COVID-19 NI Menu Toggle Search
  • Home
  • Arrow Right
  • Vaccine Service – Privacy Notice

Vaccine Service – Privacy Notice


1.            Introduction

The Northern Ireland Government Strategy [1] sets out the public health measures to be put in place to help contain and reduce the spread of COVID-19 by the administration of COVID-19 vaccinations to the Northern Ireland population.

This privacy notice describes the type of personal data collected and held for the COVID-19 Vaccination Programme the way that it is used and your rights in respect of this.

The HSC Trusts and General Practitioners (GPs) are responsible for the implementation of the NI COVID-19 Vaccination Programme on behalf of the Department of Health (DoH).

2.            COVID 19 Vaccination Management System Programme

The Vaccination Management Programme and associated COVID 19 Vaccine Management System (called the VMS) is designed to enable the population of Northern Ireland to access COVID-19 vaccinations to develop immunity to the SARS-CoV-2 virus.

The objective of the Vaccination Management Programme is to protect those who are at highest risk from serious illness or death. Initially the VMS has been used to support COVID-19 vaccination roll out to:

  • Care Home residents
  • Care Home staff
  • The over 80’s
  • Vaccinators
  • HSC staff working with patient groups at higher risk and higher risk areas/settings
  • Frontline staff with increased personal risk

The COVID 19 vaccine has been administered, using the VMS, by registered clinical staff trained in vaccination procedure in 2 doses.

All text messaging and email appointment confirmation and reminder messages are triggered by the VMS to the mobile or email address supplied at booking.

Users of the VMS will receive confirmation of their appointment bookings and reminders of their appointments either by email or text SMS.  For those residents in nursing and residential care no booking will be required as mobile teams of vaccination staff will visit individuals at home on a set day. 

Further information on the NI COVID-19 Vaccination Programme can be found at: COVID-19 Vaccination Programme questions and answers | HSC Public Health Agency (

3.            Why are you processing my personal information?

The Trust or your GP will process your personal data stored in the VMS under the Data Protection Act 2018. HSCB is the Data Controller for the VMS system.  Your personal information is used for the following purposes:

  • Confirming the appointment at a regional vaccination centre (if that is where you are having your test)
  • Performing a security and ID verification at the vaccination centre
  • Processing your vaccination
  • Sharing the details of your vaccination with your GP
  • Sharing data with Business Services Organisation (BSO) IT systems to link your vaccination details to your Health and Care Number (HCN) and to analyse data in relation to coronavirus
  • Undertaking quality assurance of the vaccination process, for example clinical process assurance
  • Analysis to support operational decisions to improve the full end-to-end vaccination process, such as:
    • day-to-day use, for example whether someone attended their appointment
    • to inform regional vaccination centres of improvements to the vaccination process, for example to manage capacity or throughput
    • support end-to-end logistics planning.
  • Follow up on serious adverse effects
  • Monitoring of the vaccine to identify trends in the uptake of the COVID -19 vaccine

Information may be used by the Public Health Agency (PHA) for analysis for health research, health protection and health promotion. Anonymised information may be used for reports and the production of official statistics.

Disease Monitoring is a core public health function, therefore it is important that we have the right information available to us at the right time to make the right healthcare decisions. This also helps us take effective actions across the public health system to help control the spread of the disease.

Monitoring involves gathering a wide variety of anonymised data about a disease from a range of sources, to provide us with awareness on how effective the vaccine is.  This also applies to the uptake of COVID-19 vaccination. This is then used to inform public health action to help prevent and control the disease.

Identifiable information provided by you, and collected about you, in relation to the COVID 19 vaccine will be used to update your personal medical record.

4.            What information is collected?

If you use the online VMS platform to book your vaccine appointment you will be asked to provide only the information we need to arrange an appointment and carry out the vaccination. This will include your name, address, date of birth, ethnicity, sex at birth, contact details, allergies, any special assistance required.

At the vaccination appointment the following information will be collected and added to the vaccine management system:

  • Vaccine – where given
  • Vaccinator name
  • Date of Vaccination
  • Check screen  – confirm to screening questions
  • GP Advice received
  • Reason Vaccine not suitable
  • Vaccine type/Product Name
  • Vaccine – Course Given
  • Was Vaccine Administered
  • Vaccine – Batch Number
  • Informed Consent/Proxy consent
  • Dose Number
  • Vaccine site – left/right arm or other
  • Vaccination Centre
  • Notes field – free text

For people employed in health and social care additional information will be collected on:

  • Staff Number
  • Organisation/Professional Group

For vaccinations administered in nursing homes where the online booking has not been required the demographic details will be collected at the time of vaccination.

You may also be asked to provide some additional information about yourself when you attend for vaccination by the person vaccinating you, for example confirmation you have no symptoms or other reasons why you may have to defer your vaccination.

