has been adopted by the VMS programme when considering the use of NI Direct sourced SMS to confirm vaccine bookings.
Sender ID based on guidance from the National Cyber Security Centre (NCSC) and SMS message content was also reviewed. Both have been classed as technically suitable by NCSC due to: the creation of some distance between SenderID and others nearby and the creation of a simple, recognisable link that is harder to mimic.
Effect on risk: Maintained
Residual harm: Low

Risk 17: Risk of fraudsters setting up a similar web booking front end with malicious intent. Potential impact of distress or reputational damage to individuals, in addition the risk of reputational damage to the DoH, HSCB and DHCNI.
Options to mitigate:
Advice was sought from the National Cyber Security Centre (NCSC) to ensure that the SMS is as safe as possible.
There is a large amount of material available via website, apps etc to ensure the public are fully aware of what information will be required and why.
Effect on risk: Reduced
Residual harm: Low

Risk 18: Risk of the VMS failing or suffering technical malfunctions rendering the system inoperable. The impact of the VMS suffering failure would slow or reduce the vaccination programme’s ability to vaccinate NI citizens.
Options to mitigate:
The VMS Programme are adding the system to DHCNI’s Information Asset (IA) Register. In the event of a major failure or catastrophe, systems listed in the organisation’s IA register are deemed critical and receive the highest priority in terms of resources and measures to restore back to normal operation. In such cases Trusts, GPs and other vaccination centres will revert to their existing patient records to ensure vaccination data is still captured during vaccine roll outs until the VMS has been fully restored.
Effect on risk: Reduced
Residual harm: Low

Lynda McAree IG  
Appendix A- VMS Stakeholder Landscape

Appendix B – Data Controllers and Processors (who are they)

All data processors are appointed under Data Processors Agreements in compliance with Article 28 of the UK GDPR.  HSCB is the data controller, responsible for assessing that its processors are competent to process personal data in line with UK GDPR requirements. This assessment will consider the nature of the processing and the risks to the data subjects.

Under Article 28(1) HSCB will use only processors that can provide “sufficient guarantees” (in terms of expert knowledge, resources, and reliability) to implement appropriate technical and organisational measures so that the processing complies with the UK GDPR and protects the rights of individuals.

Data Access/Sharing Agreements and Memorandum of Understanding (MoU) will be in place to govern relationships with the above data processors and sub-processors, which set out the obligations of each party and the data controllers’ obligations and rights regarding the data that is being processed. All contracts adhere to established BSO Procurement and Logistics Services (PaLs) processes and legal input provided by BSO Department of Legal Services (DLS).

All data processing takes place within the EEA area, and as such is subject to legislation in the form of the UK General Data Protection Regulation (GDPR).

All the data processors are appointed under Data Processors Agreements in compliance with Article 28 of the UK GDPR.  All data processors and sub-processor arrangements are managed via UK GDPR compliant agreements and contracts.  The following provides a list of data processors and sub processors involved in delivery of the system. 

  • Health and Social Care Board (HSCB) act as the data controller on behalf of the Health Trusts and GPs identifying the personal data to be collected, which individuals it is collected about, and how it is used.
  • Digital Health and Care Northern Ireland (DHCNI) act as data processor as it is responsible for running the Vaccine Management System and its associated Reporting Platform. DHCNI hold the contracts with Kainos, APTVision and BigMotive.
  • Strategic Investment Board act as a centre of expertise in the public sector on data and digital innovation. SIB is supporting the programme in the area of data strategy and advanced analytics.
  • APTVision are a medical systems software development company who were chosen to develop the VMS booking and scheduling platform and are responsible for the configuration of the booking system and interim VMS database. They are regarded as a sub-processor contracted by the DHCNI, on behalf of HSCB. APTVision will provide support on an ongoing basis to the VMS booking system for the duration of its operation, as part of their contract. Their services are delivered via DHCNI GDPR compliant G-Cloud contracts.
  • Kainos are a system integrator organisation who were chosen to develop the strategic VMS and analytic platform and are responsible for the configuration of the Dynamics system. They are regarded as a sub-processor contracted by the DHCNI, on behalf of HSCB. Kainos will provide support on an ongoing basis to the VMS configuration and analytic platform for the duration of its operation, as part of their contract. Their services are delivered via DHCNI GDPR compliant contracts.
  • BigMotive are a software development company who were chosen to develop the VMS user interface and are responsible for the configuration of the VMS web forms. They are regarded as a sub-processor contracted by the DHCNI, on behalf of HSCB. BigMotive will provide support for user experience (UX) design on an ongoing basis to HSCNI for the duration of the VMS operation, as part of their contract. Their services are delivered via DHCNI GDPR compliant contracts.
  • NI Direct – NI Direct is the official government website for Northern Ireland citizens. NI Direct aims to make it easier to access government information and services. It does this by working closely with Northern Ireland departments and other public bodies to collate key information based on users’ needs. Members of the public who are eligible for a vaccination but are unable to book a vaccine via the website are directed to use the indirect telephone booking service. Call handlers at NI Direct enter citizen data into the VMS booking platform on their behalf.
  • Business Services Organisation (BSO) is a statutory organisation providing services as a data processor for HSCB and DHCNI. They host the Health & Care Index which provides the HCN information to the Kainos VMS environment. They host the Dynamics platform (in line with their contract with Microsoft).  BSO are responsible for monitoring and managing all Microsoft contracts as commissioned and monitored by HSCB.  They are responsible for all Kainos environments user access and provision of new user hardware (PC and phones).  BSO ITS are responsible for the supply and maintenance of user hardware.  PHA has an overarching SLA with the BSO for services including ITS. Their services are managed via appropriate agreements with PHA and HSCB.
  • Belfast Health and Social Care Trust (BHSCT). BHSCT is a statutory organisation providing services as a sub processor for HSCB and DHCNI, through the BSO. BHSCT host the VMS Dynamics application and reporting platform (as well as PHA’s analytics platform) in line with their contract with Microsoft.  PHA has an overarching SLA with the BSO for services including ITS. BSO have SLA’s with all Trusts including BHSCT.  Their services are managed via appropriate agreements with DHCNI and HSCB.
  • Microsoft are responsible, within the Microsoft Azure environment including the Dynamics 365 environment, for software upgrades, security patching and updates for the Vaccine Management System; these are published via the MS Office 365 portal that BSO ITS have access to. Microsoft will implement and maintain appropriate technical and organizational measures to protect Customer Data and Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed. Those measures shall be set forth in a Microsoft Security Policy attached. Microsoft make that policy available to customers, along with descriptions of the security controls in place for the Online Service and other information reasonably requested by customers regarding Microsoft security practices and policies. In addition, those measures shall comply with the requirements set forth in ISO 27001, ISO 27002, and ISO 27018. See appendix D for MOU; this will ultimately be included in the existing contract between Microsoft and BSO (on behalf of HSCB). They are a sub-processor contracted by BSO (to provide this service).

Contracts, Data Sharing Agreements and MoU are in place to govern relationships with the above data processors and sub-processors which set out the obligations of each party and the data controller’s obligations and rights regarding the data that is being processed. All contracts adhere to established BSO Procurement and Logistics Services (PaLs) processes with legal input provided by BSO Department of Legal Services (DLS).

All data processing takes place within the UK area, and as such is subject to legislation in the form of the UK General Data Protection Regulation (GDPR).

Appendix C – Data Controller/Processor Roles

Appendix D – Security Measures

The VMS retains a full audit history of both user access (who viewed what and when) and field-level record modifications. The latter will record:

  • The record that was changed,
  • Who changed it,
  • Timestamp,
  • The value before the change,
  • The value after the change for the affected fields.

APTVision meet the requirements of ISO 9001:2015 and develop/deploy their software products on the GDS approved G-Cloud provider Google Cloud. Google Cloud are ISO-27001, 27017 and 27018 certified.

The VMS developers follow the UK Standard Contractual Clauses (data resides in secure cloud locations within the UK). APTVision, Kainos and The Belfast Trust (BHSCT) have collectively applied the following security controls to protect the VMS:

  • Multi-Factor authentication is required to access the VMS outside of BHSCT Trusted locations (BHSCT and BSO Networks). Legacy authentication has been blocked for all users.
  • Common VMS data services are unavailable to everyone on the WWW except for users within two Azure Active Directory groups.
  • APTVision sessions to the infrastructure (SSH access) record login time and IP source to track users accessing the APTVision system.
  • APTVision sessions to the admin portal are logged. There is auto logout functionality in place after the session expires.
  • Once logged into the tactical VMS, APTVision user actions are logged in an audit trail which includes CREATE, VIEW, UPDATE events on patient details.
  • Access to reporting functionality that includes export is controlled via an individual user permission group that must be explicitly assigned to selected APTVision users.
  • SSH access requires short-lived (12 hour) SSH certificates, meaning regular re-authentication is required with the identity provider.
  • A user must have a Dynamics 365 license assigned before they are able to access federated VMS data and services.
  • Application roles have been set up to ensure a “least privileged” approach (Kainos developed).
  • Only required accounts have been synced from on premise to Azure Active Directory via AD Connect.
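
One way to verify the short-lived (12 hour) SSH certificate control listed above, as an added example that is not code from APTVision, Kainos or BHSCT. It assumes OpenSSH user certificates and parses constructed listings shaped like `ssh-keygen -L -f <cert>` output; the names `check_cert` and `sample_listing` and all sample values are hypothetical.

```python
import re
from datetime import datetime, timedelta

MAX_LIFETIME = timedelta(hours=12)  # lifetime stated in the control list above
TS_FORMAT = "%Y-%m-%dT%H:%M:%S"     # timestamp layout assumed from OpenSSH output

def sample_listing(validity):
    """Build a constructed listing shaped like `ssh-keygen -L` output (assumption: OpenSSH)."""
    return (
        "example-cert.pub:\n"
        "        Type: ssh-ed25519-cert-v01@openssh.com user certificate\n"
        '        Key ID: "constructed-user@example.invalid"\n'
        "        Serial: 1\n"
        f"        Valid: {validity}\n"
        "        Principals:\n"
        "                constructed-user\n"
    )

def check_cert(listing, now):
    """Return a list of findings for one certificate; an empty list means compliant."""
    line = re.search(r"^\s*Valid:\s+(.+?)\s*$", listing, re.M)
    if not line:
        return ["no Valid: line in listing"]
    window = re.fullmatch(r"from (\S+) to (\S+)", line.group(1))
    if not window:
        # "forever", "after <t>" and "before <t>" all lack a bounded window.
        return [f"validity window is open-ended: {line.group(1)}"]
    start, end = (datetime.strptime(t, TS_FORMAT) for t in window.groups())
    findings = []
    if end - start > MAX_LIFETIME:
        findings.append(f"lifetime {end - start} exceeds {MAX_LIFETIME}")
    if now < start:
        findings.append("certificate is not yet valid")
    if now >= end:
        findings.append("certificate has expired")
    return findings

if __name__ == "__main__":
    now = datetime(2021, 4, 24, 12, 0, 0)  # constructed reference time
    for validity in ("from 2021-04-24T09:00:00 to 2021-04-24T21:00:00",
                     "from 2021-04-24T09:00:00 to 2021-05-24T09:00:00",
                     "forever"):
        print(validity, "->", check_cert(sample_listing(validity), now) or "compliant")
```

Run against every certificate the signing service issues, a check like this shows whether the 12 hour limit is enforced at issuance rather than only stated in policy.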


Appendix E – VMS Interfaces

| # | Name | Owner | Description | Direction | Source/Target Systems | Protocol |
|---|------|-------|-------------|-----------|-----------------------|----------|
| 1 | VMS Access by Vaccination Staff | Relevant Trust | Allow Trust staff Access via appropriate URL | Bidirectional | VMS | Via Internet |
| 2 | VMS Access by GP Staff | BSO ITS | Allow GP staff Access via appropriate URL | Bidirectional | VMS | Via Internet |
| 3 | Analytics Power BI | BHSCT/ Kainos | Allow operational/ admin staff Access via appropriate VMS access groups | One Direction | VMS | Via Internet |
| 4 | Vaccine Records Reporting | BHSCT/ Kainos | Export data to analytics database for wider Analytics staff Access via appropriate VMS access groups | One Direction | VMS- analytics database | Via Internet |
| 5 | Vaccine Records Reporting | BHSCT/ Kainos | Allow Analytics staff access via appropriate VMS access groups | One Direction | analytics database | Via Internet |
| 6 | Vaccine Records GP Extracts | BHSCT/ Kainos | Extracting of Data from VMS to BHSCT FTPS server | One Direction | VMS-FTPS server | Azure Data Factory / FTPS |
| 7 | Vaccine Records GP Extracts to EMIS | BHSCT/ BSO | Extracting of Data from BHSCT FTPS server to EMIS | One Direction | FTPS server-IUVO-EMIS | FTPS / SMTP |
| 8 | Vaccine Records GP Extracts to Vision | BHSCT/ BSO | Extracting of Data from BHSCT FTPS server to Vision | One Direction (responses stored on FTPS server) | FTPS server-Vision | FTPS |
| 9 | Vaccine Records GP Extracts to Merlok | BHSCT/ BSO | Extracting of Data from BHSCT FTPS server to Merlok | One Direction | FTPS server-IUVO-Merlok | FTPS / SMTP |
| 10 | Admin Access to Dynamics | BHSCT | Admin Access to Dynamics | Bidirectional | VMS | Via Internet |
| 11 | User/Group Management in BHSCT Active Directory | BHSCT for set up then relevant org | AD Authentication of users and security groups | Bidirectional | AD-VMS | Azure AD |
| 12 | GP System List | BSO/ Kainos | Reference list of GP practice codes and vendors | One Direction | Spreadsheet-VMS | |
| 13 | GPIP Extract | BSO/ Kainos | Historical Vaccinations from GP Systems | One Direction | GPIP-VMS | FTPS/ Azure Data Factory |
| 14 | HCN Extract Lists | BSO/ Kainos | HCN data | One Direction | HCN-VMS | FTPS/ Azure Data Factory |
| 15 | Data from APTVision | APTVision/ Kainos | Location, Booking, Vaccination data from APTVision | One Direction | APTVision-VMS | REST API over Internet |
| 16 | APTVision Users | APTVision/ Trusts | Public Booking platform / Trust Vaccinations | Bidirectional | APTVision | Via Internet |
| 17 | Records from EMIS to GPIP | BSO | Extracting of Data from EMIS | One Direction | EMIS practices | Spreadsheets/ FTPS |
| 18 | Records from Vision to GPIP | BSO | Extracting of Data from Vision | One Direction | Vision practices | Spreadsheets/ FTPS |
| 19 | Records from Merlok to GPIP | BSO | Extracting of Data from Merlok | One Direction | Merlok | Spreadsheets/ FTPS |
| 20 | Gov Notify | APTVision/ DHCNI | SMS Gateway | One Direction | APTVision- gov.notify | REST API over Internet |
| 21 | Pharmacy App | BSO ITS/CPNI | Allow Pharmacy staff Access via appropriate URL | Bidirectional | VMS | Via Internet |


Appendix F – Glossary

AD: Active Directory, which is a directory service developed by Microsoft for Windows domain networks. It is included in most Windows Server operating systems as a set of processes and services.
AES-256: The Advanced Encryption Standard (AES) is a specification for the encryption of electronic data established by the U.S. National Institute of Standards and Technology (NIST) in 2001.
Azure: Microsoft Azure, commonly referred to as Azure, is a cloud computing service created by Microsoft for building, testing, deploying, and managing applications and services through Microsoft-managed data centres.
CMO: Chief Medical Officer who is the most senior government advisor on health matters.
COTS: Commercial off-the-Shelf Systems are packaged solutions which are then adapted to satisfy the needs of the purchasing organisation, rather than the commissioning of custom-made, or bespoke, solutions.
CRM: Customer Relationship Management system
Data Lake: A data lake is a system or repository of data stored in its natural/raw format. A data lake is usually a single store of data including raw copies of source system data, sensor data, social data etc.
DHCNI: Digital Health and Care Northern Ireland (DHCNI) is the data and technology lead to the Health and Social Care (HSC) system in Northern Ireland.
DLS: Directorate of Legal Services for Northern Ireland
DOH: The Department of Health for Northern Ireland
DPA: Data Protection Act 2018
DPIA: Data Protection Impact Assessment – this document.
DSVM: DSVMs are Azure Virtual Machine images, pre-installed, configured and tested with several popular tools that are commonly used for data analytics, machine learning and AI training.
G-Cloud: Is the principal commercial framework run by UK government for the purchase of cloud related software and services.
GDPR: This refers to the UK-General Data Protection Regulations
GDS: The Government Digital Service (GDS) which is part of the UK Cabinet Office. GDS’s job is digital transformation of government.
GMS: General Medical Services is the term used to describe the very wide range of services and support that all patients receive from their General Practitioner (GP).
GP: General Practitioner commonly known as a Doctor
GPIP: GP Intelligence Platform. An aggregated platform that’s still in development that takes data from the GP systems for sharing with other medical systems.
HCN: Health and Care Number. The HCN uniquely identifies a patient within the NHS in Northern Ireland. It is the equivalent of the NHS NUMBER in England and Wales.
HTTP: Hypertext Transfer Protocol (HTTP) is an application layer protocol for distributed, collaborative, hypermedia information systems
HSC: Health and Social Care
HSCB: The Health and Social Care Board (HSCB) is a statutory organisation that arranges or ‘commissions’ health and social care services for the population of Northern Ireland
HSCTs: Health and Social Care (HSC) Trusts in Northern Ireland. 5 HSC Trusts provide integrated health and social care services across Northern Ireland, the sixth is the NI Ambulance Service.
HSTS: HTTP Strict Transport Security (HSTS) is a web security policy mechanism that helps to protect websites against man-in-the-middle attacks such as protocol downgrade attacks and cookie hijacking.
ICO: The Information Commissioner’s Office (ICO) upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
IUVO: A specialist electronic messaging and integrated information transfer system for the healthcare industry.
IP: The Internet Protocol (IP) is the principal communications protocol in the Internet protocol suite for relaying datagrams across network boundaries. Its routing function enables internetworking, and essentially establishes the Internet.
ISO 9001:2015: ISO 9001:2015 is an international standard dedicated to Quality Management Systems (QMS).
ISO 27001: ISO/IEC 27001 is an international standard on how to manage information security.
ISO 27017: ISO/IEC 27017 is a security standard developed for cloud service providers and users to make a safer cloud-based environment and reduce the risk of security problems
ISO 27018: ISO/IEC 27018 is a security standard part of the ISO/IEC 27000 family of standards. It was the first international standard about the privacy in cloud computing services which was promoted by the industry.
ITIL: ITIL is a set of detailed practices for IT service management that focuses on aligning IT services with the needs of business
ITS: Information & Technology Systems
JCVI: The Joint Committee on Vaccination and Immunisation (JCVI) advises UK health departments on immunisation.
MS Dynamics: Microsoft Dynamics CRM is cloud based customer relationship management software package developed by Microsoft.
Multi-Factor authentication: Multi-factor authentication (MFA; encompassing Two-factor authentication or 2FA, along with similar terms) is an electronic authentication method in which a computer user is granted access to a website or application only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism:
NCSC: National Cyber Security Centre (NCSC) is an organisation of the United Kingdom Government that provides advice and support for the public and private sector in how to avoid computer security threats.
NDA: Non-Disclosure Agreement
OWASP: Open Web Application Security Project (OWASP) is an online community that produces freely available articles, methodologies, documentation, tools, and technologies in the field of web application security
PAC: The Privacy Advisory Committee whose role is to advise HSC bodies about the use of information relating to patients and clients.
PHA: Public Health Agency is the NI body responsible for health and social wellbeing, health protection, public health support to commissioning, policy and HSC research.
PostgreSQL: PostgreSQL also known as Postgres, is a free and open-source relational database management system (RDBMS) emphasising extensibility and SQL compliance.
SLA: Service Level Agreement which describes how a service will be delivered and defines the quality aspects of the service
SMS: Simple Messaging Service, also known as text messages.
SQL: Structured Query Language is a domain-specific language used in programming and designed for managing data held in a relational database management system (RDBMS), or for stream processing in a relational data stream management system (RDSMS).
SSH: SSH or Secure Shell is a cryptographic network protocol for operating network services securely over an unsecured network.
SSL: Secure Sockets Layer (SSL) are cryptographic protocols designed to provide communications security over a computer network.
STAP: Service Transition Approval Process. This document provides BSO with the necessary information to take on support of a new healthcare Service.
TLS: The Transport Layer Security protocol aims primarily to provide privacy and data integrity between two or more communicating computer applications.
VMS: Vaccine Management System used to support the delivery and roll out of vaccines across Northern Ireland

[1] Digital Health and Care Northern Ireland (DHCNI) is the data and technology lead to the Health and Social Care (HSC) system in Northern Ireland.

[2] For example, vaccine certificates, portals for SAR requirements may emerge

[3] As at 23rd Mar 2021

[4] Updated to cover UK GDPR (following UK exit from EU) and DPAO 2018

[5] To be covered under the relevant Data Sharing Agreement.

[6] For HS&C staff only

[7] https://covid-19.hscni.net/ni-covid-19-vaccinations-dashboard/

[8] PHA are the data controller for the PHA analytics system.

[9] There have been several additions to this cohort following first lockdown. Trusts have also been an important source of information particularly for those on immunosuppressant therapies that are red listed to primary care.

[10] The Business Services Organisation (BSO) has established an Honest Broker Service (HBS) for Health and Social Care (HSC). The aim is to enable non-identifiable data to be safely shared to maximise the uses and health service benefits which can be gained from it, including planning, commissioning of services and public health monitoring. The HBS enables access to anonymised, aggregated and in some cases pseudonymised health and social care data to the DoH, HSC organisations and for anonymised data for health and social care related research

[11] Include Personal identification, contact information and H&CN

[12] This refers to the processing that is necessary for the performance of the official tasks carried out in the public interest in providing and managing a health service.

[13] https://www.legislation.gov.uk/nia/2009/1/contents

[14] https://www.health-ni.gov.uk/sites/default/files/publications/health/gmgr-disposal-schedule.pdf, page 53

[15] Currently under development to give Community Pharmacy staff access to the VMS booking system.

[16] Microsoft Azure DB

[17] At rest by default using AES-256 encryption.

Posted: April 12, 2021 10:06 am