Please note that the COVID-19 Vaccination Programme will never:

  • Disclose any personal or health/medical information provided by you to anyone other than your GP practice patient record system. Additionally, for HSC staff, Occupational Health will hold a record of your vaccination; anonymised data will be shared with HSC employers as management reports on vaccine uptake.
  • Ask you to dial a premium rate number (for example, those starting 09 or 087) to speak to us;
  • Ask you to make any form of payment or purchase a product of any kind;
  • Ask for any details about your bank account;
  • Ask for your social media identities or login details, or those of your contacts;
  • Ask for any passwords or PINs, or ask you to set up any passwords or PINs over the phone;
  • Ask you to download any software to your PC or ask you to hand over control of your PC, smartphone or tablet to anyone else;
  • Ask you to access any website or smartphone application that does not belong to the Government, or HSC.

5.            The lawful basis for processing your personal information

We process your personal information according to the General Data Protection Regulation and the Data Protection Act 2018.  Your data is processed as part of our public task (in line with GDPR Article 6(1)(e))[2]

Some of the data processed relates to health data which is described as ‘special category data’.  In relation to that processing, the following GDPR conditions apply:

  • Article 9(2)(h) – the processing is necessary for medical diagnosis, the provision of health treatment and management of a health and social care system.
  • Article 9(2)(i) – the processing is necessary for reasons of public interest in the area of public health.
  • Article 9(2)(j) – the processing is necessary for archiving purposes in public interest – scientific/historical research purposes.
  • Data Protection Act 2018 Schedule 1, Part 1 (2) – Health or Social Care Purposes
  • Data Protection Act 2018 – Schedule 1, Part 1 (3) – reasons of public interest in the area of public health
  • Data Protection Act 2018 – Schedule 1, Part 1 (4) – reasons of public interest in the area of public health research

6.            How will my data be processed?

All patient data will be processed in a manner that ensures appropriate security of your personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures.

7.            Do I need to give my consent?

No, the data is obtained on the lawful basis of public interest (as outlined in section 5 above) and therefore consent is not required.

8.            Where do you get my personal data from?

Much of the data we use will have been provided directly by you when you book your COVID-19 vaccination appointments (or someone who booked it on your behalf) and from clinical data entered into the system at the time of your vaccination.

The COVID-19 Vaccine Management System will receive data directly from:

  • Information you provide when booking your appointment and when attending for your vaccination
  • GP Clinical and Healthcare Systems for accurate recording

9.            Do you share my personal data with anyone else? 

Yes. To help us provide the best care or service for you, we may need to share, exchange or match your vaccine information with other healthcare bodies and professionals, including GPs, Hospitals and the PHA’s Analytics capabilies for the purposes of health protection.

Anonymised information may also be shared with Public Health England for the purposes of national disease monitoring.

Anonymised information will be shared with the Department of Health in Northern Ireland for the purposes of COVID-19 monitoring.

10.          Do you transfer my personal data to other countries?

Only in exceptional circumstances, e.g. where information needs to be shared with Public Health agencies outside the UK for the purposes of disease surveillance and to protect the health of individuals and others potentially affected by an outbreak. Any transfers will be fully compliant with the UK GDPR and only when we have a legitimate basis for doing so.

11.          How long do you keep my personal data?

We will only retain your data for as long as necessary, in line with our Retention and Disposal Schedule (Good Management, Good Records).

Data for the VMS will be retained in line with GMGR section G43[3] Electronic Patient Clinical Records (inc Audit Trails) developed since 2013.

12.          What rights do I have?

  • We provide information on the collection and use of your personal information, through this Privacy Notice and through a range of public information on the PHA website. COVID-19 Vaccination Programme questions and answers | HSC Public Health Agency (  
  • We only hold information about you that we need. You can ask for copies of the information that we hold about you;
  • You can ask us to make changes to information we hold about you if you think that it is incorrect;
  • As the data collected in the COVID-19 Vaccine Management System form part of your GP clinical record, the right to erasure is partial and only applies to erasure of pieces of information no longer required by the HSC during provision of treatment.
  • You can ask us to stop processing information about you, however this will not always be possible as information will still need to be processed for the purpose of your clinical care and public health protection;
  • Other than for the planned transfer of your data to your GP record, it will not be possible to transfer your data to another organisation if requested;
  • If you are not happy with what we do with the information we hold about you, you can speak to us about this;
  • We use computers to hold and look at your information, but we do not use automated individual decision-making.

If you want more detailed information on these rights, this can be found on the ICO website, at:

If you wish to ask us about any of these rights please contact the Data Protection Officer (see email address below)

13.          How do I complain if I am not happy?

If you are unhappy with any aspect of this privacy notice, or with how your personal information is being processed, please contact:

If you are still not happy, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO). Should you have any concerns about how your data has been handled or remain dissatisfied with any response regarding the processing of your personal data, you can raise these concerns with the ICO, as follows:

Information Commissioner’s Office

Wycliffe House, Water Lane, Wilmslow, Cheshire, SK0 5AF

Tel:  0303 123 1113


Changes to this Privacy Notice

This Privacy Notice will be kept under regular review any updated versions will be placed on our website.

[1] DoH circular HSS(MD)82/2020 ‘Deployment of the COVID-19 Vaccine in Northern Ireland’ (7 December 2020)

[2] – This refers to the processing that is necessary for the performance of the official tasks carried out in the public interest in providing and managing a health service.

[3],  page 53

Updated: 6 months ago Posted: January 25, 2021 1:01 pm